Telecom Firms Flag Gaps in DPDP Rules, Seek Sector-Specific Guidance
Telecom operators say parental-consent mandates, age checks and overlapping compliance frameworks could slow digital access and complicate telecom operations.
Topics
News
- DeepSeek Pushes Open-Source Math AI to Olympiad Heights
- Telecom Firms Flag Gaps in DPDP Rules, Seek Sector-Specific Guidance
- SAP Taps TCS to Overhaul Internal IT and Cloud Stack
- Deepwatch Sets Up Bengaluru GCC to Power AI-Driven Cybersecurity Push
- Reliance, L&T Make $13.5 Billion Push Into AI Data Centers
- India’s Hardware Startup Boom Faces Roadblocks Despite $296 Billion Potential
India’s telecom lobby has welcomed the newly notified Digital Personal Data Protection Rules 2025 (DPDP Rules) but warned that key obligations remain ambiguous and operationally challenging for the sector.
The lobby, Cellular Operators Association of India (COAI), which represents major telecom firms including Bharti Airtel, Reliance Jio and Vodafone Idea, said the rules’ consent and compliance requirements would create friction in delivering telecom services.
COAI has asked the government to allow minors aged 16–18 to obtain SIM cards without parental consent or ID-verification, arguing the requirement doesn’t reflect India’s diverse family structures or the reality of young adults needing independent digital access.
The rules as notified require telecom operators to obtain “verifiable consent” from a parent or guardian for processing the personal data of anyone under 18.
“The parental-consent mandate is impractical,” COAI’s director general, S.P. Kochhar, said, adding that it would slow down onboarding, hike costs and deter younger users from getting connected, undermining the government’s own push for wider digital adoption.
Beyond minors’ consent, operators flagged other unresolved issues, including how to verify age, how to handle consent in multiple Indian languages, what constitutes acceptable “reasonable security safeguards,” and how breach-reporting and consent-manager obligations will align with existing telecom regulations under the telecom regulator and cyber-security frameworks.
Under the DPDP Rules, companies handling digital personal data, or “data fiduciaries,” must obtain clear, informed consent before processing personal data. For children’s data, verifiable parental or guardian consent is mandatory, backed by reliable identity verification or approved government credentials such as Digital Locker.
Security obligations and breach-reporting requirements, including deadlines to notify regulators and affected users, apply to telecom firms alongside other sectors.
But COAI argues that telcos already operate under multiple legal frameworks such as the IT Act, cybersecurity directives and telecom-specific regulations, and that layering new obligations without coordination creates “unnecessary duplication.”
COAI has submitted a request to the ministry of electronics and information technology for clearer guidance and a “risk-based, sector-sensitive approach,” especially around age verification, data-breach reporting formats, multilingual consent and the role of consent-managers in telecom.
