On November 13, 2025, India’s Ministry of Electronics and Information Technology finalized the Digital Personal Data Protection Act (DPDP) Rules (Rules), allowing the DPDP to come into effect. While most provisions are expected to take effect 18 months after the Rules are passed, India’s Data Protection Board (DPB) stated these timelines may be accelerated to require companies to comply with the Rules sooner. Because the DPDP diverges from other global data privacy laws and introduces novel concepts such as the “consent manager” construct, companies that process data in India or of individuals residing in India will want to review and update their privacy compliance measures to address the new requirements of the DPDP and Rules. For an overview of the requirements of the DPDP itself, please refer to our previous article here.
Implementation
Below is an overview of the timeline brought into effect by the Rules:
- November 13, 2025 – The DPB was created.
- November 13, 2026 – Registration for consent managers becomes mandatory, and the associated obligations outlined below come into effect.
- May 13, 2027 – The following operational requirements will take effect, unless they are accelerated to require compliance earlier: (1) consent and notice requirements; (2) processing of personal data relating to children; (3) Significant Data Fiduciary obligations; (4) rights of Data Principals; (5) obligations surrounding cross-border data transfers; and (6) research exemptions.
Consent and Notice Requirements
The DPDP generally requires Data Fiduciaries to obtain consent from Data Principals to process their personal data (except in certain circumstances where a “legitimate use” exists, such as for medical emergencies, threats to public safety, and as required to perform functions under the law or to comply with a legal judgment, among other reasons). In order to collect specific and informed consent, a Data Fiduciary must give a Data Principal clear notice at the time of collection on how the personal data will be used. The Rules set forth the requirements for the format and content of that notice, which include:
- A clear, itemized description of the personal data to be processed.
- The specific purposes of such processing, and a specific description of the goods or services to be provided, or the uses to be enabled, by such processing.
- A link to the website or app or description of other means, if any, where the Data Principal may withdraw their consent, exercise their rights under the DPDP, or make a complaint to the DPB.
- Understandable language, with the notice presented separately from the other information provided to the Data Principal (such as terms of use or an end user license agreement).
Data Fiduciaries will need to evaluate their current consent collection practices to ensure that the notices they provide to Data Principals at the time consent is collected meet the requirements outlined above.
Consent Managers
Under the Rules, Consent Managers are intermediaries who help individuals whose data are being collected (Data Principals) manage, review, and withdraw their consent to the processing of their personal data across multiple online services. Consent Managers must be registered with the DPB; incorporated in India; have a minimum net worth of ₹2 crore (roughly $222,500 USD); and meet specified technical, operational, and governance standards. For example, they must operate independently and avoid conflicts of interest with any person who alone or in conjunction with another person determines the purpose and means of processing the personal data (parties determining the purposes and means of processing personal data are called Data Fiduciaries). Consent Managers are also required to maintain comprehensive records of consent for a minimum of seven years while ensuring privacy by refraining from accessing any personal data provided through these records.
While use of a Consent Manager is not mandatory, it is intended to ease the compliance burden on Data Fiduciaries by streamlining the consent process. Engaging a Consent Manager shifts the operational burden of providing the Data Fiduciary’s notice, managing consent withdrawal, and potentially operating grievance filing mechanisms to the Consent Manager. It also gives a Data Fiduciary access to auditable records regarding consent. While it remains to be seen how much more efficient using a Consent Manager will actually be, businesses building their consent management framework will want to consider whether integrating with a Consent Manager will reduce compliance costs.
Cyber-Breach Response Times
A Data Fiduciary must report a breach to the DPB “without delay” upon becoming aware of the breach. The first report must include the nature, extent, timing, and location of the occurrence and its likely impact. Within 72 hours of becoming aware of the breach (which suggests that “without delay” means less than 72 hours), or a longer period if approved by the DPB, the Data Fiduciary must submit a second notice to the DPB. In the second notice, the Data Fiduciary must update the information given in the first notice and present broad facts relating to the events and cause of the breach, the implemented or proposed measures to mitigate the risks going forward, any findings regarding the person who caused the breach, and a report of notifications that have been provided to Data Principals. The DPDP does not include any explicit data breach reporting requirements for data processors; however, Data Fiduciaries are required to include in their contract with such processors appropriate provisions “for taking reasonable security safeguards,” so Data Fiduciaries will need to include breach reporting requirements in their data processing agreements.
