On November 14, 2025, the Government of India finally pressed the “Start” button on the Digital Personal Data Protection (DPDP) Act. While the law was passed back in 2023, it was a car without an engine. The “Rules” now notified are that engine; they provide the ‘How’, ‘When’ and ‘What’ roadmap. They detail exactly how the law will be enforced, when companies must comply, and what you need to do.
Our team at ‘My Data Zero’ has tried to break down the 30-page notification that will reshape the Indian Internet and digital worlds.
India DPDP Rules 2025 Explained
1. The “Plain English” Mandate (Rule 3)
For Indians, the days of scrolling through 50 pages of “legalese” and blindly clicking “I Agree” are officially numbered. The new rules mandate that every request for consent must be accompanied by a Notice that is:
- Itemized: It must list exactly what data is being collected (e.g., “We need your location,” not “We need device data”).
- Purpose-Driven: It must explain why (e.g., “To deliver your pizza,” not “To improve user experience”).
- Multilingual: It must be available in English and all 22 scheduled Indian languages.
The Impact: If an app wants your contacts, it can no longer hide that request inside a generic “Terms of Service” document. It must ask for it explicitly.
2. The “Parental Gate” for Minors (Rule 10)
This is one of the strictest parts of the new DPDP Rules, 2025.
- Verifiable Parental Consent: For any user under 18, companies must obtain verifiable consent from a parent or guardian.
- No Tracking: Apps are strictly banned from tracking children or showing them targeted ads.
- The Mechanism: The rules suggest using “Digital Lockers” or government-issued ID tokens to verify the relationship between the parent and the child.
The Impact: Social media platforms and gaming apps will now have to introduce strict age-gating. Indian gamers may find their favorite game significantly different (and ad-free) next month.
3. The 72-Hour Breach Alarm (Rule 8)
This is the rule that has corporate boardrooms in a panic. If a company suffers a data breach (like a leak of passwords or financial info), they can no longer hide it.
- The Clock: They must notify the Data Protection Board (DPB) and the affected user.
- The Content: The notification cannot be vague. It must explain what leaked, the consequences for you, and who to contact for help.
The Impact: Transparency. You will finally know if your data is floating around on the dark web, giving you time to change your passwords.
4. The 18-Month Timeline (The Phased Rollout)
The government isn’t forcing compliance overnight. The notification lays out a “Phased Implementation” plan:
- Phase 1 (Immediate): The Data Protection Board is established. You can technically file complaints soon.
- Phase 2 (12 Months): Registration of “Consent Managers” (new intermediaries that help you manage privacy).
- Phase 3 (18 Months – May 2027): Full compliance. Big Tech and small startups alike must have their notices, grievance systems, and age-gating fully operational.
The Impact: While the rules are “live,” you might not see the “Delete My Data” buttons on every app until mid-2026 or 2027.
5. The “Digital-First” Grievance Redressal
The rules clarify that the DPB will be a “digital office.”
- There will be no physical paperwork.
- Complaints, hearings, and rulings will happen online.
- This is designed to make justice cheap and fast for the average citizen.
The Controversy: What Was Missed?
While the notification clarified how companies must behave, privacy experts are pointing out what was not tightened:
- Exemption Procedures: The rules did not add significant “checks and balances” to Section 17 (which allows the government to exempt itself). The process for a government agency to seek exemption remains largely internal and opaque.
- RTI Friction: The rules confirm the operational shift that makes it harder to access information about public officials under the RTI Act, cementing the “privacy over transparency” shift for bureaucrats.
The Bottom Line
The November 14th notification is the start of a massive cleanup operation for the Indian internet.
- For Companies: It is a compliance nightmare that begins now.
- For Government: It is a new power to adjudicate the digital economy.
- For Users: It is a promise of control, but one that will arrive in installments over the next 18 months.
If you want to read the original act passed in 2023, here are the details:
India’s DPDP Act 2023: A Shield for Your Privacy, or a Sword for the State?
For years, citizens in India — let’s call them the “Rohans” of India — have lived in a digital Wild West. Their phone numbers were sold for pennies, their inboxes were flooded with spam, and they had zero clue who actually held their data.
Enter the Digital Personal Data Protection (DPDP) Act, 2023.
On paper, it’s the sheriff the Rohans of India have been waiting for. It promises to tame the reckless data harvesting by Big Tech and shady telemarketers.
But, some experts and organizations working in the realm of personal data security say that a read of the fine print shows a different story emerging. While the law builds a fortress around a citizen’s private life to keep companies out, it leaves a backdoor wide open for the government to walk right in.
With the notification of the Rules, a new public debate has broken out – is this law a privacy shield, or is it a surveillance tool?
What The Internet Freedom Foundation Has to Say
The Internet Freedom Foundation (IFF) issued its initial statement on the DPDP Rules, 2025:
Key Points:
- Concerns Raised by IFF
  - Transparency & Consultation: Rule-making lacked openness and ignored civil society feedback.
