Sunday, March 22, 2026

OPINION | Privacy With Teeth: How The DPDP Act Changes The Regulatory Landscape For OTT Messaging Platforms

OTT messaging platforms occupy a distinctive position within India’s digital regulatory architecture. These platforms operate simultaneously as communication services, large-scale content intermediaries, and processors of vast volumes of personal data. As a result, they are subject, often in parallel, to regulatory frameworks designed for different objectives.

First, the Digital Personal Data Protection Act, 2023, along with the Digital Personal Data Protection Rules, 2025 (the DPDP regime), governs the collection, processing, retention, sharing, and security of personal data. Its focus is individual rights, data accountability, and enforcement. Secondly, the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the Intermediary Guidelines regime) regulate platform liability, safe-harbour protections, content moderation obligations, and grievance redressal mechanisms.

The regulatory challenge for OTT messaging platforms lies not in interpreting either framework in isolation, but in operationalising both simultaneously, without hollowing out privacy protections under the DPDP regime or eroding the safe-harbour safeguards that underpin the intermediary framework.

Evolving Compliance Regime

India is currently in a transitional compliance phase for OTT messaging platforms, with the DPDP and Intermediary Guidelines regimes evolving in parallel. The Digital Personal Data Protection Act, 2023, is being operationalised in phases, which requires platforms to navigate overlapping regulatory timelines.

With effect from 13 November 2025, the DPDP regime’s foundational architecture came into force, including its definitional framework and institutional enforcement mechanisms, notably the establishment and functioning of the Data Protection Board. A year later, on 13 November 2026, provisions relating to the consent manager framework are scheduled to commence.

The core operational compliance obligations that cover lawful processing, notice and consent requirements, fiduciary duties, data principal rights, safeguards relating to children’s data, and the enhanced obligations applicable to designated entities are scheduled to apply from 13 May 2027 (MeitY Notification G.S.R. 843(E), 13 November 2025). For OTT messaging platforms, this staggered rollout underscores the need for early alignment of governance, technical systems, and compliance strategy, well before the final phase takes effect.

In parallel, the Intermediary Guidelines regime is also undergoing revision. With effect from 15 November 2025, Rule 3(1)(d) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 was substituted in its entirety. While the 36-hour takedown obligation has been retained, the amendment narrows the trigger for “actual knowledge” to court orders or reasoned intimations issued by authorised officers (MeitY Notification G.S.R. 775(E), 22 October 2025).

First In Line

OTT messaging platforms are among the first to feel the combined force of these regimes, as they routinely handle user data, including, inter alia, identifiers, device and network information, metadata, backups, and operational logs. They also rely on safety measures that naturally create retention pressure, such as preserving evidence for user complaints, detecting spam or fraud, and responding to child safety concerns.

Under the DPDP regime, data handling is governed by the lawful basis for processing, the design and delivery of notices and consent mechanisms, purpose limitation, data minimisation, retention and deletion obligations, security safeguards, and the platform’s capacity to respond to data principal rights. Under the Intermediary Guidelines regime, the same platforms are treated as intermediaries and required to satisfy prescribed due diligence obligations to retain statutory safe-harbour protections (Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, r. 7). They must also operate content and grievance systems that can take swift action against unlawful information. The result is that features such as reporting, blocking, verification, complaint intake, and law enforcement coordination become compliance touchpoints under both regimes.

Overlaps & Compliances 

The main overlap shows up in the transparency requirement. The Intermediary Guidelines regime requires intermediaries to publish their privacy policy and user agreement (Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, r. 3(1)(a)) and to notify users of prohibited categories of content and the platform’s right to act on violations. The DPDP regime reinforces a similar requirement from a privacy lens by requiring clear notice and, where applicable, valid consent for processing (Digital Personal Data Protection Act, 2023, s. 5).

The second point of alignment is grievance and redressal. The Intermediary Guidelines regime requires the appointment of a grievance officer and imposes structured timelines and processes for handling user complaints (Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, r. 3(2)). The DPDP regime, in parallel, provides a redressal pathway for data principals, including handling rights requests and the possibility of escalation to the Data Protection Board, where applicable (Digital Personal Data Protection Act, 2023, s. 8(10)).

The Tug & Pulls Of Regimes 

The point of friction lies in the overlap between these regimes, where intermediary due diligence obligations may, in practice, pull against the DPDP framework’s privacy-first design. For instance, the Intermediary Guidelines regime pushes platforms towards faster and broader enforcement requirements, while the DPDP regime pushes them towards minimised data processing. The Intermediary Rules, as applicable to significant social media intermediaries providing messaging services, have often been understood as requiring the ability to identify the first originator of certain information in specific circumstances (Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, r. 4(2)). This tends to incentivise identity-linked traceability mechanisms, whereas the DPDP regime makes this difficult by incorporating purpose limitation, data minimisation, and security safeguards into its framework.

The platform should be able to document the necessity, restrict access, and explain which information is strictly required to comply with a lawful direction.

A second conflict is that speedy takedown compliance naturally creates retention pressure, as takedown workflows often lead platforms to retain user data and complaint artefacts far longer and more broadly than necessary, while the DPDP regime requires retention to be purpose-tied and time-bound (Digital Personal Data Protection Act, 2023, s. 8(7)).

A reconciliation strategy is less about building two compliance programmes and more about building one operating model for complaints, orders and user requests. There must be three lines of responsibility in a workable model for a messaging platform. One line of responsibility should own content legality and user safety, including complaint assessment and action under the Intermediary Guidelines regime. A second should own data legality, including DPDP compliance, notice and consent integrity, retention logic and user rights handling. A third should own government and legal process, including validation of court orders and statutory directions. Once those roles are fixed, the platform should institutionalise a single decision matrix for recurring scenarios, including harassment, impersonation, fraud, non-consensual intimate imagery, child safety complaints, defamation and government directions. Each case type should have a pre-agreed approach to what data is collected, what action is taken, what is retained and for how long, and who signs off on disclosures.

The Intermediary Guidelines regime regulates platform conduct through the logic of safe harbour, while the DPDP regime assesses the same conduct through the lenses of individual rights and systemic risk. For OTT messaging platforms, compliance cannot be approached as parallel checklists. What is required is a single, integrated operating model, one that enables swift response to lawful takedown and grievance obligations, enforces disciplined data minimisation and retention practices, and maintains an auditable record capable of withstanding scrutiny under both frameworks. Platforms that fail to harmonise these obligations risk eroding safe-harbour protections on the one hand, and triggering DPDP enforcement on the other.

(Kaushik Moitra is a partner and Bebin Prakash is an associate at Bharucha & Partners)

Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.
