Bengaluru: Two years after the Digital Personal Data Protection (DPDP) Act was passed by parliament, the Centre notified the long-awaited administrative rules that are required for putting the law into effect on Friday. They will regulate the processing, protection and governance of personal data in the country.

The privacy law in the world’s largest data market with over 800 million internet users has been 15 years in the making. Several provisions of the Act became effective Friday, while others will come into force in a graded manner over the next 12 to 18 months.

“On May 13, 2027, when the DPDP Act, 2023, comes into force, India will finally join the ranks of countries with a comprehensive data protection law,” said Rahul Matthan, founding partner of law firm Trilegal, who drafted one of the early versions of the bill.

Given the rapid pace of India’s digitisation, its powerful digital public infrastructure and the rapid adoption of new technologies such as artificial intelligence, the law will give India an enforceable data governance framework to address privacy concerns, he said.

Data fiduciaries face heavy penalties in the event of any failure to report or plug breaches of personal data. This covers the protection of information related to children and upholding the rights of data principals when it comes to accessing, correcting and erasing records.

The law also establishes the all-powerful Data Protection Board of India (DPBI), armed with powers to impose penalties ranging from ₹10,000 to a hefty ₹250 crore, to be paid to the Consolidated Fund of India.

Clear Roadmap for Industry

After full implementation of the law, users will have the right to seek deletion of data. Organisations that handle user data will have to follow clear guidelines for its storage and processing. They will also have to delete the data after one year and inform users 48 hours before starting the scrubbing exercise. In case of a breach, organisations will be duty bound to inform the DPBI within 72 hours and users at the earliest. The rules also mandate verifiable parental consent for processing children’s data and bans advertising targeted at those below 18.

The draft rules were published in January this year and contained a provision which said that a government constituted committee will decide if any kind of data can’t be taken outside the country. The provision, which had met with criticism from industry groupings and internet companies, has been retained.

“The government’s notification of the DPDP Rules 2025 marks a significant milestone in India’s ongoing journey to strengthen its personal data protection architecture,” said the National Association of Software and Service Companies (Nasscom) and the Data Security Council of India (DSCI) in a joint statement. “With the rules now in force, the industry has a clearer and more actionable roadmap.”

The rules mandate that consent notices should be in clear and plain language and capable of being independently understood by users.

“Organisations may need to reassess their consent frameworks to ensure that consent is specific, informed, and clearly distinguishable from the standard terms of use that users typically auto-accept,” said Harsh Walia, partner at law firm Khaitan & Co. Stakeholders must now prepare for a comprehensive overhaul: redesigning consent architecture, strengthening security controls and operationalising compliance mechanisms well ahead of the 12 May 2027 deadline, he said.

Key provisions include the establishment of a framework for verifiable consent, especially with regard to children and persons with disabilities, procedural requirements for notices sent by data fiduciaries, and the registration and obligations of consent managers, who facilitate consent-based data sharing.

The Act distinguishes between regular data fiduciaries and Significant Data Fiduciaries (SDFs), which face additional, stricter obligations due to the greater volume and sensitivity of data they process, besides the higher risk posed to the rights of individuals and the national interest. However, the classification is open for now, with the Act stressing that the Centre will notify individual data fiduciaries or a class of such entities as SDFs.

Certain matters raised by the industry during consultations arise from the architecture of the Act itself and could not realistically be addressed through subordinate legislation, said Nasscom and DSCI.

“These include the overarching structure of parental consent, the statutory age threshold for children and the requirement that all personal data breaches be notified,” they said.

Under the DPDP Act, data fiduciaries are generally prohibited from tracking or behaviourally monitoring children or directing targeted advertising at them.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCIO industry right on your smartphone!