India’s New Data Protection Regime Explained: DPDP Rules Update Note

1. Background

Two years after the enactment of the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Indian government has notified the Digital Personal Data Protection Rules, 2025 (“Rules”), which operationalise and clarify key provisions of the law.

Alongside the Rules, the government has also published additional notifications that set out a phased approach for the implementation of the law together with a framework for establishing the Data Protection Board of India (“Board”), which will serve as the primary regulator under the law.

2. Transition Periods

The DPDPA and the corresponding rules will come into effect in a tiered manner. Timelines are as follows:

  1. Provisions regarding the establishment and constitution of the Board have come into force effective immediately.
  2. Requirements regarding registration of consent managers will come into force in November 2026.
  3. All other provisions, which include consent collection, data principal rights, reporting of personal data breaches, implementation of appropriate security measures, and enforcement mechanisms will come into force in May 2027.

3. Continued Reliance on Consent

Many stakeholders had anticipated – or rather, hoped – that the Rules would expand the grounds for processing personal data under the DPDPA. However, the consent-centric framework under the law remains unchanged, as the Rules do not introduce or clarify additional non-consent processing grounds for private businesses. Instead, the Rules reinforce the consent-first approach, providing new guidance on privacy notices. For example, notices must now be presented separately from other information, requiring a shift from current practices of bundling consent with acceptance of EULAs or terms and conditions.

Privacy notices must contain an itemised list of the personal datasets the business processes, along with a description of the purposes for which the data will be processed.

To meet these requirements, businesses should prioritise creating comprehensive data inventories. This will help in identifying the types of datasets processed and the associated purposes for processing.

Privacy notices must also include links to portals where data principals can withdraw consent and exercise other rights. This will require a redesign of user onboarding and creation of data management processes.

4. New Opportunities for Consent Managers

The DPDPA introduces a new class of entities called consent managers, distinct from data fiduciaries or data processors. These entities provide interoperable platforms enabling data principals to manage their consent preferences. Consent managers must register with the Board and meet specific conditions, including a local presence and a net worth of at least INR 20,000,000 (approximately USD 230,000). The Board has broad oversight powers, including prescribing standards for the consent management platform, requiring disclosures during registration, cancelling registrations, and approving changes of control or mergers involving consent managers.

Consent managers are expected to onboard data fiduciaries, facilitate consent requests from data fiduciaries to data principals, enable data principals to share consent and personal data through their platforms, and support the exercise of data principal rights. Critically, consent managers must remain “data-blind”, ensuring no access to personal data. This structure is similar to the account aggregator ecosystem regulated by the Reserve Bank of India (“RBI”) in the financial sector. However, it remains unclear whether and how the RBI-regulated ecosystem will integrate with the DPDPA’s framework for consent managers.

Engagements between consent managers and data fiduciaries will require careful structuring. Alongside technical integration, consent managers must prevent conflicts of interest, including those related to promoters, overlapping directorships, or material commercial relationships with data fiduciaries.

Interestingly, the Rules clarify that consent managers act in a fiduciary capacity toward data principals but are distinct from other data fiduciaries. The implications of this distinction, including additional compliance burdens, remain to be seen. Nevertheless, the government’s support for consent managers, coupled with the inability of many small and medium enterprises to manage consent in-house, signals new business opportunities in this space.

5. Children’s Data: A New Layer of Complexity

Under the DPDPA, data fiduciaries must obtain verifiable parental consent to process a child’s personal data. Similarly, processing personal data of a person with a disability requires verifiable consent from the person’s guardian.

Many had anticipated that the Rules would clarify key issues, such as the types of data fiduciaries that would need to obtain verifiable parental consent, practical mechanisms to implement such consent, and scenarios where services not directed at children inadvertently process their data – for example, due to misrepresentation by a child. Instead, the Rules largely reiterate the DPDPA’s requirement for verifiable consent. They mandate that businesses, through due diligence, ensure that individuals identifying as parents are adults. While the Rules suggest using government portals and regulated digital lockers for identity verification, they also permit other reliable mechanisms. To process the personal data of persons with disabilities, businesses face an additional requirement: verification must confirm that the guardian providing consent has been legally appointed under applicable laws. As with consent frameworks, these provisions will compel data fiduciaries to rethink and redesign user onboarding processes.

