8 Key Takeaways: The Digital Personal Data Protection Rules, 2025

Vikram Jeet Singh and Kalindhi Bhatia


More than two (2) years after the notification of the Digital Personal Data Protection Act, 2023 (“DPDPA”, “Act”), the Act has now been implemented by way of the Digital Personal Data Protection Rules (“Rules”), notified on November 13, 2025. This comes as welcome relief and clarity to Indian businesses that have been seeking to align their data practices.


The Rules mark the end of India’s long journey towards a standalone privacy law, a journey that began when the 2017 Puttaswamy judgment called for one. The focus now shifts to the establishment of the data regulator, the Data Protection Board, which will be charged with implementing and enforcing the DPDPA.


Here are 8 key takeaways for businesses from the final Privacy Rules:


  1. Staggered Implementation of Major Compliances


The compliances required of businesses will come into force eighteen (18) months from the date of notification of the Rules (i.e., on May 14, 2027). These include the provision and content of privacy notices, putting reasonable security safeguards in place, intimation of personal data breaches, obtaining verifiable parental consent, etc. This gives businesses ample time to align their data practices and prepare for implementation.


For clarity, the process for constituting the Data Protection Board started on the date of the Rules’ notification, i.e., November 13, 2025. In addition, certain ‘consent manager’ related parts of the Rules will come into force one year (12 months) from the date of publication (i.e., on November 14, 2026).


  2. Privacy Notices – Clear, Simple, Accessible


The Rules reiterate the requirement that privacy notices provided to Data Principals be presented, and be understandable, independently of any other information. In addition, these notices will need to be written in ‘clear and plain language’. At a minimum, an itemized description of the personal data collected, and the specific purposes for which such data is collected or used, has to be provided in these notices. Finally, the notice should also contain a link to the relevant website/application, explain how consent can be withdrawn, and explain how a Data Principal’s rights can be exercised (including the right to complain to the Data Protection Board).


  3. Processing Children’s Data, with Some Exemptions


The requirement under the DPDPA to obtain ‘verifiable parental consent’ for processing children’s data remains ‘technology-agnostic’: Data Fiduciaries can adopt any ‘appropriate technical and organisational measure’ for this. Verification can be done by looking up details already available with the Data Fiduciary, or through a ‘virtual token’ mapped to such details that is issued by an ‘authorised entity’ (e.g., a Digital Locker service provider).


The accompanying Illustrations in the final Rules have been modified to include (without limitation) various methods of verifying the relevant parent’s/adult’s age and identity (voluntary provision of identifiers, a virtual token, use of Digital Lockers, etc.). Further, the Rules also exempt certain Data Fiduciaries, such as hospitals and educational institutions, from obtaining verifiable parental consent for certain specified purposes when collecting children’s data (for example, collecting their location for safety or protection reasons).


  4. Detailed ‘Reasonable Security Safeguards’


The Rules outline seven (7) security measures that every Data Fiduciary must adopt, at a minimum, in order to prevent breaches of personal data. These include safeguards such as encryption or masking, controls that limit access, regular data backups, and maintaining access logs so that potential breaches can be identified. Data Fiduciaries must keep these logs for one year and ensure that their contracts with Data Processors include appropriate data-security obligations.


  5. Data Breach Reporting Timelines Clarified


A Data Fiduciary is required to intimate affected Data Principals (and the Data Protection Board) of a data breach ‘without delay’ on becoming aware of such breach. While the Rules do not set a specific time limit for notifying Data Principals, a limit of 72 (seventy-two) hours has been specified for reporting such breaches to the Data Protection Board. The list of details that have to be provided with each such notification is set out in Rule 7 of the Rules. However, the ‘format’, template, or procedure for making such intimations has not been specified.


  6. Varying Data Retention Periods


The Rules contain a detailed explanation of the data retention timelines allowed to different categories of Data Fiduciaries. The Third Schedule to the Rules prescribes specific retention periods for e-commerce companies, online gaming platforms, and social media companies, and also describes the purposes for which such data can be retained. In addition, Data Fiduciaries will need to give 48 hours’ notice to Data Principals before erasing their personal data. The traffic data and other logs related to such processing also need to be erased within one (1) year of processing, unless retention is required under another law in force.


  7. Additional Obligations on ‘Significant’ Data Fiduciaries


The Rules carry over from the draft version the additional compliances placed on Significant Data Fiduciaries. These obligations include undertaking a Data Protection Impact Assessment once every twelve (12) months, and an audit to demonstrate compliance with the privacy law. In addition, due diligence should be undertaken to ensure that any algorithmic software (which may also include AI tools) deployed by them does not pose risks to Data Principals. (You may recall that there are separate draft rules mooted to require online platforms to label AI-generated information (see here). For clarity, that proposal is separate from these data-privacy-focused Rules.)


  8. (Almost) No Restrictions on Cross-Border Data Transfers


As was clarified in the Act and the draft Rules, there are no restrictions on the transfer of personal data outside India. However, the Central Government retains the power to specify restrictions in cases where such personal data is made available to any foreign State, or any instrumentality of a foreign State.


What Happens Next

Provisions relating to the constitution of the Data Protection Board came into force with the notification of the Rules, i.e., on November 13, 2025.


Provisions with respect to the registration of Consent Managers will come into force one year from the Rules’ notification date, i.e., on November 14, 2026.


Businesses / Data Fiduciaries have been granted a grace period of eighteen (18) months (i.e., until May 14, 2027) for compliance with the various obligations under the Act and the Rules (provision of a privacy notice, putting reasonable security safeguards in place, intimation of breaches, etc.).