  - Weak Protections: Rules fail to mandate disclosure of recipients, retention periods, or safeguards for cross-border transfers.
  - Data Retention: Rules require storing personal and traffic data for at least one year (up to three years for significant data fiduciaries), undermining the principle of data minimization.
  - State Powers: Rule 23 allows government agencies to demand personal data without consent, citing vague reasons like “national security,” with no oversight or transparency.
  - Executive Control: The Data Protection Board is structured under government control, lacking independence compared to global best practices.
- IFF’s Recommendations
  - Restore Balance: Amend laws to protect journalism, research, and RTI from being undermined by privacy claims.
  - Independent Oversight: Reconstitute the Data Protection Board as an autonomous regulator with transparency obligations.
  - Limit State Exemptions: Narrow government surveillance powers, require judicial authorization, and ensure independent oversight.
IFF argues that the DPDP Rules, 2025 entrench state control over personal data while failing to provide a rights-centered framework for individuals. They call for legislative amendments to align India’s data protection regime with constitutional and international privacy standards.
Face One: The Shield (Regulating the Private Sector)
This is the good news. If you are tired of spam and data leaks, this part of the law is a massive win.
For the first time, Indian companies (Data Fiduciaries) are legally bound to respect people’s digital boundaries. The days of “pre-ticked” consent boxes are over.
1. The Death of “Implied Consent”
Under the new rules, companies must ask for your permission in clear, plain language. They can only collect data that is necessary for the service.
- Example: A flashlight app can no longer ask for your contact list. If they do, they face heavy penalties.
2. The Right to Erasure (The “Forget Me” Button)
Indians finally have the power to scrub their digital footprint. If a citizen closes a bank account or deletes a shopping app, they can legally demand that the company erase their personal data from its servers. The company cannot hoard it “just in case.”
3. Financial Muscle
The law isn’t just a polite suggestion; it has teeth.
If a company fails to protect your data and it leaks, they face penalties of up to ₹250 Crore. This forces boards of directors to finally take cybersecurity seriously.
Face Two: The Sword (Empowering the State)
Here is where things shift. While the law tightens the leash on private companies, it effectively hands the government a pair of scissors to cut through those same protections.
This is the part that has privacy experts and activists worried.
1. The “Sovereignty” Loophole (Section 17)
This is the most controversial section of the Act. Section 17 allows the Central Government to exempt any of its agencies from the entire law.
The grounds for this exemption are broad: “Sovereignty and integrity of India,” “Security of the State,” “Friendly relations with foreign states,” and, most worryingly, “Public order.”
- The Risk: “Public order” is a vague legal term. Could a peaceful protest be labeled a disruption of public order, allowing the police to harvest the data of everyone attending without a warrant? Under this law, the answer leans toward yes. There is no requirement for judicial oversight (like a judge’s warrant) before the state accesses this data.
2. The RTI Dilution (Section 44)
For two decades, the Right to Information (RTI) Act has been a powerful tool for citizens to question the government.
Previously, a government official could only deny information if it invaded privacy without serving a larger public interest.
- The Change: The DPDP Act amends Section 8(1)(j) of the RTI Act. It removes the “public interest” test entirely.
- The Risk: Now, corrupt officials can potentially hide behind “privacy” to refuse to disclose their assets, degrees, or suspicious appointment records. Transparency takes a backseat to secrecy.
3. The Referee is Chosen by the Player
If the government violates your privacy, you complain to the DPB.
- The Problem: The Board’s Chairperson and members are appointed solely by the Central Government. Their terms and salaries are also decided by the government.
- The Question: Can a Board appointed by the government fairly investigate the government?
Sidebar: A Tuesday in Mumbai – The Reality Check
Does this law actually change “Rohan’s” life? Let’s walk through a hypothetical day.
09:00 AM (The Shield Works):
Rohan gets a spam call from a bank he never signed up with. He uses the new Consent Manager dashboard to revoke permission. The bank, fearing a ₹50 crore fine, immediately purges his number.
Score: Rohan 1, Spammers 0.
02:00 PM (The Sword Strikes):
Rohan is investigating a delayed road project in Andheri. He files an RTI to see which officer signed off on the budget. The request is rejected. The reason? The officer’s name and signature are now “Personal Data” protected by the DPDP Act. The “public interest” argument no longer applies.
Score: Secrecy 1, Rohan 0.
08:00 PM (The Grey Area):
Rohan posts a tweet criticizing a government policy. Because of Section 17 exemptions, a government agency could potentially demand his user data from the platform to profile him. Unlike a private company, the agency doesn’t need to notify him or ask for consent.
Score: Uncertainty.
Conclusion: A Law of Two Halves
The DPDP Act may be a landmark moment for India. For the consumer, it is a massive upgrade. They are safer from the prying eyes of corporations and scammers.
But for the citizen, the waters are murkier. By exempting itself from the rules it enforces on others, the State has created a system where privacy is a fundamental right against the market, but a privilege against the government.
For Rohan in Mumbai, the digital world is now cleaner, but the walls have ears.

