New law for digital data privacy in India: What social media users need to know

New law: Companies must get parental consent for minors, report breaches, secure data

Indian citizens going online will now have guaranteed control over their personal data, with the government formally notifying the rules needed to operationalise the Digital Personal Data Protection (DPDP) Act.

The law, passed in August 2023, brings in new safeguards across social media, e-commerce, gaming, banking, payments and government services.

Under the new rules, companies will need verifiable parental consent before processing the data of minors, promptly report any breaches to affected users and the Data Protection Board, and adhere to strict data security and storage requirements.

With a phased rollout over 12–18 months, the DPDP Act aims to strengthen transparency, accountability and citizen rights in India’s rapidly growing digital ecosystem.

A key requirement is directed at Big Tech: platforms such as Facebook and Instagram must secure verifiable parental consent before onboarding anyone under 18. 

Consent-led framework for all digital services

The rules introduce a consent-based model for personal data processing. Companies that violate the provisions face penalties of up to ₹250 crore for major security lapses or breaches. They must also notify affected users and the newly created Data Protection Board in clear, simple language, outlining what happened and the steps being taken to fix it. 

Phased rollout for companies

Implementation will be gradual. To allow for major backend upgrades, the government has provided an 18-month transition window. The rules reaffirm the Act’s seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.

Safeguards for children and vulnerable users

Stricter rules for minors

Child data has been one of the most debated areas. The final rules require verifiable parental consent before processing any personal data belonging to children, with narrow exemptions for essential services such as healthcare, education and real-time safety.

For persons with disabilities who cannot make legal decisions, consent must come from a lawful guardian. Companies must also implement mechanisms to prevent minors from faking their age and ensure that anyone identifying as a parent is a verifiable adult.

Data localisation and overseas transfers

Limits on sending certain data abroad

The government now has the power to restrict the transfer of specific datasets outside India — a move expected to affect global tech giants. Significant Data Fiduciaries must ensure designated categories of personal data remain within India, including associated traffic data. A government-appointed committee will determine which datasets fall under these restrictions.

Stronger user rights and corporate accountability

Full control over personal data

Individuals will be able to access, correct, update or erase their personal data. They may also nominate someone to exercise these rights on their behalf. Companies must respond to such requests within 90 days and display clear contact details of a responsible officer or Data Protection Officer.

Higher obligations for large platforms

Firms that handle large volumes of data will face stricter conditions, including independent audits, data protection impact assessments and enhanced due diligence on their technology. They must comply with any government-mandated restrictions on specific categories of sensitive data, including localisation requirements.

New digital-first Data Protection Board

Online complaints and appeals

The rules pave the way for a fully digital Data Protection Board, allowing citizens to file and track complaints online through a dedicated platform and mobile app. Appeals against Board decisions will go to the Appellate Tribunal (TDSAT).

The final rules comprise 23 provisions and seven schedules, covering everything from consent notices to breach reporting and Board governance. Implementation will be staggered over 12–18 months, with some elements coming into effect immediately.

Key features of the DPDP Rules 2025

Clearer consent and transparency

  • Data fiduciaries must provide concise, standalone notices before collecting personal data.

  • Notices must list data categories, purposes, service details, withdrawal options and grievance channels.

  • Consent managers will be formally registered to help users manage permissions.

Better protection against spam and misuse

  • The rules are expected to curb spam calls and prevent unauthorised access to personal information.

  • Individuals can trace how their data was leaked, with penalties for unlawful disclosure.

Mandatory security safeguards

  • Companies must implement strong measures such as encryption, firewalls and access controls.

  • Users must be informed immediately after a breach, with clear details on the impact and corrective steps.

Strict limits on data storage

  • Personal data cannot be kept for longer than a year unless legally required.

  • Users must be notified 48 hours before deletion, except when retention is necessary for continued use of a service.

Enhanced protection for minors and vulnerable users

  • Verifiable parental or guardian consent is mandatory for anyone under 18 or unable to provide informed consent.

Transparency requirements for all platforms

  • Every data fiduciary must publish contact details of the person responsible for data-related queries.

What to expect next

Experts say the next phase of the rollout may include:

  • Stronger independence and transparency for the Data Protection Board.

  • Higher penalties to improve deterrence.

  • Clear guidelines for government access to personal data.

  • Templates and toolkits to help organisations comply.

  • Wider public awareness programmes around digital rights.

  • Alignment with constitutional principles such as necessity and proportionality.

Bottom line

The DPDP Rules 2025 mark a significant shift in India’s digital governance, bringing the country closer to global privacy standards while reflecting national priorities such as localisation and controlled state access. Their success will depend on transparent enforcement, an independent regulatory ecosystem and sustained public participation to ensure meaningful protection of citizens’ digital privacy.