India’s data privacy law comes into force, two years after it was passed

New Delhi: India’s long-awaited data-privacy regime formally kicked in on Friday. More than two years after the Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by Parliament, the ministry of electronics & information technology (MeitY) notified the rules and established a four-member data-protection board, bringing the law into effect.

Companies will need to comply with the Act’s provisions within 12–18 months, including appointing consent managers and data-protection officers, putting in place systems for express user permission, and reporting data breaches within 72 hours.

Platforms must also take parents’ consent for users under 18, and cannot use certain data—like data that enables targeted ads—a change industry had long sought.

The data protection board under the Act takes effect immediately. The chairperson of the board will receive a remuneration of ₹4.5 lakh a month as notified in the gazette, while the other three members will be paid ₹4 lakh a month.

According to a government official who requested anonymity, a select committee under Meity will now recommend names, following which appointments will be notified.

Reactions from analysts and observers were mixed. Some broadly welcomed the clarity on implementation timelines, lighter compliance requirements, and the added safeguards for children’s data.

Others warned that the rules still lack clear checks on government data use and could leave industry carrying more obligations than the state.

However, the official cited above said that Rule 7 of the Act clearly mentions exemptions under which the Centre can access personal data and beyond that, there is no scope for any government agency to handle personal data different from corporate entity.

“If parties had concerns against access of personal data by government bodies, they must have made a strong-enough case for these clauses to be reconsidered during our extensive consultation process. Given that no such case happened, it’s difficult to ascertain what these alleged exemptions are,” the official added.

Meanwhile, tech companies, which will be most impacted by the new rules, did not immediately react.

“We are currently in the process of assessing the DPDP rules,” an Amazon India spokesperson said when contacted by Mint. Meta Platforms, too, said it was not likely to comment on Friday.

Queries sent to Google India, InMobi, TCS, Infosys, Protean, Genpact, Zoho, Bharat Matrimony remained unanswered till press time.

The details

Companies will need to implement various parts of the law in 12-18 months. In 12 months, that is, by 14 November 2026, they need to appoint consent managers—the person accountable for social media platforms seeking permission to use people’s personal data.

And within 18 months, companies have to implement a mechanism to seek express permission from users before using their data for business purposes, such as targeted advertisements.

They will also be required to inform the newly notified data protection board of data breaches within 72 hours, and inform users about these “without delay”.

Further, all social media platforms and other parties that handle user data will be required to appoint a data protection officer in the next 18 months.

For users under 18, companies will need to seek “verifiable” parental consent before using their data. At the same time, certain types of data, such as those that enable general tracking of users for ads, will be completely barred to ensure children’s safety.

Importantly, the final version of the law will allow platforms to live-track the location of underage users for safety purposes only—a key demand that was granted by Meity after multiple parties voiced concerns against a blanket ban on access of underage users’ data.

Then, Rule 15 of the DPDP Act allows personal data to be saved outside India, but bars any storage in countries that are ‘blacklisted’ by the Union government.

Further, Rule 13(4) says storing personal data outside India may be restricted if defined so by a special committee that will include members of Meity as well as other ministries and government departments.

Industry reactions

Industry stakeholders largely welcomed the draft. Aparajita Bharti, founding partner at policy consultancy firm The Quantum Hub, said the rules offer clarity to companies in terms of the timeline of implementation.

“It was also important to clarify exemptions to usage of underage personal data for enabling safety features for children—such as applications that parents use for tracking location, ensuring children see age-appropriate content and ads, etc.,” Bharti said. “With these features now notified, a key industry demand has been clearly responded to by the Centre.”

Supratim Chakraborty, partner at law firm Khaitan & Co, said the final version of India’s first privacy regulation has eased compliance for businesses by not mandating that they would have to offer users an ‘itemized’ description of goods and services.

“This means that even though businesses will have to specify a list of all personal data they will take from a user, they won’t have to minutely map these against an itemized list of goods and services,” he explained.

Chakraborty added that the rules have also taken into account India’s ability to restrict foreign government-backed bodies from using and processing Indian citizens’ data. “Overall, the final version of the rules are in line with what the Centre was mentioning that it would offer,” he said.

Others, however, flagged some concerns, especially on user protection and government capability.

“Both have been strengthened, but not necessarily in the same direction,” said Dhruv Garg, lawyer and partner at tech policy consultant, India Governance and Policy Project (Igap). “The government itself must abide by the same rules and principles. Further, the law may face legal scrutiny and challenges, if eventual assessment finds data retention and government exemptions to be disproportionate.”

He added that the rules still lack detailed checks on how government agencies handle personal data, leaving broad discretion in data access, potential risks of profiling, and no independent audit or oversight mechanisms.

Garg also said that while the DPDP rules do give a one-year data retention timeline, scope for persistent data logs may “enable deep retrospective data visibility, which could be another concern. While retention of personal data may improve data audits, it will also raise real privacy concerns over persistence of digital footprints. In the long run, the current DPDP rules will also require all tech service providers to maintain large logs.”

“While the DPDP rules, 2025 mark an important institutional milestone, they do not address key structural concerns repeatedly raised by civil society since the 2022 and 2023 iterations of a data protection law. As a result, ordinary users still lack a rights centred data protection legal framework, even as large data processing entities gain greater discretion and benefit from opacity,” a statement by privacy advocacy body Internet Freedom Foundation of India (IFF) read.

A joint statement by Nasscom and Data Security Council of India (DSCI) further said that while simplifying legislation for companies on handling data was appreciated, “certain matters raised by industry during consultation arise from the architecture of the Act itself and could not realistically be addressed through subordinate legislation.”

“These include the overarching structure of parental consent, the statutory age threshold for children and the requirement that all personal data breaches be notified,” it added.