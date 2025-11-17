India has officially notified its Digital Personal Data Protection (DPDP) Rules, 2025, as it moves to regulate the processing and governance of personal data. The rules operationalize the DPDP Act, 2023, giving the country data protection laws in line with other regimes such as the EU’s GDPR and Singapore’s Personal Data Protection Act, 2012.

The DPDP Act was passed in India’s parliament in August 2023, with the draft of the rules released for consultation in January 2025 and notified on November 14, 2025. The Act sets out standards for how the organizations that decide how and why personal data is processed (“data fiduciaries”) handle the personal data of individuals (“data principals”), including mandatory access controls and encryption, and security audits for large companies (“significant data fiduciaries”).

The framework permits cross-border transfers of personal data unless specifically restricted by the government, offering more flexibility than the EU’s GDPR. This could reduce costs and speed up international data flows, though sector-specific localization obligations remain.

Implementation will be staggered. Provisions establishing the Data Protection Board (DPB) take effect immediately, the consent manager framework after 12 months, and broader compliance obligations after 18 months, giving companies time to adapt.

The framework introduces verifiable consent requirements, especially for children and persons with disabilities, and lays out procedures for notices and the registration of consent managers. Organizations must adopt safeguards such as encryption and access controls, and are required to notify both affected individuals and the Data Protection Board (DPB) in the event of a breach.

Rules on retention and erasure mandate deletion of personal data after specified periods unless retention is legally required, while transparency measures include publishing contact details of data protection officers and grievance systems.

Significant data fiduciaries face stricter compliance, including annual audits, algorithmic risk assessments and possible restrictions on transferring certain personal data outside India. Exemptions apply for research, archiving and statistical purposes. The DPB has been empowered to function digitally, streamlining hearings and enforcement, with detailed service conditions for its members.

DPDP subordinate rules emphasize consent, children’s protection

India’s Digital Personal Data Protection Act (DPDP) is now backed by detailed subordinate rules that set out how organizations must handle personal data and safeguard individual rights. The framework includes two key roles: data fiduciaries, the entities that decide how and why personal data is processed, and data principals, the individuals to whom that data belongs.

The rules strongly emphasize consent. Companies must provide clear, plain-language notices that explain what data is being collected, why it is being processed, how complaints can be raised, and how consent can be withdrawn as easily as it was given.

To support this, the law introduces the concept of a consent manager — a registered platform that allows individuals to give, manage or withdraw consent across authorised organizations. These managers are subject to strict duties and oversight by the Data Protection Board.

Security is another key piece. Organizations are required to implement safeguards such as encryption, access controls, monitoring and backups. In the event of a data breach, companies must immediately inform affected individuals in straightforward terms, outlining the consequences, mitigation steps and contact details.

They must also notify the Data Protection Board without delay, followed by a comprehensive report within 72 hours. Failure to notify can attract penalties of up to ₹200 crore (US$22.58 million), pushing firms to establish round-the-clock incident response systems.

The rules also address data retention and erasure. Large platforms such as ecommerce sites, online gaming companies and social media networks must erase personal data after three years of user inactivity, unless exceptions apply. Users must be warned at least 48 hours before deletion, and all companies must retain data and logs for at least one year after processing.

Special protections apply to children and persons with disabilities. Verified parental consent is mandatory before processing child data, with parents required to prove they are adults through reliable identity checks or digital tokens. Certain healthcare and educational uses are exempt under specific conditions.

For significant data fiduciaries (SDFs) — typically large-scale digital platforms — compliance obligations are even tighter. They must conduct annual data protection impact assessments and audits, ensure that algorithms do not compromise individual rights, and prepare for possible data localization requirements, which could restrict certain categories of personal data from leaving India. This goes beyond the European Union’s GDPR, creating an India-specific compliance burden.

The DPDP rules should push organizations operating in India to adopt a culture of transparency, accountability and security. From informed consent to breach reporting and child protection, the framework is designed to give individuals stronger control over their personal data while holding companies to rigorous standards.

Protecting children with adult identity checks

India’s new Digital Personal Data Protection Rules, 2025, place particular emphasis on safeguarding children’s data. Platforms must obtain verifiable parental consent before processing the personal information of anyone under 18.

Parents are required to prove they are adults through identity checks, existing account details, or government-issued digital tokens, and children themselves must now declare who their parent is, with platforms verifying that relationship.

The rules prohibit tracking or behavioural monitoring of children unless the central government grants exemptions for platforms deemed “verifiably safe” or for specific purposes. Exemptions have been carved out for organizations whose work directly relates to child safety and welfare.

Healthcare providers, schools, childcare centers and transport services are permitted to process or track data without parental consent, but only within tightly defined limits such as ensuring health services, monitoring educational activities or tracking travel routes for safety.

Real-time location tracking is explicitly allowed when it serves the child’s protection, for example during school transport. Companies may also process data to confirm whether a user is a child or to verify the identity of someone claiming to be a parent. Additional safeguards ensure children are shielded from harmful content, including advertisements that could negatively affect their well-being.

These requirements will take effect in 18 months, giving platforms time to adapt their systems.

In the event of a data breach

The finalized DPDP Rules, 2025, strengthen India’s framework for handling data breaches. Companies must immediately inform the Data Protection Board (DPB) of the likely impact and details of any breach including its nature, extent, timing and location. Within 72 hours, they are required to provide an updated account covering the circumstances, remedial measures, mitigation steps, and findings about the cause, as well as evidence of notifications sent to affected individuals. Extensions may be granted if requested in writing.

A breach is defined broadly under the DPDP Act, 2023, as any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data. Failure to report can attract fines of up to ₹200 crore ($22.58 million), while inadequate security safeguards may lead to penalties of up to ₹250 crore ($28.22 million). These measures will take effect in 18 months.

To comply, companies must adopt strong security safeguards such as encryption, masking, obfuscation, access controls, logging and backups. Logs and personal data must be retained for at least one year to aid detection and investigation. Firms must also ensure continuity of processing through backups and organizational measures.

Affected individuals must be notified promptly in clear, plain language. Companies are required to explain the breach’s timing, nature and extent, outline its potential consequences, describe the mitigation steps taken, suggest safety measures the individual can take, and provide contact details for further queries.

