- \n
- The Rules are called the Digital Personal Data Protection Rules, 2025 and are issued under section 40 of the DPDPA, 2023.\u200b<\/li>\n
- Different provisions start on different timelines from the date of publication in the Gazette:\n
- \n
- Rules 1, 2 and 17\u201321: effective immediately<\/strong> on publication.\u200b<\/li>\n
- Rule 4 (Consent Managers): after 1 year<\/strong>.\u200b<\/li>\n
- Rules 3, 5\u201316, 22 and 23 (core operational obligations): after 18 months.\u200b<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
This staggered approach gives businesses a limited but important transition window to build their privacy, consent and security frameworks.\u200b<\/p>\n
Key concepts and definitions clarified<\/strong><\/p>\n
The Rules clarify several operational concepts introduced in the Act so that implementation is more uniform across sectors.\u200b<\/p>\n
- \n
- \u201cTechno-legal measures<\/strong>\u201d are referenced for running the Data Protection Board as a digital office and for conducting proceedings without physical presence.\u200b<\/li>\n
- \u201cUser account<\/strong>\u201d covers not just classic logins but also profiles, pages, handles, email IDs, mobile numbers and similar presences through which a Data Principal accesses services.\u200b<\/li>\n
- \u201cVerifiable consent<\/strong>\u201d is tied to specific standards under Rules 10 and 11 for children and persons with disabilities, including age and identity verification mechanisms.\u200b<\/li>\n<\/ul>\n
These clarifications mean that even platforms relying on phone-based or handle-based access must treat those as user accounts under the Rules.\u200b<\/p>\n
Notice and consent: front door of compliance<\/strong><\/p>\n
The Rules tighten what an acceptable privacy notice and consent flow must look like.\u200b<\/p>\n
- \n
- Data Fiduciaries must give notices that:\n
- \n
- Are understandable on their own, not buried inside other documents.\u200b<\/li>\n
- Use clear, plain language and give a fair account of the processing.\u200b<\/li>\n
- At minimum, itemise the personal data being processed and specify purposes and the related goods\/services.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Notices must also clearly provide:\n
- \n
- A link and description of how to withdraw consent, with ease comparable to giving consent.\u200b<\/li>\n
- Ways to exercise Data Principal rights.\u200b<\/li>\n
- A route to complain to the Board.\u200b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
For children and certain persons with disabilities, \u201cverifiable consent\u201d from a parent or lawful guardian requires robust age\/identity checks, including use of identity details or tokens from authorised entities and Digital Locker service providers.\u200b<\/p>\n
Consent Managers: a new regulated ecosystem<\/strong><\/p>\n
One of the most significant institutional changes is formalisation of Consent Managers, who will provide interoperable platforms to manage consent across multiple Data Fiduciaries.\u200b<\/p>\n
- \n
- Only Indian companies can register as Consent Managers, and they must meet conditions such as:\n
- \n
- Minimum net worth of \u20b92 crore and adequate technical, operational and financial capacity.\u200b<\/li>\n
- Fit-and-proper management with sound financial condition and reputation.\u200b<\/li>\n
- Governance documents aligned with conditions set out in the First Schedule.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Registered Consent Managers must:\n
- \n
- Act in a fiduciary capacity towards Data Principals and avoid conflicts of interest with Data Fiduciaries.\u200b<\/li>\n
- Maintain an interoperable platform through which Data Principals can give, manage, review and withdraw consent, including routing consent between Data Fiduciaries.\u200b<\/li>\n
- Keep records of consents, notices and data sharing for at least 7 years, and provide machine-readable copies on request.\u200b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
For financial services, health, and large digital platforms, Consent Managers can become the backbone for consent-based data sharing between institutions.\u200b<\/p>\n
Security, breach response and retention<\/strong><\/p>\n
The Rules provide detailed expectations for \u201creasonable security safeguards\u201d and breach management, moving from generic obligations to an operational checklist.\u200b<\/p>\n
- \n
- Security safeguards must at minimum include:\n
- \n
