News & Developments

Data Privacy Risks for Gaming, Fantasy Sports and Online Platforms under India’s DPDP Regime: Behavioural Profiling, Consent and Compliance

By Aniket Ghosh

Introduction: Why Gaming Platforms Sit at the Centre of Privacy Enforcement

India’s gaming and interactive entertainment ecosystem, comprising online gaming platforms, fantasy sports operators, real-money gaming companies, casual mobile games, esports platforms and gamified social apps, has experienced explosive growth. These platforms are no longer passive entertainment providers; they are data-intensive behavioural engines involving major data privacy risks. Every tap, swipe, pause and in-game decision is captured, analysed and monetised.

As a result, gaming platforms process some of the most granular behavioural datasets in the digital economy, often involving:
- Children and young adults
- Continuous tracking and profiling
- Psychological engagement mechanisms
- Cross-platform advertising and monetisation

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), gaming companies now face heightened legal scrutiny, particularly around consent, profiling, children’s data, dark patterns and targeted advertising.

Applicability of the DPDP Act to Gaming and Interactive Platforms

Platforms Covered

The DPDP Act applies to all entities processing digital personal data, including:
- Online and mobile gaming platforms
- Fantasy sports and skill-based gaming operators
- Esports platforms
- Casual and hyper-casual game developers
- Social gaming and metaverse platforms
- Real-money gaming and betting intermediaries

Both Indian and offshore platforms offering services to users in India fall within scope.

Gaming Companies as Data Fiduciaries

Gaming platforms almost invariably qualify as data fiduciaries, as they determine:
- What user data is collected
- How gameplay data is analysed
- How engagement and monetisation strategies are deployed

Third parties such as analytics providers, ad-tech platforms, payment processors and cloud service providers operate as data processors, though primary liability remains with the platform.

Large gaming platforms may be designated as Significant Data Fiduciaries (SDFs) due to:
- Scale of user base
- Volume of behavioural data
- Involvement of children
- Use of AI-driven engagement tools

Behavioural Data in Gaming: A High-Risk Category

What Is Behavioural Data?

Gaming platforms routinely collect:
- Gameplay patterns
- Reaction times
- Spending behaviour
- In-game communications
- Social interactions
- Device and location metadata

When combined, this data enables deep behavioural profiling, capable of predicting user preferences, vulnerabilities and spending propensity.

Why Regulators Are Concerned

Behavioural profiling in gaming raises concerns around:
- Manipulative engagement design
- Addiction and compulsive behaviour
- Exploitation of cognitive biases
- Psychological harm, particularly to minors

Under the DPDP Act, such data processing must be lawful, proportionate and purpose-bound – a standard many legacy gaming models struggle to meet.

Consent in Gaming: Validity Under the DPDP Act

Consent Must Be Real, Not Illusory

Gaming platforms often rely on click-wrap agreements, bundled consents, and long, technical privacy policies. Under the DPDP Act, consent must be:
- Free
- Informed
- Specific
- Unambiguous
- Capable of withdrawal

“Accept to play” models that condition access on broad data permissions risk being treated as coerced consent.

DPDP Rules: Notice and Transparency Obligations

The DPDP Rules require platforms to disclose:
- Categories of personal data collected
- Purpose of processing (including analytics and advertising)
- Third-party data sharing
- User rights and withdrawal mechanisms
- Grievance redressal channels

Generic disclosures that do not explain behavioural analytics and profiling are unlikely to withstand scrutiny.

Dark Patterns and Manipulative Design in Gaming

What Are Dark Patterns?

Dark patterns are interface designs that manipulate user behaviour, including:
- Infinite scroll and loot box mechanics
- Misleading reward structures
- Obscured opt-outs
- Artificial urgency

While not explicitly defined in the DPDP Act, such practices undermine free and informed consent.

Regulatory Trajectory

Gaming platforms are increasingly scrutinised by consumer protection authorities, sectoral regulators, and Courts. Under the DPDP framework, dark patterns may invalidate consent and expose platforms to enforcement action for unlawful data processing.

Children’s Data: A Legal Minefield for Gaming Platforms

Children Under the DPDP Act

Any user below 18 years is a child under the DPDP Act. This is particularly consequential for gaming platforms with:
- Casual or cartoon-style games
- School-age user bases
- Freemium models

Parental Consent and Verification

Processing children’s data requires:
- Verifiable parental consent
- Mechanisms to confirm guardian identity
- Clear linkage between parent and child

Self-declared age gates are insufficient.

