The government on Friday notified the Digital Personal Data Protection (DPDP) Rules 2025, setting in motion the phased rollout of the Digital Personal Data Protection Act, 2023. Most of the compliance obligations affecting both consumers and companies will take effect only 18 months from the date of notification, giving firms across digital sectors, ranging from social media and e-commerce to fintech and telecom, a transition period in which to align their platforms, consent systems and data-retention practices with the law.
Once that 18-month window ends, companies and government departments will be required to seek specific, purpose-linked consent before processing personal data; provide users with itemised descriptions of the personal data being collected; offer simple mechanisms to withdraw consent; enable grievance redress; and delete personal data when it is no longer needed for the stated purpose unless its retention is necessary for compliance with any law in force.
Firms will also have to report a personal data breach to the affected user and to the Data Protection Board within 72 hours of becoming aware of it, disclosing the nature, extent and timing of the breach, the consequences of the breach, the mitigation steps undertaken and the precautions the user should take. Children’s data has been placed under heightened protection, with companies required to obtain verifiable parental consent for processing data of any person under 18 through measures that confirm the identity and age of the consenting adult. However, platforms have been allowed to live-track the location of underage users for safety purposes only.
Significant data fiduciaries, a category to be notified by the government based on volume and sensitivity of data handled, will face additional obligations, including annual data protection impact assessments and audits, and verification that their algorithms and software do not endanger the rights of users.
The rules also bring clarity on the transfer of personal data outside India. Cross-border transfer of digital personal data is permitted in general, but the Central government may, through a separate notification, restrict transfers to specific jurisdictions or to persons or organisations within such jurisdictions. The default rule therefore allows overseas data flows, subject to the power of the Centre to impose country-specific or entity-specific prohibitions in the future.
Although the most visible effects of the data privacy law will begin only after the 18-month compliance period expires, parts of the framework come into force immediately. These provisions do not impose duties on businesses but activate the enforcement institution that will later regulate them. With the notification, the government must now constitute a search-cum-selection committee to recommend names for the chairperson and members of the Data Protection Board. The Board, which will be headquartered in the Capital, will function entirely as a digital office, with filings, hearings, evidence certification and orders all handled electronically. With the concurrence of the Union government, the Board will be able to appoint its own officers and staff.
Another major element of the DPDP architecture — the consent manager regime — has been placed in a separate implementation bucket. Consent managers will have 12 months to register with the Data Protection Board once the relevant rule comes into force, and the registration framework itself will be activated on a later date to be separately notified. To operate as a consent manager, a company must be incorporated in India and satisfy the conditions laid down by the Board. Consent managers will be required to run interoperable platforms that allow users to give, manage and withdraw consent across digital services. Failure to fulfill obligations may lead to suspension of registration. The sequencing indicates that the government intends to first establish the regulator, then set up the registration channel for consent managers, and only after that activate the compliance responsibilities for companies that process personal data.
The rules also prescribe timelines under which platforms must delete users’ personal data once the purpose of processing has been fulfilled. If the user account is deleted or remains inactive and the purpose of processing no longer exists, the data must be erased unless its retention is necessary to comply with any law in force. This is expected to push platforms to overhaul data retention architectures that until now have been largely self-determined and seldom time-bound.
In short, the rules will be implemented in three steps. First, the regulator becomes operational. Second, the consent-management infrastructure is plugged into the system. Third, full compliance obligations and enforcement powers take effect.
According to analysts, the 18-month period will allow companies to redesign their internal systems, review data-sharing agreements, re-engineer user consent flows and deploy technical safeguards mandated under the law.
Analysts broadly welcomed the clarity on implementation timelines, the lighter compliance requirements, and the added safeguards for children’s data. Some, however, were of the view that the rules lack clear checks on government data use and could leave industry carrying more obligations than the State. Government officials, for their part, said that Rule 7 of the Act clearly mentions the exemptions under which the Centre can access personal data and that, beyond those, there is no scope for any government agency to handle personal data differently from a corporate entity.