- Encryption, obfuscation, masking or tokenisation of personal data.\u200b<\/li>\n
- Access control on computer resources and monitoring of who accesses personal data.\u200b<\/li>\n
- Logging, monitoring and review for detecting unauthorised access, with retention of logs and related personal data for at least one year unless another law requires more.\u200b<\/li>\n
- Backup and continuity arrangements so processing can continue if confidentiality, integrity or availability is affected.\u200b<\/li>\n<\/ul>\n<\/li>\n
- On becoming aware of a personal data breach, Data Fiduciaries must promptly notify:\n
- \n
- Each affected Data Principal with a description, likely consequences, mitigation measures, suggested safety steps, and a contact point.\u200b<\/li>\n
- The Board without delay, and then share fuller details (scope, causes, measures, responsible persons, and intimation report) within 72 hours or a longer period allowed by the Board.\u200b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Retention is also addressed through a mix of minimum logging requirements and sector\/class-based auto-erasure triggers.\u200b<\/p>\n
Auto-erasure and minimum log retention<\/strong><\/p>\n
The Third Schedule introduces a structured approach to when purposes are deemed no longer served and when data must be erased.\u200b<\/p>\n
- \n
- For specified classes of large digital entities (e-commerce, online gaming, and social media intermediaries above certain user thresholds) the Rules require erasure after 3 years from the last interaction, except for:\n
- \n
- Access to the user account.<\/li>\n
- Access to virtual tokens used to obtain money, goods or services.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Independently, all Data Fiduciaries must retain personal data, traffic data and other logs relating to processing for at least one year for purposes set out in the Seventh Schedule, after which they must erase it unless another law requires longer retention.\u200b<\/li>\n
- Data Fiduciaries must inform Data Principals at least 48 hours before erasing data under the auto-erasure rule, giving them a chance to re-engage or exercise their rights.\u200b<\/li>\n<\/ul>\n
This combination pushes digital businesses towards formal data retention schedules instead of indefinite storage.\u200b<\/p>\n
Special treatment of children\u2019s data<\/strong><\/p>\n
Children\u2019s data remains a focus area, but the Rules also create calibrated exemptions where strict consent requirements would harm welfare-centric processing.\u200b<\/p>\n
- \n
- Verifiable parental consent is mandatory for processing personal data of a child, with strict checks to ensure:\n
- \n
- The person claiming to be parent is an identifiable adult.<\/li>\n
- Identity\/age is confirmed via records already with the Data Fiduciary or via authorised entities\/Digital Locker tokens.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Exemptions from certain obligations in section 9 for children\u2019s data apply to:\n
- \n
- Healthcare providers and allied health professionals, limited to protecting the child\u2019s health.\u200b<\/li>\n
- Educational institutions and transport providers, limited to educational activities and safety\/behavioural monitoring.\u200b<\/li>\n
- Certain public-interest purposes such as welfare schemes, statutory functions, and safety-related processing like location tracking.\u200b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
These carve-outs are tied to tight purpose limitation and necessity conditions, ensuring processing remains proportionate.\u200b<\/p>\n
Significant Data Fiduciaries: enhanced obligations<\/strong><\/p>\n
For Significant Data Fiduciaries (SDFs), the Rules convert many high-level duties from the Act into specific recurring compliance tasks.\u200b<\/p>\n
- \n
- SDFs must, every 12 months:\n
- \n
- Conduct a Data Protection Impact Assessment and a data protection audit.\u200b<\/li>\n
- Submit a report with significant observations from both to the Board.\u200b<\/li>\n<\/ul>\n<\/li>\n
- SDFs must ensure that their technical measures, including algorithmic software used for hosting, storing, updating and sharing personal data, do not pose risks to Data Principals\u2019 rights.\u200b<\/li>\n
- For certain categories of personal data designated by the Central Government, SDFs must ensure that both the data and traffic data related to its flow are not transferred outside India.\u200b<\/li>\n<\/ul>\n
