• Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2025.

    Official PDF

    Get a DPDPA Compliance Plan


Research Team (Tsaaro)

From TRPs to Trust: DPDP and the Future of Media & Entertainment

Introduction 

The media and entertainment industry in India has become one of the largest processors of personal data. Streaming platforms, OTT services, digital news portals, social media intermediaries, gaming companies, and advertising ecosystems collect and use millions of data points every day. The Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 govern how such data is collected, processed, shared, stored and erased. The objective of the new framework is to ensure that personal data is processed fairly, lawfully and in a manner that respects the rights of individuals. For media organisations, this means they must change how they handle data, including how they take consent, how long they keep data, how they report data breaches, and how users can raise complaints.

Fundamental Change in Consent and Notice Practices 

The most immediate compliance change for media and entertainment companies is the way they obtain and manage user consent. Earlier, consent was usually taken through lengthy and complex terms and conditions that bundled multiple purposes such as content personalisation, advertising, and data sharing into a single acceptance. Under the DPDP Rules, this approach is no longer acceptable. Consent must now be free, specific, informed, unconditional, and unambiguous, and must be given through a clear affirmative action by the user, requiring companies to clearly explain each purpose and seek consent in a transparent and granular manner. 

Notice, Consent and User Rights 

Consent Notice (Rule 3): Every Data Fiduciary will now have to issue a separate consent notice that is clear, plain, and understandable independently of other information. This notice must contain a proper itemised description of the personal data collected and the specific purposes for processing. For media platforms, this impacts sign-up screens and in-app notifications. Streaming platforms must explicitly state why they collect watch history or location data. Advertising entities must explain how behavioural information is used for personalised advertisements. This requires Media and Entertainment companies to redesign the user interfaces through which they take consent. For example, a user must consent separately for content recommendations versus sharing data with an ad tech partner.

Withdrawal (Rule 3): The notice must provide direct communication links allowing users to withdraw consent, exercise statutory rights, or file a complaint. The means for the Data Principal to withdraw her consent must be comparable in ease to that with which consent was given. This makes privacy a central operational element, not an option. For minors and people with disabilities, Rules 10 and 11 provide detailed procedures for obtaining verifiable consent. Platforms must verify the parent/guardian’s identity and age (often using government-authorised mechanisms such as virtual tokens or Digital Locker credentials) (Rule 10). This impacts platforms with a large child user base (e.g., gaming, streaming services). They must establish separate minor user journeys, maintain secure parental dashboards, and restrict behavioural tracking and targeted advertising for child users, except in specific situations exempted under Rule 12.

Strengthening Data Principal Rights 

The DPDP regime strengthens user rights. Under Rule 14, platforms must publish accessible information detailing how users may exercise their rights (e.g., access to data, correction of inaccurate data, erasure of information, and grievance redressal). The platform must respond within a reasonable period not exceeding ninety days. To meet these standards, media platforms must change their back-end systems. They must be capable of surgical data retrieval, pinpointing everything from watch histories to transaction logs, to ensure that a user’s request for correction or erasure can be executed instantly across the entire data lifecycle.

Enhanced Accountability and Breach Management 

The compliance regime elevates the penalties and formalises the process for managing security incidents. Earlier, security obligations were often based on “reasonable security practices” defined by IT rules, and data breach disclosure to the regulator or user was discretionary or governed by specific contracts. Now, the DPDP framework introduces clear, mandatory protocols and financial liability for non-compliance.

Security Safeguards (Rule 6): Rule 6 imposes strict, minimum mandatory security measures on every Data Fiduciary. These include encrypting or masking personal data, implementing access controls, maintaining logs for monitoring access, detecting unauthorised access, and ensuring continued processing through backups. The Fiduciary must also retain logs and personal data for at least one year for breach detection and investigation, unless a longer period is required by another law. Media and Entertainment platforms must enhance their security posture, and the obligation to include appropriate security safeguards in contracts with Data Processors (e.g., cloud services) is binding.

Mandatory Breach Notification (Rule 7): Rule 7 sets out a simple and timely process for reporting personal data breaches. The Fiduciary must inform each affected Data Principal without delay, concisely and clearly, detailing the breach, likely consequences, safety measures she may take, and business contact information for queries. The Data Fiduciary must notify the Data Protection Board (DPB) without delay of the breach, and provide an updated, detailed report, including remedial measures, within seventy-two hours of becoming aware of the breach.

