Authored By: Nikitha K
SRM University
ABSTRACT
The rapid growth of Over-the-Top (OTT) platforms in India, together with the ever-increasing number of internet users, has changed the media and entertainment industry. These streaming services deliver content directly to consumers over the internet and depend heavily on personal information to personalise the user experience and target advertising. This dependence has raised substantial privacy concerns, which have led the Indian government to introduce strict data protection legislation in the form of the [1]Digital Personal Data Protection Act, 2023 (DPDP Act). This research paper explores how data privacy laws affect OTT services in India, including the required compliance, the challenges the platforms face, and the effect on their consumers and on India's wider digital economy. Through a comparative analysis with global regulatory frameworks such as the GDPR, the paper provides insight into how these rules influence the strategies, business models and viability of OTT platforms in the Indian digital market. The paper also identifies regulatory gaps and enforcement issues, and offers solutions for balancing innovation and privacy compliance.
INTRODUCTION
The internet industry in India has been transformed in recent years by widespread internet access, affordable smartphones and the emergence of Over-the-Top (OTT) platforms. India ranks as one of the largest internet economies in the world, with more than 900 million internet users expected by 2025. Streaming services such as Netflix, Amazon Prime Video and Disney+ Hotstar, along with homegrown services such as Zee5 and JioCinema, have become part of how millions of people consume entertainment outside the cinema. These platforms use user data to provide personalized content, improve their user interfaces and deliver targeted advertising, which is a major part of their revenue model. However, the sheer scale of data collection, processing and retention by OTT platforms has raised privacy concerns, particularly in light of high-profile incidents including the Aadhaar leak and the Pegasus spyware scandal. Until recently, the lack of a comprehensive data protection framework left consumers vulnerable and made regulation necessary. A landmark Supreme Court decision of 2017, [2]Justice K.S. Puttaswamy (Retd.) vs. Union of India, recognised privacy as a fundamental right under Article 21 of the Indian Constitution; this was the prelude to the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act). The objective of this paper is to examine how data privacy laws, and the DPDP Act in particular, affect OTT platforms in India. It examines the impact of these regulations on the cost of compliance, operational approach, consumer confidence and competition. The study also focuses on the particular issues OTT platforms face in a multilingual, multicultural and fast-digitizing market like India.
RESEARCH METHODOLOGY
To study in detail the effects of data privacy laws, specifically the Digital Personal Data Protection Act, 2023 (DPDP Act), on Over-the-Top (OTT) platforms in India, this study uses an exploratory research design with a dual positivistic-interpretive paradigm. This approach allows the legal frameworks and compliance requirements to be analysed objectively while also taking into account the subjective experiences of the stakeholders, namely the OTT platforms and consumers. The methodology combines qualitative and quantitative research to give a rounded picture of the regulatory, operational and social implications.
BACKGROUND: DATA PRIVACY LAWS IN INDIA
[3]The Information Technology Act, 2000 (IT Act), along with the [4]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), served as the primary framework for data protection. These regulations mandated reasonable security measures for sensitive personal data, such as financial and health information, but were limited in scope and enforcement.
The Justice K Puttaswamy judgment in 2017 marked a turning point by affirming privacy as a fundamental right, prompting the formation of the Justice B.N. Srikrishna Committee to draft a comprehensive data protection framework. After multiple iterations, the Digital Personal Data Protection Bill was introduced in 2022 and enacted as the DPDP Act in August 2023. The DPDP Act regulates the collection, processing, storage, and transfer of digital personal data and introduces stringent compliance requirements for data fiduciaries, including OTT platforms.
AN OVERVIEW: OTT PLATFORMS IN INDIA
According to a report by the consulting firm Future Nation, India's OTT market is estimated to grow to 7 billion USD by 2027, driven by rising smartphone penetration, low-cost data packages and the variety of content available. The market has large players such as Netflix, Amazon Prime Video and Disney+ Hotstar, as well as regional players that cater to India's linguistic diversity. OTT services use data-driven algorithms to serve recommendations, advertisements matched to individual usage, and tailored experiences, which makes personal data a central pillar of their functioning.
