- Failure to comply with the law could result in substantial penalties, reaching as high as Rs250cr.
- Nuances of compliance differ significantly across various gaming formats.
As India’s online gaming industry anticipates the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, discussions around essential clarifications and exemptions for the gaming sector are becoming increasingly pertinent.
With the online gaming industry projected to have reached a market size of Rs16,428 crore in 2023 and employing over 100,000 individuals, the impending regulation heralds a significant shift in how this rapidly growing sector will handle personal data.
The role of the All-India Game Developers’ Forum (AIGDF) in conjunction with the Indian Governance and Policy Project (IGAP) has shed light on critical compliance requirements tailored to different gaming categories—namely, ‘Free-to-Play’, ‘Real-Money’, and ‘Web3’ gaming.
AIGDF spokesperson Roland Landers described the DPDP Act as landmark legislation for India, with implications that resonate throughout the gaming ecosystem. Failure to comply with its provisions could result in substantial penalties, reaching as high as Rs250 crore (approximately $30 million).
The impending risk places immense pressure on Indian gaming companies, particularly micro, small, and medium enterprises (MSMEs), to adapt swiftly and efficiently to the new data protection landscape.
The nuances of compliance differ significantly across various gaming formats, particularly for ‘Free-to-Play’ games, which often attract younger audiences.
For such games, the DPDP Act necessitates stringent parental consent protocols, alongside data processing restrictions that focus on protecting minors. This framework may disrupt traditional business models by introducing prohibitions on behavioral monitoring and targeted advertising directed at children, thereby requiring developers to reassess their monetisation strategies.
In contrast, ‘Real-Money Games’ may experience varying degrees of operational impact. While the core gameplay may remain unaffected, the implications for Know Your Customer (KYC) processes, which are essential for legal compliance, may be substantial due to new notice and consent requirements stipulated by the DPDP Act.
Further complicating matters, the interaction of the DPDP Act with the evolving landscape of Web3 gaming—characterised by digital avatars, blockchain technology, and pseudonymous identities—presents a complex regulatory challenge.
The report highlights the need for clarifications from authorities regarding how these unique characteristics will coexist with data protection obligations.
As the DPDP Act is set to implement a “digital by design” framework, the gaming industry finds itself at a critical juncture. The way forward necessitates proactive engagement with regulatory bodies to address ambiguities and ensure compliance while fostering innovation.
The collaborative efforts of industry stakeholders will be vital in shaping a balanced approach that prioritizes user privacy without stifling the growth of this vibrant sector.