These requirements effectively mandate continuous privacy risk management and localised processing for notified datasets.\u200b<\/p>\n
Rights of Data Principals and grievance redressal<\/strong><\/p>\n
The Rules strengthen practical enforceability of Data Principal rights by focusing on discoverability and timelines.\u200b<\/p>\n
- \n
- Every Data Fiduciary must:\n
- \n
- Prominently publish, on its website\/app, the contact details of the Data Protection Officer (if applicable) or another responsible contact person.\u200b<\/li>\n
- Clearly explain the modes and identifiers (e.g., customer ID, email, mobile, licence number) Data Principals should use to exercise rights.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Grievance redressal systems must:\n
- \n
- Be clearly disclosed on websites\/apps.\u200b<\/li>\n
- Be structured to respond within a reasonable period not exceeding 90 days.\u200b<\/li>\n<\/ul>\n<\/li>\n
- Data Principals can also nominate individuals to act on their behalf to exercise rights, in line with terms of service and applicable law.\u200b<\/li>\n<\/ul>\n
These safeguards make it harder for organisations to hide behind complex processes or unclear contact points.\u200b<\/p>\n
Cross-border transfers, research and State use<\/strong><\/p>\n
The Rules also address some of the most debated topics under the DPDPA: international transfers, research exemptions, and State use of data.\u200b<\/p>\n
- \n
- Personal data can be transferred outside India by Data Fiduciaries, but if data is being made available to a foreign State or its agencies, they must meet conditions specified by the Central Government through general or special orders.\u200b<\/li>\n
- The Act does not apply to processing necessary for research, archiving or statistical purposes, so long as it complies with standards in the Second Schedule, which emphasise lawfulness, necessity, accuracy, security and accountability.\u200b<\/li>\n
- When the State or its instrumentalities process personal data under clause b of section 7 or clause b of section 17(2), they must follow standards in the Second Schedule and can only use authorised officers listed in the Seventh Schedule for tasks such as using data for sovereignty\/security or calling for information from Data Fiduciaries.\u200b<\/li>\n<\/ul>\n
This tries to balance operational flexibility for the State and researchers with baseline privacy safeguards.\u200b<\/p>\n
Board, appeals and digital-by-design enforcement<\/strong><\/p>\n
The enforcement architecture is explicitly designed as digital-first to match the nature of data processing being regulated.\u200b<\/p>\n
- \n
- The Data Protection Board will function as a digital office and may use techno-legal measures so proceedings do not require physical presence, though it retains powers like summoning and examining persons on oath.\u200b<\/li>\n
- The Board should ordinarily complete inquiries within 6 months of receiving a complaint\/intimation\/reference, with limited scope for written extensions of up to 3 months at a time.\u200b<\/li>\n
- Appeals against Board orders go to the Appellate Tribunal in digital form, with fees aligned to those under the Telecom Regulatory Authority of India Act and payable through UPI or other authorised digital payment systems.\u200b<\/li>\n<\/ul>\n
This model is intended to make enforcement faster and more accessible, especially for digital-first businesses and Data Principals.\u200b<\/p>\n
- Every Data Fiduciary must:\n
- SDFs must, every 12 months:\n
- Verifiable parental consent is mandatory for processing personal data of a child, with strict checks to ensure:\n
- For specified classes of large digital entities (e-commerce, online gaming, and social media intermediaries above certain user thresholds) the Rules require erasure after 3 years from the last interaction, except for:\n
- Security safeguards must at minimum include:\n
- Only Indian companies can register as Consent Managers, and they must meet conditions such as:\n
- \u201cUser account<\/strong>\u201d covers not just classic logins but also profiles, pages, handles, email IDs, mobile numbers and similar presences through which a Data Principal accesses services.\u200b<\/li>\n
- Rule 4 (Consent Managers): after 1 year<\/strong>.\u200b<\/li>\n
- Rules 1, 2 and 17\u201321: effective immediately<\/strong> on publication.\u200b<\/li>\n
![\"pdf](\"https:\/\/www.sgcms.com\/regulatory-updates\/wp-content\/uploads\/2024\/09\/pdf-icon-210x300.png\"){kind=icon}