Strict rules regarding privacy: How will the DPDP Act change the monitoring of OTT messaging platforms?

OTT messaging platforms occupy a unique and complex position in India’s digital regulatory framework. These platforms simultaneously act as communication service providers, large-scale content intermediaries and processors of personal data. This is why two different regulatory frameworks apply to them in parallel: first, the Digital Personal Data Protection Act, 2023 (DPDP), and second, the Information Technology Act, 2000 (IT Act) along with its guidelines.

The challenge before OTT platforms is not just to understand the laws, but to comply with both together, so that neither privacy rules are violated nor ‘Safe Harbor’ protection is lost. According to Kaushik Moitra of Bharucha & Partners, India is currently going through a phase of change, where both the laws are evolving.

The DPDP regime is being implemented in phases. The Data Protection Board and framework have been in effect since 13 November 2025. The ‘Consent Manager’ rules will be introduced in November 2026, and the most important compliances (such as notice, consent, data principal rights and protection of children’s data) will come into effect from 13 May 2027.

The IT rules have been amended with effect from 15 November 2025. Under the change in Rule 3(1)(d), now only court orders or authorized government information will be considered limited. OTT platforms will be the first to feel this double pressure, as they handle metadata, logs and user information.

The two main points are transparency and grievance redressal. Both laws demand transparency. The IT rules make it mandatory to publish a privacy policy and appoint a grievance officer. The DPDP law demands clear notice and consent mechanisms and safeguards for data principals.

The IT rules specifically require social media intermediaries to identify the first originator of a message in certain circumstances, which encourages platforms to safeguard data and create traceability mechanisms. In contrast, the DPDP law emphasizes data minimization (minimum collection of data) and purpose limitation. That is, one law asks platforms to keep data for investigation, while the other asks them to delete data for privacy.

Platforms should create an integrated operating model instead of running two separate programs. It should cover three main areas of responsibility. First, content and security: complaints should be assessed and action taken under the IT rules. Second, data validity: this sets the deadline for DPDP compliance, consent management and data retention. Third, legal process: this confirms government orders and court instructions.

Platforms should prepare a ‘decision matrix’ for cases like harassment, fraud or child protection, which decides in advance which data will be collected, what action will be taken and for how long the data will be kept.

Compliance can no longer be a parallel checklist for OTT messaging platforms. They need a balanced system that can act quickly on legal orders while strictly following the principles of data minimization. If they do not succeed in reconciling these two obligations, they will, on the one hand, risk losing their intermediary protection (safe harbour) and, on the other hand, become subject to heavy penalties under the DPDP.
