India has taken a decisive step in digital privacy enforcement by operationalizing the Digital Personal Data Protection Rules, 2025, based on the DPDP Act passed in 2023. The law mandates consent-based data processing, empowers users with control over their personal data, and sets penalties up to ₹250 crore for serious breaches. Companies must notify users of breaches within 72 hours.
The rules introduce strict protections for children’s data, requiring verifiable parental consent for processing data of individuals under 18. Behavioral tracking and targeted advertising toward children are banned, with limited exceptions for essential functions like healthcare and education. Platforms must also adopt age verification mechanisms to prevent minors from falsifying their age.
Implementation will be phased over 12 to 18 months. Immediate obligations cover consent, grievance redressal, and purpose-restricted data use. More complex requirements, such as appointing Data Protection Officers (DPOs) and establishing consent management frameworks, will roll out gradually. The Data Protection Board of India, headquartered near New Delhi, will serve as a digital grievance redressal authority.
Cross-border data transfer is permitted but subject to government restrictions, with some categories potentially mandated to localize in India. Global tech firms like Amazon and Apple have expressed concerns over compliance challenges. Companies processing data from over 5 million users face enhanced scrutiny as Significant Data Fiduciaries, including mandatory audits and impact assessments.
While the framework strengthens user privacy and data security, challenges persist in clarity over parental consent mechanisms, enforcement capacity, and compliance burdens for smaller firms. The law’s phased rollout aims to balance the urgent need for data protection with practical industry adaptation.
Also Read: How a Simple Ledger App Became a ₹100 Crore Fintech Powerhouse?
