November 14 was an important date in India’s digital journey, marking a milestone by bringing to life a comprehensive framework that fundamentally changes how companies handle personal data. One of the major things that changes with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025—at least in theory—is the way an individual’s browsing history, e-commerce trail, or social media use can be used by advertisers. We are all used to privacy policies posted on these platforms, though hardly anyone reads them. What’s critical for the layman to note is that the DPDP framework transports privacy from a constitutional promise to enforceable rights and duties.
The good news is that companies can no longer hide behind impenetrable legal jargon. There has to be a clear and understandable request from the person determining the purpose and means of processing personal data (data fiduciary), for consent from the person whose data is being processed (data principal). The request shall be accompanied by a notice informing the principal of the purpose for processing the personal data, the way the principal can withdraw or modify consent, the grievance mechanism available, and the way complaints can be raised against the data fiduciary.
The rules provide timelines for data fiduciaries to maintain records before erasing them from their system. It is also significant to note that the rules apply to processing personal data outside India if it is in connection with offering goods or services within India.
The rules also provide for registration of ‘consent managers’, entities that play the role of a trusted intermediary between data principals and data fiduciaries, by assisting the data principal to manage their consents through a given platform. Consent managers have certain obligations too, such as implementing reasonable technical and organisational measures to prevent personal data breaches, and maintaining detailed records of every consent given, denied, or withdrawn, along with related notices and data sharing.
Ultimately, the consent must be a clear affirmation of an agreement to process personal data for a specific purpose. This shows a fundamental shift in power by placing the individual—data principal—at the centre of the framework. It is the DPDP rules that convert the framework into day-to-day obligations.
The DPDP framework also takes data breaches seriously. The haunting stories of password leaks, personal photos getting exposed, and bank details stolen cannot be dealt with silently by companies accountable for the breach. There is a mandatory requirement for them to report to the Data Protection Board without delay, and the board will thereafter have to take note of the steps taken by the company to remedy the wrong or mitigate the risk. The board is designed to be entirely digital. This means filings, hearings, and decisions are all expected to be done online.
Another important point to note (especially if you are a parent) is that your children are protected. Data fiduciaries cannot process your child’s data without your verifiable consent. Companies cannot track your child’s behaviour or show them targeted advertisements.
The penalties that the Board can impose range from ₹10,000 (for data principals who provide wrong information or impersonate another person through the data they provide) to ₹250 crore (for violations of the Act by data fiduciaries). These fines are designed to make body corporates take notice. However, not all body corporates are treated the same way; startups recognised by the central government’s Department for Promotion of Industry and Internal Trade have lighter compliance mandates. Further, the rules provide softer tools, such as mediation and voluntary undertakings.
There are also certain legitimate uses that are exempted, for example, a medical emergency that poses a threat to the life or immediate health of the data principal, or measures taken to prevent an epidemic. The central government itself has been given a wide range of exemptions: it can process data for ‘security’ or ‘public order’. While the government maintains that public interest overrides privacy concerns, the exemptions granted to it remain a concern for critics, as they reignite the debate over unchecked surveillance and abuse of power.
Unlike the European Union’s General Data Protection Regulation, 2018, the comprehensive data privacy law that demands strict necessity, proportionality, and independent oversight, India’s DPDP leaves these boundaries unclear, echoing the longstanding constitutional worries.
Importantly, a recent notification states that the law will be rolled out in a staggered manner. While some provisions take effect immediately, the main compliance requirements for companies will take effect after 18 months. While this appears to be extremely practical, the most crucial citizen-facing rights, such as informed consent, breach notification, data correction and erasure, and grievance redressal, are deferred for 18 months. The Data Protection Board, scheduled to be set up in the next one year for digitally accessible grievance redress, faces scrutiny for potentially limited independence—appointments and removals are tightly managed by the central government.
In any event, the notification of the DPDP marks a transformative moment and plays a crucial role in India’s growing digital economy. Its success shall inevitably rest on the shoulders of the citizens, corporates and the regulators in creating an ecosystem that is both secure and inclusive.
Atul N Menon | Lawyer at the Supreme Court of India
(Views are personal)