Sector-wise readiness
Online and real money gaming: the 50 lakh line, not 2 crore
A misconception I keep seeing when gaming startups read DPDP checklists: "the auto-erasure rules are for the giants, we are mid-size, we are clear."
That is the assumption that catches gaming operators out, because your threshold is not the one everyone quotes.
E-commerce and social media cross into the Third Schedule retention regime at 2 crore users. Online and real money gaming crosses it at 50 lakh. That is a quarter of the bar. A mid-size operator who feels small next to the 2 crore number can already be fully in scope and not realise it.
A sector map is a superset, not a launch checklist. So start with what applies to everyone, whatever your size.
What applies from the start, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
What gaming lives on from day one, whatever your user count
- ✅ KYC, wallet and payment security. Encrypt and tokenise KYC documents, wallet balances and transaction logs, with tight access control.
- ✅ One-year transaction logs. Keep transaction logs for at least a year from the transaction.
- ✅ Age assurance. Robust checks so minors are not onboarded into real money play, and no behavioural monitoring of children. This one is absolute.
What switches on only once you cross 50 lakh users
- ⚠️ The 3-year inactivity erasure regime, with the user account and virtual token carve-outs.
- ⚠️ 48-hour pre-erasure notice.
These apply automatically at the threshold. They do not apply before it, but from the day you cross it they do, whether or not anyone has notified you.
Kept separate from all of the above
- ❌ SDF obligations. Crossing 50 lakh brings the retention regime by size, but it does not make you a Significant Data Fiduciary. That status comes only on Government notification. Large operators should assess it. Nobody becomes one automatically.
The better question
The better question is not "are we big enough for the gaming rules?"
It is "have we actually crossed 50 lakh, and have we built the day one basics regardless?"
Law creates obligations. Scale and risk influence implementation. But KYC security and transaction logs apply from your first paying user. The threshold only adds to that floor.
Next in this series: social media and UGC platforms, where the 2 crore line and content data meet.