India’s Updated Data Protection Framework: What the DPDPA and 2025 Rules Mean for Businesses


The Digital Personal Data Protection Act and its 2025 Rules provide the operational framework for handling personal data in India. This overview explains what the law requires, what the new Rules introduce, when the obligations take effect, and how organizations may approach notices, consent, retention, security, and user rights with clear and structured processes.

India has fully activated its modern data protection regime. With the Digital Personal Data Protection Act, 2023 as the foundation and the Digital Personal Data Protection Rules, 2025 now finalized, organizations inside and outside India face a clearer and more structured set of responsibilities. For any business serving customers in India, whether located in California, Europe, or elsewhere, these developments mark a shift toward defined processes, user rights, documented safeguards, and predictable obligations.


Understanding the DPDPA: Core Obligations Under India’s Privacy Law

The DPDPA establishes baseline expectations for how organizations process personal data. It applies to processing inside India as well as processing outside the country when goods or services are offered to individuals located in India.

Businesses are expected to present notices before collecting data, request clear and affirmative consent, allow withdrawal, follow purpose limitation, safeguard the information they hold, respond to user requests, delete information when it is no longer needed, and notify individuals and authorities of breaches.

These responsibilities apply to both Indian organizations and international companies with Indian users. Penalties can reach ₹250 crore, depending on the type and severity of the violation.


Key Updates Introduced by the 2025 DPDPA Rules

The 2025 Rules translate the Act’s principles into operational expectations.

Notices must be more specific, including itemized categories of data and a clear explanation of how the information is used.

Consent must be verifiable when dealing with children or lawful guardians, which may include confirming age tokens or checking existing records.

Security safeguards become more prescriptive, requiring encryption or masking, access controls, monitoring, and retention of logs for at least one year.

Breach notifications follow a defined sequence, including notifying affected individuals without delay and providing the Data Protection Board of India (the Board) with a detailed report within seventy‑two hours.

Retention obligations now include a three‑year inactivity‑based erasure requirement for certain large platforms, with a mandatory notice to users before deletion.

Data subject rights request procedures must be published and supported by identity verification steps.

Significant Data Fiduciaries must complete annual assessments, conduct audits, and apply due‑diligence measures for algorithmic tools.

Cross‑border data availability remains subject to government‑issued conditions.

International businesses operating in sectors such as e‑commerce, digital services, gaming, or social media may benefit from reviewing these additions closely since many of the new requirements affect how user data is handled throughout its lifecycle.


Implementation Timeline and Effective Dates Under the 2025 Rules

The Rules were published on 13 November 2025 and introduced a phased rollout.

Certain administrative rules take effect immediately on 13 November 2025, creating the initial legal framework that supports the implementation of the broader system.

The Consent Manager registration framework becomes effective exactly one year later, on 13 November 2026, allowing time for organizations and Consent Managers to prepare for technical and procedural requirements.

Most operational provisions, including notices, verifiable consent, rights requests, retention expectations, and breach‑reporting procedures, take effect eighteen months after publication, on 13 May 2027. This structure gives organizations time to review their current processes, update their policies, and plan technical and procedural adjustments before the operational requirements become enforceable.


Operational Impact: What the DPDPA and 2025 Rules Mean for Businesses

For many organizations, the combined effect of the Act and Rules is a shift from informal privacy practices to structured governance.

Businesses must understand how personal data enters their systems, how it is catalogued and stored, where consent appears in the workflow, how identity is verified, how long information is retained, and how logs and records are maintained.

These responsibilities may require coordination between technical teams, legal teams, and customer‑facing functions. Clym’s Governance Portal can help teams bring notices, consent interactions, rights requests, and documentation together in a centralized environment, supporting more organized privacy operations.


Practical Steps Businesses Can Take to Prepare for the DPDPA

Organizations serving individuals in India may begin by reviewing what personal data they collect and why. They may update notices so that each category of data is clearly described, review consent flows to incorporate verifiable steps when needed, evaluate security measures such as access management and log retention, and map out how rights requests are submitted and tracked.

Large platforms may assess whether they fall within the three‑year inactivity‑based erasure requirement. By treating these tasks as interconnected operational activities rather than separate one‑time actions, businesses can prepare for the phased rollout more effectively.


How Organizations Manage DPDPA Responsibilities in Practice

Managing these responsibilities across websites, applications, and internal systems can be complex. Many organizations benefit from using tools that support consistent notices across digital properties, structured consent and age‑verification flows, organized rights‑request intake and tracking, and unified user‑facing controls.

Clym’s platform brings these elements together by offering privacy policy publication features, a consent collection interface, data subject rights management, and an integrated Widget that centralizes user interactions. With such tools at hand, businesses can create clearer and more efficient privacy operations.


Conclusion: Preparing for India’s Updated Data Protection Framework

India’s data protection framework introduces a detailed set of responsibilities that encourage clearer communication with users, stronger governance, and more predictable data‑handling practices. As the phased rollout progresses, businesses may benefit from reviewing their notices, consent workflows, retention schedules, rights‑request procedures, and security controls. Platforms that bring these elements together in a structured environment, such as Clym’s privacy and governance tools, can support teams as they adapt to these expectations and maintain organized records across their digital properties.

FAQs about India’s privacy framework

Yes. The DPDPA applies whenever organizations outside India offer goods or services to individuals located in India. A company in California providing digital services to Indian users may fall within scope and may review its notice, consent, and data‑handling practices to understand how they relate to India’s DPDPA.

Verifiable consent involves confirming that the person giving permission has the legal authority to do so. This often applies to situations involving children or individuals with lawful guardians. Verification methods may include checking age tokens, reviewing existing account information, or using credentials stored in the Digital Locker system. Businesses offering age‑restricted services may integrate verification steps within their consent flows.

Certain large platforms, such as major e‑commerce or social media services, must erase personal data after three years of user inactivity. Before erasing the information, they must notify the individual at least forty‑eight hours in advance. This requirement encourages businesses to maintain accurate retention schedules and review their internal data‑lifecycle processes.

Individuals may request access to their data, ask for corrections, request erasure, withdraw consent, or file grievances. The Rules require businesses to publish clear instructions for submitting these requests and to verify identities using specific identifiers, such as account information or registered contact details. Organized request‑management workflows can help teams track submissions, respond within expected timelines, and document each step for future reference.

Fines can reach up to ₹250 crore (approximately $30 million), depending on the type of violation and the harm involved. Penalties may relate to security safeguards, breach notifications, children’s data, consent requirements, or obligations tied to Significant Data Fiduciaries. The penalty structure highlights the importance of maintaining clear, documented privacy practices.

The government may impose restrictions or set specific conditions on making personal data available to foreign states or foreign‑controlled entities. These conditions depend on future government notifications. Organizations with international data flows may monitor these updates to understand how their practices interact with these rules.

A useful first step is completing a data‑mapping review to confirm what information is collected, where it is stored, and which internal systems rely on it. From there, businesses may update privacy notices, review consent and age‑verification flows, evaluate security practices, document their request‑handling process, and prepare for upcoming retention and erasure obligations. Structured tools that centralize these tasks may help create clarity and consistency across teams.

Only Significant Data Fiduciaries must appoint a Data Protection Officer. These organizations are identified based on criteria such as data volume, sensitivity, and associated risk. The DPO oversees privacy operations, communicates with the Board, and supports ongoing governance efforts.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.