Telecom Firms Flag Gaps in DPDP Rules, Seek Sector-Specific Guidance
Telecom operators say parental-consent mandates, age checks and overlapping compliance frameworks could slow digital access and complicate telecom operations.
Topics
News
- Microsoft Rolls Out Maia 200 AI Chip to Cut Reliance on Nvidia
- Google.org Funds 12 AI Projects to Accelerate Scientific Research
- MIT Sloan Management Review India, IDfy to Release Study on Data Privacy
- India’s AI Summit to Draw World’s Top Tech Leaders This February
- Startups Seek Tax Clarity After SC Ruling Against Tiger Global
- Tata Vows $11 Billion for Innovation City Near Navi Mumbai Airport
India’s telecom lobby has welcomed the newly notified Digital Personal Data Protection Rules 2025 (DPDP Rules) but warned that key obligations remain ambiguous and operationally challenging for the sector.
The lobby, Cellular Operators Association of India (COAI), which represents major telecom firms including Bharti Airtel, Reliance Jio and Vodafone Idea, said the rules’ consent and compliance requirements would create friction in delivering telecom services.
COAI has asked the government to allow minors aged 16–18 to obtain SIM cards without parental consent or ID-verification, arguing the requirement doesn’t reflect India’s diverse family structures or the reality of young adults needing independent digital access.
The rules as notified require telecom operators to obtain “verifiable consent” from a parent or guardian for processing the personal data of anyone under 18.
“The parental-consent mandate is impractical,” COAI’s director general, S.P. Kochhar, said, adding that it would slow down onboarding, hike costs and deter younger users from getting connected, undermining the government’s own push for wider digital adoption.
Beyond minors’ consent, operators flagged other unresolved issues, including how to verify age, how to handle consent in multiple Indian languages, what constitutes acceptable “reasonable security safeguards,” and how breach-reporting and consent-manager obligations will align with existing telecom regulations under the telecom regulator and cyber-security frameworks.
Under the DPDP Rules, companies handling digital personal data, or “data fiduciaries,” must obtain clear, informed consent before processing personal data. For children’s data, verifiable parental or guardian consent is mandatory, backed by reliable identity verification or approved government credentials such as Digital Locker.
Security obligations and breach-reporting requirements, including deadlines to notify regulators and affected users, apply to telecom firms alongside other sectors.
But COAI argues that telcos already operate under multiple legal frameworks such as the IT Act, cybersecurity directives and telecom-specific regulations, and that layering new obligations without coordination creates “unnecessary duplication.”
COAI has submitted a request to the ministry of electronics and information technology for clearer guidance and a “risk-based, sector-sensitive approach,” especially around age verification, data-breach reporting formats, multilingual consent and the role of consent-managers in telecom.
