
The Digital Personal Data Protection (DPDP) Rules 2025 operationalise the DPDP Act 2023 and establish a clear, citizen-centric privacy framework. These rules ensure that every individual knows what personal data is collected, why it is collected, and how it is used.
The DPDP Rules create predictable and transparent practices for data handling. Example: When you install a learning app, it must clearly state what student information it collects and the purpose of using it.
Data Fiduciaries must offer short, standalone consent notices written in plain, easy-to-understand language. Example: A hospital registration app must explicitly say, “We need your phone number to send appointment reminders,” instead of hiding consent inside long forms.
Only data necessary for a specific purpose may be collected. Example: A school bus-tracking app cannot collect parents’ income details; it only needs the child’s route and a contact number.
Data must be accurate and retained only for as long as needed. Example: An online grocery app must delete your saved delivery address if a cancelled order no longer requires it or if you request deletion.
Processing a child’s data requires verifiable consent from a parent or guardian. Example: A gaming platform must confirm parental approval before creating an account for a user below 18 years.
If a person cannot legally provide consent even with support, only a lawful guardian may do so. Example: A disability-care app must accept consent exclusively from the verified guardian for sensitive health-related updates.
In the event of a data breach, users must be informed quickly in simple, clear language. Example: If a coaching app loses user email IDs, it must notify: “Your email ID may have been exposed. We have blocked unauthorised access and strengthened security.”
Larger entities designated as Significant Data Fiduciaries must conduct regular audits, perform impact assessments, and ensure advanced technological safeguards. Example: A major fintech platform handling millions of records must undergo independent security audits frequently.
Individuals can access, correct, update, or erase their personal data. They may also nominate someone to exercise these rights on their behalf. Example: You may ask a payments app to delete an old KYC file or update your address. The platform must respond within 90 days.
Citizens can file grievances online through a portal or mobile app, making redressal accessible and paper-free. Example: If an ed-tech company refuses to erase your data, you can submit a complaint digitally without visiting an office.
Only Indian entities can run consent management platforms. Example: A unified dashboard showing all apps you have given permissions to must be operated by an India-based company.
Organisations are given an 18-month period to comply with the new rules. Example: A small healthcare startup gets adequate time to set up proper consent systems and strengthen its data-security processes.