Online Gaming Platforms and Self-Regulation

Exploring the Feasibility of the Mechanism

** Anay Mehrotra and Puneet Srivastava

INTRODUCTION

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘New IT Rules’), were amended on April 6, 2023, by the Union Ministry of Electronics and Information Technology (MeitY). These amendments aim to protect online game players from ‘potential harm’ and ‘regulate’ various aspects of online gaming. However, significant concerns have emerged, which need to be addressed by the authorities.

Governments struggle to amend existing laws to keep pace with technological advancements, as highlighted in the Economic Survey 2020-21. We believe that this assessment extends to online gaming platforms as well. The Survey notes that modern regulations are often complex because regulators try to foresee every possible scenario, fearing the consequences of ex-post facto audits of their discretion. However, regulations cannot account for all circumstances, leading to more discretion and interpretations. The Survey recommends developing principles-based regulation that allows for flexibility while ensuring transparency and effective post-facto enforcement. 

While this principle-based approach has not yet been applied to Indian technology regulation, the core principles of the traditional model used in financial regulation, which is grounded in a principle-based framework, can be applied to the amended IT Rules to evaluate their feasibility.  Current literature suggests evaluating whether the necessity of regulation aligns with its stringency, focusing on three core objectives of the principle based-framework: fairness, market integrity, and financial stability. If the amended rules fall short under this framework, future legislation should incorporate these principles to ensure greater regulatory fairness.

IN-DEPTH ANALYSIS AND CRITIQUE ON THE NEW IT RULES

In this section, we will be analyzing the amendment based on fairness, market integrity, and financial stability: 

A. REGULATORY FAIRNESS AND THE ‘DUCK’ PRINCIPLE

Simply put, the ‘Duck’ principle dictates that institutions performing the same functions must be regulated the same way. The Duck principle rests on regulatory fairness, i.e., in so far as institutions entail similar risks and activities they shall be regulated with proportional stringency, so as to not unfairly advantage one online domain over the other. The idea is if it “walks like a duck and quacks like a duck,” then it should be regulated like a duck. It is based on the principle of activity-based regulation as opposed to entity-based regulation, which can be applied more broadly. This means the legal nature of the entity is less important than the actual activity it engages in. We believe that the New IT rules breach this principle on the following two fronts: 

1. THE PAY TO PLAY AND FREE TO PLAY CONUNDRUM

The definitions provided under the New IT Rules pave the way for ambiguity and vagueness. As per Rule 2(qa) an online game is “a game that is offered on the Internet and is accessible by a user through a computer resource if he deposits with the expectation of earning winnings“. However, this definition remains unclear regarding free-to-play games with in-app purchases. These games may start free but require later purchases, blurring the line between free and paid games.

Rule 2(qd) further complicates the matter by including non-monetary exchanges in the definitions of ‘deposit’ and ‘winnings’. This means that even games without real money involvement could be regulated under the New IT Rules. The rules fail to clearly distinguish between real money games and those without monetary deposits, leaving open questions about how deposits or winnings “in kind” should be treated. As a result, games involving only non-monetary exchanges still fall under these regulations, leading to potential over-regulation.

For instance, consider a scenario where an online gaming company offers a game on a subscription basis. Users pay a subscription fee to access different levels of the game, without any expectation of winning prizes. While the subscription fee might technically be considered a “deposit,” the absence of prize winnings means the game does not fit the definition of an “online game” under the New IT Rules. Therefore, such games may fall outside the scope of the regulations, despite the payment aspect.

2. LEGAL UNCERTAINTY OF ESPORTS 

Furthermore, due to current gaps in the law, esports gaming is likely to be considered under the definition of an online game. Therefore, categorizing esports solely as an online game may not only harm gamers’ interests but also create challenges for the gaming industry. For instance, players may purchase esports games expecting to win prizes through tournaments or special offers that incentivize game purchases. Although these games may not directly involve gambling or betting, they often include prize money. The amendment does not clearly specify whether such games fall under their jurisdiction. This ambiguity could present a significant obstacle for the gaming industry, forcing companies to be cautious about introducing incentives to promote their games. Many jurisdictions worldwide have enacted separate legislation specifically for esports.

