DATA PROTECTION
format of the Privacy Notice, it is likely that platforms may be required to make certain tweaks at different stages of a user’s journey on the platform. In addition, the gaming operator is required to give an option to the gamer to access the Privacy Notice in English or any language specified in the Eighth Schedule to the Constitution of India, as the gamer so decides. Points to consider: Operators can consider starting off by identifying the relevant stages in their product flow where fresh or additional personal data is being collected from the gamer. Usually, stages where fresh personal data is collected from a gamer are during: (a) sign-up; (b) profile creation; (c) during actual gameplay; (d) access to an in-app marketplace; (e) engagement and interaction with other users; and (f) during in- app purchases, among others. These stages may of course differ from product to product, but identifying these stages is crucial, since the DPDP Act may require operators to include necessary information tabs and build opt-in consents at these very stages. In addition, since there is a requirement to provide users with the ability to give consent and the Privacy Notice in English or any of the 22 languages under the Indian Constitution, operators may want to engage local translators or explore technological means to enable the same. Cautious approach while dealing with child data Given that existing Indian laws do not contain age-based differentiation for personal data, the DPDP Act brings about a paradigm shift by imposing special obligations while collecting and processing personal data of a “child”. A “child” is defined as an individual who is yet to attain the age of majority viz., 18 years. These special obligations become particularly crucial for formats such as e-sports and daily fantasy, where a significant user base comprises of children and teenagers. There are three main restrictions that the DPDP Act has imposed when it comes to the processing of children data. First, operators must obtain the verifiable consent of a parent or guardian. 7 Second, no operator should undertake any processing that is likely to have a detrimental effect on the well-being of a
child gamer. 8 Third, operators should not engage in behavioral monitoring or send targeted advertisements to children. 9 There are of course ambiguities present in some of these restrictions, such as the meaning of “detrimental effect”, and the government is yet to provide clarity on how the “verifiable consent” of the parent or guardian will be obtained. Restriction on the behavioral tracking of children will also pose a business challenge for operators that specifically curate online games for educational, clinical, and diagnostic purposes for children. However, the Central Government has the discretion and power to exempt certain Data Fiduciaries or class of Data Fiduciaries from the obligation to obtain verifiable parental consent and relax the prohibitions on tracking etc. 10 The exact criteria through which such Data Fiduciaries will be identified and exempted is yet unclear, but we expect the government to take a practical approach and provide baseline criteria which Data Fiduciaries are expected to meet in order to qualify for the exemption. Points to consider: Considering that the DPDP Act has stringent conditions for children’s data, operators may want to consider having a separate on-boarding and data collection process for child users. Obtaining the ‘verifiable consent’ of a parent or guardian will be crucial and it will be helpful to explore how other parallel industries verify child users in practise. Since the DPDP Act notes that the government may exempt certain Data Fiduciaries from these requirements if they are able to demonstrate their data processing activities are conducted in a safe manner, it will be useful to keep accurate logs of data and have transparent policies in place. Lastly, since gaming operators are also separately governed by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“ IT Rules ”) 11 where concepts like “user harm” are defined, one may want to take a purposive and co-joint reading of the DPDP Act and the IT Rules. Honoring the rights of data principals The rights of a Data Principal are the foundation on which the DPDP Act is based. The DPDP Act gives certain rights to the
7 Section 9(1) of the Act 8 Sections 9(2) of the Act 9 Sections 9(3) of the Act 10 Sections 9(5) of the Act 11 By this 2023 amendment, online gaming industry has been brought under the purview of the IT Rules
PAGE 28
IMGL MAGAZINE | JANUARY 2024
Made with FlippingBook flipbook maker