How Should Self-Regulation of the Online Gaming Industry Be Designed?

The Indian government released a proposal to regulate online gaming last month. But it won’t actually be doing much of this regulation. That’ll be the responsibility of “self-regulatory bodies” registered with the IT Ministry under the IT Rules, 2021. It will be their job to ensure that only legitimate online gaming platforms operate in India’s markets—and offer safe and consumer-friendly games.

Enter, the Esya Centre: The Delhi-based think tank came out with a template “code of conduct” for online gaming self-regulatory bodies last week. The gist: this is “a framework that self-regulatory bodies can adopt to govern their functioning”. More importantly, “adoption of a uniform code will make the online gaming environment more standardised without creating excessive compliance requirements and barriers to entry or to innovation”. We’ve summarised the code in this piece. Our take on the code will be out soon.

Why it matters: These online gaming rules—introduced through the IT Rules, 2021—come in the wake of rising concerns over gaming-related harms. People get addicted to games. They lose lots of money while playing them. Children steal to play online. Some find themselves playing on gambling sites which are illegal. The rules try and address these concerns—but, in reality, it’s self-regulatory bodies that have to try to prevent them from arising at all. They have to operate according to a framework based on certain principles laid out by the IT Ministry. Esya’s Code is an early attempt at defining what that framework might look like. 

STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today! 

How should a self-regulatory body manage all its responsibilities?

Self-regulatory bodies have their work cut out for them under the amendments. They have to verify new games and members, resolve pending consumer complaints, and ensure that their members comply with Indian laws. That’s a lot for a single body to do.

What does Esya recommend?: These bodies should appoint boards of directors or governing bodies, as the Rules mandate (and tell the Ministry of any changes to them within 15 days). But, the think tank also adds that “specialised capacity and inclusion of members with relevant experience is key to (..) meet the objectives of self-regulation”.

So, it recommends that self-regulatory bodies set up separate committees to address grievance redressal, trust and safety, and other regulatory responsibilities. Experts in mental health, law, consumer protection, data protection and other fields can be appointed to the committees. 

How should self-regulatory bodies decide which gaming platforms get to join their ranks?

These bodies also have to evaluate membership applications from online gaming platforms. This includes checking their compliance with the IT Rules and the larger IT Act. 

What does Esya recommend?: Incorporating additional evaluation criteria including: 

• Compliance with other due diligence measures listed under the IT Rules, 2021;
• Strong management of user funds and identity verification measures;
• Business integrity, including how the company manages conflict of interest, prevents unfair competition, respects intellectual property rights, and undertakes responsible advertising and consumer outreach.

Bodies should also verify if the online gaming platform is a member of or has applied to another body before considering their application. Applications from platforms rejected by other self-regulatory bodies shouldn’t be considered after 30 days of rejection, the think tank adds.

How can the application process be streamlined?

Once the rules are enacted, every gaming platform in India is going to be standing in line to join some self-regulatory body. So, these applications need to be reviewed efficiently and transparently. If things move too slowly, then platforms wait longer for their games to hit the market. If bodies are too opaque about how they function, then there’s a likelihood of unfair decision-making that harms platforms. 

What does Esya recommend?: A granular application process that includes:

• Acknowledging membership applications within five days of receipt: Within ten days, the body should enter into a contractual agreement with the applicant detailing the rights and duties of both parties.
• Accept or reject applications within 30 days of receipt: If that can’t happen, then the body should record the reasons for the delay and share them with the gaming platform. But, self-regulatory bodies shouldn’t take longer than 60 days to decide. If a decision isn’t arrived at within then, the application will be deemed to be approved.
• Publish decisions and communicate them with applicants: Also, the self-regulatory body shouldn’t maintain records of or publish proprietary and sensitive information an applicant submits.
• Inform rejected applicants, and give them 30 days to fix application: After that, if the body still isn’t satisfied, it should conduct an in-person hearing. A rejected gaming platform should wait for 30 days before applying to another body.

What happens once you’re in?

Sure, self-regulatory bodies will approve new members and make them follow their policies. But, what could that membership look like? How long would it last?  Can it be revoked? The rules are quieter on how platform membership with self-regulatory bodies will eventually evolve.

