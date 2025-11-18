The Digital Personal Data Protection (DPDP) Rules, 2025, notified on 13 November 2025, mark a pivotal moment in India’s privacy journey. While the DPDP Act, 2023 laid down broad principles, these Rules operationalize them, converting intent into enforceable obligations. Crucially, the final version reflects public feedback, closes interpretational gaps left by the draft, and signals a shift from merely procedural compliance towards a regulated, ethical data ecosystem.



Strengthening Notice & Consent

One of the most significant refinements is in how consent must be obtained. Data Fiduciaries are now required to issue itemized, independently understandable notices that detail exactly what personal data is collected, for what purpose, and what goods or services that processing enables. This clarity empowers individuals (Data Principals) to make genuinely informed decisions.



Consent Managers: A Regulated Layer

Perhaps the boldest addition is the formalization of Consent Managers: not mere intermediaries, but regulated entities with clear obligations. They must register with the Data Protection Board, maintain a minimum net worth (₹ 2 crore), and keep consent logs for at least seven years. They must also avoid conflicts of interest; for example, a Consent Manager must not be able to read the personal data being shared through its platform. By elevating consent governance to a service layer, the Rules institutionalize user agency rather than relegating consent to a mere checkbox.



Retention, Erasure, and Predictability

The Rules bring more structure to data retention. Once the purpose of processing is complete, personal data must be deleted, but only after the Data Principal has been given at least 48 hours' prior intimation.






For large platforms such as e-commerce sites, social media intermediaries, and online gaming companies, there is now a uniform three-year deletion rule for user data (counted from the last interaction), unless retention is mandated by law. This predictability helps both users and businesses plan better.



Interestingly, while the personal data itself must be deleted, logs and processing metadata must still be retained for at least one year, so that audits, breach investigations, and regulatory oversight remain possible after the underlying data is gone.



Vulnerable Groups: Children and Persons with Disabilities

The Rules refine how verifiable consent of a parent or lawful guardian is to be obtained for minors and persons with disabilities. Permitted approaches include identity-linked tokens, Digital Locker-based validation, or other authorized methods. Yet the Rules also recognize practical realities: education and healthcare providers are given sector-specific exemptions so that socially essential services are not overburdened.



Breach Reporting: Tightened Obligations

On security, Data Fiduciaries are mandated to implement "reasonable security safeguards", such as encryption, access controls, logging, continuous monitoring, and backups. In the event of a personal data breach, the Rules require prompt notification to affected individuals and intimation to the Data Protection Board, followed by a detailed report to the Board within 72 hours. In practice, the one-year log retention requirement above is what makes that 72-hour report achievable: without retained access and processing logs, a Fiduciary cannot reconstruct what was accessed, by whom, and when.