Under new regulations stemming from the Digital Personal Data Protection Act, e-commerce platforms, social media networks, and online gaming services will soon be required to delete user data three years after it is no longer necessary. This move marks a significant step towards more stringent data privacy controls in India, aiming to give users greater control over their personal information.
For the first time, the draft rules categorise different types of data fiduciaries—entities that manage and process personal data—and set clear timelines for the retention of user information. These requirements are outlined in Section 8 of the draft rules, which state that personal data must be erased once it is no longer required for the purpose it was collected. This includes details such as profiles, email addresses, and phone numbers used to access services on platforms like e-commerce sites, online gaming platforms, and social media networks.
The new rules, which were made public on January 3 for public consultation, also specify that platforms must notify users at least 48 hours before their data is deleted. This allows users to log in or contact the platform if they wish to retain their information. These measures apply specifically to platforms with substantial user bases, ensuring that larger services with millions of users are held to rigorous standards for data retention and deletion.
According to the draft rules, the data fiduciaries are categorised as follows: e-commerce platforms are defined as entities with no fewer than 20 million registered users in India, online gaming intermediaries as those with 5 million or more users, and social media platforms as those with 20 million or more users. These thresholds ensure that the new rules apply to the most influential and widely used platforms in the country, offering enhanced protection for a broad swath of the population.
In addition to these user deletion requirements, the draft rules also stipulate that e-commerce platforms, social media intermediaries, and online gaming services must provide users with access to their accounts and any virtual tokens they may have accumulated. Virtual tokens, which can be exchanged for money, goods, or services, must be accessible to users even when their personal data is being deleted. This ensures that users do not lose access to the digital assets they have accumulated on these platforms.
The e-commerce entity definition in the draft rules clarifies that it applies to any entity that owns, operates, or manages a digital facility or platform for e-commerce, as per the Consumer Protection Act, 2019. However, it does not cover individual sellers who offer goods or services for sale on a marketplace platform. Similarly, online gaming intermediaries are defined as any intermediary that enables users to access online games, while social media intermediaries are those that enable online interactions between users, allowing them to create, upload, share, and access information using the platform.
This move towards regulating digital data retention comes at a time when data privacy has become an increasing concern globally, with users becoming more aware of the risks associated with prolonged data storage. The draft rules address this issue by ensuring that data is not retained longer than necessary, providing users with more control over their personal information.
More Read
The draft rules are currently open for public consultation, with feedback being accepted until February 18. The government is seeking input from industry stakeholders, privacy advocates, and the general public before finalising the regulations. This consultation period is an opportunity for those affected by the new rules to voice their concerns and contribute to the final version of the regulations.
While these new data protection rules mark an important step in protecting user privacy, they also highlight the growing responsibility of digital platforms to manage and safeguard the vast amounts of personal data they collect. As the regulatory landscape continues to evolve, these rules may set a precedent for other countries looking to implement stronger data privacy laws.
As the consultation period progresses, stakeholders will be keen to see how these new regulations evolve and how they will impact both users and businesses operating in the digital space. With the rise of online services in every aspect of life, the importance of protecting personal data has never been greater, and these new rules aim to strike a balance between innovation and privacy protection.
