Table of Contents
The Digital Personal Data Protection (DPDP) Act, which was passed in 2023 is soon to become applicable in India.
The implementation of the DPDP Act marks a new digital privacy governance era in India which will affect various industries and companies. The media and entertainment (M&E) sector, amongst others, must quickly adapt to the provisions of this act.
For the media and entertainment industry, which has diverse sub-sectors such as OTT platforms, digital content, films, VFX, gaming, television, and newspapers, the DPDP Act introduces stringent regulations that necessitate a thorough reassessment of data management practices which have been traditionally (or not) in place through many years.
Media and entertainment companies typically gather personal data from users to analyze their behaviour. The implications of the DPDP Act are particularly profound when it comes to OTT and digital streaming, where large volumes of user data are routinely collected and processed for content personalisation and targeted advertising. Television networks and newspapers, which traditionally operated with fewer data privacy concerns, will also need to adapt to the new standards wherever applicable.
Implementation of the DPDP Act will not only safeguard user’s information but also create transparency and accountability within the industry. It will drive growth and innovation in India’s vibrant media and entertainment landscape.
Let’s look at some points of consideration:
1. Privacy Notice:
Privacy notices inform end users about the collection, use, sharing, and retention of their personal data. They detail what information is being collected, how it will be used, the third parties it may be shared with, duration for which it will be retained and other relevant information as detailed by compliance standards. Privacy notices must be displayed across web apps and mobile applications. Given India’s linguistic diversity, these notices should be available in all 22 officially recognised languages to ensure user understanding.
2. Consent Requirement:
The media and entertainment sector must obtain user consent for various activities, including profiling, promotions, personalized advertising, newsletters, SMS, and email promotions. Explicit consent from individuals will be required before collecting and processing their personal data. Consent is also required for cookie collection for personalization, remarketing, and retargeting. Consent forms must be transparent in disclosure of information and be available in multiple languages to accommodate user’s language needs.
3. Data Security:
Media and entertainment firms will need to invest in advanced cybersecurity measures to safeguard user data, especially beacuse high volume of data is exchanged in digital streaming, online gaming, and social media platforms.
4. Data Subject Rights and Handling of Children’s Data:
Individuals have the right to access, correct, and delete their personal data. Users can also nominate others to handle their personal data. Media companies must establish efficient processes to handle these requests.
Children are significant users of media and entertainment content, especially in gaming. There must be provisions for parental consent, which must be verifiable. Companies must avoid tracking children’s behavior patterns and targeting them with advertisements, which is prohibited under the DPDP Act.
5. Data Minimization:
As opposed to traditional approach of collecting as much personal information possible, companies must now focus on data minimisation and collect only the data necessary with specific objectives. They will have to revise traditional data collection practices and collect minimal data. This will affect all the processes, from user registrations to content recommendations.
6. Cross-Border Data Transfers:
The Digital Personal Data Protection Act places restrictions on transferring personal data outside India. Media and entertainment companies with international operations or partnerships will need to ensure compliance, be mindful of data storage on local servers and using indigenous third party processing companies and solutions. Any data transfer outside India must only proceed with full compliance, consent and approvals in place.
7. Compliance of Data Dependent Technologies like VFX:
The Digital Personal Data Protection (DPDP) Act impacts technologies like VFX where, data involves highly sensitive personal information like facial scans and voice recordings. Explicit consent must be taken before use. Only necessary data must be collected wherever possible and anonymised wherever possible. Additionally, it also requires strong security measures, including encryption, secure access controls, and regular audits to protect against unauthorized access and breaches.
8. AI and Machine Learning Algorithms:
Many media and entertainment companies use AI and ML algorithms to analyze user behavior and personalize content recommendations. Users must have the option to opt-out of data processing by these algorithms specifically. Companies must disclose what personal data is collected and how it is used to train AI models.
9. Impact on Marketing and Advertising:
Targeted advertising and personalized content delivery, which rely heavily on user data, may be impacted. Companies will need to find innovative ways to continue delivering personalized experiences while respecting user privacy.
10. Awareness and Training:
To ensure that all employees and stakeholders are aware of the new rules and regulations, regular trainings and awareness campaigns must be done. Continuous monitoring of the progress must also be done.
