On November 13, 2025, the Government of India formally brought into effect the much-awaited Digital Personal Data Protection Rules, 2025 (Rules). The Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and provide practical guidance on how to comply with certain provisions of the DPDP Act. Together, they implement binding legislation that regulates the management of digital personal data[1] in and from India.
The DPDP Act provides for a stringent consent-based regime. It applies not only within India but also to foreign companies that process digital personal data outside India where such processing is in connection with offering goods or services to individuals in India. This mirrors the GDPR, whose Article 3(2) reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Implementation
Under Section 1(3) of the Act, India’s new data protection framework comes into force in phases, so that companies have adequate time to plan for compliance. The timeline brought into effect by the Rules is as follows:
Stage 1 (November 13, 2025): The Data Protection Board of India[2] is constituted, together with the provisions governing its functioning and procedures.
Stage 2 (12 months, November 13, 2026): The registration process for Consent Managers takes effect. These entities act as intermediaries through which Data Principals give, manage, review and withdraw their consent.
Stage 3 (18 months, May 13, 2027): The main compliance duties apply, including notice requirements, security safeguards, breach notification, the obligations of Significant Data Fiduciaries (SDFs), and the rights of Data Principals.
Obligations
The Rules set out requirements that Data Fiduciaries[3] must meet in order to uphold the rights of Data Principals[4]. We summarize several of the important ones below.
Consent
The Rules require Data Fiduciaries to comply with the DPDP Act, and, as flagged above, consent[5] is paramount. For example, a Data Fiduciary must give the Data Principal clear information about how their personal data will be used, in enough detail to enable specific and informed consent. At a minimum, this notice must include:
- An itemized description of all the personal data that is being processed.
- The specified purpose(s) for processing such personal data and description of the goods and services which will be provided or be enabled by such processing.
- A link to a website or app through which Data Principals can easily withdraw their consent, exercise their rights under the Act, or file complaints with the Board.
ACTION: Companies must evaluate the design of their current consent mechanisms and user interfaces against the above requirements. Consent must now be explicitly linked to the purpose of processing and presented with a simple opt-out route. The requirement to provide a website link or app for withdrawal is unusual; most countries simply require a contact point.
The Rules also suggest that consent must be highly granular, with each “item” of personal data tied to the “specified” purpose of processing and to a description of the goods or services provided. Businesses that process large amounts of personal data for varied purposes will need to consider how to frame this information fairly in order to obtain valid consent, and whether some bundling of consent is permissible for related purposes.
Unlike the GDPR (which offers other lawful bases, such as legitimate interests), the DPDP Act makes consent the primary basis for processing, with only a closed list of “legitimate uses” (Section 7) alongside it, so these requirements are likely to have a very broad effect.
Data security
The Rules also require reasonable security safeguards and set strict breach reporting requirements. These include the following:
- Data Fiduciaries must implement security safeguards for personal data, such as encryption and masking, covering all personal data in their possession or under their control, including where processing is carried out on their behalf (for example by a Data Processor).
- Other required measures include access control, access logging and monitoring, data backups (and other means of continuing processing after a breach), and methods for detecting unauthorized access, investigating it, and remediating to prevent recurrence.
- Agreements with Data Processors[6] must incorporate clauses requiring all reasonable security safeguards.
As with Article 32 of the GDPR, the measures in Rule 6 are a floor, not a ceiling: a Data Fiduciary must take whatever further reasonable safeguards are needed to prevent a personal data breach. The Rules are, however, more prescriptive than Article 32. For example, Rule 6 expressly requires Data Fiduciaries to retain logs of unauthorized access (and related information) for at least one year, so log retention and integrity settings need to be configured with that period in mind; those logs are also what a breach investigation and the 72-hour report will be built from.
In the event of any personal data breach, a Data Fiduciary must inform the Board without delay and submit a detailed report within 72 hours of becoming aware of the breach[7] (or within such longer period as the Board allows on a written request). This will be difficult for many organizations, which may only just have established the nature of the breach within that window. Affected Data Principals must also be notified without delay of the breach and its likely consequences.
Unlike breach reporting laws in the EU, UK, and Australia, the Rules provide no threshold for deciding whether a breach must be reported. Elsewhere, notification is commonly required only where, for example, the breach is likely to result in serious harm to individuals. On a strict reading, every personal data breach must be reported. The Board may in time provide further clarity on this and other practical issues with the DPDP obligations.
ACTION: Companies must ensure proper data security across every system that handles Data Principals’ personal data. This may require a standing incident response capability for India, with detection, triage and reporting workflows tuned to the 72-hour deadline. Failure to notify a breach in time may attract penalties of up to INR 200 crore (about USD 22 million).
Companies may also need to review and revise their contracts with Data Processors to ensure that they include the mandatory security obligations under Rule 6, as well as measures ensuring that the Data Processor adequately supports the Data Fiduciary’s duty to notify breaches. This is in line with Article 28 of the GDPR, which requires controllers to bind processors by contract. However, unlike the EU, where the Commission has published optional standard contractual clauses for processor terms, the Rules provide none. Expect negotiation, and expect prominent Data Processors to put forward their own standards as to what complies with Rule 6 and the DPDP Act.
Mandatory data erasure for specific entities
Additional data retention and erasure obligations are imposed on ‘Large-scale Data Fiduciaries’, which include the following:
- E-commerce platforms with more than 20 million Indian users
- Online gaming platforms boasting a minimum of 5 million Indian users
- Social media platforms with more than 20 million Indian users
These platforms must erase personal data once three years have passed without the Data Principal using the platform for the specified purpose or exercising their rights, except data needed for the Data Principal to access their account or data that must be retained to comply with law. They must also maintain records for a minimum of one year and inform the Data Principal of the impending deletion at least 48 hours in advance, so that the Data Principal can log in or otherwise stop the deletion.
ACTION: This is a very significant uplift for the companies captured. It requires substantial operational change, such as re-engineering data lifecycle management and building automated deletion and Data Principal notification workflows. Mandatory deletion is also likely to affect other functions within the organization. For example, trust and safety teams rely on historical user activity data to detect and prevent unlawful conduct or minors accessing the platform, and that data will now age out.
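The erasure and notice rules above lend themselves to a small scheduler. The following is an added example, not code from the article or from any regulator or platform; it assumes a per-user record carrying a last-interaction timestamp, a legal-hold flag and the time any pre-erasure notice was sent, and a scheduler that runs periodically (for example hourly). The three-year window and the 48-hour notice are the page’s figures; the record layout, action names and sample users are constructed for illustration.

```python
"""Retention scheduler for the three-year erasure rule.

Added example, not code from the article or from any regulator. The three-year
inactivity window and the 48-hour advance notice are the figures the Rules set;
the record layout, the legal-hold flag and the scheduler cadence are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=3 * 365)  # three years without interaction triggers erasure
NOTICE = timedelta(hours=48)         # minimum advance notice to the Data Principal


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    last_interaction: datetime                  # last use for the specified purpose or last rights request
    legal_hold: bool = False                    # assumed flag: retention required by law
    notice_sent_at: Optional[datetime] = None   # when the pre-erasure notice was sent, if ever


def decide(rec: UserRecord, now: datetime) -> Tuple[str, UserRecord]:
    """Return (action, updated record); action is retain, notify, wait or erase."""
    if rec.legal_hold:
        # Retention mandated by law overrides the inactivity clock entirely.
        return "retain", rec
    # Any interaction after a notice went out restarts the clock and voids the
    # notice: the principal "logged in or otherwise stopped deletion".
    if rec.notice_sent_at is not None and rec.last_interaction > rec.notice_sent_at:
        rec = replace(rec, notice_sent_at=None)
    erase_due = rec.last_interaction + RETENTION
    if now < erase_due - NOTICE:
        return "retain", rec                                # not yet inside the notice window
    if rec.notice_sent_at is None:
        return "notify", replace(rec, notice_sent_at=now)   # send the 48-hour notice now
    if now < rec.notice_sent_at + NOTICE:
        # Notice sent but 48 hours have not elapsed. This also covers a late
        # scheduler run that first sees the record after the deadline: the
        # principal still gets the full notice period before anything is erased.
        return "wait", rec
    # Notice is at least 48 hours old, which (given when notices are sent)
    # means the three-year deadline has also passed: erase.
    return "erase", rec


def run_scheduler(records: List[UserRecord], now: datetime) -> Tuple[Dict[str, str], List[UserRecord]]:
    """One scheduler pass: returns the action per user and the surviving records."""
    actions: Dict[str, str] = {}
    survivors: List[UserRecord] = []
    for rec in records:
        action, updated = decide(rec, now)
        actions[rec.user_id] = action
        if action != "erase":
            survivors.append(updated)  # erased records are dropped here
    return actions, survivors


# Constructed sample data (not real users) covering each branch of decide().
NOW = datetime(2027, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    UserRecord("active", NOW - timedelta(days=30)),
    UserRecord("dormant_new", NOW - RETENTION + timedelta(hours=24)),
    UserRecord("dormant_notified", NOW - RETENTION - timedelta(days=1),
               notice_sent_at=NOW - timedelta(hours=12)),
    UserRecord("dormant_expired", NOW - RETENTION - timedelta(days=3),
               notice_sent_at=NOW - timedelta(hours=72)),
    UserRecord("came_back", NOW - timedelta(days=1),
               notice_sent_at=NOW - timedelta(hours=36)),
    UserRecord("on_hold", NOW - RETENTION - timedelta(days=400), legal_hold=True),
]


def demo() -> Tuple[Dict[str, str], List[UserRecord]]:
    """Run one pass over the constructed sample at the constructed clock time."""
    return run_scheduler(SAMPLE, NOW)


if __name__ == "__main__":
    actions, survivors = demo()
    for user, action in actions.items():
        print(f"{user:17s} -> {action}")
    print("records kept:", [r.user_id for r in survivors])
```

The design point is that the 48 hours run from when the notice was actually sent, not from the nominal deadline, so a scheduler that runs late never erases without the full warning period; and any interaction after the notice voids it and restarts the clock, which is what lets the Data Principal stop the deletion by simply logging in. A legal hold sits outside the clock altogether, matching the compliance-with-law exception.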
To the extent that personal data is shared with Data Processors, Data Fiduciaries must also ensure that their contracts with those Data Processors require deletion of the personal data and notification of that deletion back to the Data Fiduciary, so that the Data Principal can be informed.
Consent Managers
The new law creates a Consent Manager framework: registered entities that act as an intermediary between users and companies. To be eligible, a company must satisfy certain criteria, including having offices in India and a minimum net worth of INR 2 crore (about USD 200,000). Consent Managers may not subcontract their obligations or have conflicts of interest with Data Fiduciaries. They must also keep comprehensive records of consent for at least seven years, while ensuring that the personal data passing through them is not readable by them.
To comply, Data Fiduciaries must build systems that interface with registered Consent Managers and take account of the seven-year record-keeping that applies to those Consent Managers. Although this adds complexity, it is intended to strengthen compliance under the DPDP Act.
ACTION: The Consent Manager is a concept unique to the DPDP Act and reflects the central role of consent as the primary basis for processing personal data. Use of a Consent Manager is not mandatory, but any Data Principal who uses one adds a further layer of obligations on Data Fiduciaries handling that individual’s personal data. Data Fiduciaries will likely need to build additional functionality into their systems to interact with different Consent Managers. Because Consent Managers hold consent records for large numbers of Data Principals, they also concentrate risk: each integration is another interface to secure, and the Consent Manager itself becomes an attractive target.
Significant Data Fiduciaries
The new law creates a category of Significant Data Fiduciaries[8] (SDFs): entities notified by the Central Government having regard to the volume and sensitivity of the personal data they process and the potential impact on sovereign or national interests. Such entities may also fall within the class of organizations subject to the specific data erasure obligations described above. Once notified, an SDF must comply with several additional obligations, including the following:
- Conduct annual evaluations, including a Data Protection Impact Assessment (DPIA) and audits.
- Exercise due diligence to verify that the technical measures they use (including any algorithmic software used to process personal data) are not likely to pose a risk to the rights of Data Principals.
- Ensure that specific categories of personal data (as notified by the government) are not transferred outside India without governmental approval.
ACTION: None for now, but we note that this is significantly more onerous than the GDPR, which does not single out a class of controllers in this way (although it does require a data protection officer for certain processing activities). No SDFs have yet been notified by the Government, so we recommend keeping a close eye on further developments.
Data transfers
The DPDP Rules take a more permissive approach to cross-border data transfer[9] than earlier versions of the Indian framework or the GDPR. Personal data processed under the Act may generally be transferred outside India, subject only to restrictions the Government may impose by directive on specific countries or entities (a “blacklist” model). By contrast, under Article 44 of the GDPR, transfers outside the European Economic Area are restricted unless one of the conditions in Chapter V is met.
However, the Indian approach gives the Government wide political discretion over which countries it designates as “blacklisted.” It will be important to monitor any further clarity on how this Rule is implemented.
A transfer does not displace the rest of the Act: the consent requirements (Section 2(6)) and the other obligations of the Act continue to apply to the transferred data.
ACTION: None for now, but please monitor as this area may change as clarifications are made.
Children’s personal data
When handling the personal data of children (under 18) or of persons with disabilities who have a lawful guardian, verifiable consent of the parent or lawful guardian is required. Companies must therefore have reliable mechanisms to verify age, and to verify that the consenting person is in fact the parent or guardian, before processing such data. Certain sectors, such as healthcare and child protection, may be exempt where processing is essential to deliver health services or otherwise safeguard children.
ACTION: Companies are required not only to implement parental consent workflows in their systems, but also to take steps to check that the person is truly the child’s parent or guardian. This mirrors Article 8(2) of the GDPR, which requires a controller to make “reasonable efforts” to verify that consent is given by the holder of parental responsibility over the child.
As to technology, the Rules specifically name virtual identity tokens as a way to comply with Rule 10. Other options may be available; for example, many social media platforms use family pairing or similar mechanisms to obtain parental consent. A common difficulty under all such laws (including the GDPR) is establishing the parental relationship while still adhering to data minimization principles, and the Rules do not solve it.
Conclusion
The administration of personal data in India has been substantially transformed by the new Rules. The compliance deadlines are fixed, but the phased implementation gives companies time to assess their policies and prepare carefully for this new era of privacy in India.
Although the Rules provide helpful clarity on several matters, other provisions, such as the requirements on personal data breaches and the mandatory data erasure obligations, remain very onerous and will challenge how Indian businesses, and those handling personal data from India, run their operations.
Should you desire assistance with this, please do not hesitate to reach out to your Squire Patton Boggs contact or one of the authors above.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
[1] Section 2(11): “Personal data means any data about an individual who is identifiable by or in relation to such data.”
[2] Section 18
[3] Section 2(12): “Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
[4] Section 2(16) – Data Principal: “Data Principal means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.”
[5] Section 2(6) defines consent as the free, specific, informed, unconditional and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.
[6] Section 2(13) – Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
[7] Section 8(6) – breach notification obligation.
[8] Section 10 refers that the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, having regard to the volume and sensitivity of personal data processed, risk to rights of Data Principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.
[9] Section 16 – Data Fiduciary may transfer personal data to such country or territory outside India as may be notified by the Central Government, subject to such terms and conditions as may be specified.