ARTICLE
19 November 2025

Legal Update – Digital Personal Data Protection Rules, 2025

DSK Legal

Contributor

DSK Legal is known for its integrity, innovative solutions, and pragmatic legal advice, helping clients navigate India’s complex regulatory landscape. With a client-centric approach, we prioritize commercial goals, delivering transparent, time-bound, and cost-effective solutions.

Our diverse and inclusive culture fosters innovative thinking, enabling us to craft exceptional legal strategies. Recognized for excellence, we attract top talent and maintain strong global networks, ensuring seamless support for cross-border matters and reinforcing our position as a trusted legal partner.


After months of anticipation, the Government has now notified the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), marking a significant step toward full operationalisation of the Digital Personal Data Protection Act, 2023 ("DPDP Act"). The DPDP Rules set out comprehensive standards on notice, consent, security safeguards, breach reporting, data retention, child-specific consent protocols, and obligations of Consent Managers and Significant Data Fiduciaries, providing much needed clarity on the procedural aspects for implementation by Data Fiduciaries.

Below are a few key takeaways:

  1. Phased Implementation: The DPDP Rules adopt a three-phased implementation model with (a) Data Protection Board and Tribunal-related provisions (Rules 1, 2, 17–21) coming into effect immediately; (b) Consent Manager registration and obligations-related provisions (Rule 4) coming into force one year from the date of publication; and (c) provisions pertaining to notice, verifiable consent, security safeguards, breach-reporting, and other obligations (Rules 3, 5 to 16, 22 and 23) coming into force 18 months from the date of publication.
  2. Enhanced Notice Requirements: Notices must be presented and be understandable independently, provided in clear and plain language, include an itemised description of personal data, the specified purpose, along with a specific description of goods/services enabled through such processing. Notices must also include communication links and mechanisms for (a) withdrawal of consent; (b) exercise of rights; and (c) filing complaints with the Board.
  3. Consent Manager Registration: A detailed compliance framework for Consent Managers has been introduced, covering, inter alia, (a) qualification criteria and conditions for registration; (b) disclosures in an accessible manner; (c) prohibition on change in control without prior Board approval; and (d) mandatory audit mechanisms covering technical and organisational controls. These obligations materially increase governance expectations for Consent Managers.
  4. Rigorous Security Safeguard Standards: The DPDP Rules mandate adoption of appropriate data security measures, inter alia, encryption, masking/obfuscation, access controls, mapping/logging, monitoring, backup measures, and retention of logs and personal data for one year to enable investigation and remediation of breaches, unless a longer period is required by law.
  5. Data Breach Notification Requirements: The DPDP Rules require: (a) notification without delay to affected Data Principals with clear information on the breach, its consequences, mitigation steps, and contact details of a responsible officer; (b) notification to the Board without delay, followed by a detailed report within 72 hours, including facts of the incident, identity of the person causing the breach (if known), remedial measures, and copies of notifications sent to affected Data Principals.
  6. Statutory Retention and Mandatory Erasure Timelines: The DPDP Rules introduce defined retention timelines for specific classes of Data Fiduciaries, i.e., (a) E-commerce entities; (b) Online gaming intermediaries; and (c) Social media intermediaries (each with substantial user thresholds). Such entities must erase personal data if the Data Principal does not access the service or exercise rights for three years, subject to exceptions (e.g., account access, virtual tokens, or legal retention). The DPDP Rules further require all Data Fiduciaries to retain personal data, traffic data and logs for specified purposes such as limited State uses, i.e., sovereignty and security functions, statutory functions or disclosures, and assessments for identifying Significant Data Fiduciaries.
  7. Verifiable Parental Consent for Processing Children's Data: The DPDP Rules prescribe a detailed regime for obtaining verifiable parental consent for processing children's personal data, by verifying that the individual identifying as the parent is an identifiable adult. Such verification shall be carried out through: (a) verification of such individual against reliable identity and age information already available with the data fiduciary, or (b) details provided voluntarily by the individual or through virtual tokens issued by an 'authorised entity', including a Digital Locker service provider. The DPDP Rules also exempt certain fiduciaries, such as healthcare providers, educational institutions, crèches, etc., from obtaining verifiable parental consent and from the restriction on undertaking tracking or behavioural monitoring of children and targeted advertising directed at children where processing is limited to purposes defined under the DPDP Rules.
  8. Verifiable Consent for Persons with Disabilities with Lawful Guardians: The DPDP Rules also prescribe a regime for obtaining verifiable consent of the lawful guardian of a person with disability, by relying on proof that such guardian has been appointed by a court of law, or an authority designated under the Rights of Persons with Disabilities Act, 2016, or by a local level committee, under the law applicable to guardianship.
  9. State Processing Standards: The DPDP Rules permit the State to process personal data for issuing or providing any subsidy, benefit, service, certificate, licence or permit, whether under law, policy, or using public funds, subject to strict standards in the Second Schedule. These standards require lawful, necessary, accurate, limited, secure and accountable processing. The same safeguards also apply where personal data is processed for research, archiving or statistical purposes.
  10. DPO/Authorised Contact Requirement: Every Data Fiduciary must clearly publish and provide, in all rights-related communications, the business contact details of its Data Protection Officer (DPO) or another authorised person who can answer queries on personal data processing.

In comparison to the draft DPDP Rules published in January, the notified DPDP Rules adopt a more implementation-focused approach, introducing phased enforcement timelines, tightening Consent Manager governance, expanding security and breach-reporting obligations, formalising retention/erasure timelines for large platforms, and refining the framework for verifiable consent for children and persons with disabilities. These changes indicate a move from high-level principles to more prescriptive, operational requirements. This regulatory shift will require significant readiness efforts across sectors and is expected to strengthen trust and privacy-centric practices across the digital ecosystem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
