DPDPA Is Set to Influence India’s Online Gambling Landscape

06 Oct 2023

With GDPR in the EU and the CCPA in California, India is next in line to receive extensive privacy protection for online users, with the Digital Personal Data Protection Bill, 2023 (DPDPA) expected to impact users and gaming operators in India significantly.

Improved data protection and privacy processes are soon in play

While the DPDPA was notified in the Lok Sabha in August 2023, the Indian government states it will implement the Act within 10 months of its initial notification. It has been much awaited and is expected to pass, redefining the country’s data privacy and protection regime.

The bill aims to regulate personal digital data, resolve breaches, and establish a comprehensive national framework for processing personal data.

Covered in the DPDPA is the processing of digital personal data in India, including information collected online and offline, which is later digitized. The processing includes collection, storage, use, and sharing. It also extends to personal data processed outside India if the information is related to goods or services offered in India.

Gambling companies must comply with data localization, data segregation, data purging after use, and other compliances. Data fiduciaries, which include gaming companies, are required to ensure the accuracy and security of the data and delete it once its purpose has been fulfilled.

Once the bill becomes law, a framework and a Data Protection Board (DPA) will be set up to handle data breaches and customer complaints. The DPA will also have the authority to issue fines to offenders. These fines are hefty, with penalties of up to ₹250 crore per violation.

What the DPDPA will mean for gamblers and operators

Online casinos deal with multiple types of personal data, such as name, email, gender, age, transaction methods, addresses, and more. Since gambling operators handle such a wide range of data, this is one of the industries where the implementation of the DPDPA will be noticed the most.

Once the bill is implemented, players will be affected positively by:

  • Having the right to data portability and the right to be forgotten.
  • Having the right to access, correct, and erase their personal information.
  • Having their data processed accurately and securely.

In turn, operators will be required to comply with data localization, segregation of data, and purging of data after use, among other compliances. These “data fiduciaries,” which include gaming companies, are required to ensure the accuracy and security of the data, as well as delete it once its purpose has been fulfilled.

Some issues are yet to be ironed out

Probably the biggest concern raised about the current version of the DPDPA is that central government agencies are to be exempt from any or all provisions.

Government agencies are not required to delete personal data, which allows them to create extensive, 360-degree profiles of users for surveillance. It is yet to be confirmed if these exemptions will breach fundamental privacy rights.

Another complicated matter of the DPDPA, although not as relevant to gambling operators already restricting their products to those over 18 years of age, is that users under 18 years of age will be considered minors in the eyes of the DPDPA.

According to the bill, users under 18 will require a parent or guardian to consent to data collection. This could result in stricter age verification or limitation of marketing product features like loot boxes for those under 18 in non-gambling games, resulting in a potential drop in overall users.