Navigating Privacy in Media and Entertainment: The Impact of India's DPDP Act of 2023


In the dynamic landscape of the media and entertainment (M&E) industry, where content is king, the safeguarding of user data has become a paramount concern. The Digital Personal Data Protection Act (DPDP Act) of 2023 in India emerges as a pivotal force reshaping how M&E companies handle personal data. Understanding the significance of privacy in this industry is essential to comprehend the profound impact the DPDP Act is poised to have. 


In an era where M&E companies operate across diverse platforms and jurisdictions, user trust stands as the cornerstone of their success. The direct and intimate relationship these companies have with consumers places a premium on privacy. Unlike an anonymous ad company, media companies hold a special place in users’ lives, making data breaches not just an annoyance but a profound betrayal. This has been evident in past incidents, such as the Sony PlayStation Network hack, after which it took the company years to regain gamers’ trust.

Moreover, the regulatory landscape has intensified, with laws like the DPDP Act becoming formidable tools for consumer protection. As M&E companies interact directly with both content and consumers, they are under constant scrutiny from both users and regulators. The downstream ecosystem of ads and marketing relies heavily on data collected by these companies, placing them at the forefront of regulatory attention. 


The DPDP Act introduces several provisions that directly impact how M&E companies handle personal data. These are: 

  • Consent Dynamics: 

One of the key pillars of the DPDP Act is the explicit requirement for companies to obtain consent before collecting or using personal data. In an industry where user data fuels targeted marketing and content recommendations, obtaining informed consent adds a layer of complexity. This shift may alter user engagement dynamics and pose challenges to traditional data-driven marketing strategies. 

  • Data Minimization Challenge:

The Act mandates data minimization, compelling companies to limit the personal data they collect. For M&E companies accustomed to creating detailed user profiles for personalized content recommendations, this poses a significant challenge. The precision of targeted advertising and user experience may be influenced as a result. 

  • Data Retention Constraints: 

Companies are now required to retain personal data only for as long as necessary for the original purpose. This has repercussions for M&E companies relying on extended user behavior tracking to enhance content recommendations and refine services. Business models and analytics strategies may need adjustment to comply with shorter data retention periods. 

  • Data Localization Imperative: 

A distinctive feature of the DPDP Act is the requirement for companies to store personal data within India. This challenges the infrastructure choices of M&E companies, particularly those relying on cloud-based services with data stored outside the country. Adapting to data localization requirements may require substantial investments in new technologies and processes.


While adapting to the DPDP Act presents challenges, it also creates opportunities for M&E companies.

  • Building Consumer Trust: 

Privacy-conscious practices aligned with the DPDP Act can enhance consumer trust and loyalty. As users become more aware of and confident in how their data is handled, M&E companies adopting these practices may gain a competitive edge in an industry where trust is paramount. 

  • Navigating Regulatory Landscape: 

DPDP Act compliance goes beyond fulfilling specific provisions; it positions companies to navigate the evolving regulatory landscape effectively. Proactive adjustments in technology and communication strategies demonstrate a commitment to privacy, mitigating the risk of regulatory backlash. 


The DPDP Act of 2023 is a transformative force for the media and entertainment industry in India, emphasizing the critical role of privacy. As companies adapt to its provisions, they must navigate the delicate balance between compliance and maintaining user trust. While challenges lie in reshaping data practices and infrastructure, the opportunities for building stronger relationships with users and thriving in a privacy-conscious era are significant. The DPDP Act marks a pivotal moment in the industry’s journey toward a more secure, transparent, and consumer-centric approach to data privacy. 

Major Privacy Updates of the Week

Canadian Government Employee Data Faces a Major Breach

The cybercriminal organization LockBit has taken credit for a significant security breach, as reported by SC Magazine, involving the theft of 1.5 terabytes of data belonging to employees of the Canadian government. The Treasury Board of Canada Secretariat is currently engaged in efforts to pinpoint the exact individuals impacted by this breach. Nevertheless, it’s possible that any government employee who has engaged with two government contractors since 1999 might have had their personal and financial information compromised.

Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records

U.S. Senator Ron Wyden from Oregon, a Democrat, has penned a letter to Attorney General Merrick Garland, raising concerns about the legal standing of the Data Analytical Services. This government surveillance initiative, as reported by Wired, collaborates with AT&T to gather phone records from individuals who have been in contact with suspects of criminal activities. Wyden argues that this program infringes on privacy rights and could provoke significant anger among numerous Americans and fellow Congress members.  

PCPD Publishes 2022-23 Annual Report

The 2022-2023 annual report from Hong Kong’s Office of the Privacy Commissioner for Personal Data has been published, detailing the implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021. The report by the PCPD revealed that the office has actively taken steps to combat doxing. It also included a few investigative reports that emphasize the significance of protecting privacy and offer suggestions to avoid future incidents of similar privacy violations.  

Morgan Stanley, US states reach $6.5M data security settlement

New York’s Attorney General, Letitia James, declared that a settlement of 6.5 million dollars has been reached with the global financial corporation Morgan Stanley. This follows a lawsuit involving multiple states, which accused the firm of jeopardizing consumer data. Attorneys general from Connecticut, Florida, Indiana, New Jersey, New York, and Vermont alleged that Morgan Stanley did not properly decommission its computers and failed to delete unencrypted data from some computer devices before they were auctioned off.

Personal info, including staff social insurance numbers, stolen in Toronto library cyberattack

CBC News has reported that the Toronto Public Library was targeted in a ransomware attack, resulting in the theft of personally identifiable information of both current and former employees. The library is actively engaged in identifying the exact employees who have been impacted by this breach. Additionally, it has announced plans to provide two years of complimentary credit monitoring services to those staff members whose personal data was compromised.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

