DPDP 2025 rules explained as they come into effect: What they mean for you



The Ministry of Electronics and Information Technology (MeitY) has notified the Digital Personal Data Protection (DPDP) Rules, 2025. The rules lay down the operational framework for implementing the Digital Personal Data Protection Act, 2023. They apply to social media platforms, online gateways and any other organisation handling personal data, and require these entities to explain to users, in detail, what personal data they collect and how they will use it. The government has also set out a phased rollout for the rules, which are aimed at giving citizens more control over their data and protecting their privacy online. The DPDP Rules 2025 define two central roles, the Data Principal and the Data Fiduciary.

  • Data Principal: The individual to whom the personal data relates — i.e., the person whose data is being collected or processed.
  • Data Fiduciary: Any entity (company, organisation, or person) that decides the purpose and means of processing personal data.

DPDP Rules 2025: Key provisions explained

As mentioned above, the DPDP Rules 2025 lay out how personal data must be collected, processed, protected and handled by government and private entities alike. The rules specify security safeguards for personal data, obligations on Data Fiduciaries, and additional protections for children's data. The major highlights are set out below.

Strong security safeguards mandatory for all Data Fiduciaries

The rules require every Data Fiduciary (an entity that decides how your data is processed) to implement reasonable security safeguards to prevent personal data breaches. These include:

  • Encryption, masking, obfuscation or tokenisation of personal data
  • Strict access controls for systems handling personal data
  • Logging and monitoring to detect unauthorised access
  • Data backups to ensure continuity after an outage or breach
  • Keeping logs for at least one year
  • Mandatory security clauses in contracts with Data Processors

In the event of a personal data breach, a Data Fiduciary must inform affected users without delay, explaining what happened, the likely consequences for them, the steps taken to mitigate the risk, and whom to contact. It must also notify the Data Protection Board of India within 72 hours.

Verifiable parental consent mandatory for processing children’s data

The rules impose strict requirements for processing the personal data of children, that is, anyone under 18 years of age. Under the DPDP Rules 2025, a Data Fiduciary must obtain verifiable parental consent before collecting or processing any child's data. It must confirm that the person giving consent is an adult who is the child's parent or lawful guardian, using reliable identity and age details already held by the fiduciary or a virtual token issued by an authorised entity. The rules also allow identity verified through a Digital Locker service provider to be used for this purpose. The effect is that a company cannot process a child's data without first establishing the identity and age of the parent granting permission.

Transfer of personal data outside the territory of India

The rules state that personal data processed by a Data Fiduciary under the DPDP Act may be transferred outside the territory of India, subject to one restriction: the Data Fiduciary must comply with any requirements the Central Government specifies, by general or special order, on making such personal data available to a foreign State, or to any person or entity under the control of, or any agency of, such a State.

DPDP Rules 2025: Enforcement timeline

Although the government has notified the DPDP Rules 2025, not all provisions take effect on the date of notification. As set out in the official notification, sub-section (2) of section 1, section 2, sections 18 to 26, sections 35, 38, 39, 40, 41, 42 and 43, and sub-sections (1) and (3) of section 44 of the Act came into force immediately. Sub-section (9) of section 6 and clause (d) of sub-section (1) of section 27 come into force one year after the date of publication. Sections 3 to 5, sub-sections (1) to (8) and (10) of section 6, sections 7 to 10, sections 11 to 17, section 27 other than clause (d) of sub-section (1), sections 28 to 34, 36 and 37, and sub-section (2) of section 44 come into force 18 months after publication.

Once those provisions are in force, the main obligations on Data Fiduciaries will include:
  • Giving users clear and easy-to-understand notices
  • Putting strong security measures in place
  • Informing authorities and users quickly about any data breach
  • Following rules on how long data can be kept and when it must be deleted
  • Getting verifiable consent from parents for children and from guardians for persons with disabilities
  • Providing simple ways for users to access, correct or delete their data
  • Meeting extra obligations for companies classified as Significant Data Fiduciaries
