India's leading telecommunications companies are voicing significant concerns about the newly implemented Digital Personal Data Protection (DPDP) Rules for 2025. Represented by the Cellular Operators Association of India (COAI), major players including Bharti Airtel, Reliance Jio, and Vodafone Idea argue that critical issues they raised during consultation periods remain unresolved, creating substantial compliance hurdles.
Key Challenges with Minor Consent and Security
The industry body highlighted multiple practical difficulties, with obtaining verifiable consent for users under 18 being a primary obstacle. S.P. Kochhar, the Director General of COAI, stated that this requirement poses practical challenges and contradicts the digital autonomy promoted by various government initiatives.
COAI had previously suggested a practical exemption for minors aged 16 to 18 when acquiring SIM cards, allowing them to do so without going through the cumbersome process of verifiable parental consent. The new rules, however, mandate that companies must seek this verifiable parental consent before processing the data of any user under 18. Furthermore, the rules completely prohibit certain data practices for children, such as tracking for targeted advertising, to enhance their online safety.
Duplicative Reporting and Compliance Burdens
Another major point of contention is the issue of overlapping and duplicative reporting requirements. Kochhar emphasized that companies now face a multiplicity of incident-reporting obligations under the IT Act, CERT-In directions, Department of Telecommunications (DoT) guidelines, and the new DPDP framework.
To streamline compliance, the telecom operators have proposed that CERT-In and the newly formed Data Protection Board adopt a unified breach-reporting timeline. This would involve a single trigger and a harmonized reporting window applicable across all digital and telecom entities. The association also advocates for a standardized incident-notification format accepted by all authorities to ensure timely and consistent information without the need for multiple parallel reports.
Debate Over Security Standards and Consent Managers
The rules require companies to implement reasonable security safeguards, such as data encryption, obfuscation, and masking, to prevent personal data breaches. However, the telecom operators argue that the assessment of what constitutes reasonable security should be more nuanced.
They propose a layered, risk-based approach, pointing out that the mature network and system security controls already deployed by Telecom Service Providers (TSPs) already provide a robust defense architecture, reducing the risk of unauthorized data access or misuse.
Additionally, concerns were raised about the appointment of consent managers. Companies have 12 months, until 14 November 2026, to appoint these managers. The current restrictions, which disallow directors and key personnel from having any association with companies that handle personal data, are viewed as overly stringent.
COAI has suggested replacing this blanket prohibition with safeguards against preferential treatment, such as declarations at the time of registration. The association also proposed creating a single, interoperable consent-management layer for the entire telecom sector to improve efficiency.
With companies required to fully comply with the Act's provisions within 12-18 months, including implementing systems for express user permission and reporting data breaches within 72 hours, the industry is actively compiling detailed inputs for the Ministry of Electronics and Information Technology (MeitY) to address these pressing issues.
