DPDP Rules 2025 - What to expect

Avisha Khatri

Product Content Strategist
September 24, 2025

Summary

  • Businesses must implement core security measures like encryption, access controls, and audit logs to protect data. This also applies to third-party vendors.
  • Blanket "I Agree" consents are illegal. Your notice must clearly state what data you're collecting, why, and give users a simple way to withdraw consent.
  • For anyone under 18, you must get verifiable parental consent. Specific exemptions exist for schools and certain healthcare providers.
  • Significant Data Fiduciaries have additional responsibilities. 
  • Breach notifications must be sent to the Data Principals and Data Protection Board without any delays.
  • Appoint a consent manager to be a single point of contact for all consent-related requirements.

The DPDP Rules will be released soon - 9 months after the draft rules were published.

While the final draft may contain small edits, the core obligations will remain the same. 

If your organization processes personal data, these Rules are not optional — they define how you must collect, use, and protect personal data.

In this article, we’ll break down what you need to do.

1. Implement 6 “reasonable” security safeguards

Under the DPDP Act, Data Fiduciaries (DFs) are responsible for protecting personal data and for ensuring that their Data Processors (DPs), i.e. the third-party vendors you use, do the same.

You must implement at minimum:

  1. Data encryption and masking: Encrypt, obfuscate, mask or tokenize personal data so it cannot be read by unauthorized parties.
  2. Access controls: Restrict access to personal data only to employees who need access to perform their job role.
  3. Audit logs and monitoring: Maintain detailed logs of who has accessed personal data and for what purpose. Keep monitoring these for suspicious activity.
  4. Data backups: Maintain recoverable backups in case of breach or accidental deletion.
  5. Retention period: Keep data records for at least one year from the date of any breach or unauthorized access.
  6. Contracts with Data Processors: Update vendor contracts to mandate the above safeguards.

Once you have these safeguards in place, the next step is to ensure that the consent notice you share with your customer/user complies with the Rules.

2. Use DPDP-compliant consent notices

Blanket “I Agree” consents are no longer valid, and catch-all purposes are no longer legal.

Your consent notice must:

  • Be easy to read - No burying essential details in separate T&C documents or linking out to vague FAQs. It should be easily understandable.
  • Be in the vernacular - Your notice must be in a language the user understands. DPDP requires notices to be available in all languages specified under the 8th Schedule of the Constitution.
  • State what data you collect and why - categories + purposes. General statements like “Use data for various activities under DPDP Act etc.” are not acceptable.
  • Provide a privacy centre where users can:
    • Withdraw consent
    • Exercise rights
    • File complaints

But what about when you’re collecting the personal data of a child? The Draft Rules carve out some special requirements for processing a child’s PII.

3. Collect verifiable parental/guardian consent 

For anyone under 18 years, you must obtain verifiable parental consent before processing their data.

The Rules specify 2 ways to verify the identity/age of the parent:

  1. Use identity/age details that you might already have.
  2. Verify identity/age details of the parent or a virtual token mapped to government-authorized sources like DigiLocker.

The rules don’t provide for AI/Biometric verification yet. Whatever method you use - keep a log of it for audits.

For persons with disabilities, obtain consent from their lawful guardian (supported by court order/authority recognition).

What are the exemptions to Parental Consent?

The core of the DPDP Act lies in empowering the user. The DPDP Rules give the Data Principals, i.e. the person you’re collecting data from, certain rights.

Who is exempted?

Role-based exemptions:

  • Healthcare providers: Clinical establishments, mental health professionals, and allied healthcare workers may process children’s data if strictly necessary to protect their health.
  • Educational institutions and day care centres: Schools and similar institutions can monitor children for education or safety purposes (e.g., location tracking on school buses).

Purpose-based exemptions:

  • Government functions: Public authorities can process children’s data for legitimate public functions (e.g., issuing benefits or subsidies) without following all generic consent rules.
  • Creation of a user account: Only to the extent necessary for creating such an account.
  • The child’s well-being: Processing to prevent access to harmful content or to verify a user’s age is allowed.

4. Rights of Data Principals

Users (Data Principals) gain enforceable rights - they can now demand action from you for certain things:

They can:

  • Access, review, and withdraw consent.
  • Request data erasure.
  • Raise complaints with defined resolution timelines.
  • Receive breach and deletion notices (where applicable).

You must:

  • Publish DPO/contact details clearly on your website/app.
  • Put in place an internal ticketing/escalation process to handle requests.
  • Notify users 48 hours before deletion if you are:
    • An e-commerce platform with >2 crore users
    • An online gaming intermediary with >50 lakh users
    • A social media intermediary with >2 crore users

5. Additional obligations for Significant Data Fiduciaries (SDFs)

SDFs are Data Fiduciaries handling large volumes of personal or sensitive data, attracting stricter regulatory scrutiny.

If you qualify as an SDF (large-scale processing, sensitive categories), you face stricter requirements:

  • Conduct annual Data Protection Impact Assessments (DPIA) and compliance audits, reporting the results to the Data Protection Board (DPB).
  • Ensure algorithms you use (e.g., personalized recommendations, automated approvals) do not infringe on the rights of Data Principals.
  • Ensure personal data specified by the Central Government is not transferred outside India.

6. Role of a Consent Manager 

The Act introduces Consent Managers — independent, neutral platforms where users can manage their consents.

Consent Managers must:

  • Keep detailed records of given/withdrawn consents.
  • Provide user dashboards/websites for review/withdrawal.
  • Track notices and sharing of data.

With this, the DPDP Act also carves out certain exceptions where consent is not mandatory.

7. Exemptions to consent

You do not need consent if:

  • Data is used solely for research/archiving/statistics (non-individual level, secure, lawful).
  • The user voluntarily provided the data.
  • The State processes data for legal obligations, emergencies, disaster response, public health, or employment-related purposes.

For more exemptions to DPDP laws, refer to our article on DPDP Exemptions.

8. Breach notifications

In case of a personal data breach:

Notify Data Principals immediately. The notice must:

  • State what happened and its impact.
  • Share mitigation steps and user actions (e.g., change passwords).
  • Provide DPO/contact details for queries.

Notify the Data Protection Board (DPB) within 72 hours - include:

  • Updated and detailed description of the breach and discovery.
  • Impact assessment on users and the organisation.
  • Remedial actions and key investigation findings.
  • Measures implemented to reduce risk.

9. Role of Data Protection Board

We have referred to the Data Protection Board a couple of times in this blog, so what does the Board actually do?

The DPB will enforce compliance, handle complaints, and oversee breaches. 

The DPB will function as a fully digital office - all filings, hearings, and resolutions will be online.

10. What to do once the rules are out?

With the DPDP Rules coming out by the end of this week, all organizations are just waiting. But here are some things you can do immediately:

  • Educate your teams about the upcoming law so that everyone is prepared. 
  • Understand what PII you process and where it is stored.
  • Appoint a DPO or a privacy expert to create new policies and update existing policies for DPDP compliance.
  • Update your third-party contracts to ensure that their mistakes don’t cost you!

If you need more help, get in touch with us.

Explore Consentin, Leegality’s DPDP-compliant Privacy Platform, for your DPDP compliance needs.
