Data Protection and Player Privacy: What India’s new Data Protection regime entails for its Gaming Industry

With the introduction of the Digital Personal Data Protection Act, it is crucial for online gaming businesses to take steps to align their data practices with the stringent requirements.
Ashneet Hanspal, Parag Singhal

The online gaming industry has witnessed exponential growth across the world, with India emerging as one of the fastest-growing online gaming markets. With millions of users across the country rapidly engaging in interactive, immersive, and often highly social gaming experiences, the industry continues to expand – as do the risks associated with misuse, theft, or unauthorized collection and processing of players’ personal data. It can be said that personal information shared on these online gaming platforms has become a valuable commodity, making data protection a priority not just for players but also for online gaming companies.

Online gaming today is thus not just about gameplay, but also about social interaction, digital commerce, and developing immersive virtual experiences. Consequently, players may often share their personal information (including financial and other sensitive information) – knowingly or unknowingly, without awareness of the associated risks. Such information, if not adequately protected, can expose users/players to risks of misuse, unauthorized sharing, or exploitation by gaming companies or fraudulent third-party entities.

Keeping this in mind, the Indian government as well as the gaming industry increasingly emphasize the importance of evolving a responsible and ethical approach to online gaming. This emphasis has also contributed to certain (gaming-specific) provisions being enshrined under India’s Digital Personal Data Protection Act, 2023 (“DPDPA”), read with the draft Digital Personal Data Protection Rules, 2025 (“DPDPR”) issued thereunder. This article delves into the evolving privacy concerns within the Indian gaming industry and the corresponding legal obligations of gaming operators proposed under the relevant statute.

Privacy Concerns in the Gaming Ecosystem

The increasingly immersive nature of online gaming perpetuates an ecosystem where players share an increasing amount of personal information online. Typically, players submit personal data such as email addresses and mobile numbers during registration or signup on these platforms. However, players may also submit payment details for the purpose of real-money gameplay, or else opt to integrate their gaming accounts with various social media accounts held by them. Such increasing collection and processing of the players’ information contributes to several concerns when it comes to data privacy in the online gaming sector. A few emerging concerns in relation to Indian players are highlighted below.

Player Awareness and Informed Consent: While the DPDPA mandates organizations to obtain informed consent (upon issuing notice to the individual providing the data), per the Information Technology Act, 2000 (and rules issued thereunder), organizations have traditionally obtained bundled consent from players (as elaborated below) in the form of standard terms and conditions. To the common player, terms and conditions may be long and difficult to comprehend.

As a result, players may – in practice – often have limited knowledge about the data that they’re sharing during their signup on the platform and how such data is being used. For instance, during registration, gaming operators may sometimes collect personally identifiable information (PII) or data beyond the personal information manually submitted by users, including the non-specific age or location, and/or device or social media details of the players. Beyond this, user/ player activity on the platform, such as gameplay duration, preferences, and in-game interactions, may also be tracked and analyzed.

Safety and Parental Consent for Minors: The Indian gaming industry enjoys widespread popularity mostly amongst a younger user demographic, which can include minors who are accessing gaming platforms with or without the knowledge of their parent or legal guardians. This (key) demographic of users is more likely to be unaware of the implications of sharing their personal information, leaving them more vulnerable to cyber threats and exploitation.

The Data Protection Regime in India: From the IT Act to the DPDPA

The existing legal framework governing data privacy and gaming in India principally includes the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended in 2023). With the introduction of the DPDPA (and the draft DPDPR), however, India is gradually moving toward a more robust data protection framework for the protection of personal data in the gaming space (including the online gaming industry).

The DPDPA (once fully enforced) will impose stringent requirements regarding how (domestic and international) gaming operators offering services in India collect, store, and process the personal data of their players/ users. The DPDPA classifies stakeholders engaged in the collection of any personal data of Data Principals as “Data Fiduciaries”. Further, it classifies any entity engaged in processing personal data (on behalf of Data Fiduciaries) as “Data Processors.” Gaming operators are, accordingly, likely to qualify as one or the other (if not both).

