BREAKING: E-commerce, Gaming and Social Media Giants can keep user data for three years after last interaction

India’s new Digital Personal Data Protection Rules, 2025 give the country’s largest digital platforms an extended runway to hold on to user data. According to the Third Schedule, e-commerce firms with over two crore registered users, online gaming intermediaries with more than fifty lakh users, and social media intermediaries above the two-crore mark can retain most personal data for up to three years from a user’s last interaction.

This three-year window applies to all purposes except two — enabling users to access their accounts and enabling access to any virtual tokens stored on the platform. For everything else, the countdown resets each time a user logs in, contacts the platform, or exercises a right. If none of those events occur, the three-year period runs from the date the 2025 Rules come into force.

Under Rule 8, once a user stops approaching the platform for the specified purpose — and no rights are exercised — the platform is required to erase that data unless retention is needed for compliance with law or for the full three-year period specified in the Schedule.

Before deletion, platforms must issue a 48-hour advance notice, informing users that their data will be erased unless they log in or reinitiate contact. This step effectively gives the platform a final opportunity to extend the retention window if the user returns.

Separately, the rules require every Data Fiduciary — regardless of category — to retain personal data, associated traffic data and processing logs for a minimum of one year after any processing activity. This sits alongside the three-year allowance for the largest e-commerce, gaming and social-media entities.

The outcome is a uniform, codified retention framework for India’s biggest digital intermediaries: a minimum one-year baseline for all processing activities, and a three-year retention window tied to user inactivity for platforms above the specified thresholds.