OTT Paradigm Data Practices
OTT platforms gather large amounts of data such as demographics, viewing habits, search records and device data.
- Targeted Advertising: Platforms such as Disney+ Hotstar, which have ad-supported subscription offerings, can send targeted ads to consumers.
- User Analytics: The data enables platforms to understand how audiences behave, how to get the most out of their content libraries, and what decisions to make about content production.
IMPORTANT PROVISIONS OF DPDP ACT
The DPDP Act covers all personal data in digital form and has extraterritorial scope, so it may cover entities based outside India that process personal data generated by Indian residents. Some of its provisions are:
- Consent-Based Processing: Before processing personal data, data fiduciaries have to obtain explicit, informed consent from data principals (users). The consent should be unequivocal and retractable, and it should be accompanied by a notice stating the purpose of the data collection.
- Data Breach Notification: In case of a privacy breach, data fiduciaries shall report to the Data Protection Board of India (DPB) within 72 hours of becoming aware of the breach and notify the user of the nature of the breach and the mitigation measures.
- Data Minimization and Retention: The collection of personal data should be limited to a defined purpose, and the data should be deleted when it is no longer required or when consent is withdrawn. Some platforms, such as OTT services, have a three-year limit on the retention of particular types of data.
- Significant Data Fiduciaries (SDFs): OTT platforms that process a significant amount of data can be designated as SDFs, which carry extra obligations, e.g., the appointment of a Data Protection Officer (DPO) and the conduct of Data Protection Impact Assessments (DPIAs).
- Export of Data: The DPDP Act does not prohibit data export outside India and expressly permits transfers, but the government may place restrictions on data transfers to some jurisdictions.
- Penalties: Failure to comply can lead to fines between INR 500 million ( 5.7 million) and INR 2.5 billion ( 28 million).
OTT PLATFORMS IN INDIA
The OTT market in India is expected to hit the $7 billion mark by 2027, driven by the spread of smartphones, low-cost data plans and the proliferation of different types of content services. Netflix, Amazon Prime Video and Disney+ Hotstar dominate the market, alongside local companies that cater to India's linguistic diversity. OTT platforms rely heavily on data-driven algorithms to recommend content to consumers, personalise advertisements and optimise their services, which makes personal data the foundation on which they operate.
DATA PRACTICES OF OTT PLATFORMS
OTT platforms receive huge volumes of data, including demographic data, viewing preferences, search activity and even device information. The information is used for:
- Personalised Content: Suggesting content that is aligned with viewing trends, which makes users more engaged.
- Targeted Ads: Services such as Disney+ Hotstar run ad-based subscriptions in which user data is used to push targeted ads.
- User Analytics: Data also helps platforms understand audience behaviour, get the most out of their content libraries and make decisions about content production.
INFLUENCE OF DATA PRIVACY LEGISLATIONS ON OTT ACCOUNTS
Costs to meet Compliance Requirements
The DPDP Act has sharply raised compliance costs for OTT platforms, especially the SDFs. Important requirements are:
- Consent Management: Platforms should have easy-to-use consent tools, including opt-ins, and should give users an adequate option to withdraw consent. This involves redesigning current data collection procedures and investing in consent management systems.
- Data Protection Impact Assessments (DPIAs): SDFs will be required to carry out a DPIA prior to processing high-risk data, which in practice leads to greater operational costs and complexity.
- Data Security: Platforms have to meet the seven requirements prescribed in the draft DPDP Rules, such as data encryption and control of access to the data, which demands substantial investment in cybersecurity infrastructure.
- Data Breach Notifications: The 72-hour notice period requires well-designed incident response systems, which add to overheads. These obligations may be expensive, especially for smaller OTT platforms that do not have much to spare.
- Data Minimization: Limiting the data collected to the minimum required might lower the resolution of user analysis, which can affect content suggestion algorithms and expected advertising revenue.
- Cross Border Data Transfers: Many OTT platforms process data through global data centres. Restrictions on cross-border transfers may tie data to a particular geography and require additional infrastructure.
- Legacy Data Compliance: Platforms will have to send notices to their existing users about their rights under the DPDP Act, which will require major legwork in mapping and handling legacy data.
