Madras HC allows Aadhaar checks for Online Real Money Games

July 30, 2025

By Anuradha Gandhi and Rachita Thakur

Introduction

The Hon’ble Madras High Court on June 3, 2025, in the case titled ‘Play Games 24×7 Private Limited v State of Tamil Nadu’ (hereinafter referred to as ‘Play Games Case’) [1], gave the go-ahead to Tamil Nadu’s new State rules regulating Online Real Money (hereinafter referred to as ‘ORM’) Games, including online games of skill that involve wagers or stakes. The Division Bench, in an effort to strike a balance between individual interest and general public interest, critically evaluated key concepts of law.

Key Legal Issue pertaining to User Privacy discussed by the Court

The Court, in this case, dealt with an important legal question surrounding user privacy and autonomy: whether the imposition of restrictions such as blank hours, monetary limits and mandatory Aadhaar based Know Your Customer (hereinafter referred to as ‘KYC’) checks violates the right to privacy of users who play ORM Games, in so far as they should be allowed to play such games of their own accord with minimal state intervention.[2]

Overview of Legal Provisions Challenged by the Petitioners

  • Section 5(2) of The Tamil Nadu Prohibition of Online Gambling and Regulation of Online Games Act, 2022 (hereinafter referred to as ‘Act 2022’)[3] – This section empowers the government to regulate time limits, monetary limits and age restrictions, or to impose such other restrictions on the playing of online games as it may deem necessary.
  • Section 14(1)(c) of Act 2022 – This prohibits any non-local online games provider from providing any online gambling service that allows the playing of any online game contrary to the regulations in Tamil Nadu.
  • Regulation 4(iii) of Tamil Nadu Online Gaming Authority (Real Money Games) Regulations, 2025 (hereinafter referred to as ‘TNOGA Regulations’) – This mandates KYC verification for the initial login with Aadhaar. This must be authenticated by a second layer of verification: a one time password (hereinafter referred to as ‘OTP’) sent to the phone number linked with the Aadhaar number of the user.
  • Regulation 4(viii) of TNOGA Regulations – This imposes blank hours for ORM Games from 12 midnight to 5 AM; no login to the games shall be allowed during these restricted hours.

Observations of the Madras HC pertaining to User Privacy

Test of ‘Greater community interest’

The Court discussed the test of ‘Greater Community Interest’ wherein online games and entertainment are subject to regulation when they demonstrably affect public health. The determinative test for such regulation rests upon a direct nexus between the ill-effects of the online activity and public health, wherein a failure to regulate would result in serious social repercussions.[4] In such circumstances, the State is not merely an observer; it bears a responsibility to intervene when the populace is exposed to significant physical, mental, and financial risks due to prolonged engagement with specific online entertainment, games, or trade. Where outright prohibition is not feasible, a minimum level of regulation becomes imperative.[5]

Applying the K.S. Puttaswamy Judgement to balance Public Interest and Individual Privacy

The Court acknowledged the paramount importance of personal autonomy, a principle recognized globally. However, it also pointed out that personal autonomy cannot serve as the solitary determinant in matters involving grave public health concerns. The constitutional framework of this nation equally emphasizes the health and welfare of its citizens. The Court said that the assertion of the right to privacy, affirmed by the Hon’ble Supreme Court in Puttaswamy, requires careful consideration. It was observed that Puttaswamy did not establish the right to privacy as an absolute right. Rather, its elevation to a fundamental right inherently subjects it to reasonable restrictions, consistent with other fundamental rights. Consequently, the right to privacy carries inherent limitations and cannot be asserted without qualification. Therefore, the Madras High Court held that when there is a compelling public interest, it can take precedence over an individual’s right to privacy and personal autonomy in the course of judicial balancing.[6]

Upholding the validity of Aadhaar Based KYC checks by ORM Games

The Madras HC, in this case, upheld the validity of requiring ORM Games to implement KYC checks through Aadhaar. As per Regulation 4(iii) of the TNOGA Regulations, KYC verification shall be mandatory for login with Aadhaar, to be authenticated by a second layer of verification: an OTP sent to the phone number linked with the Aadhaar number.

How will ORM Games implement E-KYC Authentication Facility through Aadhaar?

What is an E-KYC Authentication Facility?

Regulation 2(j) of The Aadhaar (Authentication and Offline Verification) Regulations, 2021 (hereinafter referred to as ‘Authentication Regulations’) states that an e-KYC authentication facility means a type of facility where biometric information and OTP, along with the Aadhaar number, are securely submitted with the consent of the Aadhaar number holder through a requesting entity. That information is then compared against the data available in the Central Identities Data Repository (hereinafter referred to as ‘CIDR’). Subsequently, UIDAI returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction.

Purposes for which Private Entities may use Aadhaar based Authentication

Rule 4(2) of the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 (hereinafter referred to as ‘Good Governance Rules, 2020’)[8] allows any entity desirous of utilizing Aadhaar authentication to submit a proposal to the concerned Ministry or Department of the Appropriate Government, justifying that the purpose of utilizing the authentication facility falls within one of the following specified purposes:

  • Using digital platforms to promote efficient, transparent and accountable governance
  • Promoting ease of living of residents and enabling better access to services for them
  • Prevention of dissipation of social welfare benefits
  • Enablement of innovation and the spread of knowledge

Key Stakeholders involved in the e-KYC Authentication Setup[9]

  1. Aadhaar Number holder – An Individual who has been issued a unique Aadhaar number.
  2. Authentication Service Agency (hereinafter referred to as ‘ASA’) – A licensed entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.
  3. Requesting Entity/ Authentication User Agency (hereinafter referred to as ‘AUA’) – An entity that uses the authentication facility provided by the Authority.
  4. Authority – For the purpose of these regulations, UIDAI is the Authority.
  5. CIDR – A centralized database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals.
  6. Client Application/ Authentication Devices – These user facing interfaces/ devices collect Personal Identity Data (hereinafter referred to as ‘PID’) from Aadhaar number holders. They encrypt the PID block and transmit the authentication packets to the AUA. They also receive the authentication results. These are deployed and managed by AUAs. An authentication device can be a PC, kiosk, handheld device etc.

Operationalization of Aadhaar based KYC Checks in ORM Games

Mechanisms which ORM Gaming entities may adopt to implement Aadhaar Authentication

ORM Games can function within the Aadhaar authentication ecosystem through two main mechanisms:

  1. Integrating AUA’s Client Application with the ORM Game: ORM Games will have to integrate a user interface or client application managed by an AUA wherein the user will input the relevant details for the purpose of authentication. ORM Games, in this case, would play a passive role in the ecosystem.
  2. ORM Gaming Entity can register as an AUA within the Ecosystem: ORM Games can submit a proposal to the relevant ministry or department of the appropriate government under Rule 4(2) of the Good Governance Rules, 2020. If the Central Government and the UIDAI are satisfied that the purpose of authentication falls squarely within the scope of the prescribed purposes, the ORM Gaming entity may be allowed to function as an AUA.

How would the Personal data flow through ORM Gaming Entities?

  1. Accessing the Gaming Application – The user launches the gaming application on her personal device. If the user is accessing the relevant game for the first time, she will be instructed to sign up using the relevant details, after which a prompt for age verification will appear. The user enters the relevant age, after which she is redirected to an external link hosted by an AUA, i.e., the client application, where she enters her Aadhaar number. An OTP is sent to the phone number linked with the Aadhaar number. The user enters this OTP to complete the process at her end.
  2. Transmission to AUA’s server – After the user has provided the Aadhaar number and the OTP, the client application packages and encrypts the details into a PID block. This PID block is sent securely to the AUA’s server.
  3. Transmission to CIDR – After validating the information, the AUA’s server sends the authentication request to the CIDR. This transmission happens through the server of an ASA. The authentication request is digitally signed by the AUA or the ASA.
  4. CIDR validates and responds – The CIDR then validates the input parameters from the Aadhaar number holder’s authentication request against the data it holds. It returns a digitally signed ‘Yes’ or ‘No’ authentication response, or a digitally signed e-KYC authentication response with encrypted e-KYC data along with technical details. The result is reflected on the user’s device as successful or unsuccessful. Based on this validation, the user is allowed or disallowed access to the ORM Game.

Applicability of the Data Protection Framework

Status of ORM Gaming Entities for the Purpose of Aadhaar based authentication

ORM Games will be neither a data processor nor a data fiduciary for the purpose of Aadhaar based authentication, unless the ORM Gaming Entity registers itself as an AUA with UIDAI. It can either partner with a registered AUA or register itself as an AUA. In the former case, no obligations under the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’) shall apply to such entity for the purpose of Aadhaar based authentication. However, if the ORM Gaming Entity decides to register itself as an AUA with UIDAI, the DPDPA shall apply to such entity as a data processor for the purpose of Aadhaar based authentication.

Status of ORM Gaming Entity as an AUA/ Data Processor

UIDAI determines the scope and purpose of collection of Personal Data

UIDAI operates the CIDR, which is the central repository for all Aadhaar related data. When an AUA transmits a PID block containing Aadhaar related data to the CIDR through the servers of an ASA for verification and validation, the AUA functions as a data processor that collects the relevant data and processes it for the purpose of encryption as per the instructions of UIDAI. The ASA acts as a technology intermediary providing the AUA with the relevant IT infrastructure to carry out the process. In this whole process, UIDAI acts as the data fiduciary that determines the scope of data collected and the purpose for which such data is processed by the AUA. The AUA has no decisional autonomy to process the personal data of Aadhaar number holders for any purpose not prescribed by UIDAI.

Managerial Control of UIDAI over the operations of AUA

As per AUA Agreement Version 6.0[10] (hereinafter referred to as ‘Agreement’) released by UIDAI, it exercises a certain level of managerial control over the operations of the AUA as well. This includes the right to require the removal or replacement of a human resource employed by the AUA upon being satisfied that such removal or replacement is necessary to safeguard the interests of Aadhaar number holders and the proper functioning of the Aadhaar ecosystem. The Agreement also binds the AUA to report to UIDAI the grievances it has handled, and failure to implement a grievance redressal mechanism as prescribed by UIDAI is treated as a material breach of the Agreement resulting in its termination. Considering such control of UIDAI over the operations of an AUA, if an ORM Gaming Entity decides to register itself as an AUA, it shall act as a data processor as per the directions and guidelines prescribed by UIDAI.

Brief Overview of Data Security Measures in the Aadhaar Ecosystem

UIDAI provides and updates the compliance audit checklists for the AUAs and ASAs from time to time. [11][12] The Authentication Regulations lay down responsibilities and code of conduct for AUAs and ASAs.[13] Some of the important measures include:

  • Data Localization – AUAs and ASAs shall have the servers used for forming Aadhaar authentication requests and routing them to the CIDR located within data centres or cloud storage centres located in India.
  • Secured Transmission of Authentication Requests – ASAs shall establish dual redundant, secured leased lines or Multiprotocol Label Switching (hereinafter referred to as ‘MPLS’) connectivity with the data centres of the Authority.
  • Access Controls – AUAs shall use appropriate license keys to access the authentication facility provided by the Authority, only through an ASA and over a secure network.
  • Data Retention periods – The logs of authentication transactions shall be maintained by the AUA and ASA for a period of two years. Subsequently, these logs shall be archived for a period of five years, after which they shall be deleted unless required to be retained by the order of a Court not below the level of a High Court.
  • Right of User to access personal data – An Aadhaar number holder shall have the right to access the logs of authentication transactions retained by the AUAs and ASAs.
  • Audit by an Information System auditor – ASAs shall ensure that their operations are audited on an annual basis by an information systems auditor certified by a recognized body, and shall provide a certified audit report to the Authority confirming compliance with the policies, processes, procedures, standards or specifications issued by the Authority.
  • Disclosure Obligations in cases of Investigations – In case of investigations relating to authentication related fraud or disputes, the ASA shall extend full cooperation to the Authority or any other authorized investigation agency. The ASA shall provide access to its premises, records, systems, personnel, infrastructure, any other relevant resource or information, and any other relevant aspect of its authentication operation.
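As an added illustration (not code from the article, UIDAI or any AUA), the retention schedule in the ‘Data Retention periods’ point and the holder’s access right above, modelled as a small Python check over constructed log entries. It assumes 365-day years and a masked `holder_ref` field on each log entry; the regulations specify neither, and the exact reckoning of the periods should be taken from the regulation text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods as summarised above: two years of live retention by the
# AUA/ASA, then five years in the archive. 365-day years are an assumption.
ACTIVE_DAYS = 2 * 365
ARCHIVE_DAYS = 5 * 365


@dataclass(frozen=True)
class AuthTxnLog:
    """One authentication transaction log entry (constructed schema)."""
    txn_id: str
    timestamp: datetime        # when the authentication request was made
    holder_ref: str            # assumed masked reference, never the Aadhaar number
    court_hold: bool = False   # retention ordered by a High Court or above


def retention_state(entry: AuthTxnLog, now: datetime) -> str:
    """Classify an entry as 'active', 'archived', 'legal_hold' or 'delete'."""
    age = now - entry.timestamp
    if age < timedelta(days=ACTIVE_DAYS):
        return "active"
    if age < timedelta(days=ACTIVE_DAYS + ARCHIVE_DAYS):
        return "archived"
    # Past both periods deletion is the default; only a court order keeps it.
    return "legal_hold" if entry.court_hold else "delete"


def apply_retention(entries, now):
    """Group transaction ids by the action the retention schedule requires."""
    buckets = {"active": [], "archived": [], "legal_hold": [], "delete": []}
    for e in entries:
        buckets[retention_state(e, now)].append(e.txn_id)
    return buckets


def holder_access(entries, holder_ref, now):
    """Logs a holder may inspect: every entry still retained (not due for deletion)."""
    return [e.txn_id for e in entries
            if e.holder_ref == holder_ref and retention_state(e, now) != "delete"]


# Constructed sample entries; the dates are illustrative only.
NOW = datetime(2025, 7, 30, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    AuthTxnLog("txn-001", datetime(2025, 1, 15, tzinfo=timezone.utc), "h-A"),
    AuthTxnLog("txn-002", datetime(2022, 3, 1, tzinfo=timezone.utc), "h-A"),
    AuthTxnLog("txn-003", datetime(2017, 2, 10, tzinfo=timezone.utc), "h-B"),
    AuthTxnLog("txn-004", datetime(2017, 6, 1, tzinfo=timezone.utc), "h-A", court_hold=True),
]
```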

Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.

[1] Play Games 24×7 Private Limited v State of Tamil Nadu, 2025 SCC OnLine Mad 2615

[2] Para 18, Play Games Case

[3] https://prsindia.org/files/bills_acts/acts_states/tamil-nadu/2023/Act9of2023TamilNadu.pdf

[4] Para 60, Play Games Case

[5] ‘X’ v. Hospital ‘Z’, (1998) 8 SCC 296

[6] Para 64, Play Games Case

[7] https://upload.indiacode.nic.in/showfile?actid=AC_CEN_37_85_00001_201618_1517807328460&type=rule&filename=swik_rules_-english_version.pdf

[8] https://upload.indiacode.nic.in/showfile?actid=AC_CEN_37_85_00001_201618_1517807328460&type=rule&filename=swik_rules_-english_version.pdf

[9] https://uidai.gov.in/en/ecosystem/authentication-ecosystem/operation-model.html

[10] https://uidai.gov.in/images/AUA-KUA_Agreements_Versions_60.pdf

[11] https://uidai.gov.in/images/resource/ASA_Audit_Compliance_Checklist_V3_0.pdf

[12] https://uidai.gov.in/images/Compliance_checklist_for_certifying_compliance_with_controls_that_the_AUAKUA_is_required_to_have_in_place.pdf

[13] https://uidai.gov.in/images/Compliance_checklist_for_certifying_compliance_with_controls_that_the_AUAKUA_is_required_to_have_in_place.pdf