From the above examples, it can be deduced that the amendment primarily focuses on pay-to-play games. However, a closer analysis reveals that free-to-play games can easily be converted into pay-to-play models, thereby violating the Duck Principle. The Duck Principle is violated because the rules fail to recognize that games appearing free on the surface may still function like paid games through hidden monetization elements. This suggests that the rules do not adequately address the evolving nature of gaming platforms. 

B. MARKET INTEGRITY AND CONSUMER SAFETY: IS THE TIGHTER REGULATION JUSTIFIED 

Another essential element of proportionate regulation is that the stringency of regulation should be correlated to the threats to the market integrity of the domain being regulated. A greater risk to consumers would permit a proportionately closer scrutiny by the regulators. This is rooted in an understanding of the regulation theory that regulation functions for the public interest, which requires the elimination of information asymmetries since they lead to market inefficiencies and consumer detriment. We believe that the New IT rules breach this principle on the following two fronts:

1. MARKET INTEGRITY

Market Integrity is defined as the need to ensure that markets, through regulations, operate fairly and safely in order to encourage the widest possible confidence in them, thereby promoting high levels of savings and investments. Public regulation of markets therefore looks at issues such as the integrity of price formation, the prevention of manipulative behaviour that deliberately attempts to distort this market price, the provision of a sound legal basis for financial dealings and adequate laws for customer protection.

However, in the realm of online gaming, companies often act more as publishers rather than traditional intermediaries. Interactions occur between individual players and the gaming platform, as well as among players themselves, creating a three-way interaction that does not fit the typical definition of an intermediary as a mere conduit.

If a game is classified as an online game and the intermediary (e.g., a platform like Steam) fails to comply with the regulations under the New IT Rules 2021, it could be held liable not only for its own actions but also for the games it offers. This departure from the traditional intermediary role means that the intermediary cannot rely on the “safe harbour” defence typically provided under Section 79(1) of the IT, Act. This shift in accountability could impact the confidence of developers and publishers in the regulatory environment, potentially affecting market integrity as a result.

2. CONSUMER SAFETY: ADDITIONAL DUE-DILIGENCE REQUIREMENTS 

The New IT Rules have provided due diligence requirements for Online Gaming Intermediaries. The Rules allow for the registration of online games with a self-regulatory body that is registered with MeiTY and adheres to the framework established by such bodies. Currently, two self-regulating bodies, the All India Gaming Federation [‘AIGF’] and the Federation of Indian Fantasy Sports [‘FIFS’], have issued charters to regulate online gaming for their respective members. However, there is a lack of uniformity among critical provisions in these charters, such as user restrictions, foreign payment regulations, grievance redressal mechanisms, and audit processes.

The new due diligence requirements introduced in the amendments, particularly (a) the publication of necessary additional information on websites or mobile apps and (b) the mandatory appointment of specific personnel, are positive steps toward regulating the online gaming industry and protecting users. However, the extensive Know Your Customer (KYC) requirements issued by the Reserve Bank of India (RBI) may hinder industry growth by complicating the process of onboarding new users. These KYC norms, outlined in Rule 4(11)(b) of the IT Rules, require strict compliance, including proof of possession of Aadhaar (offline mode), digital signatures, etc., which can be obstacles for new users.

The KYC requirements, aimed at preventing minors from accessing gambling platforms, fail to address broader issues such as gambling addiction. Without ongoing monitoring, minors can bypass these checks by using verified parental accounts. Additionally, the reliance on technological solutions like DigiLocker may exclude certain segments of the gaming community, hindering inclusivity. Furthermore, strict penalties without proportional enforcement mechanisms could adversely impact gaming platforms, affecting market presence and stakeholder ecosystems. These issues highlight the limitations of the current KYC norms in managing broader regulatory challenges effectively. A balanced enforcement approach is crucial to maintaining a healthy online gaming environment.

