
India’s major telecom operators have backed away from the newly announced Digital Privacy Protection (DPDP) 2025 rules, arguing that critical issues identified during the consultation – including consent for minors, security standards and duplicate reporting requirements – have not been adequately addressed.
Industry body Cellular Operators Association of India (COAI), which represents Bharti Airtel, Reliance Jio and Vodafone Idea, has identified several compliance hurdles, including issues with verifiable consent for minors, processing multilingual consent, breach notification requirements and compliance with industry-specific laws.
“COAI is in the process of compiling detailed inputs to MeitY (Ministry of Electronics and Information Technology) on the DPDP rules,” COAI Director General SP Kochhar said in a statement.
Kochhar said obtaining verifiable consent for users under the age of 18 poses practical challenges for operators and runs counter to the digital autonomy promoted by several government initiatives.
COAI has proposed a practical exemption for minors aged 16-18 years acquiring a SIM card, which would let this age group get a SIM card without verified parental consent.
For users under 18, companies will have to seek “verifiable” parental consent before using their data. At the same time, certain types of data, such as those that enable general user tracking for advertisements, will be completely blocked to ensure the safety of children, according to DPDP rules.
Data Rules
The Personal Data Protection Act 2023 lays down rules on how organizations in India can collect, use, store and process digital personal data. It aims to protect the privacy of individuals while enabling the responsible use of data by businesses and government. The DPDP rules are intended to operationalize the law.
India’s long-awaited privacy regime was officially launched on November 14, more than two years after Parliament passed the DPDP Act 2023. Companies will have to comply with the law’s provisions within 12-18 months, including appointing consent managers and data protection officers, putting in place systems for explicit user consent and reporting data breaches within 72 hours.
“Given the multiple incident reporting obligations under the IT Act, CERT-In (Indian Computer Emergency Response Team) guidelines, DoT (Department of Telecom) guidelines and now the DPDP framework, harmonized timelines and harmonized procedures are necessary to help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes,” said Kochhar.
Telecom operators said CERT-In and the Privacy Council, a body set up to oversee the implementation of the law and impose penalties for breaches, may consider adopting a uniform timeline for reporting breaches with a single trigger and a harmonized reporting window applicable to all digital and telecom entities.
A standardized incident reporting format, accepted by all relevant authorities, would ensure that regulators receive timely, consistent and useful information without the need for multiple parallel reports at different time frames, COAI said.
Reasonable security guarantees
The DPDP rules require companies to take reasonable security measures to prevent the leakage of personal data. They outline measures such as encryption, obfuscation, masking or the use of virtual tokens mapped to personal data to ensure adequate protection.
The operators argued that the adequacy of “reasonable security safeguards” should be assessed in a layered, risk-based manner, rather than being limited to encryption and masking alone.
“From an industry perspective, advanced network and system security controls already in place by telecommunications service providers reduce the risk of unauthorized access, exfiltration or misuse of personal data. These measures provide a robust defense-in-depth architecture for digital personal data processed over telecommunications networks,” Kochhar said.
Within 12 months, by 14 November 2026, companies must appoint consent managers – the people responsible for social media platforms that ask for permission to use people’s personal data.
And within 18 months, companies must put in place a mechanism to obtain explicit permission from users before using their data for commercial purposes, such as targeted advertising.
As for consent controllers, telecoms operators have said that the current restrictions, which prevent directors and key employees from having links with companies that hold personal data, may be too strict.
COAI suggested replacing the blanket ban with safeguards against preferential treatment, such as declarations at registration, rather than mandating changes to corporate articles of association. The association proposed a single, interoperable layer of consent management for the telecommunications sector through a common industry consent manager or interoperable arrangements.





