Asia Insurance Post

DPDP Rules: From prompt data breach reporting to annual audits, Indian firms’ new obligations

by AIP Online Bureau | Nov 15, 2025 | Articles, Eco/Invest/Demography, Policy, Regulation, Risk Management, Technology | 0 comments

The DPDP Rules require companies that collect or process personal data (termed Data Fiduciaries) to implement reasonable security safeguards to protect that data, including appropriate measures such as encryption, obfuscation, masking or virtual tokens, together with monitoring and logging of access so that unauthorised access can be detected, investigated and remediated.

The government has notified detailed rules under the Digital Personal Data Protection (DPDP) Act, formally operationalising India’s first digital privacy law and setting the compliance clock ticking for companies handling user data.

The rules introduce stringent data-retention requirements for e-commerce platforms, social media intermediaries and online gaming companies, as part of a broader effort to strengthen data governance and user protection across the rapidly growing digital ecosystem.

The DPDP Act, enacted by Parliament on August 11, 2023, establishes a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals).

It follows the SARAL design — Simple, Accessible, Rational and Actionable — using plain language and illustrations to support ease of understanding and compliance.

According to the Ministry of Electronics and IT, the Act is guided by seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.

The DPDP Rules provide an 18-month phased compliance timeline, allowing organisations time for smooth transition.

They also require Data Fiduciaries to issue standalone, clear and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used.

To ensure stronger protection, Data Fiduciaries must obtain verifiable consent before processing the personal data of children, with limited exemptions for essential purposes such as healthcare, education and real-time safety.

For persons with disabilities who cannot make legal decisions even with support, consent must come from a lawful guardian verified under applicable laws.

Moreover, Data Fiduciaries must display clear contact information — such as that of a designated officer or Data Protection Officer — to help individuals raise queries about personal data processing.

Under the new guidelines, platforms will be required to delete the personal data of any user who has not logged in or used the service for three consecutive years. The regulation applies to online gaming companies with more than 50 lakh users, as well as social media and e-commerce platforms with more than two crore registered users in India.

From promptly alerting users and the Data Protection Board about data breaches, to retaining all traffic data and logs for a minimum of one year, and from giving users at least 48 hours’ notice before personal data is erased, to requiring large companies to conduct impact assessments and audits every 12 months, the DPDP Rules set clear and distinct timelines that firms must rigorously follow.
Social media sites, e-commerce entities, online gateways and any other organisations handling personal data are required by the new framework to give users a detailed explanation of the information being gathered and to make clear how it will be used.

These platforms will be required to erase personal data after three years of user inactivity or dormancy, except in the cases the rules specify.

Although the DPDP Act permits cross-border transfers of personal data, the government has made it clear that such transfers must comply with requirements it may notify from time to time. This applies in particular where user data is transferred to a foreign state or to any organisation under the control of a foreign government.

The DPDP Rules also require Consent Managers to maintain records of consents for at least seven years, or longer where necessary.

The rules also say that an inquiry by the Data Protection Board must be completed within six months from the date of receipt of the intimation or complaint, unless extended for periods of up to three months at a time, with reasons recorded.

The rules themselves also come into effect on a timeline: they take effect in a staggered manner, giving companies that collect and process personal data a transition period of 18 months.

The constitution of the Data Protection Board takes effect immediately, and the Consent Manager framework becomes operative after 12 months.

The remaining obligations on companies, such as consent notices, security safeguards, Data Principal rights and breach notification, come into force after 18 months.

Irrespective of the category of entity, companies will have to retain personal data and the associated logs for a minimum of one year from the date of processing.

“In the event of a personal data breach, Data Fiduciaries must promptly inform affected individuals in plain language, explaining the nature and possible consequences of the breach, the steps taken to address it and contact details for assistance,” the rules clarify.

“With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data. The phased rollout is crucial; it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly,” said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
In the event of a personal data breach, companies must promptly inform affected individuals, in clear terms, of the details of the breach, its potential consequences, the mitigation steps taken, recommended safety actions, and contact information for queries.

In addition, companies must immediately notify the Data Protection Board with initial breach details, and then within 72 hours provide an updated comprehensive report covering the causes, the impact, the mitigation, any findings about the perpetrators, and the remedial measures taken to prevent a recurrence.

Companies must notify users at least 48 hours before erasing their personal data, warning them that the data will be deleted unless they log in, contact the firm, or exercise their rights over the data in the meantime.
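The dormancy-erasure procedure described above (three years of inactivity, a 48-hour pre-erasure notice, a reprieve if the user logs in, contacts the firm or exercises a right, and retention of the associated log for a year after erasure) is easiest to get right as a single state function evaluated against each user record. The following is an added example, not code from the article or from any official DPDP tooling: the thresholds are taken from the article, while the record layout, the field names, the approximation of three years as 3 × 365 days, and the sample records are assumptions made for illustration.

```python
"""Dormancy-erasure workflow modelled on the DPDP Rules' inactivity provision.

Added example; not from the article or from any official DPDP tooling.
Thresholds follow the article (three years' dormancy, 48 hours' notice,
one year of log retention). Record layout, field names, the 3*365-day
approximation of "three years" and the sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANCY = timedelta(days=3 * 365)    # "three consecutive years" (approximation, assumed)
NOTICE_PERIOD = timedelta(hours=48)   # minimum advance warning before erasure
LOG_RETENTION = timedelta(days=365)   # keep the erasure log record for at least a year


@dataclass
class UserRecord:
    user_id: str                                      # pseudonymous key; assumed not personal data
    last_login: datetime
    last_contact: Optional[datetime] = None           # user contacted the fiduciary
    last_rights_exercise: Optional[datetime] = None   # e.g. access or correction request
    notice_sent_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None
    personal_data: dict = field(default_factory=dict)


def last_activity(u: UserRecord) -> datetime:
    """A login, a contact or a rights exercise all reset the dormancy clock."""
    return max(t for t in (u.last_login, u.last_contact, u.last_rights_exercise) if t is not None)


def decide(u: UserRecord, now: datetime) -> str:
    """Return the user's state: 'active', 'send_notice', 'await_notice_period',
    'erase', 'retain_log' or 'purge_log'."""
    if u.erased_at is not None:
        return "retain_log" if now - u.erased_at < LOG_RETENTION else "purge_log"
    act = last_activity(u)
    if now - act < DORMANCY:
        return "active"                       # any recent activity overrides a pending notice
    if u.notice_sent_at is None or u.notice_sent_at < act:
        return "send_notice"                  # dormant and no notice since the latest activity
    if now - u.notice_sent_at < NOTICE_PERIOD:
        return "await_notice_period"          # notice sent, 48 hours not yet elapsed
    return "erase"


def apply(u: UserRecord, now: datetime) -> dict:
    """Apply the decision in place and return an audit-log entry.
    The entry deliberately carries no personal data, only the pseudonymous id."""
    action = decide(u, now)
    if action == "send_notice":
        u.notice_sent_at = now
    elif action == "erase":
        u.personal_data.clear()               # the erasure itself
        u.erased_at = now
    return {"user_id": u.user_id, "action": action, "at": now.isoformat()}


# Constructed sample records (assumed), evaluated at a fixed reference time.
NOW = datetime(2025, 11, 15, tzinfo=timezone.utc)


def sample_users() -> list:
    days_ago = lambda n: NOW - timedelta(days=n)
    return [
        UserRecord("u1", last_login=days_ago(30)),
        UserRecord("u2", last_login=days_ago(1200)),
        UserRecord("u3", last_login=days_ago(1200), notice_sent_at=NOW - timedelta(hours=12)),
        UserRecord("u4", last_login=days_ago(1200), notice_sent_at=NOW - timedelta(hours=72)),
        # notice was sent, but the user then exercised a right: reprieved
        UserRecord("u5", last_login=days_ago(1200), notice_sent_at=days_ago(10),
                   last_rights_exercise=days_ago(2)),
        UserRecord("u6", last_login=days_ago(1600), erased_at=days_ago(100)),
        UserRecord("u7", last_login=days_ago(2000), erased_at=days_ago(400)),
    ]


def run(now: datetime = NOW) -> dict:
    """Map each sample user id to its decided state."""
    return {u.user_id: decide(u, now) for u in sample_users()}


if __name__ == "__main__":
    for user_id, state in run().items():
        print(user_id, state)
```

The point the code makes that the prose does not is ordering: the activity check runs before the notice check, so a user who acts after the notice is "active" again and the notice is simply superseded, and the audit entry written on erasure contains no copy of the data being erased, so the one-year log retention does not quietly re-create the data the rule required you to delete.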

“Every Data Fiduciary (firm) shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal (individual) under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data,” the Digital Personal Data Protection (DPDP) rules said.

Companies must obtain verifiable parental consent before processing a child’s personal data, confirming that the parent is an identifiable adult through reliable identity and age details or through authorised digital tokens issued by the government or by trusted entities.

The rules say: “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child…”

A Significant Data Fiduciary must conduct a Data Protection Impact Assessment and an audit every year and report the findings to the Board, and must ensure that its technical measures do not put the rights of Data Principals at risk.

“A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India,” the rules say.

Here ‘committee’ means a panel constituted by the Central Government, which will include officials from the Ministry of Electronics and Information Technology and may include officials from other Ministries or Departments of the Central Government.

The government can require Data Fiduciaries or intermediaries (digital and social media platforms) to furnish requested information, and may prohibit its disclosure to the individual concerned (the Data Principal) in the interest of the sovereignty and integrity of India or the security of the State.