Given the specific challenges faced by the online gaming industry, a tailored approach to KYC requirements is recommended. This could involve implementing KYC processes exclusively for high-value deposits and winnings, while adopting simpler KYC checks for low-value transactions. An example of this approach is Toggle, which emphasizes adaptable KYC procedures suited to different gaming models, such as online casinos, betting platforms, and fantasy sports. This approach aims to protect the interests of gamers and third-party contributors while addressing industry-specific challenges, reducing friction in onboarding, and fostering responsible growth in the online gaming ecosystem.

C. FINANCIAL STABILITY: FUNCTIONAL AND RISK-WEIGHTED REGULATION

The business model of big techs rests on enabling direct interactions among a large number of users on digital platforms, such as e-commerce, search and social media. An essential by-product is their large stock of user data, which they use to offer a wide range of services and exploit natural network effects, generating further user activity. Building on the self-reinforcing nature of the data- network-activities loop, some big techs have ventured into financial services. The entry of Big Tech into finance promises efficiency gains and greater financial inclusion. At the same time, it introduces new risks associated with market power and data privacy. The nature of the new trade-off between efficiency and privacy will depend on societal preferences, and will vary across jurisdictions. 

Under the New IT Rules there is no specific section that mentions the collection of data by these platforms. An intermediary under Section 2(1)(w) of the IT Act would include gaming platforms as they store, transmit, and receive the data of the users. This makes Section 72A of the IT Act, which penalizes the disclosure of information in breach of lawful contracts, relevant. However, this provision only establishes liability for third-party entities, and it remains uncertain whether existing contracts sufficiently protect minors’ interests and address the sale of personal information on gaming platforms.

Internationally, gaming platforms are legally obligated to process players’ data securely. This duty has been recognized in international jurisdictions. In United States of America v. Epic Games, the Federal Trade Commission (FTC) fined Epic Games Inc. $520 million for violating data protection laws by breaching children’s privacy while playing Fortnite. Similar to international practices, such as HIPAA in the USA (which protects patient information) and GDPR in Europe (specifically Article 32, which mandates secure and lawful data processing), the New IT Rules should include a dedicated section for data protection, eliminating reliance on Section 72A of the IT Act for online gaming platforms.

This dedicated section is essential for improving financial stability and user safety. Key improvements should include a clear data protection framework, protection of minors, transparency in data practices, specific purposes for data usage, stringent security standards, user-friendly consent mechanisms, data ownership and deletion policies, and effective redressal mechanisms. These measures would align Indian regulations with global standards, prioritizing consumer well-being. While it can be argued that the Digital Personal Data Protection Act (‘DPDP’) addresses these concerns, there are three key issues with the DPDP that remain overlooked:     

First, the DPDP imposes additional obligations on companies processing children’s data, requiring parental consent. However, the vague criteria for what constitutes “verifiably safe” create inconsistent standards. A graded approach is essential, as a seventeen-year-old and an eight-year-old should not be treated the same. Second, under the DPDP companies are not required to disclose who the data will be shared with or for what purposes when obtaining consent. They only need to specify what personal data is collected and its intended use. Additionally, companies are no longer obligated to reveal data storage duration, third-party sharing, data sources, or cross-border transfers.. Third, the DPDP allows for delegated legislation, enabling the government to issue rules later without the same parliamentary scrutiny as the original bill. This raises concerns of overreach and potential policy changes, similar to issues with the 2021 IT Rules, potentially leading to information asymmetry.

Therefore, a dedicated framework within the New IT Rules could be introduced which would be treated as lex-specialis to ensure consistency and transparency, providing greater clarity for stakeholders.

CONCLUSION

The proposed amendments to India’s IT Rules seek to regulate the rapidly growing online gaming industry. While the intent is to protect players, concerns have been raised about consumer safety, privacy, and market competition. The stringent regulations may not be proportionate, as they redefine gaming companies as intermediaries, potentially compromising market integrity. Striking a balance between regulation and innovation is crucial. Digital marketplaces in India—such as OTT platforms, eCommerce giants, and now online gaming platforms—are consistently under government scrutiny. Therefore, any new regulation should be based on principle-based regulatory practices to ensure fairness and adaptability.

**Anay Mehrotra and Puneet Srivastava are 4th year law students, studying at the West Bengal National University of Juridical Sciences (WBNUJS), Kolkata.

Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.