
India's major telecom operators have pushed back against the newly-notified Digital Personal Data Protection (DPDP) Rules 2025, arguing that critical issues flagged during consultations—including consent for minors, security standards and duplicative reporting requirements—have not been adequately resolved.
Industry body Cellular Operators Association of India (COAI), which represents Bharti Airtel, Reliance Jio, and Vodafone Idea, flagged multiple compliance hurdles, including challenges in verifiable consent for minors, handling of multilingual consent, breach-notification requirements, and alignment with sector-specific laws.
“COAI is in the process of compiling detailed inputs for MeitY (ministry of electronics and information technology) on the DPDP Rules,” S.P. Kochhar, director general of COAI, said in a statement.
Kochhar said obtaining verifiable consent for users under 18 poses practical challenges for operators, and runs counter to the digital autonomy promoted by several government initiatives.
COAI had suggested a practical exemption for minors aged 16–18 for SIM acquisition, which would allow this age group to be issued a SIM card without going through verifiable parental consent.
For users under 18, companies will need to seek “verifiable” parental consent before using their data. At the same time, certain types of data, such as those that enable general tracking of users for ads, will be completely barred to ensure children’s safety, as per the DPDP rules.
The Digital Personal Data Protection Act, 2023 lays out the rules for how organizations in India can collect, use, store, and process digital personal data. It aims to protect individuals’ privacy while enabling responsible data use by businesses and the government. The DPDP rules are meant to operationalize the law.
India’s long-awaited data-privacy regime formally kicked in on 14 November, more than two years after the DPDP Act 2023 was passed by Parliament. Companies will need to comply with the Act’s provisions within 12–18 months, including appointing consent managers and data-protection officers, putting in place systems for express user permission, and reporting data breaches within 72 hours.
“Given the multiplicity of incident-reporting obligations under the IT Act, CERT-In (Indian Computer Emergency Response Team) directions, DoT (department of telecommunications) guidelines and now the DPDP framework, harmonised timelines and aligned procedures are required to help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes,” Kochhar said.
The telecom operators said that CERT-In and the Data Protection Board, a body set up to oversee the implementation of the law and impose penalties for breaches, may consider adopting a unified breach-reporting timeline, with a single trigger and a harmonised reporting window applicable across all digital and telecom entities.
A standardised incident-notification format, accepted by all competent authorities, would ensure that regulators receive timely, consistent and useful information, without necessitating multiple parallel reports under differing timelines, COAI said.
The DPDP rules require companies to take reasonable security safeguards to prevent personal data breaches. They outline measures such as encrypting, obfuscating, masking or using virtual tokens mapped to personal data to ensure adequate protection.
The operators argued that the adequacy of "reasonable security safeguards" should be assessed in a layered, risk-based manner, rather than being confined solely to encryption and masking.
“From a sectoral standpoint, mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data. These measures provide a robust defense-in-depth architecture for protecting digital personal data processed over telecom networks,” Kochhar said.
In 12 months, that is, by 14 November 2026, companies need to appoint consent managers, the persons accountable for social media platforms seeking permission to use people’s personal data.
And within 18 months, companies have to implement a mechanism to seek express permission from users before using their data for business purposes, such as targeted advertisements.
On consent managers, the telecom operators said the current restrictions disallowing directors and key personnel from having any association with companies that have personal data may be overly stringent.
COAI had suggested replacing the blanket prohibition with safeguards against preferential treatment, such as declarations at the time of registration rather than mandating changes to corporate constitutions. The association proposed a single, interoperable consent‑management layer for the telecom sector through a common industry consent manager or interoperable arrangements.