The wait is over. After months of suspense, the Draft Digital Personal Data Protection Rules, 2025 ("Draft Rules" or "DPDP Rules") were released by the Ministry of Electronics and Information Technology (MeitY) last Friday, 3 January. This ends the guessing game on how the Digital Personal Data Protection (DPDP) Act will actually be implemented: the Rules fill in the operational detail of several critical components of the Act. The requirements are extensive, but they strike a reasonable balance between protecting end users and minimising the compliance burden on businesses.
If your business handles personal data of Indian users in any digital form, these Rules will shape your onboarding and day-to-day operations more than any legal document in recent memory. The Rules are currently in draft stage. The ministry has granted a 45-day consultation window for stakeholders to provide their comments. It's time for all businesses to chalk out how to close the gap between DPDP requirements and their processes.
Read on to get a simple and practical overview of the Draft DPDP Rules, put together by legal and product experts in privacy.
Consent Notices - Clear, Specific and Independently Understandable
The DPDP Act had made it clear that blanket consents—where users click “I Agree” to multiple purposes without grasping the details—are no longer legal. It specified all the information that must be provided to the user in the Notice to collect Consent.
Now, the Draft Rules specify that notice must be independently presented and understandable—no burying essential details in separate T&C documents or linking out to vague FAQs. The Draft DPDP Rules further clarify that businesses must present a standalone, plain-language notice that states exactly:
- Which Data Is Collected: An itemised list of personal data categories (e.g., name, address, payment info).
- Why It’s Collected: An itemised list of purposes (e.g., order processing, marketing emails, analytics).
- What It Enables: An itemised list of the services or goods provided.
The notice must also contain links to, and a description of, the means by which the end user can:
- Withdraw their consent
- Exercise their Rights under the DPDP Act
- Make a complaint to the Data Protection Board.
Clear Processes and Timelines for Exercise of User Rights
Define and Publish New Processes
The DPDP Act laid down four Rights of Data Principals which Data Fiduciaries must provide for. Businesses must now create processes for users to access, correct and erase their personal data, appoint nominees and raise grievances. They must also publish the specific identifier (customer ID, username or similar) that a user needs to quote in order to exercise these rights.
Publish Clear Timelines
Businesses must publish clear timelines within which they will respond to users' grievances. The Draft Rules also require businesses to set up a mechanism to ensure that the response timelines promised to end users are actually met.
Designate a Contact Person
Another key rule: each Data Fiduciary must list the business contact details of their Data Protection Officer (DPO), or a designated person who can address user queries about data processing. This information should appear both on your site or app and in every response you send about users’ data rights.
Consider the case of ShopEase, a fast-growing e-commerce platform. To comply with the new Digital Personal Data Protection Rules, ShopEase publishes a dedicated “Data Rights Center” on its website, where customers can submit requests to see which personal details are on file. If they have a grievance, say they are receiving spam calls, they use a “Raise a Grievance” link on the same page. ShopEase also posts an expected turnaround time (say, 72 hours) for responding to grievances. If a customer wants a family member to handle their account in case of an emergency, they can request that a nominee be added using the same form.
Children's Data - Parental Age and ID Verification Clarified
Verifiable Consent: More Than a Checkbox
The Act and Draft Rules mandate that, before processing the personal data of a child (anyone under 18) or of a person with a disability who has a lawful guardian, businesses must obtain verifiable consent from the parent or lawful guardian. As explained in our dedicated piece on Children's Data, this inevitably means you must verify the age of all of your users. Gone are the days of simply asking, “Are you 18?” or relying on a token checkbox.
However, the Act and Rules are silent on how a child's age is to be verified, beyond carving out an exception that allows children's data to be processed for the purpose of age verification. That exception tells us the government expects age verification to happen, but not how. A self-declaration of age is unlikely to be good enough, since it would defeat the whole point of mandating parental consent for processing children's data. Instead, businesses may use methods such as AI-based age classification, checking existing records, or verification through DigiLocker.
Lawful Guardians for Persons with Disabilities
When an individual claims to be the lawful guardian of a person with a disability, you must confirm they hold that legal status, typically shown by a court order or recognition from a designated authority. The Rules require businesses to undertake due diligence checks so that the person's data is not processed until you have valid evidence that the claimant is indeed their legally recognised guardian.
Exemptions to Parental Consent
While parental consent is the default, certain Data Fiduciaries and certain purposes are exempt from some obligations:
- Healthcare Providers: Clinical establishments, mental health professionals, and allied healthcare workers can process a child’s data without following every consent formalism—if it’s strictly necessary to protect the child’s health.
- Educational Institutions: Schools and similar institutions can track or monitor children for educational purposes or ensure their safety (e.g., location tracking on a school bus).
- Governmental Functions: Certain public authorities can process a child’s personal data for legitimate public functions, like issuing benefits or subsidies, without adhering to every generic consent requirement—again, only to the extent needed for that purpose.
