NewKerala.com

India's Digital Privacy Era Begins: New DPDP Act Rules Notified

The government has officially notified the rules for India's first digital privacy law. Companies now have up to 18 months to meet the new compliance requirements for handling user data. Users will gain significant rights including easy consent revocation and complaint mechanisms through the Data Protection Board. The new framework establishes clear timelines for implementation and creates a digital-first adjudicatory system for data protection enforcement.

Key Points: Government Notifies DPDP Act Rules for Digital Privacy Law

  • Companies handling personal data must provide detailed data collection explanations to users
  • Users gain easy consent revocation rights and can complain to Data Protection Board
  • Data fiduciaries must report breaches within 72 hours to DPB and affected users
  • Consent managers must be India-based entities with 12-month registration deadline
2 min read

Centre notifies DPDP Act rules, operationalises India's 1st digital privacy law

India's first digital privacy law operationalised with new DPDP Act rules. Companies get 18 months compliance deadline, users gain consent revocation rights and Data Protection Board established.

"In sum, the one-year deadline for Consent Managers effectively pre-positions the consent infrastructure for DPDP compliance - Vinay Butani, Partner, Economic Laws Practice"

New Delhi, Nov 14

The government on Friday notified the rules for the Digital Personal Data Protection (DPDP) Act, formally operationalising India's first digital privacy law and setting the compliance clock ticking for companies handling user data.

Social media sites, online gateways, and any other organisations handling personal data are required by the new framework to give users a detailed explanation of the information being gathered and to make it apparent how it will be used.

According to the regulations, users must have an easy way to revoke their consent or complain to the Data Protection Board (DPB) about infractions.

While consent managers, which are organisations authorised to act on behalf of users, have 12 months to register with the DPB, companies will have up to 18 months to fulfil the administrative compliance requirements.

Any business that wants to function as a consent manager must have its headquarters in India, apply to the Board, and fulfil its responsibilities consistently; otherwise, its registration might be revoked.

The DPB, which has its headquarters in New Delhi and consists of four members, including a chairperson, will operate as a fully digital adjudicatory body in accordance with the guidelines that have been notified. Its duties include enforcing the law, investigating data breaches, and levying fines.

The regulations also categorise digital intermediaries according to the type of services they offer and specify when user data must be deleted, unless there are laws that mandate its retention.

Within 72 hours of learning about a data breach, data fiduciaries must notify the DPB and the impacted user.

Alongside the regulations, the Ministry of Electronics and Information Technology (MeitY) released a separate notification announcing the DPB's creation. The Parliament passed the DPDP Act in August 2023, and the final rules were issued after months of consultation following the draft's publication in January 2025.

"In sum, the one-year deadline for Consent Managers effectively pre-positions the consent infrastructure for DPDP compliance. By the 18‑month enforcement date, a network of certified, neutral consent-service providers will be ready to handle opt-in/out mechanics, easing the shift to the new regime," said Vinay Butani, Partner, Economic Laws Practice.

- IANS

Share this article:

Reader Comments

R
Rohit P
Good move but implementation will be key. Many small Indian startups might struggle with compliance costs. Hope the government provides adequate support and guidance.
A
Arjun K
About time we had proper data protection laws! Foreign companies have been taking our data for granted for too long. The requirement for consent managers to be based in India is a smart move.
S
Sarah B
While I appreciate the intent, I'm concerned about the Data Protection Board being fully digital. What about citizens who aren't tech-savvy? We need physical grievance redressal mechanisms too.
V
Vikram M
The 18-month compliance period gives companies enough time to adapt. This shows the government is being practical rather than rushing implementation. Well thought out! 👍
K
Kavya N
As a mother, I'm happy my children's online data will be better protected. Hope this reduces those annoying marketing calls and spam messages we keep getting!

We welcome thoughtful discussions from our readers. Please keep comments respectful and on-topic.

Leave a Comment

Minimum 50 characters 0/50