DPDP Act set to make India’s gaming safer and more transparent

New Delhi: India’s Digital Personal Data Protection (DPDP) Act is set to reshape the country’s video gaming sector, one of its fastest-growing digital industries. With the number of gamers in India exceeding 500 million, the Act introduces stricter obligations for data fiduciaries, enhanced safeguards for users, and a focus on transparency, consent, and trust across mobile, PC, and console gaming.

The legislation requires gaming companies to provide clear, granular consent journeys so players can understand what data is collected and how it is used. It also sets higher compliance expectations for major platforms, particularly in areas such as analytics, personalisation, community systems, and in-game social features. 

Studios will need to revisit long-standing data practices, including the handling of children’s data, limits on short-term storage, enhanced security, and mandatory breach notifications to the Data Protection Board of India and affected users.

Nitish Mittersain, Joint MD and CEO, Nazara Technologies, said, “The DPDP Act is a defining moment for India’s gaming industry. As an ecosystem, we have moved from growth at all costs to growth built on trust, safety and accountability. When players and parents know their data is being handled responsibly, they stay longer, spend more and become advocates for the medium. At Nazara, our approach is simple, adherence and compliance. The Act gives the industry a common language and a clear baseline to build that discipline.”

Vinayak Godse, CEO, Data Security Council of India (DSCI), added, “The DPDP Act and the notified rules strengthen the foundation of India’s digital economy by aligning user rights, business growth and responsible innovation and offer essential operational clarity for organisations implementing the DPDP Act, including those in highly data-driven sectors such as gaming. The Rules reinforce transparency and security obligations, streamline breach-reporting procedures, and provide practical guidance on processing children’s data which is again a critical area for gaming platforms."

He added, "By introducing structured responsibilities for Significant Data Fiduciaries and a risk-sensitive compliance framework, the Rules set clear expectations that will help gaming companies transition from broad data practices to purpose-driven, accountable processing. DSCI believes these provisions will strengthen user trust, elevate safety standards, and support innovation across India’s rapidly expanding gaming ecosystem.”

Anurag Choudhary, Founder and CEO, Felicity Games, said, “The DPDP Act is forcing every studio – big or small – to ask hard questions about how they use player data. That can feel daunting at first, but it is ultimately healthy. For us, the priority is to build ‘privacy by design’ into our game lifecycle. That means clear, meaningful consent flows, transparent dashboards for players, and special care for minors who interact with our titles. If we get those basics right, we are not just compliant – we are building deeper, more durable relationships with our players.”

Kashyap Reddy, CEO and Co-founder, Hitwicket, added, “Indian gamers are passionate, vocal and incredibly savvy about the experiences they choose. For us, cricket is built on fairness and respect – and we believe the same ethos should apply to how we treat data. Every match we host is backed by analytics, but behind every data point is a fan. 

As Indian gaming increasingly reaches a global audience, strong privacy practices and responsible data directly influence player trust. The act will make gaming more transparent and safer for kids. This means parents will have better comfort level with their children playing games. Parents will ensure they grant their approval only to higher quality games or brands.”

The Act, which received Presidential assent on August 11, 2023, lays out obligations for Data Fiduciaries, the rights and duties of Data Principals, special provisions such as children-focused protections, the role of the Data Protection Board of India, and a clear framework for penalties and dispute resolution. 

Companies must map data flows, implement robust consent management and age-gating, and strengthen internal governance across product, engineering, marketing, and customer support functions. For mid-sized and emerging studios, the legislation also provides an opportunity to differentiate on trust from the outset.

Sridhar Muppidi, President, Game Developer Association of India (GDAI), said, “We welcome the new Data Protection Act, which is comprehensive and will help protect gamers’ privacy. We don’t expect the DPDP Act to have any major impact on Indian game developers, as most already follow GDPR-level standards. That said, we encourage the government to run awareness campaigns to educate smaller developers, since any breach could lead to heavy penalties.”