Separately, the DPDPA prohibits processing personal data that could harm a child’s well-being, behavioural monitoring of children, and targeted advertising directed at children. The Rules, however, introduce exemptions for certain data fiduciaries in specific contexts; for instance, tracking the real-time location of a child in the interest of ensuring their safety.

6. Data Breaches

Read with the DPDPA and existing Indian laws, data fiduciaries that suffer a personal data breach will have to, upon becoming aware of the incident, report its details to the Board “without delay”, and provide a more detailed report about the incident within 72 hours. This timeline may be extended by the Board upon receipt of a written request. This obligation exists in addition to:

  1. the existing 6-hour window to report security incidents (including personal data breaches) to the Indian Computer Emergency Response Team (“CERT-In”);
  2. reporting security incidents by financial institutions to the relevant financial sector regulators (where the reporting window starts, in certain cases, at 2 hours);
  3. sending a copy of the report filed with the CERT-In to the Insurance Regulatory and Development Authority of India, for insurers;
  4. informing the Unique Identification Authority of India of Aadhaar-related breaches; 
  5. reporting to the National Critical Information Infrastructure Protection Centre in respect of security incidents that impact critical information infrastructure; and
  6. the obligations of publicly listed companies to report incidents to stock exchanges.

In addition, data fiduciaries will, to the best of their abilities, have to inform impacted data principals of personal data breaches, the consequences likely to arise out of the breach, and, among other details, the contact information of an individual within the data fiduciary’s organisation who can respond to questions.

In practice, this will require data fiduciaries to revisit their existing SoPs for the multiple reporting timelines and regulators, and to create a sophisticated response system that can effectively react both to the incident at hand and to the differing regulatory requirements.

7. Other Notable Takeaways

  1. Government Access to Personal Data: Through the Rules, the government has a broad right to seek personal data from data fiduciaries and internet intermediaries for purposes that include national security, Indian sovereignty and integrity, performance of its functions under applicable laws, and for assessing data fiduciaries. This is a fairly broad right that stems from existing provisions under the DPDPA, and may impact cross-border data transfers, especially from the EU and the UK to India.
  2. Reasonable Security Safeguards: The Rules set out a minimum standard for the reasonable security safeguards that must be implemented by data fiduciaries, including access controls, minimum retention periods of 1 year, and backup and disaster recovery mechanisms. The Rules also recommend encryption, obfuscation, or other methods to mask personal datasets. These security measures will need to be contractually imposed on data processors as well. Companies with existing certified systems may find these standards easier to comply with.
  3. Potential New Localisation Requirements: While neither the DPDPA nor the Rules prescribe localisation obligations, the Rules refer to the government’s power to require significant data fiduciaries to store data in India as well as limit sharing of personal data with foreign regulators. This is likely to impact cross-border data transfers as well as investigations, though its scope remains to be seen.
  4. Data Principal Requests: Data fiduciaries and consent managers are required to respond to grievances and requests submitted by data principals within 90 days.
  5. Significant Data Fiduciaries: The Rules do not clarify the types of entities that may be classified as significant data fiduciaries. However, they do prescribe additional compliance obligations, including conducting data protection impact assessments and audits every year and using due diligence to ensure that technical measures, including algorithmic software that they deploy, do not risk the rights of data principals. The definition of algorithmic software and the threshold for risk of harm remain unclear.
  6. Data Retention Periods: E-commerce entities with more than 20,000,000 registered users, social media intermediaries with more than 20,000,000 registered users, and online gaming intermediaries with more than 5,000,000 registered users will have to comply with specific data retention periods of 3 years.
  7. Exemptions for Research, Archiving and Statistical Purposes: The Rules prescribe specific measures and principles that need to be met to avail these exemptions. Compliance with these standards would exempt businesses that process personal data for research, archiving, and statistical purposes from the scope of the DPDPA.

8. The Way Forward

The release of the Rules marks a much-awaited step towards the eventual enforcement of India’s data law, but is a mixed bag in respect of compliance. While the flexibility offered to data fiduciaries to define their own consent protocols is a welcome step, the lack of clarity on non-consent grounds of processing and localisation requirements, together with the added compliance around processing of children’s data, will require companies to create internal solutions and strategies to achieve compliance.