FUTURE TRENDS AND CONSIDERATION
High-level Integration with AI and East Technologies
The DPDPA bears heavily on AI-powered personalization, which is of utmost concern to OTT platforms. Since AI models are trained on user data, platforms are obliged to abide by the data minimization and consent principles. The lack of specific AI regulation in India, in contrast to the EU AI Act, gives flexibility and at the same time creates uncertainty. To keep up with global trends, platforms ought to actively embrace ethical AI practices.
Convergence and Divergence of the World
The DPDPA follows GDPR-like principles but differs in its enforcement and scope. OTT platforms that operate in a global market have to deal with these differences by adopting a harmonized approach to compliance to reduce the number of conflicts.
Changing consumer expectations
As consumers become increasingly aware of their privacy rights, OTT platforms should focus on user empowerment and transparency as key mechanisms for retaining users. Platforms that actively go beyond the requirements of the DPDPA may gain a competitive advantage.
RECOMMENDATIONS
- Adopt privacy-enhancing technologies (PETs) such as differential privacy and homomorphic encryption, to allow further processing of data without violating the privacy of the user.
- Implement simple and practical consent management platforms (CMPs) that use clear and concise language to obtain consent and that support India's multilingual population.
- Maintain high-level security protocols, including end-to-end encryption and real-time breach detection mechanisms.
- Appoint DPOs at SDFs and train them fully in DPDPA compliance.
- Conduct DPIAs to discover and mitigate privacy risks, especially at SDFs.
- Build local data centres or work with cloud companies whose servers are based in India.
- Start awareness programs that use interesting, catchy content to make users aware of their rights under the DPDPA.
CASE STUDIES
Netflix:
Striking a Balance between Personalization and Compliance
Netflix depends on user data for its recommendation engine. Data minimization and other consent requirements may restrict the volume of data that can be used for personalization, which can affect user satisfaction levels. CMPs need to be deployed in countries around the world, ones that can adhere to GDPR and CCPA and be adjusted to the DPDPA. The platform will, however, need to invest in local solutions suited to India's needs, such as support for privacy notices in regional languages.
Disney+ Hotstar:
Processing (Large) Data
As one of the largest OTT services in India, Disney+ Hotstar will probably be identified as an SDF and will therefore need a DPO and DPIAs. The platform's wide coverage and the variety of resources, information and services it provides militate against weak data security strategies. Disney+ Hotstar has the advantage of a worldwide infrastructure that can help it accommodate compliance, but it needs to navigate the regulatory environment that is peculiar to India, such as possible localization of data.
Regional Platforms:
Resource Constraints
Smaller streaming sites such as Hoichoi face high compliance expenses, such as the employment of DPOs and the enhancement of cybersecurity. Such platforms may not be able to match the global giants, and they may face market consolidation or need to collaborate to share in-house compliance facilities.
CONCLUSION
The Digital Personal Data Protection Act, 2023 marks a turning point for data privacy in India, and its implications are of great importance to OTT platforms. Although the DPDPA increases consumer confidence and brings India level with the rest of the world, it presents operational, financial and strategic problems for OTT providers. The cost of compliance is high in terms of investment and changes in technology, people and processes, especially for smaller platforms. Nevertheless, an active embrace of privacy-enhancing technologies, resilient consent management and user education can turn compliance into a competitive benefit. By following the suggested measures, such as PETs and CMPs, local storage of data and industry cooperation, OTT platforms can meet the requirements of the DPDPA while promoting innovation and trust. As India becomes a digital economy, the regulatory compliance and sustained business of OTT platforms will depend on a balance between regulation and user-centric innovation.
REFERENCE(S):
https://emildai.eu/dpdpa-2023-vs-gdpr-a-comparative-analysis-of-indias-eus-data-privacy-laws/
https://iapp.org/resources/article/operational-impacts-of-indias-dpdpa-part6/
https://blog.ipleaders.in/data-protection-laws-in-india-2/
[1] Digital Personal Data Protection Act, 2023 (DPDP Act)
[2] Justice K.S. Puttaswamy (Retd.) vs. Union of India, (2017) 10 SCC 1
[3] The Information Technology Act, 2000
[4] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)