Draft Digital Personal Data Protection Rules 2025: Key Highlights and Implications
Team Finance Saathi
15/Apr/2025

What's covered under the Article:
- Data Localisation Mandates: The draft rules reintroduce data localisation, requiring significant data fiduciaries to store certain personal data within India, aiming to enhance data security and sovereignty.
- Age Verification Requirements: Platforms must implement robust age verification mechanisms to protect minors online, necessitating verifiable parental consent for users under 18.
- Data Retention and User Control: The rules propose a three-year data retention limit post-user inactivity, with provisions for user-notified data erasure, balancing privacy with operational needs.

The Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection (DPDP) Rules, 2025, to operationalize the DPDP Act of 2023. These rules aim to safeguard citizens' digital personal data while fostering India's digital economy and innovation. They are open for public consultation until February 18, 2025.
Data Localisation: Reinstating Domestic Data Storage
A significant shift in the draft rules is the reintroduction of data localisation mandates. Significant Data Fiduciaries (SDFs), such as major tech companies, are required to store and process specific categories of personal data within India. A government-appointed committee will determine the types of data subject to localisation, aiming to prevent sectoral disruptions while enhancing data security.
Age Verification: Protecting Minors Online
To ensure a safe digital environment for children, the draft rules mandate age verification for users under 18. Data fiduciaries must obtain verifiable parental consent, implementing due diligence to confirm the identity and age of the parent or guardian. This approach seeks to protect minors from online risks while acknowledging practical implementation challenges.
Data Retention and User Empowerment
The draft rules propose a data retention limit of three years following the user's last interaction or the effective date of the rules, whichever is later. Data fiduciaries are required to notify users at least 48 hours before data erasure. However, exemptions exist for legal, regulatory, or contractual obligations, necessitating a structured framework to balance user privacy with business continuity.
Consent Management and Grievance Redressal
The rules introduce the concept of Consent Managers—entities responsible for managing user consent for data processing. These managers must be Indian-incorporated companies with a minimum net worth of ₹2 crore. Additionally, the Data Protection Board of India (DPBI) is envisioned as a digital-first body to handle consent mechanisms and grievance redressal efficiently.
Implications for Businesses and Stakeholders
The draft rules place significant responsibilities on data fiduciaries, especially SDFs, to comply with localisation, age verification, and data retention requirements. While aiming to enhance data privacy and security, these provisions may increase compliance costs and operational complexities for businesses. Stakeholders are encouraged to provide feedback during the consultation period to address practical concerns and ensure balanced regulation.
Conclusion
India's Draft DPDP Rules 2025 represent a critical step in strengthening digital personal data protection. By addressing data localisation, age verification, and user data rights, the rules aim to create a robust framework that balances individual privacy with the needs of a growing digital economy. Stakeholder engagement during the consultation phase will be vital in refining these rules for effective implementation.