Data privacy law upends OTT operations, forcing audits and new safeguards
The implementation of the Digital Personal Data Protection Act, 2023, mandates significant compliance efforts from OTT platforms, particularly in data management and privacy. This may disrupt existing revenue models and impose heavier burdens on smaller platforms compared to larger ones.
Video-streaming platforms have begun putting in place legal teams in order to comply with the personal data-privacy regime that formally kicked in last week.
More than two years after the Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by parliament, the ministry of electronics & information technology (MeitY) has notified the rules and established a four-member data-protection board, bringing the law into effect. The board will oversee compliance, hear grievances, and impose penalties when the provisions of the law are breached.
Industry experts say OTT platforms that are likely to be classified as significant data fiduciaries under the law - entities that will likely process large volumes of customer data - will have to cover extensive compliance ground, such as conducting data protection impact assessments, appointing a data protection officer, carrying out audits and so on. Platforms aimed at children or offering interactive gaming will face stricter rules on consent, age-gating, data retention, and handling children's personal data. Smaller platforms with limited reach and simpler data flows may see a lighter compliance burden. Monetization—especially advertising—could take a significant hit.
Industry awaits clarity
“We are in the process of structuring legal teams and will have more clarity over the next week or two. There will be a cost burden, but other markets have shown these processes are doable,” a senior official at a streaming platform said on the condition of anonymity. This official added that OTT companies had been in conversation with the government over the rules, and the 18-month timeline should help them make the transition to the new data privacy regime smoothly.
Queries sent to services like Netflix and JioHotstar remained unanswered. However, an Amazon India spokesperson said, “We are assessing the DPDP rules.”
The Digital Personal Data Protection Act, 2023 lays out the rules for how organizations in India can collect, use, store, and process digital personal data. It aims to protect individuals’ privacy while enabling responsible data use by businesses and the government.
Indian OTT platforms are now gearing up to comply with the DPDP Rules, 2025, said Rajat Agrawal, chief operating officer and director of Ultra Media & Entertainment Group. While some platforms may have already had measures in place, this new regulation indeed serves as a wake-up call to ensure robust data protection and compliance. This could increase compliance costs, with estimates suggesting a 10-15% rise in technology budgets. Legal and process-governance spends will also increase, with some startups allocating 15-20% of their legal budgets to DPDPA-readiness, Agrawal added.
Many OTT platforms had some of the building blocks of compliance already in place, but for most, the law represents a “wake-up call”, because the obligations are more prescriptive and enforceable than what existed, according to Cyril Abrol, partner, Remfry & Sagar.
“Now that the rules have been formally notified, the clock is ticking: the regulator has set out clear obligations and timelines, penalties are substantial and enforcement capability is beginning to take shape, and monetisation models - especially those relying on targeted advertising and profiling - could feel the impact sooner than expected. With a limited transition window of roughly 12–18 months for many of the requirements, platforms need to accelerate their planning and implementation efforts,” Abrol added.
Penalties under the DPDP Act can go up to ₹250 crore for failing to ensure adequate security safeguards, and up to ₹200 crore for not notifying the data protection board or the individual for a data breach.
Compliance deep-dive begins
Many platforms are now accelerating internal audits, renegotiating vendor contracts, and re-evaluating data-sharing arrangements with ad-tech partners, according to Ashima Obhan, senior partner, Obhan & Associates. The push is towards building demonstrable compliance – not just paper compliance – particularly where minors’ data, cross-border transfers, and algorithmic profiling are involved.
Industry experts emphasize that the impact of the data privacy rules is likely to be far-reaching for OTTs, especially in the Indian context where OTTs depend on advertising revenue more than subscription. Anupam Shukla, partner, Pioneer Legal, said that monetization will be impacted because of restrictions on the use of personal data, particularly the prohibition of targeted advertising and tracking of children’s data. This may disrupt revenue models heavily reliant on behavioural advertising and personalized content recommendations, forcing a shift towards subscription-based or contextual advertising models.
“Data becomes a central element of focus. That being said, the impact may vary across the ecosystem - as there are certain OTTs that had already commenced their privacy journey basis global parallels and good practices in addition to the requirement under the IT Rules for ‘sensitive personal data or information’, breach reporting etc, while others had restricted compliance specifically to those mandated under existing law. However, given the comprehensive nature of the newly enacted law, all OTTs must look at their systems and processes afresh, regardless of their stage of compliance,” said Mihir Rale, partner and co-head, digital, TMT, Cyril Amarchand Mangaldas.
Smaller OTTs brace for change
The rules would have significant implications for OTT platforms in terms of compliance management and running their operations, said Vikas Bansal, partner, IT risk advisory and assurance, BDO India.
“The key factors impacting the overall operational model will be child consent, notice and consent while logging in, which includes guest login. There is definitely a cost shift to these platforms to introduce either an external data privacy platform or building an in-house platform specially to manage consent and notice. These platforms are required to be used by a Consent Manager which subsequently may require reporting to the data privacy board of India,” Bansal added.
OTT platforms typically process sizeable volumes of personal data, agreed Kalindhi Bhatia, partner at BTG Advaya. They will need to revisit and fine-tune their existing data practices to align with the new law, for instance on privacy notice details, data subject rights, engaging data processors, and so on. “Bigger OTT players, especially those with global footprints, may already have mature privacy processes in place, which should reduce the additional burden. However, certain OTT players, such as those offering child-focused content will attract additional compliances, for instance, mechanisms for obtaining verifiable parental consent, age-gating and enhanced safeguards for handling children’s data. Similarly, the platforms that enable or provide gaming will be subject to data retention limitations,” Bhatia added.
The pressure will be felt most by smaller platforms, because the fixed cost of compliance can weigh heavily on leaner business models, especially those dependent on targeted advertising, according to Ketan Mukhija, senior partner, Burgeon Law. Overall, the rules push the OTT ecosystem toward higher accountability, technical maturity, and far more disciplined data stewardship.
“Domestic OTTs will likely face a steeper adjustment curve. What previously functioned as a voluntary reputational safeguard has become a legally enforceable liability, with penalties capable of directly impacting monetization models. Larger platforms may absorb these costs and even position compliance as a competitive differentiator, while smaller players risk margin pressure,” said Hardeep Sachdeva, senior partner, AZB & Partners.