Data Fiduciaries must notify Data Principals of a breach “without delay” by providing a description of the breach (including its nature, extent, and the timing of its occurrence), the consequences relevant to the Data Principals, the implemented or proposed measures to mitigate risks, safety measures to protect their interests, and the contact information of the Data Fiduciary. The DPDP is not clear on what constitutes “without delay,” but these are relatively short response times. Unlike the laws of several other countries, the Rules do not provide a likelihood-of-harm threshold for determining whether a breach needs to be reported; therefore, all personal data breaches (whether harmful or not) must be reported to the DPB and affected Data Principals.
Data Fiduciaries should establish an incident response plan specific to the DPDP and assess whether their own data processing agreements include language supporting the obligation to report. Given the short timeframes and steep penalties, businesses should evaluate whether additional measures, such as a continuous response team in India, are appropriate.
Security Requirements
The DPDP establishes security safeguards that a Data Fiduciary must take to protect personal data under its control against unauthorized use. These safeguards include, at a minimum: securing personal data through encryption, obfuscation, masking, or virtual tokens; controlling access to computer resources; maintaining visibility through logs; and monitoring to detect and investigate unauthorized access. Additionally, a Data Fiduciary must take reasonable measures, such as maintaining data backups, to allow continued processing in the event of a compromise of the confidentiality, integrity, or availability of such personal data. Further, Data Fiduciaries must retain logs and personal data for a period of one year unless otherwise required by law.
Because the Rules are more prescriptive than many other countries’ data protection laws, Data Fiduciaries must pay close attention to their contracts with entities that process personal data on their behalf (Data Processors) to ensure that these specific security provisions are included. Given the specificity required by the Rules, these obligations are likely to become a focus in negotiating contracts involving data transfers, and companies may need to point to the Rules as justification.
International Data Transfers
The Rules permit cross-border transfers, subject to any requirements to be set forth by the central government. While such transfers must still comply with the consent-based requirements of the law, this approach is currently much more permissive than other international privacy laws, pending any forthcoming restrictions from the central government. However, the DPDP itself explicitly provides that the central government may prohibit outright the transfer of personal data to a country or territory without being required to provide any justification for its decision.
Data Fiduciaries should continuously monitor government notifications for restricted countries, prepare to comply with any future conditions, and update contracts as necessary to enforce compliance with the cross-border data transfer requirements.
Parental Consent Requirements
Before processing the personal data of a child under the age of 18 or individuals with disabilities, the DPDP requires that a Data Fiduciary obtain verifiable consent from the parent or guardian of the child/individual. This requires Data Fiduciaries to implement age and identity verification mechanisms prior to processing such data. The Rules describe that the Data Fiduciary must use “appropriate technical and organizational measures” to ensure that verifiable consent of the parent is obtained. This requirement parallels Article 8(2) of the EU’s GDPR, which requires the use of “reasonable efforts” and “available technology” to verify parental consent; however, the Rules go further and also include certain steps for conducting due diligence.
Specifically, to verify the identity of the individual identifying themselves as a guardian, Data Fiduciaries must do one of the following:
- Use reliable details of identity and age that are available to the Data Fiduciary (e.g., reliable identity and age details previously provided to the Data Fiduciary, or identity and age details issued by an entity entrusted by law or the government with the maintenance of such details).
- Use a virtual token mapped to such details, issued by an authorized entity.
Data Fiduciaries will need to implement technical and organizational measures that include either of the following:
- Requesting reliable age verification information from individuals identifying themselves as guardians providing consent on behalf of Data Principals who are children.
- Pulling such verification information from publicly available sources.
Exemptions for Research, Archiving, and Statistical Purposes
The DPDP carves out an exemption for research, archival, and statistical purposes if the data processing aligns with certain standards detailed in the Rules. These standards include ensuring that the data processing is carried out lawfully and is not used to make decisions about a specific Data Principal, and implementing security safeguards and mechanisms to prevent data breaches and ensure accuracy. Entities that process personal data for such purposes should consider whether their processing fits within the standards detailed in the Rules, which would lessen their compliance burden.
Next Steps for Businesses
The above is a high-level overview of the most impactful aspects of the Rules, which will require compliance review by businesses subject to the law. Because the timeline for implementation is subject to change, businesses will also need to monitor updates from the DPB regarding when the Rules will come into effect. Focus points for compliance include:
- Updating privacy notices provided at the time consent is collected.
- Developing a consent management framework, considering requirements for collecting parental consent, and whether to engage a Consent Manager.
- Evaluating current data security practices, including contractual requirements with data processors and policies related to safeguards and incident response, to ensure alignment with the new standards.
- Monitoring the central government’s decisions regarding international data transfers and restricted countries.
- Reviewing the compliance obligations imposed by the DPDP generally (aside from those specific to the Rules) addressed in our prior alert.
If you are concerned that the Rules may apply to your business and are interested in learning more about how to ensure your business complies with the Rules, please reach out to the authors.
