Online gaming firms and developers have sought exemptions from age-gating norms for processing children’s data under the Digital Personal Data Protection (DPDP) Act. The ministry of electronics and IT is currently finalising rules to operationalise the Act.
The firms have sought exemption on the grounds that the compliance burden of taking parental consent, not tracking or behavioural monitoring of children, and targeted advertising under the Act will affect the business models of free-to-play (F2P) gaming companies.
The DPDP Act, which was passed last year, makes it mandatory for platforms to get parental consent before using data of children below 18 years of age.
“To alleviate concerns for F2P offerings, the government should ensure that there is adequate flexibility for a seamless integration of parental consent mechanisms without over-prescriptions (obtaining, storing, and revoking consent),” a report containing set of recommendations by the All India Game Developers’ Forum (AIGDF) and the Indian Governance and Policy Project (IGAP) said.
AIGDF represents gaming developers and companies such as Nazara, Mayhem Studios, and Garena, among others. The companies are soon expected to share the recommendations with MeitY.
Free-to-play games are offered for free after getting downloaded. The revenue model of companies/small developers offering such games depends on in-game purchases that include upgrades, features that enhance the gaming experience, as well as targeted advertising.
For example, such companies collect data from users during gameplay, which can be used to serve targeted advertising to them based on their behaviours, preferences, in-game choices, and location.
“In typical circumstances, F2P gaming data fiduciaries may not be precisely aware of the specific age, or age bracket, of their users,” the developers’ forum said. The developers also expressed concerns over know-your-customer (KYC) processes, which the government was thinking for companies to establish parent-children relation and get verifiable parental consent before processing children data.
Besides, the game developers said tracking or behavioural monitoring is a crucial aspect for the gaming sector which maintains user profiles or accounts, actively tracking their progress through a game for a range of purposes. Such tracking may be necessary in the case of minors for operating basic in-game features such as matchmaking, or for tackling cheating.
According to them, a restriction on behavioural tracking in the DPDP Act also carries the potential to interfere with various technical tools (including artificial intelligence driven tools) that may be deployed to monitor risks to children within gaming environments and detect toxic behavior, cyber-bullying or predatory activity.
“Subject to such conditions that adequately ensure the wellbeing of minors in relation to the processing of their data, the government may consider granting relevant exemptions to F2P data fiduciaries, as a class, from the applicability of behavioural tracking or targeted advertising obligations for minors under the DPDP Act,” AIGDF and IGAP said in the report.
Among other things, the gaming companies and developers have sought clarifications on the kind of personal data that is likely to cause any detrimental effect on the well-being of a child.
The DPDP rules should specify reasonable transition timelines for complying with restrictions on processing of digital personal data in specific countries that are notified under Section 16 of the DPDP Act, according to the developers.
Further, the companies have also raised concerns regarding compliance of DPDP Act by Web3 gaming data fiduciaries that deploy blockchain-based technologies.
As per the DPDP Act, the firms concerned will need to collect data afresh from users and spell out clearly its purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected, according to the provisions of the Act. The government will also notify a Data Protection Board that will levy the penalty of up to Rs 250 crore on the company in case of any incidents of data breaches and non-compliance of provisions of the Act.