India’s Landmark Data Privacy Law Takes Effect with 18-Month Rollout
The government has officially notified the Digital Personal Data Protection (DPDP) Rules 2025, setting in motion India’s comprehensive data privacy framework. While the law is now active, most compliance requirements for companies and government departments will only take effect after an 18-month transition period.
Key Takeaways
- Companies get 18 months to align with new data protection requirements
- Strict consent, breach reporting, and data deletion rules to follow
- Enhanced protection for children’s data with parental consent
- Data Protection Board to be established as digital-first regulator
What Changes After 18 Months?
Once the transition period ends, organizations must seek specific, purpose-linked consent before processing personal data. They’ll need to provide itemized descriptions of collected data, offer simple consent withdrawal mechanisms, enable grievance redressal, and delete data when no longer needed for the stated purpose.
Data breach reporting becomes mandatory – companies must inform affected users and the Data Protection Board within 72 hours of discovering a breach, detailing its nature, consequences, and mitigation steps.
Special Protection for Children
Children’s data receives heightened safeguards. Companies must obtain verifiable parental consent for processing data of anyone under 18, with measures to confirm the consenting adult’s identity and age. However, platforms can live-track underage users’ locations for safety purposes.
Stricter Rules for Major Data Handlers
Significant data fiduciaries – categorized by the government based on data volume and sensitivity – face additional obligations. These include annual data protection impact assessments, audits, and verification that their algorithms don’t endanger user rights.
Cross-Border Data Transfer Clarity
The rules permit cross-border transfer of digital personal data in general, but the Central government reserves the right to restrict transfers to specific jurisdictions or entities through separate notifications.
Three-Phase Implementation
The rollout follows a structured approach:
- Establishing the Data Protection Board as operational regulator
- Setting up consent manager registration and infrastructure
- Activating full compliance obligations and enforcement powers
Data Deletion Requirements
Platforms must delete users’ personal data once the processing purpose is fulfilled. If user accounts are deleted or remain inactive, data must be erased unless retention is necessary for legal compliance. This pushes companies to overhaul their largely self-determined data retention practices.
Industry Response and Concerns
Analysts welcome the implementation clarity and child data safeguards but note concerns about limited checks on government data use. Government officials emphasize that Rule 7 clearly defines exemptions for the Centre’s data access, beyond which government agencies must handle data like corporate entities.
The 18-month window gives companies crucial time to redesign internal systems, review data-sharing agreements, re-engineer consent flows, and deploy technical safeguards required under the new law.



