The government on November 14, 2025, released the Digital Personal Data Protection (DPDP) Rules, 2025, making operational the Digital Personal Data Protection Act, India’s first data protection law, enacted by Parliament on 11 August 2023.
Why was it needed:
For years, digital sharing meant users surrendered their data—including names, locations, and browsing habits—to companies without transparency regarding who accessed it or how it was used. Furthermore, when data mismanagement or breaches occurred, users were often kept in the dark.
Significance of the new DPDP rules:
1. Rights of the Data Principal (user):
The new framework significantly empowers the individual whose data is being processed:
"The notice given by the Data Fiduciary to the Data Principal shall— (a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary; (b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data", the Rules read.
2. Obligations of Data Fiduciaries (government entities, private platforms, and digital service providers) towards users:
a. Platforms must obtain verifiable, purpose-specific consent from users.
b. They must maintain strong security (encryption) and strict access controls, and appoint a Data Protection Officer.
c. Data must be deleted once its purpose is fulfilled (or consent is withdrawn), but a one-year minimum retention of logs is mandatory for breach investigations.
d. Fiduciaries must give the user 48 hours' prior notice before erasing any personal data.
e. Verifiable parental consent is required for children (under 18). Separate rules protect adults legally incapable of making decisions.
Obligations of Data Fiduciaries during data breaches:
a. Affected Data Principals (users) must be notified immediately via their registered communication channel in a clear, concise way, specifying the nature of the breach, its likely consequences, and recommended safety steps for the individual.
b. The Data Protection Board (DPB) must also be intimated immediately, and a detailed follow-up report must be submitted within 72 hours, covering the broader facts, mitigation measures, findings on the responsible entity, and steps taken to prevent recurrence.
Consent Managers:
a. They are a new regulated category of intermediaries, introduced to enhance user control over personal data by letting users grant, withdraw, track, or review consent across different digital platforms. "A person who fulfils the conditions for registration of Consent Managers set out in Part A of First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website", the Rules note.
Timelines:
The DPDP Rules are being rolled out over 18 months.
Penalties:
Fines can go up to INR 2.5 billion (US$28 million) per breach, depending on the severity. The system is graded to protect MSMEs (Micro, Small, and Medium Enterprises). Key triggers include failure to protect data, breach notification delays, and violation of children’s data rules.
Conclusion:
From the users’ point of view, the rules gain further significance: greater transparency, clear consent, protection from data misuse, fast action, immediate alerts and a quick redressal mechanism.
___________________
Link - Inside India's DPDP rules: Shaping future of personal data privacy in digital era