India has notified the final rules under its Digital Personal Data Protection (DPDP) Act, marking the country’s maiden operational privacy framework, eight years after the Supreme Court recognised privacy as a fundamental right. The Ministry of Electronics and Information Technology (MeitY) published the Digital Personal Data Protection Rules, 2025 on Friday, triggering a staggered compliance schedule but leaving several core obligations deferred for up to 18 months.
The notification comes more than two years after Parliament approved the DPDP Act in August 2023. While the law is now formally in force, only limited provisions — including the establishment of the Data Protection Board of India (DPB) — take effect immediately. Most requirements for companies, such as obtaining informed consent, limiting data use to stated purposes, and mandatory breach notifications, will be phased in over the next 12 to 18 months. Once those provisions are operational, a company that discovers a data breach must notify affected users “without delay”, describing the breach, its likely consequences and the mitigation steps taken. The Data Protection Board must also be informed within 72 hours, and penalties for failing to take reasonable security safeguards to prevent a breach may reach ₹250 crore. Companies are required to publish the contact details of a Data Protection Officer or an authorised representative on their websites and include that information in all user communications related to data processing.
Under the rollout plan, Rules 1, 2 and 17–21 take effect immediately, covering administrative definitions, the formation of the DPB and procedural matters. Rule 4, governing the registration and oversight of consent managers, will be operational in one year. The bulk of obligations — including notice standards, consent requirements, breach reporting, data retention limits, and safeguards for processing children’s data — will begin 18 months after publication. The DPB will serve as the central adjudicatory body for enforcement. The government separately notified that the Board will have four members and be headquartered in New Delhi. One of the immediately effective amendments limits the disclosure of public officials’ personal information under the Right to Information Act, even when disclosure may serve public interest — a provision already drawing scrutiny from transparency advocates.
The rules outline how companies should inform users before processing their personal data. Notices must be written in clear, plain language and include an itemised list of the data being collected, the specific purpose of processing, and links to the relevant websites or apps. “Organisations may need to redesign their consent frameworks so that consent is specific, informed and not buried inside standard terms of use,” said Harsh Walia, Partner at Khaitan & Co. The rules also operationalise the Act’s category of Significant Data Fiduciaries (SDFs) — entities whose data-processing volume, sensitivity or national-security relevance warrants enhanced oversight. Major global technology firms such as Meta, Google, Apple, Microsoft and Amazon are expected to fall under this classification. SDFs must undergo periodic audits, meet algorithmic transparency standards, and comply with a government-approved framework for cross-border data transfers.
Rule 6 prescribes more detailed security requirements than earlier drafts. Companies must implement technical safeguards including encryption, pseudonymisation and anonymisation, maintain access controls, and retain logs for one year. They must also maintain visibility into who accesses personal data and be able to detect unauthorised access. In practice the logging and access-visibility requirements are what make the breach-notification obligation workable: a company cannot tell affected users and the Board which data was exposed within 72 hours unless access to that data was recorded in the first place. Rule 8 introduces firm limits on data retention, requiring companies to delete personal data once its purpose is fulfilled. E-commerce platforms, social networks, OTT services and gaming firms will be required to erase data according to timelines set for their sector. Analysts say the new retention rule will require extensive internal mapping of data flows, since a company can only delete on schedule data it knows it holds.
Children’s data also receives stronger protection under Rule 11, which prohibits behavioural monitoring, tracking and targeted advertising aimed at minors. Companies must obtain verifiable parental consent before processing a child’s personal data. The rules do not prescribe a uniform verification mechanism; instead, firms must build their own systems — a move welcomed by social media and gaming firms that had warned of implementation challenges.
The Tech Portal is published by Blue Box Media Private Limited. Our investors have no influence over our reporting.