Data Privacy Risks for Telecom Operators and OTT Platforms Under India’s DPDP Regime: User Metadata, Surveillance and Platform Accountability

Posted On - 9 February, 2026 • By - Aniket Ghosh

Introduction: Why Telecom and OTT Platforms Sit at the Heart of India’s Privacy Debate

Few sectors process personal data as continuously, invisibly and unavoidably as telecom operators and OTT platforms, making them among the most susceptible to data privacy risks. Every phone call, message, stream, click, pause and recommendation generates layers of metadata, often more revealing than the underlying content itself.

Telecom service providers (TSPs), internet service providers (ISPs), OTT messaging apps, video streaming platforms, social media services and content aggregators today process:

  • Subscriber identity and KYC data
  • Call detail records and usage logs
  • Location and IP metadata
  • Viewing, listening and browsing histories
  • Behavioural and preference profiles

For most users, participation in modern digital life is impossible without submitting to this data collection.

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), India has placed legally enforceable limits on how such data may be collected, used, shared and retained. For telecom and OTT businesses, the new framework creates a complex compliance matrix, intersecting:

  • Data protection law
  • Telecom and IT regulations
  • National security and lawful interception regimes
  • Consumer protection and competition law

Applicability of the DPDP Act to Telecom and OTT Platforms

A. Entities Covered

The DPDP Act applies to all entities processing digital personal data, including:

  • Telecom service providers (mobile, broadband, ISP)
  • OTT messaging platforms
  • Video and music streaming services
  • Social media and content platforms
  • Unified communications and VoIP providers
  • Content distribution and aggregation platforms

Both Indian and foreign platforms offering services to individuals in India fall within scope.

B. Telecom and OTT Platforms as Data Fiduciaries

Most telecom operators and OTT platforms qualify as data fiduciaries, as they determine:

  • What subscriber or user data is collected
  • How usage data and metadata are processed
  • How long such data is retained
  • Whether data is shared with advertisers, partners or authorities

Third parties such as cloud providers, analytics vendors and ad-tech platforms act as data processors, but primary liability remains with the platform. Given their scale and systemic importance, major telecom operators and OTT platforms are strong candidates for Significant Data Fiduciary (SDF) designation.

Metadata as Personal Data: The Hidden Compliance Risk

A. What Is Metadata?

Metadata includes:

  • Call detail records (CDRs)
  • IP addresses and device identifiers
  • Location and cell-tower data
  • Viewing and listening histories
  • Session durations and interaction patterns

Even without content, metadata can reveal intimate aspects of a person’s life, including habits, relationships, beliefs and vulnerabilities. Under the DPDP Act, such metadata constitutes personal data where it relates to an identifiable individual.

B. Continuous and Passive Collection

Unlike many industries, telecom and OTT platforms collect data continuously, automatically and often without active user interaction. This creates heightened scrutiny around necessity, proportionality and transparency.

Under the DPDP Act, consent must be:

  • Free
  • Informed
  • Specific
  • Unambiguous
  • Capable of withdrawal

However, telecom and OTT services often operate on “service-essential” data processing, where refusal of consent effectively prevents service use.

Such asymmetry creates legal risk where consent is bundled across multiple purposes, users cannot meaningfully opt out and processing exceeds operational necessity.

B. DPDP Rules: Enhanced Notice Obligations

The DPDP Rules require platforms to clearly disclose:

  • Categories of personal data and metadata collected
  • Purpose of processing (including analytics and recommendations)
  • Third-party sharing and ad-tech integrations
  • Retention practices
  • Grievance redressal mechanisms

Generic, global privacy policies that obscure metadata processing are unlikely to satisfy Indian regulators.

Purpose Limitation and Profiling in OTT Platforms

A. Content Delivery vs Behavioural Profiling

OTT platforms collect data to deliver content and improve quality of service. However, this data is frequently repurposed for:

  • Recommendation engines
  • Behavioural profiling
  • Targeted advertising
  • Cross-platform monetisation

Under the DPDP Act, such secondary use requires explicit disclosure and valid consent.

B. Recommendation Algorithms and Transparency

While algorithmic transparency is not explicitly mandated, opaque profiling practices increase:

  • Consent invalidation risk
  • Consumer complaints
  • Regulatory scrutiny

Platforms must be able to demonstrate purpose limitation and proportionality.

Children’s Data on OTT and Content Platforms

A. Children as a Protected Category

Any user below 18 years is a child under the DPDP Act. This is particularly relevant for video streaming platforms, gaming-adjacent OTT services and educational and infotainment content.

Processing children’s data requires verifiable parental consent and restrictions on tracking and targeted advertising. Many OTT platforms currently rely on self-declared age and generic “kids mode” toggles. These measures may be insufficient under the DPDP framework.

Telecom KYC, Retention and Surveillance

A. Subscriber KYC Data

Telecom operators collect extensive KYC data, often under statutory mandate. However, the DPDP Act still requires purpose-limited use, secure storage and justified retention periods. Indefinite retention “because regulations require it” may not always be defensible without clear legal backing.

B. Lawful Interception and Government Access

Telecom and OTT platforms operate under multiple laws permitting government access to data. While the DPDP Act contains exemptions for state functions, over-broad or poorly documented access requests can still expose platforms to:

  • Legal challenges
  • Reputational harm
  • Cross-border compliance conflicts

Platforms must maintain robust internal governance around government data requests.

Third-Party Sharing and Ad-Tech Risk

OTT platforms commonly integrate advertising networks, measurement and attribution tools, and content partners. Under the DPDP Act:

  • Platforms remain responsible for processor compliance
  • Uncontrolled SDKs pose significant leakage risk
  • Ad-tech driven profiling must be transparently disclosed

Data Breaches and National-Scale Impact

A. Mandatory Breach Notification

Under the DPDP Act and Rules, telecom and OTT platforms must notify the Data Protection Board of India and the affected users. Given the scale of user bases, breaches can rapidly become national-level incidents.

B. Systemic Risk and Public Trust

Breaches involving telecom metadata or OTT usage data can:

  • Undermine public confidence
  • Attract parliamentary and regulatory scrutiny
  • Trigger multi-jurisdictional investigations

Penalties and Enforcement Exposure

A. Monetary Penalties

The DPDP Act provides for penalties of up to INR 250 crore per contravention, assessed based on:

  • Nature and sensitivity of data
  • Scale and duration of processing
  • Impact on data principals

Telecom and OTT platforms face systemic exposure due to volume and continuity of processing.

B. Regulatory and Commercial Consequences

Beyond penalties, platforms may face:

  • Licence or regulatory scrutiny
  • Platform restrictions or directives
  • Loss of advertiser and partner trust
  • Global reputational spillover

Compliance Roadmap for Telecom and OTT Platforms

1. Metadata Mapping and Classification: Identify and document all metadata categories processed.

3. Profiling and Ad-Tech Controls: Audit recommendation engines and advertising integrations.

5. Government Request Governance: Standardise lawful access procedures and documentation.

Conclusion: Privacy as the Price of Digital Trust

Telecom and OTT platforms are the infrastructure of modern digital life. With that role comes heightened responsibility. The DPDP Act and Rules signal that scale and indispensability do not justify unchecked data exploitation.

Platforms that embed privacy-by-design, limit profiling excesses and maintain transparent governance will be best positioned to retain user trust and regulatory confidence in India’s evolving digital ecosystem.