Excerpt from Times of India Article, Published on November 18, 2025
India has put its first comprehensive privacy framework into action with the rollout of the Digital Personal Data Protection (DPDP) Rules 2025. This marks the operational launch of the country’s long – planned data protection regime and formally activates the provisions of the Digital Personal Data Protection Act, 2023.
According to the new rules, any organization that gathers or processes digital personal data — whether it is a social media platform, banking service, e – commerce site, or mobile app — must comply with stricter standards. These include collecting only necessary information, defining the purpose of data use clearly, and limiting how long the data can be stored. Companies are also required to strengthen their internal security practices through measures such as encryption, access controls, masking, and detailed logging to reduce the risk of misuse.
A key shift brought by the DPDP Rules is the mandated handling of data breaches. If a breach is detected, the organization must inform affected individuals within 72 hours in simple, direct language that explains the incident and the corrective actions underway.
Oversight will be led by the newly established Data Protection Board (DPB), based in New Delhi. The board will function entirely through digital channels, allowing citizens to submit grievances online or through mobile interfaces.
Special safeguards have been introduced for minors. Platforms must secure verifiable parental approval before processing data belonging to anyone under 18. Likewise, individuals with certain disabilities will require consent from legally recognized guardians.
The rules also tighten restrictions on sending specific categories of personal data outside national borders, reinforcing data sovereignty principles.
Data retention has been addressed with new limits: companies must erase a user’s personal data after three years of inactivity unless legally required to keep it. Users will receive a 48 – hour notice before deletion and may choose to reactivate or retrieve their data. As the new system is being introduced in stages, certain components — such as the registration of consent managers and full activation of user – rights tools — will be implemented gradually.
For everyday users, these changes promise stronger control, clearer rights, and better protection of digital personal information.
To delve deeper into this topic, Visit Times of India article.