Purpose-Based Leeway
The Rules also carve out exceptions for processing that aims to:
- Prevent children from accessing harmful content
- Confirm that a user is not a child (e.g., age-gating an app or service)
Consider the case of Kidly, an online tutoring platform for children aged 10 to 15. It obtains verifiable parental consent by checking whether the parent is an existing user whose identity and age are already on record, or by verifying a government-issued ID (for instance, through DigiLocker). Because Kidly qualifies as an educational institution, it may track student progress strictly for enhancing learning outcomes and ensuring child safety, never for targeted ads. If it provides specialised modules for children with disabilities, any guardian claiming legal authority must first verify their status before Kidly processes the child's data.
Obligations and Registration Process for Consent Managers Defined
The Draft Rules have added a lot more detail to the role played by Consent Managers. The Act defines Consent Managers as an interoperable platform that can allow end users to give, manage and withdraw consent.
Registration of Consent Managers
Consent Managers will be registered by the Board if they meet the prescribed financial and reputational requirements. Critically, a Consent Manager and its directors, promoters and key managerial personnel (KMP) must not have any conflict of interest with Data Fiduciaries. Consent Managers must also be certified as interoperable.
Role of a Consent Manager
A Consent Manager is a platform through which an end user can give consent to a business to process their data, or to share it with another Data Fiduciary. Consent Managers are meant to be data-blind: they must not be able to read the personal data that flows through them. They must, however, maintain thorough records in relation to consents, including:
- Consents given, denied and withdrawn
- The notices that preceded or accompanied each consent request
- Each instance of personal data being shared with a transferee Data Fiduciary
Consent Managers act on behalf of, and are accountable to, end users. They must provide a website or app through which end users can access these records and review and withdraw their consents.
Immediate Notification and Reporting of Data Breaches Required
In the event of a personal data breach, the Draft DPDP Rules mandate a two-tiered notification process, to the affected Data Principals and to the Data Protection Board, to ensure transparency and accountability. As a Data Fiduciary, you must act swiftly to minimise damage and maintain trust.
Notify Affected Data Principals Immediately
When a breach occurs, you must inform each affected Data Principal without delay. Your notification should be clear, concise, and easily understandable, covering the following key points:
- Description of the Breach: Explain what happened, including the nature, extent, and timing of the breach.
- Potential Consequences: Outline the possible impacts on the affected individuals, such as identity theft or unauthorized transactions.
- Mitigation Measures: Detail the steps you’ve taken to address the breach and prevent future occurrences.
- Protective Actions for Users: Provide recommendations for what affected users can do to protect themselves, such as changing passwords or monitoring their accounts.
- Contact Information: Include the details of your Data Protection Officer (DPO) or a designated contact person who can handle queries related to the breach.
Report the Breach to the Data Protection Board
On becoming aware of a breach, you must send the Data Protection Board an initial description without delay (nature, extent, timing and location of the breach, and its likely impact). Within 72 hours of becoming aware of it, or within a longer period the Board allows on a written request, you must follow up with a detailed report that includes:
- Detailed Description: A thorough account of the breach, including how it was discovered and the measures taken in response.
- Impact Assessment: An evaluation of the breach’s potential effects on Data Principals and your organization.
- Remedial Actions: Steps you’ve implemented to mitigate the breach and prevent recurrence.
- Investigation Findings: Insights into how the breach occurred, any identified vulnerabilities, and findings regarding the person who caused it, where known.
- Record of User Notifications: A report of the intimations already sent to affected Data Principals.
Remember ShopEase, our thriving e-commerce platform? When a data breach occurs, ShopEase immediately notifies affected customers through clear, concise messages detailing the breach's nature and potential impacts. It also sends an initial intimation to the Data Protection Board without delay and files the detailed report within the 72-hour window, outlining the steps taken to mitigate the breach and prevent future occurrences. By handling the breach transparently and efficiently, ShopEase complies with the Draft DPDP Rules and avoids hefty penalties.
Reasonable Security Safeguards Defined
Under the Draft DPDP Rules, safeguarding personal data is mandatory. As a Data Fiduciary, you must implement reasonable security safeguards to protect data from breaches and unauthorized access. This involves a multi-layered approach that includes:
- Data Encryption and Masking: Encrypt sensitive data both at rest and in transit to ensure it remains unreadable if intercepted.
- Access Control: Restrict data access to only those employees who need it for their roles, using role-based access controls (RBAC).
- Monitoring and Logging: Maintain detailed logs of data access and continuously monitor them for suspicious activity so that unauthorised access can be detected and remediated swiftly. The Rules require these logs, and the personal data they relate to, to be retained for at least one year so that unauthorised access can be detected, investigated and remediated, unless another law requires otherwise.
- Data Backup and Recovery: Establish robust backup procedures to ensure data can be quickly restored in case of loss or corruption, minimizing disruption.
- Secure Contracts with Data Processors: Ensure that any third-party vendors handling your data adhere to equivalent security measures through stringent contractual agreements.
- Technical and Organizational Measures: Regularly update security protocols, conduct frequent security audits, and train employees on data protection best practices to foster a security-first culture.
