DPDP Act Compliance for Telecom Operators in India

Monetising SIM-Linked Data Without Crossing the Red Lines 

Prosoll Law Insight on the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025

Under India’s evolving data protection framework, particularly the Digital Personal Data Protection Act, 2023, how do you see telecom operators navigating their dual role as connectivity providers and emerging data intermediaries for advertising? What are the key compliance risks and regulatory guardrails under DPDP Act compliance for telecom operators that will shape their ability to monetise SIM-linked identity, KYC-verified identity data and user data?

India’s telecom sector sits on one of the richest pools of identity data in the country and that is exactly why DPDP Act compliance for telecom operators has become a board-level priority. With the Digital Personal Data Protection Act, 2023 now operationalised through the DPDP Rules, 2025 (notified on 13 November 2025), every operator that processes subscriber data must rethink how it collects, retains, shares and monetises that data.

Key Takeaways

• Telecom data is not “ordinary” personal data. It is SIM-linked, KYC-verified identity data, which raises the compliance threshold sharply.
• Most large operators will be classified as Significant Data Fiduciaries (SDFs), triggering audits, Data Protection Impact Assessments and a Data Protection Officer.
• Monetising user data for advertising requires clear, specific and informed consent. KYC data cannot be silently repurposed.
• There is a real tension between telecom retention mandates and DPDP purpose limitation that operators must manage deliberately.
• Penalties run up to ₹250 crore for security failures making privacy-by-design a commercial necessity, not a compliance afterthought.

Why Telecom Operators Face a Higher Compliance Bar

Telecom operators occupy a uniquely sensitive position in India’s data ecosystem. The data they hold is SIM-linked, KYC-verified identity data such as subscriber details, identity proofs, device mapping, location and usage metadata, all tied to a verified individual. That verification layer is what elevates the telecom data protection threshold above almost every other sector.

Under the Digital Personal Data Protection Act, 2023, such data cannot be repurposed for advertising or profiling without clear, specific and informed consent. Given their scale and the nature of the data processed, most operators are also likely to be designated as Significant Data Fiduciaries (SDFs), attracting heightened obligations around security, auditability and accountability.

What SDF status means in practice

Under the DPDP Rules, 2025, a Significant Data Fiduciary must:

• Appoint a Data Protection Officer (DPO) based in India and accountable to the board;
• Conduct periodic Data Protection Impact Assessments (DPIAs) and independent audits;
• Demonstrate algorithmic accountability where automated processing affects data principals;
• Maintain robust breach notification and record-keeping systems.

Operators should treat May 2027 (when the substantive obligations under Rules 3, 5–16, 22 and 23 take full effect) as a firm project deadline and work backward from it.

Telecom Retention vs DPDP Purpose Limitation

A structural tension runs through the regime. Telecom regulations mandate retention of subscriber and usage data for security and lawful-interception purposes, while data protection principles require purpose limitation and deletion once the purpose is fulfilled, unless retention is legally mandated.

The real risk arises where data collected for SIM verification or service delivery is quietly repurposed for commercial use. In such cases, even anonymization offers limited protection.  Telecom datasets, by their very nature, are often capable of re-identification. A location trail tied to a device is rarely as “anonymous” as it looks.

Retention obligation vs purpose limitation

The Emerging Compliance Model for Data Monetisation

Operators have already started recalibrating. The emerging data monetization compliance model is to strictly ringfence SIM/KYC identity data and rely on consent-driven frameworks supported by tokenisation, hashing and controlled environments.

Monetisation is increasingly structured around aggregated or cohort-level insights rather than disclosure of identifiable data. Crucially, the operator remains the Data Fiduciary throughout and cannot contract out of its statutory obligations. For instance, outsourcing processing to an ad-tech vendor does not outsource liability.

Four-step framework

1. Ringfence identity data. Isolate SIM/KYC data in a controlled environment with strict access controls.
2. Layer consent. Obtain clear, specific, informed and withdrawable consent under the DPDP Act for any advertising or profiling use, integrated with a registered Consent Manager.
3. De-identify and aggregate. Use tokenisation and hashing; monetise cohort-level insights, not individuals.
4. Govern continuously. Run DPIAs, audits and breach drills; document everything to evidence privacy-by-design.

What Telecom Operators Must Never Do

A telecom operator should never:

• Use SIM-linked or KYC data for advertising without valid consent;
• Engage in opaque data sharing or linkage with third parties;
• Rely on weak anonymisation that permits re-identification;
• Build profiles based on usage patterns without a lawful basis.

If the data can be traced, directly or indirectly, to a SIM-verified individual, it remains regulated personal data. In effect, telecom operators are not merely data holders but custodians of a verified identity layer. Their ability to monetize such data will depend not on access but on whether they can demonstrate strict adherence to consent, purpose limitation, and privacy-by-design.

Penalties for Non-Compliance Under the DPDP Act

The financial stakes make DPDP compliance a commercial imperative. The Schedule to the Act sets out maximum penalties imposed by the Data Protection Board of India:

•  ₹250 crore — failure to maintain reasonable security safeguards;
• ₹200 crore — failure to notify a personal data breach;
• ₹150 crore — failure to fulfil additional SDF obligations;

Notably, there is no cure period. The Board can penalise without a grace window, though it must grant a hearing first.

How Prosoll Law Helps Telecom Operators Stay Compliant

Prosoll Law’s Data Protection & Privacy practice advises telecom operators, OTT platforms and ad-tech partners on the full DPDP Act compliance lifecycle from data mapping and consent architecture to SDF readiness, DPIAs, vendor contracts and breach response. We translate the law into operational, defensible frameworks that let businesses monetize data responsibly while staying firmly inside the regulatory guardrails.

If your organization processes SIM-linked or KYC-verified data, speak to Prosoll Law about a DPDP gap assessment before the May 2027 obligations bite.