Introduction
The Digital Personal Data Protection Rules, 2025 have been issued under the Digital Personal Data Protection Act, 2023. These rules provide a clear framework for how personal data must be collected, processed, stored, and protected in India.
The purpose of these rules is to:
- Protect the privacy of individuals (called Data Principals)
- Set clear responsibilities for companies and organisations (called Data Fiduciaries)
- Ensure lawful, safe, and transparent handling of personal data
- Provide rights and protections to children and persons with disabilities
- Define timelines, standards, and procedures for data retention, breach reporting, and cross-border transfers
The rules come into effect in phases:
- Rules 1, 2 and 17 to 21 came into force on the date of publication in the Official Gazette (November 13, 2025)
- Rule 4 (Consent Manager registration) shall come into force one year after publication
- Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after publication
Important Definitions (Rule 2)
Key terms used across the rules include:
- Act -- Digital Personal Data Protection Act, 2023
- User account -- Any online account of a Data Principal such as email, page, profile, phone, etc.
- Verifiable Consent -- Consent that is checked and confirmed through proper methods (as specified in rules 10 or 11)
- Techno-legal Measures -- Technical and legal safeguards as referred to under rules 20 and 22