What does Esya recommend?: Outlining terms and conditions like: 

• Validity: This essentially means the duration of the registration and when it’ll expire by.
• Renewing registrations: Renewal can be applied for 90 days before its membership expires. Self-regulatory bodies should renew membership after considering the IT Rules’ standards and any other of the body’s policies.
• Cancelling registrations for violations of the body’s policies: This should happen only after an investigation and hearing. Records of these should be maintained and prominently published by the body. 
• Provisional 90-day memberships for new gaming platforms: This can be granted provided that they haven’t applied for membership to it or any other body. Provisional membership can be used to collect “evidence for the purpose of complying with the requirements under the Rules and the self-regulatory body’s membership requirements”. But, no platform can be granted provisional membership unless a “legal practitioner” confirms that they fulfil their due diligence requirements under the IT Rules, 2021.

Which online games should make the cut?

The proposed amendments are clear—self-regulatory bodies can only verify games brought by their members. It shouldn’t involve gambling or harm India’s wide security interests. It also shouldn’t harm consumers or young gamers—one of the key reasons that prompted the amendments in the first place. But, operationalising evaluation criteria for such broad concerns is easier said than done. 

What does Esya recommend?: Developing tests for specific concerns, like: 

• Criteria for game testing framework: Self-regulatory bodies should consider the following features of a game:
  • Whether the game’s outcome is determined by probabilistic logic: It also should not involve wagering betting or gambling. 
  • Existence of user harm safeguards: The game may include harms that facilitate violence, bullying, abuse, hate speech, and more. 
  • Existence of child harm safeguards: These include the game’s parental controls, age verification methods, age appropriate ratings, content warnings, and guidance for parents. 
  • Existence of  financial loss safeguards: These include measures like time-based and monetary-threshold warnings, transparent use of random number generators, self-exclusion and time out setting, transparent rules and disclosure on user fund disbursal and in-game purchases, guidance for users on financial risk. 
  • Existence of fraud safeguards: These include identity verifications measures, transaction data collection to comply with regulatory requirements, and consumer awareness measures on fraud and financial best practices.
• Appointing auditors and testors: A self-regulatory body can also appoint agencies to test, verify, and audit games. Criteria to be considered, include:
  • Prior experience testing and auditing online games;
  • Availability of relevant manpower and facilities;
  • Data protection and information security practices;
  • The agency’s “pecuniary or fiduciary relationships” that could impact its impartiality.
• Best practices: Self-regulatory bodies can mandate that online games follow best practices too for issues like:
  • Cyber and information security: Including compliance with legal standards for data protection, privacy, and cyber incident reporting.
  • Integrity mechanisms: Like preventing executives and employees with “sensitive information” from competing with other users. 
  • Trust and safety: Content moderation tools, reporting and blocking features, and referrals to local mental health experts. 

How should bodies review applications for online games? 

Similar to platform membership applications, online games need to be reviewed efficiently and transparently. In this case, delays in decision-making can financially cost companies, especially those that are just starting out. Also, as some have noted, this reviewing process can also lead to the intellectual property of gaming platforms being leaked, hurting their competitive advantage. 

What does Esya recommend?: Aside from familiar provisions on acknowledging applications, specifying validity, and cancelling games’ verifications, new recommendations include:

• Provisional registration: An online game can be granted “provisional registration” for up to 90 days. This can be granted to new formats of online games to collect evidence on their compliance with the IT Rules and the self-regulatory body’s game verification framework. Separate verification marks should be assigned to these games which should be prominently displayed to users. The game shouldn’t be previously registered under the IT Rules 2021, or have another registration application pending before the self-regulatory body or any other body. The body should maintain and display a record of these games and their visible marks. If the game doesn’t fulfil the evaluation criteria within the time period, the provisional registration verification mark will be revoked and online platforms will be directed to stop offering the game. The body may extend the provisional registration period if “it is satisfied that testing and evaluation of the online game could not be completed due to factors beyond the online gaming intermediaries’ control”.
• Reporting to the IT Ministry: A report should be sent to the IT Ministry within five days of approving an online game. It should contain details on the gaming platform and its compliance with India’s IT laws, the game’s format, and the results of the game’s testing and verification.
• Notifying changes in online games: Bodies should create reporting mechanisms for gaming platforms to communicate “fundamental” changes to their online games within 72 hours of them being made. The body should specify which fundamental changes require re-verification. A fundamental change is something that:
  • Substantively changes the game’s format and materially impacts its outcome;
  • Includes a change in random number generation, winnings calculations, or other factors determining a game’s outcome;
  • Includes changes to accommodate new regulatory requirements.

