Archived analysis

This page is old. Disney+ Hotstar was reviewed on 2026-05-13.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Entertainment / OTT

Disney+ Hotstar

Ready Score 58/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 13 May 2026

Disney+ Hotstar’s privacy policy remains heavily influenced by the IT Act 2000 and global GDPR-style frameworks. While it offers strong security disclosures and clear data categorization, it falls short of the DPDP Act 2023’s stringent requirements for granular consent, specific retention limits, and India-specific statutory rights such as the Right to Nominate. Its handling of 'Children’s Data' is particularly high-risk given the gap between the Act’s 18-year threshold and the platform’s current 'Kids Mode' protections.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-13
  • Company: Disney+ Hotstar
  • Readiness score: 58/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Consent is largely bundled with the Terms of Use — lacks the 'granular' and 'separate' notice requirement of Section 5
  • No provision for the Right to Nominate a representative in the event of death or incapacity (Section 14)
  • Data retention policy uses 'as long as necessary' language instead of DPDP's specific erasure mandates upon purpose fulfillment (Section 9)
  • Definition of 'Children' in the policy is inconsistent with DPDP's age threshold of 18 years for verifiable parental consent
  • Absence of a direct link or reference to the Data Protection Board of India for grievance escalation
  • Notice does not explicitly list the rights of the Data Principal in the specific format mandated by Section 5

✅ Strengths

  • Detailed disclosure of data categories including device identifiers, behavioral data, and payment information
  • Robust security section referencing industry-standard safeguards and encryption
  • Clear identification of the Grievance Officer with dedicated contact channels
  • Transparent list of third-party categories (Ad-tech, Analytics) with whom data is shared

Overview

Disney+ Hotstar (operated by Novi Digital Entertainment) is India’s leading OTT platform with hundreds of millions of users. The platform processes highly personal ‘behavioral’ data—including viewing history, search queries, and location data—alongside sensitive financial information for premium subscriptions. Under the DPDP Act 2023, Hotstar is classified as a Data Fiduciary and likely qualifies as a ‘Significant Data Fiduciary’ (SDF) due to the volume of data and potential risk to public order, necessitating a higher standard of compliance.

DPDP Readiness: Section-by-Section Analysis

Hotstar uses an “Acceptance by Use” model: by accessing the service, users are deemed to have accepted the policy. This “bundled consent” is a direct violation of Section 6 of the DPDP Act, which requires consent to be free, specific, informed and unconditional, and to be given by an affirmative action.

Gap: The current notice does not provide a clear, separate table of “What data is collected” and “For what specific purpose” as suggested by the DPDP illustrative guidelines. Users cannot opt in to streaming while opting out of ad-tracking at the initial consent layer.

Section 8 — Security and Accuracy ✅

The policy excels in describing its technical safeguards. It mentions administrative, technical, and physical safeguards to protect personal information against loss, theft, and unauthorized access.

Strength: Hotstar’s alignment with global Disney standards ensures high-level encryption and access controls, which satisfies the “reasonable security safeguards” requirement under Section 8(5).

Section 9 — Processing of Personal Data of Children 🔴

This is a major compliance bottleneck. DPDP Section 9 prohibits processing data of children (under 18) that is likely to cause detrimental effects and requires “verifiable parental consent.”

Gap: Hotstar’s “Kids Mode” and age-gating are designed for content filtering, not for DPDP-grade parental consent verification. Furthermore, the Act prohibits “tracking or behavioral monitoring” of children. Since Hotstar’s core business involves tracking viewing habits to recommend content, its current model for users aged 13-18 is in direct conflict with Section 9.

Section 9 — Data Retention and Erasure ⚠️

What the policy says: “We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy.”

DPDP requirement: Section 9(6) requires the Data Fiduciary to erase personal data as soon as the purpose of collection is no longer served or consent is withdrawn.

Gap: The policy lacks an “Erasure by Default” clause. It does not specify that data will be purged within a set window (e.g., 30 days) after a subscription expires or an account is deleted, relying instead on vague “business necessity” windows.

Section 11 — Rights of Data Principal ⚠️

Hotstar allows users to “access, correct or update” their information via account settings. However, it misses the newer statutory rights:

  • Right to Nominate: No mechanism to appoint a nominee.
  • Right to Erasure: While “Delete Account” exists, the policy does not explicitly guarantee the erasure of data held by third-party “Data Processors” (like analytics partners) upon the user’s request to the Fiduciary.

Section 12 — Right of Grievance Redressal ⚠️

The policy identifies a Grievance Officer, providing an email and physical address in Mumbai.

Gap: Under the DPDP Act, the Data Principal must exhaust the Fiduciary’s grievance process before approaching the Data Protection Board (DPB). Hotstar’s policy does not mention the DPB as the secondary regulatory authority, potentially misleading users about their legal escalation options.

Risk Assessment

| Category | Risk Level | DPDP Compliance Gap |
|---|---|---|
| Consent | High | Bundled consent; lack of granularity and specific notice (Section 6). |
| Children’s Data | Critical | Tracking/behavioral profiling of minors (under 18) without verifiable consent (Section 9). |
| Data Erasure | Medium | No defined “expiry date” for data; vague retention language (Section 9). |
| Principal Rights | Medium | Missing Right to Nominate (Section 14) and limited right to withdraw consent easily. |
| Governance | Low | Strong internal security and clear grievance contact (Section 8/12). |

Recommendation

Hotstar must transition from a “Global/GDPR” privacy template to an “India-First” DPDP framework. Priority should be placed on implementing a Consent Manager interface that allows users to toggle specific processing activities, and a radical overhaul of how users under 18 are tracked and profiled on the platform.
