Privacy at the Gate: How India’s DPDP Act Is Re-wiring Streaming
Inside India’s Upcoming Consent-first Streaming era
Hey Streamers 👋,
A warm welcome to the 91st edition of the “Streaming in India” newsletter, your weekly news digest about streaming players, OTT trends, and analyses.
Agenda
DPDP Act Rules Hit OTT First-Party Data: How India’s Streamers Are Preparing
Stricter Consent Rules and ‘Consent Managers’
Cross-Border Data Transfers and Localization
How Indian Streaming Platforms Are Preparing
Outlook: A New Normal for Indian Streaming
And….Action!
DPDP Act Rules Hit OTT First-Party Data: How India’s Streamers Are Preparing
India’s new Digital Personal Data Protection (DPDP) Act, 2023 – along with draft rules released in early 2025 – is poised to reshape how streaming platforms handle user data. For OTT services (over-the-top video platforms), first-party data (like viewing history, preferences, and profile info) has been a cornerstone for personalization and monetization. Now, stringent data protection requirements mean platforms must rethink consent, data flows, and privacy practices in fundamental ways.
The DPDP framework makes explicit user consent the primary basis for processing personal data, with consent needing to be “free, specific, informed, unconditional, and unambiguous,” given through clear affirmative action. In short, Indian streamers will need to ensure users truly opt in for data use – and can just as easily opt out – or face hefty penalties for non-compliance. This has set the stage for a compliance overhaul in the streaming industry, from how apps obtain consent to where they store data.
Why does this matter to streaming? In the quest for audience engagement, OTT platforms have leaned on personal data to power recommendation engines, targeted ads, and curated experiences. Treating user information casually or without transparency can erode trust – and under the DPDP Act, it can also invite “severe penalties” [campaignindia.in]. On the flip side, those that champion user privacy may turn compliance into a competitive advantage, fostering loyalty by demonstrating respect for user data. As one industry expert noted, prioritizing privacy can become a distinct market differentiator, signalling a commitment to user value beyond just content metrics.
In a market as competitive as Indian streaming, finding the balance between personalization and privacy will be key.
Stricter Consent Rules and ‘Consent Managers’
India’s DPDP Act forces OTT platforms to replace blanket “I agree” terms with specific, ongoing permission for every data use. Bundled consent becomes invalid, so expect separate opt-ins for things like personalized recommendations, targeted ads, email updates, and analytics.
To police this, the Act introduces a licensed Consent Manager. Whether third-party or in-house, it must confirm in real time that a user has approved each data action. Government plans for an API-based Consent Management System could standardize these checks, denying any process that lacks valid consent.
This shift ends the “one-and-done” model. Apps will periodically nudge viewers—“Still OK with us using your watch history?”—so users stay aware and in control. Platforms must redesign interfaces: clearer privacy dashboards, unbundled toggles, and simple “withdraw consent” buttons. If the CMS goes live, many prompts may look and feel uniform across apps.
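The per-purpose, deny-by-default check described above can be sketched as follows. This is an added example, not code from the newsletter, the DPDP rules, or any platform's Consent Manager; the class names, the 180-day re-confirmation window, and the reason strings are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes the newsletter lists as needing separate opt-ins.
PURPOSES = {"personalized_recommendations", "targeted_ads", "email_updates", "analytics"}
# Assumption: a grant older than this must be re-confirmed by the user.
RECONFIRM_AFTER = timedelta(days=180)

@dataclass
class Grant:
    granted_at: datetime
    parental_verified: bool = False
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._grants = {}   # (user_id, purpose) -> Grant
        self.audit = []     # append-only log of every decision

    def grant(self, user_id, purpose, now, parental_verified=False):
        # One affirmative action covers exactly one known purpose; "all" is rejected.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        self._grants[(user_id, purpose)] = Grant(now, parental_verified)

    def withdraw(self, user_id, purpose, now):
        g = self._grants.get((user_id, purpose))
        if g is not None and g.withdrawn_at is None:
            g.withdrawn_at = now

    def check(self, user_id, purpose, now, is_minor=False):
        """Deny by default; return (allowed, reason) and record the decision."""
        g = self._grants.get((user_id, purpose))
        if g is None:
            decision = (False, "no_consent")
        elif g.withdrawn_at is not None and g.withdrawn_at <= now:
            decision = (False, "withdrawn")
        elif now - g.granted_at > RECONFIRM_AFTER:
            decision = (False, "reconfirm_required")
        elif is_minor and not g.parental_verified:
            decision = (False, "parental_consent_required")
        else:
            decision = (True, "ok")
        self.audit.append((now.isoformat(), user_id, purpose) + decision)
        return decision

if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    ledger.grant("u1", "personalized_recommendations", t0)
    print(ledger.check("u1", "personalized_recommendations", t0))
    print(ledger.check("u1", "targeted_ads", t0))  # separate purpose, never granted
    ledger.withdraw("u1", "personalized_recommendations", t0 + timedelta(days=3))
    print(ledger.check("u1", "personalized_recommendations", t0 + timedelta(days=4)))
```

Every data-processing job calls `check` for its own purpose immediately before it runs, so a withdrawal takes effect on the next call, and the audit list doubles as the consent log a regulator could ask for.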
Industry voices call the move a “pivotal step toward transparency” but warn of consent fatigue if viewers are peppered with too many pop-ups. The challenge is to give meaningful choice without eroding user experience.
Failure carries teeth. Section 33 lets regulators fine violators up to ₹250 crore (≈ $30 million). Unsurprisingly, major streamers are already updating policies, adding opt-outs, and publishing transparency reports. Netflix, Prime Video, and JioHotstar, for instance, now let members switch off personalization or review collected data—goodwill gestures that double as pre-compliance.
More changes are imminent: multi-language notices, shorter policies, and default restrictions on kids’ data. In effect, every viewer should soon see, understand, and control how an OTT platform uses personal information—bringing Indian streaming in line with the world’s toughest privacy norms, but without the labyrinthine legalese of yesterday’s policy pages.
Cross-Border Data Transfers and Localization
Another significant aspect of the DPDP regime is its stance on cross-border data flows – a topic of particular interest to global streaming services operating in India. Many popular OTT platforms (think Netflix, Amazon Prime, etc.) rely on cloud infrastructure and data centers that may be located outside India, meaning personal data of Indian users often flows across borders. The new law imposes some guardrails here: personal data transfers abroad are allowed by default, except to certain countries that the Indian government may blacklist for reasons such as inadequate data protection or national security concerns [dpo-india.com]. In other words, India has chosen a “negative list” approach – rather than approving specific countries, it will ban transfers to disallowed jurisdictions, and everything else remains permissible. This is somewhat more flexible than the EU’s GDPR (which requires an adequacy finding or safeguards for each transfer) and is intended to let businesses operate globally unless a destination is explicitly off-limits.
For streaming platforms, this means they can continue using global data clouds and services in the US, Europe, etc., for now – since no countries have been officially blacklisted yet. However, they must stay vigilant. The law empowers the government to step in and prohibit data exports to certain territories via a committee or notification. Major Indian tech players are already lobbying on this front. Reliance Jio (which runs JioHotstar), for instance, strongly advocates for keeping Indian user data within national borders. In a recent consultation, a Jio executive backed forming a government committee to recommend what kinds of personal data “should not be transferred outside India,” aligning with Jio’s call to update policies so that Indian data stays in Indian data centers [hindustantimes.com]. Jio’s stance is perhaps unsurprising – data localization could benefit domestic companies with large local infrastructure – but it underscores a real possibility that regulations might tighten further on foreign data transfers.
Netflix and Amazon, which currently handle Indian data largely on global servers, could consider deploying India-based servers or cloud regions if required. The Livemint newspaper noted that global platforms operating in India may face “additional burdens from data localization requirements and restrictions on cross-border transfers, further complicating compliance” [livemint.com]. While the Act doesn’t force full localization yet, the writing on the wall is that data sovereignty is a priority for regulators – companies might recall how previous drafts of India’s data law had much stricter localization clauses (which were relaxed in the final Act).
One immediate step streamers are taking is updating their data processing and transfer clauses in user agreements and internal policies [storyboard18.com]. Many are performing audits of where all their data flows, to plug any compliance gaps. It’s worth noting that some Indian streaming platforms are inherently more localized – for example, JioHotstar likely keeps data on Reliance’s own servers in India, and ShareChat’s Moj (a homegrown short-video app) would mostly store data in-country as well. These players could turn strict data residency into a selling point (“Your data stays in India”). But even they must be careful when using any third-party services or global CDNs that might transfer data abroad. Meanwhile, international services will be balancing efficiency with compliance – using global clouds for scalability, but ready to pivot to an India-only cloud if the government’s rules demand it.
How Indian Streaming Platforms Are Preparing
With the DPDP law on the horizon (the Act was passed in 2023 but is in the process of full implementation via the 2025 rules), streaming platforms in India – both global players and homegrown services – have sprung into action to get their houses in order. Compliance is a company-wide endeavor, touching legal, tech, product, and even marketing teams. Here’s how some of the key players are preparing:
JioHotstar: Reliance Jio’s new platform after acquiring Disney+ Hotstar blends JioCinema’s tech with Hotstar’s vast audience. Reliance insists all user data stay on Indian soil: profiles, viewing logs, and device IDs reside on domestic servers, while third-party trackers are swapped for home-grown analytics. The group even lobbied regulators to restrict sensitive data exports.
JioHotstar’s GDPR-hardened playbooks now show up locally. The app age-gates at sign-up; viewers under 18 need DigiLocker-verified parental consent before any personalised ads or tracking. Fresh consent tiles let users toggle personalised rows, sports alerts, or marketing emails—each switchable in a streamlined Privacy Hub, hitting DPDP’s “easy withdraw” rule.
Real-time sports telemetry, formerly mined by default, now runs only after opt-in, with sensitive fields hashed or aggregated. When cross-border processing is unavoidable—say, for a U.S. AI model—data is tokenised so raw identities never exit India, keeping JioHotstar within the anticipated “negative-list” limits.
Governance is equally tight: a Data Protection Officer reports to the board, every product sprint clears a privacy-by-design checklist, and ad-tech partners must show proof of consent.
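The tokenise-before-export step described above, together with a negative-list destination check, might look like this. It is an added example, not JioHotstar's or any platform's code; the field names, the `XX` country code, and the demo key are constructed, and the choice of keyed HMAC-SHA-256 is an assumption. A plain unkeyed hash of a low-entropy identifier such as a phone number can be reversed by enumeration, which the last function demonstrates on a constructed 100-value range.

```python
import hashlib
import hmac

# Hypothetical placeholder: no country has been notified on the negative list yet.
RESTRICTED_DESTINATIONS = {"XX"}
IDENTIFIER_FIELDS = {"user_id", "phone", "device_id"}   # replaced by tokens
DROP_FIELDS = {"email", "ip_address"}                   # never exported

def tokenise(field, value, key):
    """Keyed, field-separated pseudonym; the key stays with the in-country system."""
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def prepare_export(record, destination, key):
    """Return a copy of record that is safe to send to destination, or raise."""
    if destination in RESTRICTED_DESTINATIONS:
        raise PermissionError(f"transfer to {destination} is on the negative list")
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in IDENTIFIER_FIELDS:
            out[field + "_token"] = tokenise(field, str(value), key)
        else:
            out[field] = value
    return out

def leaked_values(record, exported):
    """Names of identifier fields whose raw value still appears in the export."""
    blob = repr(exported)
    return sorted(f for f in IDENTIFIER_FIELDS | DROP_FIELDS
                  if f in record and str(record[f]) in blob)

def guess_from_digest(digest, candidates, hasher):
    """Enumerate a candidate space against a digest; return the match or None."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), digest):
            return candidate
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key lives in a KMS
    record = {"user_id": "u-48213", "phone": "9876543210", "email": "a@example.com",
              "device_id": "dev-77aa01", "title": "match-highlights", "watch_seconds": 5400}
    exported = prepare_export(record, "US", key)
    print(exported, leaked_values(record, exported))
    space = [str(9876543200 + i) for i in range(100)]
    plain = hashlib.sha256(record["phone"].encode()).hexdigest()
    print(guess_from_digest(plain, space, lambda c: hashlib.sha256(c.encode()).hexdigest()))
    print(guess_from_digest(exported["phone_token"], space,
                            lambda c: tokenise("phone", c, b"attacker-guess")))
```

Because the token is deterministic, the overseas processor can still join events for the same viewer, while re-identification requires the key that stays in India.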
Netflix India: Netflix operates globally but has a significant and growing subscriber base in India. Netflix has dealt with strict privacy laws in Europe (GDPR) and elsewhere, so it likely has a mature data protection program. For India, Netflix will be updating user consent flows possibly in subtle ways – for example, when you create a new profile or account, expect clearer prompts about data usage.
Netflix might also provide more in-app privacy options for Indian users, such as toggling personalized recommendations or controlling what data is shared for Netflix’s research and algorithm training. (Globally, Netflix already allows users to thumb up/down content for better recommendations – in India they may frame such features clearly as optional personalization tools subject to consent.) Because Netflix caters to families (they have a Kids profile feature), they will ensure that kids’ profiles are compliant – e.g., no targeted content or ads at all in kids’ profiles (Netflix anyway doesn’t have ads in its current plans, but if it introduces an ad-supported tier in India like it did in some countries, it will have to be extremely careful with any accounts labeled under 18). On cross-border data, Netflix likely keeps user watch histories and preferences on servers outside India (like AWS in the US or EU).
Under DPDP, this is allowed unless those countries are blacklisted, but Netflix will keep an eye on any such government notifications. If needed, Netflix could shift to an India region cloud or replicate data locally to continue smooth service. The company has not made many public statements on DPDP, but one can infer from its global stance that it will treat the Indian law with the seriousness of GDPR – meaning rigorous internal audits, updating vendor contracts (since even data processors must comply), and possibly offering Indian users similar rights management as EU users (a way to download your data, delete account info, etc., in compliance with the Act’s provisions).
ShareChat & Moj: ShareChat, a homegrown social media and short-video platform (Moj is its TikTok-like app), faces a unique challenge because a huge part of its user base is young individuals creating and consuming content, and the service is free and ad-supported. ShareChat’s CEO voiced concerns back when the bill was being drafted that setting the consent age at 18 (higher than some global norms) could be problematic for growth [m.economictimes.com], but the law indeed defines children as under 18. So, ShareChat and Moj will have to obtain parental consent for potentially millions of teen users – or find a workable solution like adjusting the experience for minors.
They might implement a self-declaration at signup (e.g., “I am 18+” checkbox) to at least identify which users might be minors. For those who say they are under 18 (or perhaps if their usage patterns suggest it), Moj could require an email from a parent or an OTP verification of a parent’s identity via DigiLocker’s upcoming solution. It’s a tricky balance because adding too much friction could drive young users away (and they form a large chunk of Moj’s audience). ShareChat will also have to curtail personalized ads for under-18 users. Likely, they will default minors to a more general content feed. For adult users, ShareChat/Moj will start showing more granular consent notices – perhaps asking for permission to use your content liking and sharing history to recommend new posts, or permission to use your device info for targeted ads.
In the meantime, ShareChat has been bolstering its compliance team – for instance, looking to appoint dedicated Data Protection Officers and beefing up data security audits. They’ve reportedly begun updating privacy policies to be more transparent about data practices and user rights. Also, since ShareChat is preparing to allow political advertising on its platforms [m.economictimes.com], it must tread carefully: political opinion could be sensitive personal data, and targeting ads by political preferences might invite scrutiny under DPDP’s principles of purpose limitation and consent. We may see ShareChat offering opt-outs for personalized ads or prompts that explicitly ask users if they want to see tailored content.
Other Indian OTTs (Zee5, SonyLIV, etc.): Other Indian-run platforms like Zee5, SonyLIV, and newer ones like Tata Play’s OTT aggregation will similarly be focusing on hiring privacy professionals and conducting internal audits [storyboard18.com]. Many companies across sectors, from media to finance, have started appointing Data Protection Officers and doing gap assessments to comply with DPDP. Streaming services are no exception – their legal teams are likely working overtime to rewrite privacy policies in plainer language, set up user consent logs, and ensure a mechanism for addressing user rights requests (for example, if someone asks “delete all my data,” the platform needs a workflow to do so within the lawful time frame).
Indian OTTs also need to get their advertising partners and tech vendors in line. For example, if an OTT platform uses a third-party ad network to fill video ad slots, that ad network will also have to comply with DPDP (as a data processor or separate fiduciary). This means contracts are being updated with data protection addendums, and some practices like dropping tracking cookies or sharing user identifiers with external ad partners might be curtailed. A practical change viewers might notice is more visible cookie consent notices on OTT websites, and options in apps to say yes or no to “personalized ads.”
The Internet and Mobile Association of India (IAMAI), representing digital companies, has been lobbying for a 24-month implementation timeline given the technical and financial effort required [storyboard18.com]. If that grace period is granted, streaming services will use the time to carefully roll out these changes in phases, test what works for user experience, and educate their users about the new privacy options.
Outlook: A New Normal for Indian Streaming
As the DPDP Act rules get finalized and enforcement kicks in (expected soon), streaming industry professionals should prepare for a new normal. Compliance will not be a one-time project but an ongoing process – much like how GDPR transformed companies in Europe. We can anticipate a few outcomes in the coming months and years:
User Experience Changes: Don’t be surprised if your favorite OTT app’s login or settings page looks different. More privacy notices, consent pop-ups, and granular controls will become standard. The challenge will be to integrate these smoothly so that they inform but not irritate users. The hope is that through smart UX design and perhaps standardized consent interfaces, users will easily understand their choices. A well-implemented system could even improve trust – for example, a clear prompt that explains why an app wants your data can reassure users and lead them to agree if they see value.
Competitive Differentiation on Privacy: Some streaming platforms might use privacy as a selling point in marketing. We might hear slogans like “Your privacy is our priority” or see features highlighting how little data a service collects. Smaller or newer entrants could attempt to win audiences by saying they are more respectful of data than the big players. On the other hand, the bigger players can leverage their advanced compliance infrastructure as a trust signal – e.g., a global player can say “we comply with the world’s strictest standards, including India’s DPDP Act.” As noted earlier, cultivating a reputation for high privacy standards can enhance audience loyalty.
Monetization Balancing Act: Streaming platforms will likely diversify revenue strategies. If personalized ads face hurdles, there may be increased experimentation with subscription bundles, premium ad-free tiers, or commerce integrations to reduce reliance on ad targeting revenue. Advertisers and brands will adapt too – focusing on contextual ads, sponsorships, and creative that works in a privacy-constrained environment. In the end, those advertisers still want access to the vast streaming audiences; they will just find new, hopefully privacy-compliant, ways to reach them.
Stronger Data Governance Culture: Internally, streaming companies in India will mature in how they handle data. Many are establishing formal data governance committees, conducting regular audits, and training employees at all levels about privacy. “Privacy by design” will be more than a buzzword – it will be part of the product development checklist.
For example, when launching a new feature, the team will consciously decide what user data is absolutely necessary for it to function and how to minimize or secure that data. We’re already seeing major firms hiring Data Protection Officers and data governance leads to oversee these efforts. This professionalization of privacy will likely benefit users and companies alike, by reducing breaches and building resilience against regulatory scrutiny.
Unresolved Questions: There are still areas that will evolve. The government’s plan for the Consent Manager system needs to be clarified – once standards are in place, will streaming apps integrate with a government-certified consent dashboard used across apps?
How will enforcement work – will there be audits or only complaint-driven action by the Data Protection Board? The answers will shape how strictly and uniformly streaming services implement the rules. Additionally, if the government revisits the age-of-consent (there’s talk of possibly lowering it to 16 in the future depending on global norms), platforms might have to adjust their processes again. The regulatory landscape might continue to shift with related laws (for instance, there’s concurrently a push for a new Digital India Act that could overlap with some IT and content regulations). Streaming companies will need to stay agile and engaged in policy discussions to avoid being caught off guard.
In Budapest, wealthy Indian-origin businessman Pankaj Bhatti is found brutally murdered. What initially looks like a hate crime soon unravels into a complex conspiracy. Detective Sherdil, a witty and unorthodox investigator, joins forces with Natasha to solve the case - Diljit Dosanjh and Boman Irani in the same movie make it a worthwhile watch!