The DPDP Rules, 2025, have been officially notified by the Ministry of Electronics and Information Technology. The rules mandate specific actions Data Fiduciaries must take to ensure compliance with core requirements starting eighteen months.

The Narendra Modi government, through the Ministry of Electronics and Information Technology, has officially notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules), marking a major step in implementing the Digital Personal Data Protection Act, 2023.
The notification, issued on 13 November 2025, sets forth specific and stringent obligations for Data Fiduciaries (platforms and entities processing personal data), covering everything from user notification standards to data retention and the handling of children’s personal data.
Staggered rollout of key obligations
To allow entities time to prepare, the DPDP Rules will come into effect in a staggered manner.
• Rules concerning the internal procedures of the regulatory body came into force immediately upon publication in the Official Gazette on November 13, 2025.
• Rule 4, which deals with the registration and obligations of Consent Managers, will come into force one year after the date of publication.
• The most significant operational obligations for Data Fiduciaries, including those covering notice requirements, verifiable consent, data retention, and the rights of Data Principals, are set to come into force eighteen months after the date of publication.
Stringent requirements for User Notice and Consent
Data Fiduciaries must adhere to clear and comprehensive standards when informing users (Data Principals) about the processing of their personal data. The notice provided by a Data Fiduciary must:
• Be understandable independently of any other information provided by the Fiduciary.
• Use clear and plain language.
• Provide a "fair account of the details necessary" for the Data Principal to give specific and informed consent.
Crucially, this notice must include an itemised description of the personal data being processed and the specified purpose or purposes and a specific description of the goods, services, or uses enabled by that processing.
The notice must also provide the user with a specific communication link or other means to:
• Withdraw consent, with the ease of doing so being comparable to that with which consent was given.
• Make a complaint to the Data Protection Board of India.
Verifiable consent mandated for children
The Rules introduce stringent standards for obtaining verifiable consent, particularly concerning the personal data of a child (defined as an individual under the age of eighteen).
• A Data Fiduciary must adopt appropriate technical and organizational measures to ensure that verifiable consent of the parent is obtained before processing any personal data belonging to a child.
• Platforms must observe due diligence to verify that the individual identifying herself as the parent is an adult.
• This identification and age verification can be achieved by referencing reliable details held by the Data Fiduciary or by details/virtual tokens voluntarily provided by the individual, often via an authorised entity or a Digital Locker Service Provider.
Strict data retention limits and erasure deadlines
The new rules impose strict data retention limits and mandate erasure timelines, ensuring personal data is not held indefinitely.
For any processing of personal data, the Data Fiduciary is obligated to retain the personal data, along with associated traffic data and other processing logs, for a minimum period of one year from the date of processing, for certain specified purposes (related to sovereignty, security, or legal compliance).
After this period, the Data Fiduciary must cause the data and logs to be erased, unless a longer retention period is required by law.
Mandated erasure deadlines for large platforms
Data Fiduciaries categorized as large consumer-facing platforms are subject to specific erasure timelines if the Data Principal has not logged in or contacted them regarding the specified purpose:
Fiduciary: E-commerce entity
Registered Users in India: Not less than two crore registered users
Erasure Deadline: Three years from the date the Data Principal last approached the Fiduciary or the commencement of the DPDP Rules, 2025, whichever is latest.
Fiduciary: Online gaming intermediary
Registered Users in India: Not less than fifty lakh registered users
Erasure Deadline: Three years from the date the Data Principal last approached the Fiduciary or the commencement of the DPDP Rules, 2025, whichever is latest.
Fiduciary: Social media intermediary
Registered Users in India: Not less than two crore registered users
Erasure Deadline: Three years from the date the Data Principal last approached the Fiduciary or the commencement of the DPDP Rules, 2025, whichever is latest.
A Data Fiduciary must notify the Data Principal at least 48 hours before the completion of the erasure period, informing them that their personal data will be erased unless they log into their user account or initiate contact regarding the specified purpose or exercise of rights.
Data Protection Board of India
The notification also announced the creation of the Data Protection Board of India. The head office of the Data Protection Board of India is located in the National Capital Region of India. The Board is mandated to consist of four members.
The Board will function as a digital office. It may adopt "techno-legal measures" to conduct proceedings in a manner that does not require the physical presence of any individual, without compromising its power to summon individuals and examine them on oath.
An inquiry undertaken by the Board must generally be completed within six months from the date of receiving the intimation, complaint, reference, or direction. This period can be extended once for a further period not exceeding three months, provided the reasons are recorded in writing.
Published: 14 Nov 2025, 12:25 pm IST
Subscribe to our Newsletter
Get Latest Mathrubhumi Updates in English
Disclaimer: Kindly avoid objectionable, derogatory, unlawful and lewd comments, while responding to reports. Such comments are punishable under cyber laws. Please keep away from personal attacks. The opinions expressed here are the personal opinions of readers and not that of Mathrubhumi.