Significant Data Fiduciaries, Children’s Data and Algorithmic Accountability 

Certain large-scale Media and Entertainment platforms may be designated as Significant Data Fiduciaries (SDFs) based on user volume, data sensitivity, and risk to individuals. Rule 13 imposes additional obligations on SDFs. 

Additional Obligations (Rule 13) 

An SDF must undertake a Data Protection Impact Assessment and an annual audit to verify effective compliance with the Act and the DPDP Rules. The report containing significant observations must be furnished to the Data Protection Board. 

Algorithmic Accountability 

SDFs must conduct due diligence to ensure that technical measures, including algorithmic software adopted for hosting, displaying, modifying, or recommending content, do not create risks to user rights. For Media and Entertainment platforms relying heavily on algorithms for content recommendation, trending lists, and personalisation, this introduces a formal obligation to assess whether algorithmic systems produce discriminatory or rights-invasive outcomes. Streaming platforms and large news aggregators may therefore need periodic independent evaluation of algorithms and adjusted governance practices. 

Special Protection for Vulnerable Groups (Children) 

Children’s data is given special protection under the DPDP Rules. Earlier, general consent rules often applied, and the use of targeted advertising and behavioural tracking was common across all age groups. Violations relating to children had penalties up to ₹200 crore.

Verifiable Parental Consent (Rule 10): When a child’s personal data is involved, a Data Fiduciary must adopt technical and organisational measures to ensure verifiable consent of the parent is obtained before processing. Verification must check that the individual identifying as the parent is an adult (age 18+) and identifiable using reliable details or virtual tokens. 

Prohibition & Exemptions (Rule 12): The DPDP Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Rule 12 specifies that this prohibition shall not apply to processing done for certain purposes, such as ensuring that any information, service or advertisement likely to cause any detrimental effect on the child is not accessible to her (Rule 12; Fourth Schedule, Part B, Item 5), and real-time location tracking of the child in the interest of her safety and protection (Rule 12; Fourth Schedule, Part B, Item 4).

Data Transfer, Government Interventions and Sectoral Impact 

Cross-Border Data Transfer (Rule 15): Rule 15 regulates transferring personal data outside India. While permissible, the Data Fiduciary must comply with conditions the Central Government may specify concerning transfer to a foreign state or any entity controlled by such state. Media and Entertainment companies must prepare for possible restrictions, the need for local storage of sensitive datasets, and the requirement to track all cross-border data flows. 

Government Requests and Data Retention (Rule 23): Rule 23 authorises government agencies to request personal data for purposes such as national security, statutory functions, or law enforcement. Media and Entertainment organisations must maintain structured logs and retain traffic data for one year to comply with such requests. They may also be directed not to disclose to the user that the government sought information if disclosure is likely to prejudicially affect national security or state interests. 

Strengthening Data Principal Rights and Grievance Redressal 

Previously, users could only view basic account information or request deletion through slow, cumbersome support channels; the organisation largely controlled the data lifecycle. The revised rules, however, reinforce several concrete rights for Data Principals:

  • Individuals can ask for a copy of their personal data, or seek corrections and updates. 

  • Individuals may request the removal of personal data in certain situations. 

  • Data Fiduciaries must address all grievances (related to access, correction, updating, or erasure) within a maximum of ninety days under their grievance redressal system (Rule 14).

  • The Rules mandate that the Data Protection Board and the Appellate Tribunal (TDSAT) shall function as a digital office, adopting techno-legal measures to conduct proceedings without requiring physical presence. 

Conclusion 

The DPDP Act 2023, followed by the DPDP Rules 2025, constitutes a rights-based approach to data protection in India that focuses on putting accountability on companies. For the media and entertainment industry specifically, this highlights changes in how personal data is collected, processed, stored, and shared. The rules lay down requirements for consent practices, platform design, security measures, data retention, and cross-border data transfers. They require clear transparency, purpose-based use of data, verified consent for children, strong security safeguards, timely breach reporting, and proper handling of user rights. Large platforms also have additional duties, including algorithmic accountability and annual assessments. Overall, the law requires media companies to make data protection a core part of their operations and decision-making.


We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
