

























The DPDP Rules, 2025 protect users’ personal data by making the data collecting companies get consent from their users for collecting and storing the data.
The Digital Personal Data Protection (DPDP) Rules, 2025 are meant to protect the private data shared by users on various digital platforms. With the widespread use of digital platforms for day-to-day activities such as shopping, education, entertainment and payments, users are sharing a lot of personal data on these platforms, some of which can be quite sensitive. Instances of this data being shared widely, often for money, are also rampant.
The rules aim to grant people the right over their private data, to put in place a legal framework in a phased manner to make companies that handle personal data take consent from users, be responsible with the data and to act promptly to inform the users if their data is leaked or stolen.
Though the Act was passed in the Parliament in August 2023, without the rules being formalised and notified, the act largely remained on paper. The DPDP Rules 2025 make the act operational.
Data Principal: The individual whose personal data is collected.
Data Fiduciary: Any entity that collects personal data.
Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.
Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent.
The DPDP Rules, 2025 protect users’ personal data by making the data collecting companies (data fiduciaries and data processors) get consent from their users for collecting and storing the data. The consent must be obtained using clear, simple words which let users know that their personal data is being collected. The notice seeking consent should specify which user data is being collected. There should also be an easily available tool to withdraw the given consent.
These rules, along with the heavy penalty that they entail, would force companies to collect only the bare minimum data needed to provide service. The collected data would also be safe, as these rules demand that the data remains encrypted, is stored with proper security controls, and is deleted once the purpose of data collection is fulfilled or after one year of inactivity. The rules also make it mandatory that the users are immediately told if there is a data breach or data leak.
Once fully implemented, users will have an option to easily access their personal data collected by any data fiduciary and ask for it to be removed. Users can also make corrections to such data that is collected and nominate someone on their behalf to access the data once they are no more.
Children under 18 are well protected, as the DPDP Rules, along with the Act, demand that verifiable parental consent be obtained before they are allowed to access a service. In addition, children’s data or activity should not be tracked and there should not be any targeted ads.
Data fiduciaries (basically any app, website or company that collects users’ personal data) have to put strong encryption and security controls in place to protect data. The companies need to keep usage logs of the data for at least one year and appoint grievance officers to address any issues raised by the users.
The companies must also promptly delete the data after the purpose of data collection is fulfilled or after one year of inactivity. The companies must also report any breach to you immediately and to the Data Protection Board within 72 hours.
Bigger platforms (addressed as Significant Data Fiduciaries in the rules) have to conduct regular audits and do impact assessments. If they fail at any step, they can be fined up to ₹250 crore per violation. So, the rules put the full legal responsibility — and cost — of keeping your data safe squarely on the companies.
The DPDP Rules, 2025 allow businesses time to comply with the DPDP Act, 2023 through their phased implementation, with most obligations starting only after 18 months (May 2027). The implementation happens in three phases.
Immediate Effect - Establishment and functioning of the Data Protection Board of India (DPBI) – the complaint redressal and enforcement body begins operations right away.
Within 12 months - Registration and operationalisation of Consent Managers (intermediaries that let users manage consents across platforms)
Within 18 Months -
In the case of day-to-day usage, a person might not see a big change in how they share their personal data. However, once the act is fully enforced, a person would get notifications seeking approval to collect data, easier methods to withdraw consent and prompt breach alerts if the data is compromised. There would be a better tool in the form of ‘Consent Manager’ which lets users control the data they share across apps, which would be similar to a Permissions Manager in smartphones. The DPDP Act and the rules ban targeted ads on children. So, in theory, children are better protected from the targeted ads and tracking.
The digital services providers would have to invest heavily in data security, encryption, and other security systems to protect users’ data. They may not be able to collect unlimited and unchecked amounts of users’ data as they need to get consent. In case there is a breach, penalties can reach up to ₹250 crore per instance.
The 18-month phased implementation is actually a scheduled delay which comes on top of the two years that have already lapsed since the passage of the Act in the Parliament. This delay translates to a continued period of vulnerability of personal data.
The broad exemptions granted to the government are also a concern, as they could enable a surveillance regime and higher governmental oversight. For example, if a government seeks information about a person, the data fiduciary is not required to reveal that their data is shared with the government as per Rule 23.
The rules also do not categorise data based on its sensitivity. For instance, data on personal health and wealth is sensitive and needs to be handled with a lot more caution.
Published on November 20, 2025