Telcos flag key compliance gaps in DPDP rules, seek SIM ease for older teens

The DPDP rules prescribe “reasonable security safeguards” such as encryption, obfuscation and masking of personal data.

India’s telecom operators have flagged several compliance hurdles in the freshly notified Digital Personal Data Protection (DPDP) Rules 2025, warning that operational gaps around verifiable consent for minors, multilingual consent, breach-notification obligations, and alignment with sector-specific telecom laws could create friction as companies transition to the new data-protection regime.

Industry body Cellular Operators Association of India (COAI)—which represents Bharti Airtel, Reliance Jio and Vodafone Idea—said it is preparing a detailed submission for the Ministry of Electronics and Information Technology (MeitY).

“COAI is in the process of compiling detailed inputs for MeitY on the DPDP Rules,” said S.P. Kochhar, director general of COAI.

Kochhar said obtaining verifiable parental consent for all users under 18 is impractical and runs counter to the digital autonomy encouraged under several government initiatives. COAI has recommended a practical exemption for 16–18-year-olds for SIM acquisition so they can obtain mobile connections without parental verification.

Under the DPDP rules, companies must seek verifiable parental consent before processing the data of minors, and certain forms of data—particularly those enabling behavioural tracking for ads—will be completely barred for children.

The DPDP Act, 2023 sets the rules for how organisations collect, process and store digital personal data in India. The law came into effect on 14 November, with companies given 12–18 months to comply. This includes appointing consent managers, data-protection officers, building systems for explicit user permission, and reporting data breaches within 72 hours.

Operators warned that data-breach reporting is already governed by multiple regulations under the IT Act, CERT-In directions and Department of Telecommunications (DoT) rules, and the DPDP framework now adds another layer.

“Harmonised timelines and aligned procedures are required to avoid unnecessary duplication and ensure cohesive compliance across regulatory regimes,” Kochhar said.

COAI recommended that CERT-In and the Data Protection Board adopt a single breach-reporting trigger, a unified reporting window, and a standardised incident-notification format for all digital and telecom entities—ensuring regulators receive consistent and actionable information without parallel filings.

The DPDP rules prescribe “reasonable security safeguards” such as encryption, obfuscation and masking of personal data. However, telecom operators argue that adequacy should be judged through a layered, risk-based assessment, not prescriptive tools alone.

“Telecom providers already operate mature network and system security controls that significantly reduce risks of unauthorised access or data misuse. These provide a robust defence-in-depth architecture for protecting digital personal data processed over telecom networks,” Kochhar said.

By November 2026, companies must appoint consent managers and, within 18 months, implement systems to seek express user permission before using data for business purposes such as targeted advertising.

COAI said restrictions that bar directors and key personnel from having any association with entities holding personal data may be overly stringent. It suggested replacing blanket prohibitions with declaration-based safeguards and recommended allowing a single, interoperable consent-management layer for the telecom sector—either through a common industry consent manager or interoperable mechanisms.