For nearly a decade, the right to privacy has primarily relied upon the Puttaswamy v. Union of India verdict by the Supreme Court in 2017. But as we step into 2026, it has shifted from the courtroom to smartphones. With the Digital Personal Data Protection (DPDP) Rules, 2025, now fully operationalized, the rules of the game for Big Tech, the government, and 900 million Indian internet users have been rewritten.
We are currently in the "Grace Period"—an 18-month window that began in late 2025. While companies have until May 2027 for total systemic compliance, the "digital-first" enforcement era has officially begun.
Remember the days when we had to click "accept" on a fifty-page document just to use a basic flashlight app? Those days are now numbered. According to new DPDP rules, companies are mandated to provide a standalone notice that is clear and itemized. These notices must also be available in all 22 scheduled languages mentioned in the Indian Constitution.
The Consent Manager
2026 sees the rise of a new entity—the Consent Manager. Registered with the newly formed Data Protection Board, these platforms will act as your "privacy dashboard," allowing you to see, manage, and withdraw consent across multiple apps in one place.
The Right to be Forgotten
The DPDP framework introduces a "business inactivity" threshold. According to this, if you do not interact with a service for more than 3 years, then the company is generally required to erase your data, thereby avoiding permanent "digital ghosting."
Protection for children
The rules for children (under 18) are among the strictest globally. Apps must now use "verifiable" methods—potentially linked to Digital Lockers or tokenized ID systems—to ensure a parent has actually approved a child's data use. Additionally, targeted advertising and behavioral tracking of children are strictly prohibited under DPDP Rules 2025. For a generation that grew up "online," this creates a protected space to develop without being algorithmically profiled from birth.
The critics
Despite these advantages, this rule has also invited criticism. The primary critique revolves around the amendment made to the Right to Information (RTI) Act of 2005. By removing the "public interest" override in Section 8(1)(j) of the RTI Act, the government has essentially made all personal information held by the state off-limits to citizens. Critics argue this turns a "right to know" into a "right to deny," potentially shielding corrupt officials under the guise of "privacy."
Furthermore, the Union Government retains the power to exempt "State instrumentalities" from major parts of the law for reasons of national security. In a digital age, the line between "public safety" and "mass surveillance" remains thin and blurry.
Enforcement and fines
The Data Protection Board (DPB) is now active. Operating as a "digital-first" adjudicatory body, it has the power to levy staggering fines: up to Rs 250 crore for data breaches. Companies must notify the Board within 72 hours after a breach. For the first time, privacy in India has a price tag that even the world's largest tech giants cannot ignore.
As we navigate this "Phase 1" of implementation in early 2026, the power balance has shifted. We are no longer just "users"—we are Data Principals. While the state's exemptions remain a concern for civil liberties, the era of companies treating our personal data as their private property is coming to an end. The next 12 months are critical. Will the DPB truly stand as an independent guardian of our digital lives, or will state surveillance shadow all the benefits of the law?