India’s long-awaited Digital Personal Data Protection (DPDP) Rules, 2025 officially come into force, introducing sweeping changes to how apps and online services manage personal data, The Times of India reported. The rules implement the Digital Personal Data Protection Act, 2023, and establish a consent-based framework aimed at giving users greater control over their data.
Under the new regulations, which apply to social media platforms like Facebook, Instagram and messaging apps like WhatsApp, as well as digital services such as Amazon and Flipkart, companies must obtain explicit consent before processing personal data. They must also provide users with rights to access, correct, update and delete their data. The rules set a maximum penalty of ₹250 crore for serious violations of security obligations or misuse of personal data.
Platforms must now adopt robust protections such as encryption, obfuscation or tokenization of personal data. They are also required to maintain detailed logs of access — including what data was viewed, by whom and when — for at least one year. If a user’s account remains inactive for three years without legal or business justification, companies must issue a 48-hour warning and then delete the data, unless the user reactivates the account.
For children and individuals with disabilities, additional safeguards apply: verifiable parental consent is required before processing a minor’s data, and in cases of disability, a lawful guardian must consent. The rules also enable the government to block certain categories of data from being transferred outside India — a step that may challenge global tech companies operating in the country.
The legislation replaces the earlier patchwork of privacy norms and marks India’s first full-fledged law dedicated to digital data protection, the Times reported. Implementation enforcement remains phased: companies have an 18-month transition window to comply with the new standards.
Authorities emphasized that users now have a clear recourse if their data is misused. Organizations must display contact details of a designated Data Protection Officer and respond to user requests within 90 days. Experts believe the new regulatory regime signals a shift toward greater accountability in India’s digital economy.
Need Help?
If you’re concerned or have questions about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.
