The telecom industry in India, now classified as “Significant Data Fiduciaries” (SDFs) under the newly notified DPDP Rules 2025, has warned that several important concerns raised during public consultations remain unresolved, posing major compliance and operational challenges for operators.
Telecom companies, represented by Cellular Operators Association of India (COAI), have flagged key gaps such as the definition and parameters of the security-compliance framework, the methodology for verifiable consent for minors, and obligations around Data Protection Impact Assessments (DPIA). They argue that many provisions are either vague or not aligned with the existing telecom regulatory environment, making it difficult to comply without risking service disruptions.
A major concern is the restriction on consent management. Under the new rules, directors or key personnel of data fiduciaries are barred from associating with external consent-manager entities, an approach that COAI calls “overly stringent.” Given that telecom firms already have mature internal systems, they believe a single interoperable consent-management system (potentially shared across the industry) should be allowed, instead of forcing each company to outsource consent management.
Another point of contention is the overlapping compliance burden. Telecom firms must simultaneously adhere to the DPDP rules, existing security regulations under the IT laws, and guidelines from CERT-In or the Ministry. COAI has recommended harmonizing breach-reporting timelines and consolidating incident-notification formats to avoid duplication and confusion.
The industry has formally committed to cooperating with the government and submitted detailed feedback to the Ministry of Electronics and Information Technology (MeitY)- but insists that practical exemptions, risk-based compliance standards, and clarity in age consent, consent management and breach reporting are essential for smooth implementation.
