A Project by Meridian Bridge Strategy
Book Consultation
📱

DPDP Compliance for Telecom Companies

Telecom operators are India's largest data processors by volume — call records, location data, browsing history, and Aadhaar-linked identities. DPDP transforms how telcos handle subscriber data.

50/100 Avg. Score
2 Analyzed
13 Gaps Found

Telecom: India’s Largest Data Fiduciaries

India’s telecom operators — Jio, Airtel, Vi, and BSNL — collectively hold personal data on over a billion subscribers. Every call, text, and internet session generates metadata that reveals intimate details about subscribers’ lives. Under DPDP, telecom companies face the unique challenge of being both heavily regulated by TRAI and now subject to comprehensive data protection law.

The Call Data Record Problem

Call Detail Records (CDRs) contain:

  • Who you called and when (social graph mapping)
  • Call duration (relationship intensity)
  • Cell tower data (precise location tracking)
  • SMS metadata (communication patterns)

TRAI requires CDR retention for law enforcement purposes, but DPDP requires clear disclosure to subscribers about how long this data is kept and who can access it. Most telecom privacy policies don’t distinguish between mandatory regulatory retention and business-choice retention.

Location Data: The Most Sensitive Asset

Telecom operators have the most comprehensive location data of any industry. Through cell tower triangulation, they know where every subscriber is, 24/7. This data:

  • Reveals home and work addresses
  • Tracks daily movement patterns
  • Can identify religious worship locations visited
  • Shows hospital visits and sensitive venue attendance

Under DPDP, using this location data for advertising, analytics, or third-party partnerships requires explicit, informed consent — not buried in a 40-page terms document.

Aadhaar Linkage Complexity

Telecom subscribers’ SIM cards are linked to Aadhaar numbers. This creates a unique DPDP challenge — the combination of Aadhaar ID + location data + communication patterns creates one of the most comprehensive individual profiles possible. Any breach of this combined dataset would have extraordinary consequences.

Value-Added Services Data Creep

Modern telcos aren’t just connectivity providers — they offer payments (Airtel Payments Bank, Jio Financial), entertainment (JioTV, Wynk), and messaging services. Each additional service adds new data processing activities that must be separately consented to under DPDP.

Telecom Company Analyses

Telecom

Airtel

48

Airtel's privacy policy, updated in June 2024, makes an effort towards transparency but doesn't fully align with the DPDP Act 2023. Key gaps include ambiguous data retention, lack of explicit cross-border transfer details, and broadly defined legitimate uses which could fall short of DPDP's specific consent requirements.

⚠️ Vague data retention periods — 'as long as necessary' language
⚠️ Lack of explicit DPDP Act 2023 references throughout
+5 more gaps detected
Mar 2026 View Report
Telecom

Reliance Jio

51

Reliance Jio's privacy policy, while comprehensive in listing data categories, falls short on explicit DPDP Act 2023 alignment. Key areas like granular consent, specific data retention, and DPDP-mandated grievance escalation need significant updates to mitigate regulatory risk for its vast user base.

⚠️ No explicit DPDP Act 2023 reference
⚠️ Consent often implied, not 'freely given' or granular
+4 more gaps detected
Mar 2026 View Report
📞 Free Consultation