The Digital Personal Data Protection Rules, 2025: A New Digital Frontier

The Ministry of Information and Technology (“MeitY”) on Thursday, November 13, 2025 notified the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”), framed under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). In another gazette notification published on November 13, 2025, the MeitY also brought into force the provisions of the DPDP Act establishing the Data Protection Board, with effect from the date of publication. The Data Protection Board will consist of four members and be headquartered in New Delhi. The long-awaited DPDP Rules bring much needed clarity on the provisions and applicability of the DPDP Act. At the same time, they raise several questions on the purview and sweep of compliance obligations under the DPDP Act.

In a separate notification released on November 13, 2025, the MeitY also notified the provisions of the DPDP Act that were in abeyance. The implementation of the different provisions of the DPDP Act is taking a staggered approach, which is expected to somewhat help in meeting compliance obligations, with the DPDP Rules adopting a similar implementation approach. The dates for notification of the key provisions are:

S. NO. | EFFECTIVE DATE | RELEVANT PROVISIONS

1. November 13, 2025 (on the date of publication)
   (i) Definitions;
   (ii) Establishment of the Data Protection Board;
   (iii) Amendment to the Telecom Regulatory Authority of India Act, 1997 (Appellate tribunal – Telecom Disputes Settlement and Appellate Tribunal); and
   (iv) Amended provision of the Right to Information Act, 2005: “Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen, information which relates to personal information”.

2. November 12, 2026 (one year from the date of publication)
   (i) Registration of Consent Managers; and
   (ii) Intimation of breach of any condition of registration of a Consent Manager.

3. May 12, 2027 (eighteen months from the date of publication)
   (i) Applicability of the DPDP Act;
   (ii) Notice, consent and legitimate use;
   (iii) Obligations of Data Fiduciary and Significant Data Fiduciary (and Data Processors);
   (iv) Data Principals’ rights and duties;
   (v) Provision pertaining to transfer of personal data outside India;
   (vi) Exemptions;
   (vii) Powers of the Data Protection Board and procedures;
   (viii) Penalties;
   (ix) Powers of the Central Government (including takedown); and
   (x) Amendment to Right to Information Act, 2005 (deletion of references to Sensitive Personal Data or Information).

  1. Notice Requirements and the Rights of Data Principals.

    One area of clarification the DPDP Rules bring is Rule 3, which specifies the particulars of the notice to be given to Data Principals before a Data Fiduciary processes their personal data. The DPDP Rules now clarify that the notice must be given, and be understandable by the Data Principal, independently of any other information given, or to be given, by the Data Fiduciary. It must be written in clear and plain language and accompanied by a fair account of the details necessary for the Data Principal to give specific and informed consent to the processing of their data, including a de minimis list of items, namely: (i) an itemised description of the personal data; and (ii) the specified purpose of the processing, along with a specific description of the goods or services to be provided or uses to be enabled by it. The notice must also provide a link to the Data Fiduciary’s website and/or app, along with details of any other method, by which the Data Principal can: (i) withdraw their consent with the same ease with which it was given; (ii) exercise their rights under the DPDP Act, including the right of correction; and (iii) make a complaint to the Data Protection Board.

    While the DPDP Rules make compliance easier now that Data Fiduciaries know what to put in their notices, they raise concerns about the practicality of this exercise in certain use cases. For instance, it may be easy to provide such a detailed notice while processing an online shopping order, but it would be significantly more challenging to do so at a point-of-sale device or while making a restaurant reservation. Additionally, the requirement to provide a ‘fair account’ of the details necessary for processing personal data is ambiguous and leaves a significant amount of discretion in its interpretation.

    The DPDP Rules also provide, in Rule 14, enabling provisions for Data Principals to exercise their rights under the DPDP Act, including the details of the means by which Data Principals can exercise their rights and the information required for such exercise.

  2. Obtaining Consent for Protected Classes.

    Rule 10 and Rule 11 contain obligations for verifying lawful consent for processing the personal data of protected classes under the DPDP Act, namely children and persons with disabilities respectively. Rule 10 provides for technical and organisational measures to be undertaken by the Data Fiduciary to obtain the verifiable consent of a parent or legal guardian before any personal data of a child is processed. It imposes certain due diligence obligations on the Data Fiduciary to verify the parent’s identity, including by way of government-issued identification documents such as an Aadhaar card. While age verification technology and measures are not novel ideas in the world of children’s data protection, these measures for verifying and processing the parent’s data could overwhelm smaller service providers and create additional compliance burdens.

    Though the DPDP Rules do provide for an exemption to the obligations of obtaining verifiable parental consent (provided that the Data Fiduciary does not undertake any tracking, behavioural monitoring or targeted advertisement towards the child) under the DPDP Act while processing children’s personal data, some of these exemptions, too, may not necessarily be in the best interest of the child. For instance, in a strange turn of events, no parental consent is needed to determine the real-time location of the child, if, of course, it is restricted to ensuring their safety, protection or security.

    Similarly, Rule 11 provides for how a Data Fiduciary must obtain the verifiable consent of the legal guardian of a person with a disability. Notably, Rule 11 has significantly simpler verification obligations, only requiring a Data Fiduciary to exercise ‘due diligence’ to verify that the guardian has been lawfully appointed.

  3. Reasonable Security Safeguards and Data Breaches.

    More guidance has also been provided in Rule 6, which sets out the minimum security safeguards a Data Fiduciary, or its Data Processor, must employ to protect the personal data in its possession. These include: (i) controlling access to the computer resources used to process such personal data; (ii) using protective measures such as access logs to account for, monitor and review any unauthorised access to the personal data; (iii) retaining, for at least one year, any access logs and personal data that could help in an investigation of unauthorised access to personal data; and (iv) ensuring that the agreement between the Data Fiduciary and the Data Processor (if any) has provisions requiring the Data Processor to take reasonable security safeguards.

    Rule 7 further provides for how intimation of personal data breaches must be made by the Data Fiduciary to each affected Data Principal. Rule 8, interestingly, provides for retention and deletion obligations with respect to personal data processed for a specified purpose by certain specified Data Fiduciaries. If, for instance, personal data (not including data used to access a user account, or tokenised information stored to obtain money, goods or services) is being processed by an online shopping platform with at least two crore registered users in India, the retention period is three years from the latest of: (i) the date on which the Data Principal required the execution of the specified purpose; (ii) the date on which the Data Principal attempted to exercise their rights under the DPDP Act and DPDP Rules; or (iii) the date of commencement of the DPDP Rules. Notice of data deletion must also be given to the Data Principal at least forty-eight hours before the data is to be erased, and the deletion and processing logs and chain-of-command information must be retained for at least one year.

The DPDP Rules and allied notifications by the MeitY bring significant clarity to the operation of the DPDP Act. At the same time, they have not been immune from critique. Certain provisions create additional burdens, particularly on smaller service providers, which could pose organisational and practical challenges. In the thriving start-up ecosystem of India, this could be especially worrisome for founders and smaller entities. Yet now that the provisions of the DPDP Act have been operationalised, the release of the final DPDP Rules is a welcome guiding light for framing organisational and technical measures.
