The Ministry of Electronics and Information Technology (MeitY) has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, laying out the operational framework for India’s data protection regime under the DPDP Act, 2023.
The notification follows public consultation on the draft rules issued in January this year, with objections and suggestions now incorporated by the government.
Phased Implementation
Rules 1, 2 and 17–21 take effect immediately. Rule 4 (Consent Manager registration) will apply one year from publication. Rules 3, 5–16, 22 and 23 come into force 18 months from publication.
Key Highlights of the Rules
Clear, Independent Privacy Notices (Rule 3)
Data Fiduciaries must issue standalone, plainly worded notices detailing:
- Itemised personal data collected
- Specific purposes of processing
- Direct links for consent withdrawal, rights exercise and complaint filing.
Consent Manager Registration Framework (Rule 4)
Consent Managers must meet conditions in the First Schedule and will be registered by the Data Protection Board (DPB). The DPB can suspend or cancel registrations for non-compliance.
Government Data Processing Standards (Rule 5)
Any personal data processed for government subsidies, benefits, services, licences or permits must follow standards in the Second Schedule, covering activities under law, policy or public-fund expenditure.
Security Safeguards (Rule 6)
Data Fiduciaries must adopt minimum safeguards, including:
- Encryption, masking, obfuscation and tokenisation
- Access controls and activity logs
- One-year retention of logs and personal data for breach detection
- Backup and continuity measures.
Contracts with Data Processors must include mandatory security clauses.
Mandatory Breach Notification (Rule 7)
Fiduciaries must promptly notify:
- Affected users — with details on breach nature, consequences, mitigation steps, and a contact person.
- The Board — initial intimation immediately; detailed report within 72 hours.
Data Retention Limits (Rule 8)
- For certain categories listed in the Third Schedule, data must be erased if the user does not engage within a specified time, unless retention is required by law.
- Fiduciaries must warn users 48 hours before erasure.
- A minimum one-year retention of traffic logs and processing logs is compulsory.
Mandatory Contact Details Publication (Rule 9)
All Data Fiduciaries must prominently display contact information of the Data Protection Officer or designated representative.
Verifiable Consent for Children (Rule 10)
Before processing child data, fiduciaries must obtain verifiable parental consent, validated through:
- Existing identity/age data with the platform
- New identity/age details voluntarily provided
- Tokens issued by authorised entities or Digital Locker service providers.
Consent for Persons With Disabilities (Rule 11)
Fiduciaries must verify legal guardianship through authorities designated under the Rights of Persons with Disabilities Act, 2016, or National Trust Act, 1999.
Exemptions for Child-Data Processing (Rule 12)
Certain fiduciaries and specified purposes (Fourth Schedule) receive exemptions from Section 9(1) and 9(3), subject to conditions.
Additional Obligations for Significant Data Fiduciaries (Rule 13)
Significant Data Fiduciaries (SDFs) must:
- Conduct annual Data Protection Impact Assessments and audits
- Ensure algorithmic and technical measures do not harm user rights
- Adhere to data-localisation requirements for categories the government notifies
- Submit findings to the Board.
User Rights Framework (Rule 14)
Fiduciaries and Consent Managers must clearly publish:
- Methods for exercising rights
- Identifiers needed
- A grievance redressal system responding within 90 days
- Mechanisms for users to nominate representatives.
Cross-Border Data Transfers (Rule 15)
Permitted, subject to restrictions notified by the Central Government regarding foreign states and entities.
Research and Archiving Exemption (Rule 16)
Processing for research, archiving or statistical purposes is exempt from the Act if compliant with Second Schedule standards.
Governance and Board Appointments (Rules 17–21)
A Search-cum-Selection Committee headed by the Cabinet Secretary will shortlist candidates for Chairperson of the Data Protection Board. A separate committee chaired by the MeitY Secretary will recommend Board Members.
Salaries and service conditions are defined in the Fifth Schedule. The Chairperson will set meeting procedures and authenticate official orders.
The notification marks India’s most detailed step yet toward implementing the DPDP Act, laying out extensive obligations for companies, tight deadlines for breach reporting, and stronger safeguards for children and vulnerable users. The staggered rollout gives industry up to 18 months to achieve full compliance.