Prohibition on Tracking and Targeted Advertising

The DPDP Act restricts behavioural tracking, profiling and targeted advertising directed at children.
This directly impacts:
- Ad-supported gaming models
- In-game personalised offers
- Behaviour-based monetisation strategies

Real-Money Gaming, Payments and Financial Data

Financial and Transactional Data

Real-money gaming platforms process:
- Payment information
- Wallet balances
- Spending patterns

This data carries elevated risk due to fraud potential, addiction concerns, and regulatory overlap with financial laws. Such data must be processed with heightened security and minimal retention.

KYC and Identity Data

Where KYC is required, platforms must:
- Limit collection to necessity
- Clearly disclose purpose
- Secure data against unauthorised access

Repurposing KYC data for marketing or profiling is legally hazardous.

Third-Party Sharing and Ad-Tech Risk

Gaming platforms frequently integrate with advertising networks, attribution providers, and analytics engines. The DPDP Act places responsibility on the gaming platform to ensure:
- Processor compliance
- Contractual safeguards
- Breach notification obligations

Uncontrolled SDKs and plug-ins are a common source of data leakage.

Data Breaches and Incident Response

Mandatory Reporting Obligations

Under the DPDP Act and Rules, gaming platforms must notify the Data Protection Board of India and affected users. This obligation applies even to non-financial harm.

Reputational Fallout

Data breaches involving children, behavioural data, and payment information are likely to attract disproportionate public and regulatory backlash.

Penalties and Enforcement Exposure

Monetary Penalties

The DPDP Act empowers the Data Protection Board to impose penalties up to INR 250 crore per contravention, considering:
- Nature of data involved
- Scale of processing
- Harm caused
- Mitigation steps taken

Gaming platforms processing children’s or behavioural data face elevated penalty risk.

Business Impact

Beyond penalties, platforms may face:
- Platform bans or restrictions
- Loss of advertising partners
- App store scrutiny
- Investor concerns

For gaming businesses, regulatory action can directly threaten viability.

Compliance Roadmap for Gaming Platforms

- Data Mapping and Risk Assessment: Identify behavioural, financial and children’s data flows.
- Consent and UX Redesign: Simplify consent journeys and eliminate dark patterns.
- Children’s Data Controls: Implement robust age-gating and parental consent systems.
- Vendor and SDK Audits: Review third-party integrations and contracts.
- Governance and Training: Educate product, design and marketing teams on privacy risks.

Conclusion: Sustainable Gaming Requires Responsible Data Practices

The DPDP Act and Rules signal a clear regulatory message: behavioural exploitation is not a sustainable business model. Gaming platforms must rebalance innovation with responsibility, particularly where vulnerable users are involved. Platforms that proactively redesign consent, limit profiling and embed privacy-by-design will be best positioned to thrive in India’s evolving digital ecosystem.

King, Stubb & Kasiva - February 2 2026
Press Releases

SNG & PARTNERS FURTHER AUGMENTS BANKING & FINANCE PRACTICE; ONBOARDS RAJENDRA PATIL AS A PARTNER

SNG & Partners has announced the appointment of Rajendra Patil as Partner in its Banking & Finance practice. Rajendra’s appointment further augments one of the firm’s established practice offerings, bringing deep in-house leadership experience from the banking sector to the firm. He will be working out of the firm’s Nehru Centre office in Mumbai. Rajendra brings extensive domain experience of more than three decades emanating from a distinguished professional journey of working in-house with leading financial institutions, including ICICI Bank, CRISIL, IDFC, RBL Bank, Bharat Financial Inclusion and IndusInd Bank, where he led and managed a wide spectrum of corporate legal, litigation, compliance, governance, regulatory and corporate secretarial functions. Throughout his career, he has been responsible for managing contentious and non-contentious legal, compliance, governance and corporate secretarial aspects as well as capital market assignments and dealing with law enforcement agencies, for several reputed banking and financial services institutions. Welcoming Rajendra to the team, Anju Gandhi, Senior Partner and Head – Banking & Finance, SNG & Partners, said, “I have known Rajendra professionally for several years and have closely seen his leadership, judgment and ability to manage nuanced legal and regulatory challenges for several large financial institutions. His transition from an in-house leadership role to law firm practice will add to SNG & Partners’ USP of achieving commercial outcomes for its clients, while complying with the procedural and substantive aspects of law. 
Rajendra’s strong blend of legal, compliance, regulatory expertise and business acumen will be a significant asset to our clients, and I am personally delighted to welcome him to SNG & Partners.” He has also supported business teams by assessing legal, compliance and contractual risk, working closely with external counsel, leading negotiations with third parties, and managing corporate secretarial functions, including Board and shareholder meetings, thereby strengthening governance and compliance frameworks within financial institutions. Rajendra’s transition from a long-standing in-house leadership role into law firm practice brings a distinctive and valuable perspective to SNG & Partners. His combined understanding of legal strategy, regulatory expectations and business realities equips him to deliver practical, commercially aligned advice to clients, and further strengthens the firm’s Banking & Finance practice. With Rajendra’s onboarding, SNG & Partners now has a strength of 30 Partners and a formidable team of over 100 lawyers, strategically based across 3 key locations: New Delhi, Mumbai and Bengaluru.
SNG & PARTNERS - February 2 2026

