DPDP Act: Inactive User Data Must Be Deleted After 3 Years
The Indian government has officially notified stringent data retention rules under the Digital Personal Data Protection (DPDP) Act, requiring e-commerce platforms, social media intermediaries, and online gaming companies to delete personal data of users inactive for three consecutive years.
Key Takeaways
- Data of users inactive for 3 years must be deleted by major platforms.
- Companies must provide a 48-hour notice before data deletion.
- Significant data fiduciaries face higher compliance thresholds, including annual audits.
Who is Affected?
The new regulation applies specifically to:
- Online gaming companies with over 50 lakh users.
- Social media and e-commerce platforms with more than two crore registered users in India.
Compliance Requirements
Companies must provide inactive users with a 48-hour notice before deleting their data, warning them that their information will be erased if they don’t use the platform within that timeframe.
For digital platforms classified as “significant data fiduciaries” (those with over 50 lakh users), the Act establishes a higher compliance threshold. These organizations are required to:
- Perform an annual audit
- Conduct a Data Protection Impact Assessment
- Verify annually that their technical measures remain safe and compliant
Cross-Border Data Transfers
While the DPDP Act permits cross-border transfers of personal data, the government has clarified that these transfers must follow rules that may be communicated regularly. This is particularly relevant when user data is transferred to a foreign state or any organization under the control of a foreign government.
Broader Implementation
The new rules formally operationalise India’s first digital privacy law, setting the compliance clock ticking for companies handling user data. Under the new framework, social media sites, online gateways, and other organizations handling personal data must provide users with detailed explanations of what information is being collected and how it will be used.
“With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data. The phased rollout is crucial; it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly,” said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
The regulations aim to strengthen data governance and improve user protection throughout India’s rapidly growing digital ecosystem, marking a significant milestone in the country’s data protection landscape.