As “Data Fiduciaries” specifically, online gaming businesses will be required to adhere to various legal requirements for handling personal information of users/ players (the “Data Principals”). A few key mandates which impact gaming businesses include:

Data Minimization and Consent Notice: Online gaming platforms will be required to devise appropriate mechanisms to ensure data collection of players is restricted strictly to what is necessary for specific and defined purposes in connection with the services they provide. For this purpose, gaming entities will need to prepare and provide players with clear and concise privacy notices in line with the DPDPA, which outline the type of personal data collected and the specific purpose for its use. In connection with this, entities will be required to update standard privacy policies and terms of service in line with the requirements of consent under the DPDPA, to ensure these contain appropriately detailed and transparent disclosures as needed.

This is because, as mentioned above, the DPDPA requires that Data Fiduciaries must obtain consent from the players/ users for collecting or processing their personal data. Specifically, it dictates that such consent must be “…free, specific, informed, unconditional and unambiguous with a clear affirmative action…” Further, only (limited) personal information that is necessary for the specified purpose (in respect of which informed consent of the user is obtained) can be processed by Data Fiduciaries per the DPDPA. Accordingly, blanket consent of the user cannot be sought by gaming entities in the form of standardized privacy policies.

Special Safeguards for Processing Children’s Data: The DPDPA introduces strict measures for handling data of children or minors (i.e. any individuals who have not attained the age of at least 18 years). Under the DPDPA, the parents or legal guardian(s) of a child or minor are also considered as “Data Principals” in respect of the child’s personal information. Consequently, online gaming platforms must implement appropriate mechanisms for obtaining verifiable consent from the parents or legal guardians of users/ players who are minors. In practice, entities will also be required to ensure their consent mechanisms can appropriately determine whether they are collecting data from a user who is a minor (i.e. a situation where the minor's consent cannot be relied upon for processing his/ her data).

Importantly, online gaming platforms are also prohibited from engaging in any behavioral monitoring, or targeted advertising aimed at minors. Further, any form of data processing that could adversely affect the well-being of a minor is also strictly barred.

Cross-Border Data Transfers: While the DPDPA does not bar cross-border data transfers, it grants authority to the Indian government to restrict the transfer of data to designated jurisdictions prospectively. Gaming companies operating in multiple countries must therefore ensure their data storage and transfer mechanisms remain adaptable and compliant with potential future restrictions.

Rights of Data Principals (Players): The DPDPA enumerates key rights for Data Principals that gaming companies will need to take appropriate steps to provide for, including specifically the following:

- Right to Withdraw Consent: Subject to the DPDPA, players have the right to withdraw their consent (in respect of any personal information provided for processing) at any time. Accordingly, online gaming platforms will be required to take steps to ensure that players can exercise this right easily without facing any form of penalty.

- Right to seek correction, updation and erasure of information: In the event a player has previously consented to the collection or use of their personal data, the player holds the right to request correction, updation or the complete removal of such data from the platform’s records.

- Right to Access Information: Under the DPDPA, players will have the right to seek information from the online gaming platforms as regards the personal data collected, retained or transferred to third parties by the platform operator.

- Right to Grievance Redressal: The DPDPA empowers players with the right to grievance redressal, allowing them to raise concerns regarding a platform’s handling of their data or failure to comply with the obligations under the Act. In furtherance of this, gaming platforms are required to disclose timeframes for responding to grievances of Data Principals on their platforms and implement measures to ensure that grievances are dealt with within the prescribed time.

Conclusion

With the introduction of the DPDPA, it is evidently crucial for (international and domestic) gaming businesses alike to take steps to align their data practices with the stringent requirements thereunder and implement a statutorily compliant data protection framework to build trust, mitigate risks, and create a safer environment for players. This is especially so since, according to the draft DPDPR, larger online gaming businesses (having 50 lakh or more users) are demarcated as “Significant Data Fiduciaries” and are required to adhere to a higher compliance threshold or face heavy penalties (which could extend to INR 250 Crore).

Accordingly, recognition and awareness of the legal responsibilities under the DPDPA are crucial within the Indian gaming industry. By proactively taking early steps to address privacy concerns, the gaming industry can continue to evolve responsibly while ensuring the safety of players.

About the authors: Ashneet Hanspal is a Senior Associate and Parag Singhal is an Associate at Ahlawat & Associates.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
