India on November 14 notified the long-awaited Digital Personal Data Protection (DPDP) Rules, 2025, finally shifting its privacy law into enforcement mode and triggering an 18-month compliance countdown for companies, platforms and government departments.
While the government hailed the move as a landmark in digital governance, lawyers and industry specialists warned that the new regime could impose heavy compliance burdens and leave businesses navigating unresolved grey zones.
The rules, issued by the Ministry of Electronics and IT (MeitY), operationalize the DPDP Act, 2023, and set up the Data Protection Board of India (DPBI). The Board will oversee inquiries and levy penalties that can go up to ₹250 crore (about $30 million).
For India’s $250-billion (₹21 lakh crore) digital economy, the shift represents the biggest privacy overhaul since smartphones went mainstream. Yet behind the celebration is a regulatory framework carrying significant ambiguity — one that companies fear may be as costly as it is consequential.
A Phased Rollout with a Tight Compliance Clock
Some provisions take effect immediately, but the critical obligations arrive in 12 to 18 months.
Effective now:
- Constitution of the DPBI
- Appointment rules and digital-office operations
- Six-month inquiry completion deadlines
By November 2026:
- Registration of Consent Managers; eligibility requires a net worth of ₹2 crore (about $240,000)
By mid-2027:
- Plain-language consent notices
- Unbundled, explicit consent
- Mandatory 72-hour breach reporting
- Auto-deletion for inactive users
- Parental-verified consent for minors
- Encryption, tokenization and one-year access-log retention
- Higher obligations for Significant Data Fiduciaries (SDFs)
A staggered rollout, experts note, is helpful — but also compresses massive system changes into a narrow window.
Supratim Chakraborty, Partner at Khaitan & Co, said the structure gives companies some breathing room but not enough to be complacent.
“The Government has opted for a phased rollout. Businesses have an 18-month window to comply with core obligations such as privacy notice, consent, transfer obligations, security safeguards and children’s data handling. This staggered approach gives critical breathing space, but organizations must move quickly to identify and close compliance gaps before the obligations kick in.”
Rights Strengthened, But Operational Details Still Murky
The rules expand user visibility into data practices: companies must justify what they collect, retain data for no longer than a year of inactivity (unless required by law), and notify users 48 hours before erasure.
Children’s data receives strict protections — no behavioral profiling, no targeted ads, and only after verifiable parental consent. This alone will require major changes in content-moderation, age-verification and ad-tech systems.
Security obligations have tightened as well: companies must maintain access logs, deploy encryption and tokenization, and ensure continuity even after a breach.
But several operational blanks remain:
- No clarity on DPBI inquiry procedures
- No requirement for publishing enforcement orders
- No triage mechanism for breach notifications
- No published criteria yet for Significant Data Fiduciaries
Rashmi Deshpande, Founder of Fountainhead Legal, said the rules answer many long-pending questions but leave two critical areas unresolved.
“With these Rules, questions around the Board’s functioning, consent management, security measures and child-data rules now stand settled. But restrictions on cross-border transfers will be addressed only through a separate order, and SDF criteria will also be notified later. These two points will directly shape compliance strategies, so organizations must watch them closely.”
Expert View: Rights-Based, Predictable — But Demanding
Prashant Phillips, Executive Partner at Lakshmikumaran & Sridharan Attorneys, said the notification preserves India’s core privacy principles.
“What stands out is the continuity of the core principles — transparency, accountability and user-centric processing — which remain intact from earlier drafts. The government has strengthened the framework with clearer grievance-redressal timelines and enhanced safeguards for children’s data. These refinements improve practical usability without altering the foundation. Overall, this signals India’s commitment to a predictable, rights-oriented protection system that balances regulatory clarity with strong individual protections.”
Consent Frameworks May Need a Full Rebuild
The rules tighten conditions for obtaining consent, requiring notices to be in clear, plain language and independent of standard terms-of-service bundles.
Harsh Walia, Partner at Khaitan & Co, warned that many platforms will need significant rewiring.
“The Rules mandate consent notices be independently understandable and distinguishable from generic Terms of Use. Organizations may have to reassess their entire consent architecture to ensure it is specific, informed and clearly separable from other agreements.”
The role of Consent Managers — intermediaries that will provide users a dashboard to manage permissions across services — is expected to become central from 2026. But if poorly regulated, these entities could introduce bottlenecks or even new vulnerabilities.
Breach Reporting: High Penalties, Short Deadlines
Companies must notify affected users “without delay” and file detailed breach reports within 72 hours. Failure can attract fines of up to ₹200 crore ($24 million) for non-reporting and ₹250 crore ($30 million) for inadequate safeguards.
Cyber-security experts argue that 72 hours is frequently too short for meaningful forensics, raising the risk of incomplete or confusing disclosures.
Cross-Border Data Transfers: Freedom With Caveats
India has adopted a “blacklist by exception” model — data transfers are allowed unless specific countries are restricted. But another rule empowers a government panel to bar offshore storage of certain categories of data, effectively creating a localization lever without naming it.
Tech multinationals warn that such ambiguity could delay cloud-expansion and AI-processing decisions.
The Road to 2027: Heavy Lifting Ahead
Friday’s notification ends years of drift and begins a race toward compliance. For many companies, this means overhauling data flows, rewriting consent systems, retraining teams and redesigning storage practices — all under the shadow of steep penalties.
The next 18 months will determine whether the DPDP becomes a workable safeguard or a sprawling compliance maze.
Either way, the clock has started — and it isn’t slowing.