Data Privacy Compliance in Digital Lending & Financial Services

By Aniket Ghosh

Navigating Consent, Purpose Limitation and Regulatory Expectations Under India’s Data Protection Regime

Introduction: Why Data Privacy Has Become a Board-Level Issue in BFSI

India’s banking, financial services and insurance (“BFSI”) sector, particularly digital lending platforms, NBFCs, fintech intermediaries, payment aggregators and neo-banks, operates at the intersection of high-velocity data collection and intense regulatory oversight. Credit underwriting, fraud prevention, customer onboarding, collections, and analytics are fundamentally data-driven.

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the subsequent notification of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), data privacy compliance has moved from a peripheral IT concern to a core legal, governance and reputational risk.

For BFSI entities, the implications are particularly acute:
- Financial data is inherently sensitive and high-value.
- Digital lending models depend on continuous data processing across multiple third parties.
- Enforcement exposure is magnified due to scale, automation and consumer-facing operations.

This article examines how India’s data protection framework applies to digital lending and financial services, identifies sector-specific compliance challenges, evaluates enforcement and penalty risks, and sets out a practical mitigation roadmap for regulated entities and fintechs.

The Legal Framework: DPDP Act and DPDP Rules – What BFSI Must Know

Scope and Applicability

The DPDP Act applies to the processing of digital personal data where:
- The data is collected in digital form; or
- Data initially collected in non-digital form is subsequently digitised.

BFSI entities process personal data at every stage of the customer lifecycle, including KYC, credit assessment, loan servicing, collections, grievance redressal, and analytics, bringing most operations squarely within the Act’s scope.
The law has extraterritorial reach: offshore fintechs or group entities processing Indian customers’ data in connection with goods or services offered in India may also be covered.

Key Concepts Relevant to Financial Services

- Data Principal: The individual customer, borrower, guarantor, or user whose personal data is processed.
- Data Fiduciary: Banks, NBFCs, fintech platforms, lenders, payment intermediaries determining the purpose and means of processing.
- Data Processor: KYC vendors, credit bureaus, cloud providers, call-centre operators, analytics vendors, collection agencies.
- Significant Data Fiduciary (“SDF”): Certain BFSI entities may be notified as SDFs based on volume of data, risk to individuals, and use of new technologies, triggering enhanced compliance obligations.

Consent and Notice: The Core Compliance Challenge in Digital Lending

Consent as the Primary Ground

Under the DPDP Act, consent is the default legal basis for processing personal data. Consent must be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
- Given through clear affirmative action

For digital lenders, this presents immediate friction with legacy onboarding flows.

Notice Requirements Under the DPDP Rules

The DPDP Rules prescribe mandatory notice disclosures, including:
- Categories of personal data being collected
- Purpose of processing
- Details of data fiduciaries and processors
- Rights of data principals
- Grievance redressal mechanism
- Method to withdraw consent

Bundled, vague or omnibus notices commonly used by fintech apps are unlikely to meet the standard.

Dark Patterns and Regulatory Scrutiny

Pre-ticked boxes, forced consent, and “take-it-or-leave-it” app permissions may be construed as invalid consent. In digital lending, where users often have limited bargaining power, this creates heightened enforcement risk.

Purpose Limitation and Data Minimisation: Rethinking Credit Models

Purpose Limitation

Personal data may be processed only for the purpose specified in the notice or for purposes reasonably incidental thereto. For BFSI players, common risk areas include:
- Using KYC or transactional data for unrelated marketing
- Repurposing data for cross-selling without fresh consent
- Sharing borrower data across group entities

Data Minimisation

The DPDP Act mandates collection of only such data as is necessary for the stated purpose. In practice, digital lenders often collect:
- Full contact lists
- Location data
- Device metadata
- Behavioural analytics

Unless clearly justified and disclosed, such practices may violate the minimisation principle.