How should gaming bodies deal with consumer complaints?

The Rules direct gaming platforms to set up their own grievance redressal mechanisms for consumers. But, they also mandate registered self-regulatory bodies to set up their own grievance redressal complaints to address pending complaints quickly. 

What does Esya recommend?: Fleshing out the timelines and processes to get things done:

• Acknowledging complaints within 24 hours of receipt.
• Resolve complaints within 15 days of receipt: Specific complaints related to the proviso of Rule 3(2) of the IT Rules, 2021,  should be resolved within 72 hours. Consumers and member platforms should be allowed to submit physical and digital evidence and documents. The body can also arrange a hearing between the consumer and gaming platform. 
• Appealing the Government Appointed Committee: Bodies should develop and maintain the necessary infrastructure to allow consumer appeals to the “relevant Government Appointed Committee”. Gaming platforms and the body can collaborate to build a unified digital portal to file and appeal complaints. Appeals can be made within 30 days of the body’s decision. 
• Reporting grievance redressal: Bodies should publish a quarterly report online detailing the number of appeals:
  • Received against member platforms;
  • Resolved by the body within the stipulated time;
  • Escalated to the Government Appointed Committee;
  • Pending and unresolved by the self-regulatory body. 

How can self-regulatory bodies operate transparently?

“How will a caged parrot hold its masters accountable?” asked someone at our event on the gaming rules last month. What they mean: self-regulatory bodies are usually funded by large gaming platforms. It may not be in their interests to operate fairly—which can disadvantage smaller platforms or new entrants to the market. So, transparent and ethical governance is necessary to prevent these anti-competitive practices from coming to life. 

What does Esya recommend?: Keeping most things in public view, like: 

• Publishing policies, guidelines, and codes of conduct: Within one month of registering with the IT Ministry, self-regulatory bodies should publish on their website:
  • Internal Code of Conduct for member platforms;
  • Evaluation guidelines for platform membership applications including appellate mechanisms;
  • Policies on protecting sensitive and proprietary information;
  • Guidelines for testing and verifying online games including timelines;
  • Guidelines for harm assessment of online games, with specific provisions for harms to children. Should include an indicative list of measures that can be taken to address these harms;
  • Guidelines on grievance redressal for online gaming platforms. 

• Quarterly reports: These should cover:
  • Ownership patterns third party investments: Including “any potential conflicts of interest with member online gaming intermediaries”;
  • Financial health, assets and liabilities, tax compliance;
  • Overall track record of compliance;
  • List of member platforms: including new members, and exits/removal of members;
  • Rejected registrations, reasons for rejection, and subsequent appeals;
  • Consumer grievance redressal;
  • Registered games and their verification marks; 
  • Annual financial statement. 

In what ways can self-regulatory bodies cooperate with each other? 

“A multi-stakeholder approach and collaboration between self-regulatory bodies holds the key to industry-led standard formulation and sectoral growth,” says Esya. Creating mechanisms that lead to uniform standards on game testing, data sharing, fraud detection, and capacity building is key. To prevent duplicated regulatory actions, self-regulatory bodies can jointly work together to enforce and investigate their policies. 

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Read More

• How Will India’s Proposed Self-Regulators Protect Online Gamers And Ensure Responsible Gaming?
• “How Will A Caged Parrot Hold Its Masters Accountable?”: Self-Regulation In India’s Gaming Industry #NAMA
• “A Farrago Of Confusing And Contradictory Provisions”: Jay Sayta’s 5 Concerns With India’s Online Gaming Rules
• Summary: What Are India’s Proposed Rules For Online Gaming Platforms?