Reshaping Gamification in Online Gaming: The Impact of the DPDP Act 2023

Digital Data Protection

Introduction

A person’s data is critical for identifying them, predicting their behavior, understanding their perspective, and exploiting their weaknesses to influence their actions according to the goals of the digital world. Data operators frequently analyze this information critically to better understand individual preferences, which helps in targeting advertisements, personalizing content, and providing tailored recommendations. Although this can improve the user’s experience by providing relevant content, any misuse or unauthorized handling of such data can lead to significant legal consequences, including hefty fines and penalties for the operators involved.

To prevent the unlawful and unauthorized use of personal data on digital platforms by companies, the Digital Personal Data Protection Act of 2023 has been introduced. This legislation was passed by the Lok Sabha on August 7, 2023, unanimously approved by the Rajya Sabha on August 9, 2023, and received Presidential assent on August 11, 2023.[1]

The main aim of this act is to establish a structured framework for the processing and protection of personal data. As stated in the act, it is intended to regulate “the processing of digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process such personal data for lawful purposes, along with connected or incidental matters.”[2]

India is also emerging as a significant player in the online gaming industry, encouraged by the growth of high-speed internet and increased use of smartphones. The gaming sector in India is valued at around INR 16,428 crore in 2023 and is expected to reach INR 33,243 crore by 2028.[3] This rapid growth is largely driven by the youth who are deeply engaged in the gaming ecosystem.

Role of Data in Gamification

With the growth of the gaming sector, the volume of user data is increasing, as gaming companies collect information from players to optimize gamification and understand their preferences. The data shared while registering for online games has become valuable for commercial purposes and is now more heavily regulated by legislators worldwide. The online gaming industry handles a variety of player data across different games and features. This includes personal details such as the player’s name, gender, age, and email address. In cases of in-game purchases, payment information is also stored.

The DPDP Act uses concepts such as “Data Principal” and “Data Fiduciary”, which are also seen in global privacy laws. However, the DPDP Act has its own unique features, and gaming companies need to comply with it even if they already comply with global standards like the GDPR.


The DPDP Act is designed to establish and enforce privacy obligations concerning personal data that is managed or processed digitally, with a major focus on data fiduciaries. The act defines a data fiduciary as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”[4] Online gaming entities that collect and process data obtained from players in India will be classified as “Data Fiduciaries” under the DPDP Act. The act is not restricted to data processed within the country; it also covers data fiduciaries that collect and process data abroad while providing significant goods and services to data principals in India.

The DPDP Act defines data fiduciaries broadly, covering a wide range of entities that collect and process user data. However, given the differing purposes of processing and business models of fiduciaries, the Act’s obligations may affect different types of gaming data fiduciaries differently. Different gaming fiduciaries, such as free-to-play games, real-money games, and Web3 games, must comply with the DPDP Act, and non-compliance may impact each category differently.[5]

Impact of the DPDP Act on Different Types of Games

  • Free-to-Play Games (F2P): F2P games allow users to access a lot of content without actually paying. They generate their revenue either through in-app purchases or through advertisements. Young children and teenagers are attracted to these games, and clear permission must be obtained from the parents or guardians of children before collecting any personal data from them. The DPDP Act is strict regarding the handling of children’s data.
  • Real-Money Games (RMGs): These games involve real money, bets, and wagers while playing. The DPDP Act has stringent rules regarding how companies must handle the personal financial data of users. RMGs are required to inform users how their data will be used and then obtain their consent; this is important to ensure the protection of users’ data.
  • Web3 Games: These games use blockchain technology, which allows users to stay anonymous; as a consequence, user identity is unknown. Also, information once recorded on a blockchain cannot be changed later. These features of blockchain make it difficult to comply with regulations like the DPDP Act, which are based on user identity and data privacy.

Challenges in Age Verification

One key challenge that gaming companies face is verifying the age of players. According to the DPDP Act, companies are required to verify the age of users, and if users are found to be under 18 years of age, consent must be obtained from their parents or guardians.

Currently in India, gaming companies do not have accurate age information about their users. They rely only on age-rating systems; however, since these systems are not legally enforced, children below the age of 18 also have access to games meant for those aged 18 and above. With the DPDP Act, companies are required to set up proper age verification systems. A multi-layered verification process is likely to discourage children below 18 years from signing up for games.

The data collected by the company during verification and while obtaining consent must be securely managed, and if users request it, the company must also delete the data.

Key Rights of Data Principals Under the DPDP Act

Chapter III of the DPDP Act sets out the rights of users regarding their personal data. These rights include the right to access information about personal data, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate. These rights make it obligatory for data fiduciaries to act in accordance with the requests made by users. Data fiduciaries must ensure that users can access and make changes to their personal data easily. They must create user-friendly systems that allow users to check what data is recorded. They must also create a process to ensure that users’ grievances and issues are handled efficiently.

Penalties for Non-Compliance and Mitigating the Risk

The DPDP Act imposes penalties on fiduciaries for non-compliance with its rules, which can be as high as ₹250 crores. These penalties put fiduciaries under pressure to follow the act.

To avoid facing such penalties, these companies must work within the limits set by the act, implement various measures for the protection of data, and provide transparency to users. This can build customer confidence as well as trust in their platforms.

Conclusion

The Digital Personal Data Protection Act (DPDP Act) is an important development in India’s online gaming industry. The Act makes use of data of the users to improve player experience. Under the provisions of this Act, gaming companies are required to allow users to access information about their personal data and to correct or delete their personal information, and the Act imposes strict penalties on companies that do not comply with its provisions. This Act will prove to be a milestone in the history of the gaming industry, one that would not only protect the rights of users but would also allow companies to improve and be creative.

Author: Sidhant Verma

[1] [The Viewpoint] Digital Personal Data Protection Act, 2023 – A Brief Analysis

[2] DPDP Act, 2023

[3] New frontier online gaming report

[4] Section 2 of the DPDP Act, 2023

[5] 6ee4f9_4be9e9b27b6c4a919baefb021d004d54.pdf