Third-Party Sharing and Vendor Risk in BFSI

Data Processors and Downstream Liability

The DPDP Act places primary liability on the data fiduciary, even where processing is outsourced. Common BFSI processors include:
- KYC and AML service providers
- Credit bureaus
- Call-centre and collection agencies
- Cloud service providers

The DPDP Rules require contractual safeguards, including:
- Clear processing instructions
- Confidentiality obligations
- Security standards
- Breach reporting timelines

Collections and Recovery Agents: A High-Risk Area

Aggressive recovery practices, which are often outsourced, have already attracted scrutiny from RBI and courts. Under the DPDP framework, misuse of borrower data by agents can result in direct liability for the lender.

Cross-Border Data Transfers: Regulatory Uncertainty Continues

The DPDP Act permits cross-border transfers to countries notified by the Central Government. While the framework is more liberal than earlier drafts, BFSI entities must still:
- Track data flows across jurisdictions
- Ensure overseas processors comply with Indian standards
- Monitor future government notifications

Global fintechs operating hub-and-spoke data models must reassess their architecture.

Data Breaches and Incident Response: From IT Issue to Legal Crisis

Mandatory Breach Notification

The DPDP Act and Rules require reporting of personal data breaches to:
- The Data Protection Board of India
- Affected data principals

This applies regardless of fault, intent, or scale.

BFSI-Specific Exposure

Financial data breaches can result in:
- Identity theft
- Financial fraud
- Regulatory action by multiple authorities
- Class-action style litigation
- Severe reputational damage

A delayed or poorly handled breach response can compound liability.

Enhanced Obligations for Significant Data Fiduciaries

If notified as an SDF, BFSI entities must:
- Appoint a Data Protection Officer based in India
- Conduct Data Protection Impact Assessments (DPIAs)
- Undertake periodic audits
- Implement heightened governance measures

Large NBFCs, digital lending platforms, and payment intermediaries are prime candidates for SDF classification.

Penalties and Enforcement Risk

Monetary Penalties

The DPDP Act empowers the Data Protection Board to impose penalties up to INR 250 crore per violation, depending on:
- Nature and gravity of breach
- Duration and recurrence
- Type of personal data affected
- Mitigation measures taken

Reputational and Commercial Impact

Beyond statutory penalties, BFSI entities face:
- Loss of customer trust
- Regulatory action by sectoral regulators
- Contractual defaults
- Investor and partner concerns

Data protection failures can materially impact valuation and market position.

Practical Compliance Roadmap for BFSI Entities

- Data Mapping and Inventory: Identify what personal data is collected, from whom, for what purpose, and where it flows.
- Consent Architecture Redesign: Revamp onboarding journeys, notices, and consent mechanisms to meet DPDP standards.
- Vendor and Processor Contracts: Update agreements to include DPDP-compliant clauses and audit rights.
- Internal Governance: Appoint privacy leads, define escalation protocols, and align compliance with RBI and SEBI frameworks.
- Breach Response Playbooks: Create legally vetted incident response plans with defined timelines and responsibilities.
- Training and Culture: Ensure product, tech, compliance, and customer-facing teams understand privacy obligations.

Conclusion: From Compliance Burden to Competitive Advantage

For the BFSI sector, data privacy compliance is no longer optional, cosmetic, or deferrable. The DPDP Act and Rules represent a structural shift in how financial institutions must view customer data: not as a freely exploitable asset, but as a regulated trust. Entities that proactively embed privacy into product design, governance and vendor management will not only mitigate enforcement risk but also build durable consumer confidence in an increasingly competitive digital financial ecosystem.

King, Stubb & Kasiva - February 2 2026
Press Releases

Argus Partners Advises Heritage Foods Limited on Acquisition of Majority Stake in Peanut Butter and Jelly Private Limited from Devyani Group Entity

Argus Partners is pleased to announce that it has advised Heritage Foods Limited on its acquisition of 51% stake in Peanutbutter and Jelly Private Limited (Get-A-Way) from Sky Gate Hospitality, a subsidiary of Devyani International Limited. Peanutbutter and Jelly Private Limited, through its brand Get-A-Way, operates in the guilt-free indulgence segment and has pioneered offerings in high-protein, no-added-sugar ice creams and desserts. This acquisition enables Heritage Foods Limited to enter the healthy desserts segment and expand its consumer food portfolio. The team at Argus Partners advising consisted of Pallavi Kanakagiri (Partner), Siddharth Malakar (Senior Associate) and Khushi Bhardwaj (Associate). Read more at: HinduBusinessLine, CNBC-TV18.
Argus Partners - January 30 2026