With the intent to grant greater control over personal data and maintain a balance between the protection of privacy and data-driven innovations, India enacted the Digital Personal Data Protection Act 2023 (DPDPA) in August 2023. The government is also likely to notify rules prescribing specific compliances under the DPDPA over the next few months. With this background, here are five key steps that over the top (OTT) and content streaming platforms should proactively consider to ensure compliance with the DPDPA.
1. Review Existing Personal Data
The DPDPA requires a data fiduciary, which means an entity collecting and processing personal data, to obtain express consent from data principals, i.e. the individuals to whom personal data relates. In cases where personal data has been collected prior to the enactment of the DPDPA, the data fiduciary is required to give notice to the relevant data principal informing them of the personal data collected, the purpose of collection, the rights of the data principal and the manner of making a complaint to the data protection board.
The form of notice is yet to be prescribed as part of the Rules. But for now, OTT platforms should consider reviewing and classifying their users’ personal data such as name, email address, billing address, financial information etc. This will help maintain preparedness for swift compliance with the notice requirements once the Rules are notified.
2. Set Up Systems to Verify Consent by Guardians for Minor Users
OTT platforms that provide content or services to children may have collected or may collect personal data of users who are minors. The DPDPA requires such platforms to ensure that verifiable consent by the guardians is obtained when collecting personal data.
The DPDPA does not stipulate specific measures to verify legitimate consent. Efficient age verification solutions in the industry are still at a development stage. Regardless, OTT platforms will be required to set up appropriate systems to ensure verifiable consent is obtained from the guardian of a minor user. OTT platforms may consider mandating the guardian to fill in a consent form to be returned via email, facsimile or electronic scan; or verify the guardian's consent over a call or a video conference with trained personnel appointed by the OTT platform; or require guardians to provide government-issued identification.
3. Define Purpose for Collection and Processing of Personal Data
Under the DPDPA, every request for consent to the collection and processing of personal data is required to be accompanied by a notice setting out, among other things, the purpose for which the personal data will be processed. The form of notice is likely to be stipulated in the Rules. In the meantime, OTT platforms can work on delineating the purpose to be outlined in the notice and ensure that it is broad enough to cover the primary services being provided to the user as well as ancillary features. The latter enhance user experience and may include new content recommendations based on a user's watch history, new services and features that a platform may seek to provide to its users in future, and marketing and promotions.
4. Agreements with Third Party Data Processors
Data fiduciaries are responsible for the acts and omissions of data processors, which are entities that process data on behalf of the data fiduciary (including large IT companies), and are required to ensure compliance with the DPDPA. Where an OTT platform engages an external party for data analysis, such a third party would be categorised as a data processor. However, the OTT platform will continue to be responsible for the acts and omissions of the third party. OTT platforms should ensure that they enter into robust agreements with data processors, with back-to-back representations, warranties and indemnities, to ensure that data processors store and process personal data in accordance with law. If OTT platforms do not have robust agreements in place with existing data processors, these should be executed on priority.
5. Implement Robust Systems
OTT platforms should consider setting up appropriate systems and teams to manage data protection requirements, including redressal of grievances, requests for withdrawal of consent, and correction, updating or erasure of personal data. Instituting a dedicated team for this will ensure that the OTT platform is able to comply with user requests, as well as any directions by the government and the data protection board, in a timely manner.