India Notifies DPDP Rules 2025, Begins Rollout of New Data Protection Regime

Rozana Spokesman


The rules operationalise the “Digital Personal Data Protection Act, 2023”, more than two years after it was passed in Parliament.



India has officially notified the “Digital Personal Data Protection (DPDP) Rules, 2025”, marking a major milestone in the country’s transition towards a modern data-protection framework. The rules operationalise the “Digital Personal Data Protection Act, 2023”, more than two years after it was passed in Parliament.

The Ministry of Electronics and IT (MeitY) has laid out a “phased implementation timeline”, giving companies “12 to 18 months” for full compliance with the new obligations. Core provisions—such as basic transparency norms and the establishment of a Data Protection Board—come into effect immediately.

Clearer Consent and User Rights

Under the new rules, any organisation that collects personal data must provide a “clear, itemised privacy notice”. Users must be informed about:

What data is being collected,
Why it is being used, and
How they can withdraw their consent.

The rules require platforms to make consent withdrawal simple and accessible. If a user feels their data rights have been violated, they can file a complaint with the newly operational “Data Protection Board (DPB)”.

72-Hour Breach Reporting & Stronger Security Norms

Companies that experience a personal-data breach must notify both the user and the DPB “within 72 hours” of becoming aware of the incident. They must also provide details about the nature of the breach, its impact, mitigation efforts, and steps users should take for safety.

The rules strengthen security obligations for organisations handling personal data, including the adoption of “reasonable technical and organisational safeguards” such as encryption, masking, and access controls.

Special Protection for Children

For users under 18, companies must obtain “verifiable parental consent” before processing personal data. Certain exemptions exist—particularly in scenarios related to real-time safety of children—but profiling or targeted advertising to minors remains restricted.

Consent Managers & Data Fiduciaries

The rules formalise the structure for “Consent Managers”, who will act as intermediaries authorised to manage user permissions. These entities must register with the DPB within “12 months”.

“Significant Data Fiduciaries” (large platforms or services handling sensitive or vast amounts of user data) will face more stringent compliance obligations, including periodic assessments and audits.

Cross-Border Transfers & Classification

The DPDP Act adopts a “blacklist” approach for cross-border data transfers. Personal data can be stored or processed in other countries except those specifically restricted by the government.

Digital intermediaries will also be classified based on the nature of their services, and must delete personal data once it is no longer needed—unless retention is mandated under another law.

Why This Matters

The notification of the DPDP Rules lays the foundation for a safer digital environment in India. For businesses, the next 18 months will be crucial for transitioning into a compliance-ready model. For users, the rules strengthen privacy rights, transparency, and control over personal information.

India’s data-protection regime now moves closer to global standards, without disrupting the operational realities of digital-first companies.