BREAKING: DPDP Act goes live with phased implementation over next 18 months

The Ministry of Electronics and Information Technology (MeitY) has officially kicked off the implementation of the Digital Personal Data Protection (DPDP) Act, 2023, issuing a notification that lays out a clear, phased timeline for the law’s enforcement.

BREAKING: Govt notifies final DPDP Rules; sets staggered rollout with key obligations for Data Fiduciaries

The move sets the stage for India’s long-awaited privacy regime to become fully operational over the next 18 months.

According to the notification issued on 13 November 2025, several foundational provisions of the law, including definitions, duties of the Data Protection Board, penalties, and rule-making powers, come into effect immediately upon publication in the Gazette.

12-Month Deadline

A second set of provisions, including Section 6(9) dealing with consent withdrawal and Section 27(1)(d) relating to data fiduciary obligations, will come into force one year from now. This window gives companies time to build processes around consent revocation and data management protocols.

BREAKING: DPDP final rules out: Consent managers face tight eligibility; e-commerce & social platforms get 3-year data limit

18-Month Enforcement Phase

The most extensive set of obligations-including core compliance requirements, consent norms, children’s data rules, data fiduciary duties, significant data fiduciary classifications, data transfer rules, and grievance redressal-will become effective 18 months from the notification date.

This includes Sections 3 to 17, Sections 28 to 34, and parts of Section 44, forming the backbone of India’s data protection architecture. The extended timeline signals the government’s recognition that businesses, especially startups and large-scale platforms, need sufficient time to redesign data systems and governance frameworks.

DPDP Rules carve out key exemptions for healthcare providers, schools and childcare services processing children’s data

With the countdown now officially underway, companies across sectors, from tech and finance to healthcare, e-commerce, education and mobility, will have to accelerate compliance roadmaps. The staggered rollout also indicates that enforcement will be calibrated, giving the Data Protection Board room to establish operational mechanisms before full-scale penalties kick in.

The notification marks a significant milestone for India’s digital governance framework, finally bringing the DPDP Act out of the legislative books and into implementation mode.