Significant Data Fiduciaries: Stricter Obligations for Data Giants
Significant Data Fiduciaries are Data Fiduciaries notified as such by the Central Government, based on factors like the volume and sensitivity of personal data they process, the risk to Data Principals, and the potential impact on sovereignty, security and public order. Under the Draft DPDP Rules, these entities must adhere to additional obligations to ensure robust data protection and compliance. Here are the key obligations for Significant Data Fiduciaries.
- Annual Data Protection Impact Assessments (DPIA): Every twelve months, Significant Data Fiduciaries must conduct a DPIA to evaluate how their data processing activities impact the privacy of Data Principals.
- Comprehensive Audits: Alongside DPIAs, these fiduciaries must undergo regular audits to ensure continuous compliance with the DPDP Act and its Rules.
- Algorithmic Due Diligence: If your operations involve algorithmic software for decision-making, such as personalised recommendations or automated approvals, you must carry out due diligence to verify that the software is not likely to pose a risk to the rights of Data Principals. In practice this means checking for unfair or biased outcomes that could harm users, and being able to account for how the software reaches its decisions.
- Data Localisation for Specified Data: Categories of personal data to be specified by the Central Government (on the recommendation of a committee it constitutes) must be processed such that neither that data nor the traffic data pertaining to its flow is transferred outside India. Significant Data Fiduciaries must put measures in place to enforce this restriction.
Limit Data Retention to What’s Necessary and Notify Users Before Erasure
Retention with a Purpose
Under the Draft DPDP Rules, Data Fiduciaries must ensure that personal data is retained only as long as necessary for its intended purpose. The Third Schedule sets hard limits for large platforms: e-commerce entities and social media intermediaries with at least two crore registered users in India, and online gaming intermediaries with at least fifty lakh, must erase personal data three years after the Data Principal last engaged with the specified purpose (or exercised their rights), or three years after the commencement of the DPDP Rules, whichever is later. Retention after the purpose is fulfilled is allowed only where another law or regulation requires it. For a comprehensive look at the minimum periods of retention under major Indian laws, refer to our Guide to Data Retention.
Advance Notification
Before erasing any personal data, Data Fiduciaries must notify the affected users at least forty-eight hours in advance. This notification should clearly outline which data will be deleted and provide users with an opportunity to retain their information by re-engaging with the specified purpose or exercising their data rights.
Exceptions to the Rule
Certain types of data, such as information necessary for accessing user accounts or virtual tokens used for transactions, may be retained beyond the standard erasure period. These exemptions ensure that essential services remain functional while still promoting the minimization of unnecessary data storage.
Data Used For Research, Archiving, and Statistical Purposes Exempted
The DPDP Act provides an important exemption for the processing of personal data when used strictly for research, archiving, or statistical purposes. This ensures that essential academic and policy research can continue without the full weight of compliance requirements, provided it adheres to the safeguards outlined in Schedule II of the Draft Rules. These safeguards are designed to protect personal data while allowing its use for generating valuable insights and fostering innovation.
For businesses, this exemption offers an opportunity to use personal data for legitimate analytical purposes, such as trend analysis or product improvement, without breaching compliance. This is particularly relevant for pharmaceutical companies, which rely heavily on such data for clinical research, drug development and public health studies. However, it is crucial that the processing strictly follows the standards in Schedule II to avoid misuse and remain within the bounds of the law. Further, section 17(2)(b) of the Act makes the exemption conditional on the data never being used to take a decision specific to the Data Principal.
For more exemptions to DPDP laws, refer to our article on DPDP Exemptions.
A Digital-First Data Protection Board to Enforce Compliance
The Data Protection Board (DPB) will be at the heart of enforcing compliance under the DPDP Act, ensuring efficient and transparent handling of data-related grievances and breaches. The Board will consist of a Chairperson and other Members, appointed by the Central Government on the recommendation of a Search-cum-Selection Committee (chaired by the Cabinet Secretary when selecting the Chairperson).
To enhance efficiency, the DPB will function as a fully digital office. This techno-legal setup will eliminate the need for physical presence by leveraging technology for inquiries and hearings while still retaining the authority to summon individuals under oath. By adopting this approach, the Board will streamline operations, provide faster resolutions, and create a modernized compliance ecosystem aligned with the DPDP Act’s goals.
Next Steps - Prepare, Comply, and Engage
The Draft DPDP Rules bring much-needed clarity to the compliance landscape, but waiting for the final version might leave your business behind. Here's how you can get ahead:
- Share Your Suggestions: Leegality will be submitting detailed comments on the draft rules. If you have suggestions or concerns you'd like us to include, email us at consentmanager@leegality.com.
- Start Complying Now: Don’t wait for the final rules to act. You can begin by implementing foundational steps like setting up robust data retention protocols. Check out our Data Retention Guide and DPDP Compliance Checklist to kickstart your compliance journey.
- Explore Our Solutions: Want an in-depth discussion on compliance or a sneak peek into our software that simplifies these requirements? Contact us here and let’s make compliance effortless for your business.
Proactively preparing today ensures a smoother transition to compliance tomorrow while safeguarding your business and building trust with your users.