The government has notified the final rules under the Digital Personal Data Protection Act, 2023, laying out a detailed compliance framework for consent managers, state bodies and large digital platforms. The rules, spanning seven schedules, define who can register as a consent manager, their obligations, and the standards for data processing across sectors.
Under the First Schedule, a consent manager must be an Indian company with a minimum net worth of ₹2 crore, robust technical and operational capacity, and a management team with a proven record of integrity.
The rules mandate that consent managers maintain seven years of consent logs, operate interoperable platforms certified by independent auditors, and publish ownership and governance details to ensure transparency. They are barred from subcontracting key functions and must avoid conflicts of interest with data fiduciaries.
The Second Schedule sets strict standards for state entities processing personal data, including purpose limitation, accuracy, retention safeguards, breach prevention, and mandatory intimation to data principals along with contact points for queries. Accountability norms are also tightened.
For major digital platforms, including e-commerce companies with over 2 crore users, social media intermediaries with a similar scale, and gaming platforms with over 50 lakh users, the Third Schedule caps personal data retention at three years from last user interaction, except for account access and virtual tokens.
Child-related processing sees carve-outs. The Fourth Schedule exempts select fiduciaries such as hospitals, allied health professionals, educational institutions and childcare providers from certain prohibitions, provided processing is strictly limited to safety, educational or medical purposes.
The Fifth and Sixth Schedules define service conditions for the Data Protection Board’s chairperson, members and officers, including salaries of ₹4–4.5 lakh per month, leave rules, travel entitlements, medical benefits and conflict-of-interest obligations.
The Seventh Schedule sets out authorised officers for state processing carried out in the interest of sovereignty, integrity or security.