
India's DPDP Rules 2025: A deep dive into the new data privacy law

The Digital Personal Data Protection framework in India is now operational with the notification of the 2025 Rules, creating clear obligations for companies and a Data Protection Board to enforce them

Kazim Rizvi and Raunaq Sharma

Each time you check your bank balance, book a delivery slot or upload a photograph, a trail of personal information moves across servers. For years, India debated how that data should be handled without settling the question; that gap has now begun to close. The government has notified the Digital Personal Data Protection Rules 2025, which transform the broad promise of the Digital Personal Data Protection Act into obligations that companies must follow and a framework the state can enforce. A statutory Data Protection Board now has the authority to examine breaches and impose penalties.

This move completes the structure created by the Act of 2023, which followed the Supreme Court’s recognition of privacy as a fundamental right in the Puttaswamy judgment in 2017. But some gaps remain. For example, the benchmark for “verifiably safe” under section 9(5) is still missing. The new rules define the practical steps that govern everyday interactions. They specify what a consent notice must contain, how long logs must be preserved and how soon a breach must be reported. They set out duties for firms that handle large volumes of personal data and clarify how the state may process information while delivering public services.


The rollout takes place in phases. The Data Protection Board and some procedural provisions take effect immediately. A new class of intermediaries called consent managers will start applying for registration after one year. These entities allow users to manage permissions across different platforms. The rest of the framework, including notice requirements, security safeguards, breach reporting, retention norms, rules for children’s data, cross-border data transfer conditions and obligations for significant data fiduciaries (large entities handling substantial, sensitive data), becomes binding 18 months after notification.

The clearest shift for users will be in how online services seek consent and respond to user requests. Consent notices must now be short and written in plain language. They must explain what data is collected, why it is collected and which services depend on that use. They must also offer simple ways to withdraw consent, request access to data, correct it or seek deletion once the data is no longer needed.

This change will touch every major online service. If a breach occurs, companies must inform affected users without delay and notify the Data Protection Board within 72 hours. Children receive particular attention. Anyone under 18 must have verifiable parental consent to access many online services. The new rules permit identity and age checks through existing documents and Digital Locker credentials. Parents may track a child’s location in specific circumstances, which the rules treat as narrow exceptions within the broader protection for children’s data.

Two concerns will shape how this new regime settles into real use. The first relates to artificial intelligence. AI systems rely on large volumes of information, much of which is scraped from public sources. The law allows an exemption for publicly available personal data, but the scope of this category is uncertain. Companies cannot assume that data visible online is exempt from consent. They must determine whether the individual made that information public herself or whether a third party published it under another legal mandate. Information shared by an employer, an online platform or a news outlet may appear public but may not meet the conditions required for exemption, which makes it difficult for AI developers to train or fine-tune AI models in India for Indian users.

The second issue relates to users who depend on intermediaries for transactions. Many people still rely on travel agents, ticketing platforms or service providers who complete bookings on their behalf. The new rules do not yet explain how valid consent should be captured when the user is not the person entering information into the system. All third-party service providers, such as gifting and matchmaking platforms, would be adversely affected because of the lack of additional grounds of processing, since they will have no legal basis to process the data of non-users that has been supplied by users of such platforms.

For businesses, the new rules make privacy a core obligation and governance issue. Every data fiduciary must adopt basic security practices, such as encryption or masking, and regular monitoring. Data retention now has fixed standards, and some logs must be kept for at least one year. Large platforms such as social media, gaming and e-commerce services must delete inactive user data after three years and give 48 hours' advance notice to affected users.

Companies must also create processes for handling user rights requests and reporting every breach, regardless of the perceived harm. For many mid-sized Indian firms, these requirements will demand new technology, new training and a more structured internal workflow. The clearer framework may, however, reduce uncertainty and help companies demonstrate trustworthiness in domestic and global markets.

Significant data fiduciaries face higher scrutiny. They must carry out yearly data protection impact assessments, undergo regular audits, appoint senior officers responsible for compliance and ensure that their systems do not undermine user rights.

India now has a functioning privacy system that defines rights, obligations and penalties that can go up to Rs250 crore for serious failures. Consent rules are clearer and breach reporting has strict timelines. This sets in motion a phase in which courts and regulators will define the limits of what the law permits. The choices made in this period will determine whether the framework becomes a genuine safeguard or a set of procedures that companies follow without meaningful protection for individuals.

Rizvi is founding director of The Dialogue, a public policy think tank. Sharma is a senior research associate with The Dialogue.
