IT RULES
1.1 A summary of the key obligations under the IT Rules which the NP, as an intermediary, will be required to implement, has been set out below:
(i) Publication of key documents: Publish rules, privacy policy, and user agreement prominently on the website or app in English or any language specified in the Eighth Schedule of the Constitution.
(ii) User Information: Inform users about its rules, privacy policy and user agreement and ensure users do not host, display, upload, modify, publish, transmit, store, update, or share information that falls under the objectionable information as provided under the IT Rules.
(iii) Notice to users: Inform users at least once a year of any changes to rules, privacy policies, and user agreements in English or a language from the Eighth Schedule of the Constitution. They must also notify users annually that non-compliance with these terms may result in termination of access or usage rights of the users or removal of non-compliant information.
(iv) Disabling Information: Not store, host, or publish unlawful information that violates laws related to India's sovereignty, security, foreign relations, public order, decency, morality, contempt of court, defamation, or incitement to an offense. If such information is hosted, the intermediary must remove or disable access within 36 hours of a court order or notification from a government agency.
(v) Preservation of Records: Maintain records of content which has been removed or access to which has been disabled, for a period of 180 (one hundred and eighty) days, or such longer period as may be required by a court or duly authorised government agencies. User-information collected for registration is required to be preserved for 180 (one hundred and eighty) days after cancellation/ withdrawal of such registration.
(vi) Compliance with SPDI Rules: Take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the SPDI Rules.
(vii) Disclosure and Assistance for Compliance with Lawful Order: Provide (i) information for verification of identity; or (ii) assistance to any lawfully authorised government agency for prevention, detection, investigation and prosecution of offences or for cyber security incidents, no later than 72 hours of receiving a written order.
(viii) Modification of technical configuration of a Computer Resource: Not knowingly deploy, install or modify the technical configuration of a computer resource in a way that alters its normal functioning to circumvent any law, but may use technology to secure the resource and its information.
(ix) Reporting of Cyber Security Incidents: Report all cyber security incidents and share cyber security incident related information with the Indian Computer Emergency Response Team (“CERT-In”).
(x) Grievance Officer: The grievance officer is required to acknowledge a complaint within 24 (twenty four) hours and resolve all complaints within 15 (fifteen) days.
(xi) Grievance Redressal: Complaints for removal of "objectionable information" (as mentioned in the IT Rules), must be resolved within 72 hours. This accelerated timeline applies to all content in objectionable information, except for information that belongs to another person, infringes intellectual property rights, or violates any law.
(xii) Disabling of Explicit Content: An intermediary must remove or disable access to explicit content (e.g., nudity, sexual conduct, impersonation, or morphed images) within 24 hours of receiving a complaint from the aggrieved individual or their representative. Additionally, the social media intermediary must provide a mechanism for users to lodge such complaints.
1.2 Additionally, the following are the key obligations applicable to only an online gaming intermediary (i.e., an NP who enable the users to access any permissible online real money game):
(i) Verification: Display a demonstrable and visible mark of verification of permissible online game by an online gaming self-regulatory body.
(ii) User Verification: Identify users and verification of their identity before accepting any deposit in cash or kind from them for a permissible online real money game in line with procedure laid down for a Reserve Bank of India-regulated entity for identification and verification of a customer at the commencement of an account-based relationship.
(iii) Prohibited activities: Not provide credit or enable financing offered by third party for its users for the purpose of playing online games.
(iv) Disclosures: Inform its users of the following as part of its rules and regulations, privacy policy, terms of service and user agreements:
(a) the policy related to withdrawal or refund of the deposit made with the expectation of earning winnings, the manner of determination and distribution of such winnings and the fees and other charges payable by the user;
(b) the know-your-customer procedure followed by it for verifying the identity of the users of such online game;
(c) the measures taken for protection of deposit made by a user for such online game; and
(d) the framework for verification of the online game.