Digital Personal Data Protection Rules, 2025

India's Digital Personal Data Protection (DPDP) Rules, 2025 mark a positive step in operationalizing the DPDP Act of 2023. The rules create a robust framework for safeguarding its citizens' digital personal data. It was notified by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025. These rules emphasize consent, transparency, and accountability to foster a trusted digital economy.

• The DPDP Act, 2023, was enacted to address rising data breaches and privacy concerns in India's rapidly advancing digital landscape, where over 900 million internet users generate vast personal data.
• It adopts a ‘SARAL’ approach- Simple, Accessible, Rational, and Actionable-focusing solely on digital personal data & defined as any data about an identifiable individual.
• The 2025 Rules provide the operational power, detailing compliance mechanisms after years of debate over earlier drafts such as the 2018 PDP Bill.
• They balance innovation with protection, imposing duties on ‘Data Fiduciaries’ (entities determining data processing purpose) while empowering ‘Data Principals’ (individuals whose data is processed).
• An 18-month phased compliance window eases the transition for businesses.

• Personal data excludes anonymous data or publicly available information.
• Data Fiduciaries include e-commerce giants, social media platforms, and government entities handling digital data.
• ‘Significant Data Fiduciaries’ (SDFs) are those with large user bases (lets say 2 crore+ users), sensitive processing, or high-risk activities- face stricter obligations such as annual audits and Data Protection Impact Assessments (DPIAs).
• Children and persons with disabilities get special safeguards: verifiable parental consent through unique identifiers (e.g., Aadhaar-linked) is mandatory, with tracking tools prohibited for minors.
• Consent Managers (as India-based entities) act as neutral intermediaries for managing consents.

• Consent forms the bedrock of the rules that require ‘free, specific, informed, unconditional, and unambiguous’ affirmative action required for each data purpose.
• Notices must be clear, multilingual itemized (what data, why collected & rights exercise), with a prominent withdrawal option as easy as granting it.
• For example, an app must display: ‘We collect your location to personalize ads- withdraw anytime via [link].’
• Deemed consent is applicable narrowly, such as for legal compliance or emergencies.
• Consent Managers must register themselves with the Data Protection Board (DPB), maintain verifiable logs, and enable seamless revocation.

• Citizens gain strong rights such as access to data held, correction or erasure (‘right to be forgotten’), nomination for posthumous management, and complaint filing.
• Requests must be responded to within timelines (72 hours for breaches).
• Organizations must provide data portability in machine-readable formats.

• Upon awareness, notify the affected principals ‘without delay’ (plain language on breach, impact, mitigation) and the DPB immediately, followed by a detailed report in 72 hours.
• Penalties for non-reporting may reach to Rs 200 crore.
• This contrasts with prior vague or unambiguous laws, aligning with global standards like GDPR.

• The Rules establish a digital-first DPB with a chairperson and members selected transparently, funded by government grants and penalties.
• It handles inquiries, imposes fines (up to Rs 250 crore for serious breaches), and offers an online portal or application for complaints- trackable in real-time.
• Appeals will go to Telecom Disputes Settlement and Appellate Tribunal.

• E-commerce, fintech, and social media must overhaul consent flows, invest in tech (e.g. tokenization), and train their staff.
• Startups get lighter touch, but non-compliance risks may fine crippling operations.
• Significant Data Fiduciary (SDF) examples: Add-to-cart platforms with 2 crore users, gaming apps, intermediaries.
• They must notify DPIA results publicly if systemic risks are found.

• Over-reliance on consent burdens users & no independent oversight risks government overreach via exemptions.
• Localization mandates could hike costs without reciprocity.
• The enforcement capacity of DPB can be questioned amid 1.4 billion population.
• Critics seek more on non-personal data surveillance reform.​
• The privacy advocates praise user-centricity but suggest amendments for journalist or academic exemptions.

What are the DPDP Rules, 2025?

These rules operationalize the DPDP Act, 2023, detailing consent, rights, fiduciary duties, and enforcement for digital personal data protection in India.​

Who qualifies as a Significant Data Fiduciary (SDF)?

SDFs include entities processing data of 2 crore+ users, children's data, sensitive processing, or high-risk activities.

How does consent work under the rules?

Consent must be free, specific, informed, via clear multilingual notices with easy withdrawal. ​

What happens in a data breach?

Fiduciaries notify affected principals without delay and DPB within 72 hours, detailing impact and mitigation. Further, fines up to Rs 200 crore for lapses may be imposed.​

What protections exist for children?

Verifiable parental consent mandatory for children under 18 years of age. No tracking, ads, or behavioral monitoring.