DPDP rules to dent gaming advertising revenues, significantly raise compliance burden

Stakeholders say that restrictions on how children’s data can be processed may also alter advertising models and in-game monetisation strategies, making it critical for the industry and government to collaborate to strike the right balance.

By Imran Fazal | Nov 15, 2025 8:58 AM

India’s Digital Personal Data Protection (DPDP) Rules, 2025 have prompted sharp reactions from the online video gaming industry, with stakeholders warning that stringent obligations around data retention, age-verification and parental consent may significantly raise compliance costs and reshape product design across the sector.

Under the Third Schedule, large online gaming intermediaries — those with over 50 lakh registered users — have been permitted to retain most categories of personal data for up to three years from a user’s last interaction. The retention period resets each time a user logs in or reaches out to the platform. Only two activities are exempt: enabling access to a user’s account and allowing access to stored virtual tokens. If the user does not return, the three-year period will be calculated from the date the Rules come into force.

Rule 8 further mandates that platforms erase user data once a player stops engaging for the specific purpose and does not exercise any rights, unless the retention is required by law or falls within the three-year window. Before wiping the data, platforms must issue a 48-hour notice, effectively giving users a final opportunity to log in and extend the retention period.

Separately, all data fiduciaries — irrespective of size — must retain personal data, traffic logs and processing records for at least one year from the date of any processing activity. For the gaming sector, this creates a two-layered regime: a one-year baseline applicable to all entities and a three-year inactivity-based retention window for the largest intermediaries.

‘A new paradigm for personal data compliance’

The All India Game Developers Federation (AIGDF) said the DPDP Rules introduce welcome privacy protections but acknowledged that the operational shifts will be significant for a sector largely dominated by MSMEs.

A federation spokesperson said, “The notified DPDP Rules introduce many important and necessary safeguards for user privacy. For India’s gaming companies, they also represent a new paradigm for personal data compliance. This nascent sector, largely comprised of mobile-based online games, will need to adopt new compliance frameworks in the 18-month implementation window provided by the Central Government.”

A key concern is the sweeping requirement for age-verification and parental-consent flows before any user data can be processed.

“Most critically, robust age-verification and verifiable parental consent systems will need to be created at the registration step for all games, prior to any processing of user data,” the spokesperson added. “Limitations on the processing of the data of children may change both advertising practices and in-game monetization models.”

The federation also flagged the industry’s fragmented structure: “A large number of MSMEs are present within this industry. These entities possess limited capacity to implement effective, streamlined, and cost-effective systems for age-verification and consent.”

Child-data obligations to trigger product redesigns

Legal experts warned that DPDP’s provisions governing minors’ data impose deep, structural changes.

Akshayy S. Nanda, Partner at Saraf and Partners, said, “The DPDPA creates significant operational challenges for gaming companies, particularly those with substantial child player bases, because the law imposes enhanced protections for children’s personal data that fundamentally change how games can collect, use, and retain information from young players.”

He noted that games must overhaul onboarding flows. “Instead of allowing children to create accounts directly with a simple ‘I agree to terms’ checkbox, games must first verify whether the player is a child, then obtain explicit consent from a parent or guardian before the game collects any data.”

Nanda said the parental-consent requirement introduces extensive operational complexity. “Games must implement age verification at signup, establish secure channels for communicating with parents or guardians, verify that the person providing consent is actually a parent or guardian with authority over the child, and maintain documented proof that valid consent was obtained.”

He added that once consent is secured, usage of children’s data will be severely limited. “Games cannot use sophisticated behavioral profiling of children to drive in-game spending, cannot send personalized purchase recommendations, cannot use location targeting, and cannot employ psychological manipulation tactics common in adult-focused games.”

Technology and gaming lawyer Jay Sayta pointed out that large gaming intermediaries must also comply with strict deletion norms.

“Online gaming intermediaries having 50 lakh or more registered users in India need to delete personal data of users who have been inactive for three years,” he said. He added that the sector awaits clarity on which platforms will be classified as Significant Data Fiduciaries (SDFs), a designation that carries additional audit and reporting obligations. “If some categories of online gaming platforms are classified as SDFs, they will have a higher compliance burden including audit, assessment and reporting requirements.”

Sayta also flagged compliance challenges specifically for platforms hosting minors. “Online gaming companies allowing minors will have to seek consent of their guardians before processing their data, leading to disruptions and significant technological additions to the product.”

Although the operative provisions take effect only in May 2027, Sayta said companies will have to begin internal restructuring well in advance. “Gaming companies will have to incur significant efforts including changing the product flow, notifications, data collection procedure, consent mechanism etc., which will increase the compliance burden and costs.”

With multi-layered retention norms, mandatory age-gating, redesigned registration flows, restrictions on children’s monetisation pathways and possible SDF-level audits, the DPDP Rules represent the most far-reaching regulatory shift for India’s online gaming industry.

The next 18 months are likely to be critical as companies, industry associations and legal experts work with policymakers to align user-privacy obligations with the commercial realities of a fast-growing but compliance-constrained sector.

First Published on Nov 15, 2025 8:58 AM
