New Delhi: The government on Friday notified the much-anticipated Digital Personal Data Protection (DPDP) Rules, 2025, which will be rolled out in phases over the next 12–18 months.
The new rules are designed to give citizens greater control over their personal data, curb misuse, and strengthen online privacy.
While certain provisions take effect immediately, key requirements — including the registration and duties of consent managers, mandatory notices from data fiduciaries before processing personal data, and several other major compliance norms — will be phased in over the coming months.
Aimed at reducing spam calls and preventing unauthorised access to personal information, videos, and voice data, the rules mark a significant step in India’s digital privacy framework.
Citing its powers under Section 40 of the Digital Personal Data Protection Act, 2023, the government formally notified the DPDP Rules, 2025. The framework also outlines the establishment of a Data Protection Board, which will impose penalties according to the severity of violations specified under the DPDP Act.
The Act allows penalties of up to ₹250 per breach for data fiduciaries, with a graded system in place to safeguard small businesses.
The notification comes eight years after the Supreme Court’s landmark judgment on August 24, 2017, declaring the Right to Privacy a Fundamental Right.
Along with granting citizens the right to protect their personal data, the rules also place certain responsibilities on them — such as not suppressing information while applying for government IDs or documents, avoiding false or frivolous complaints, and providing verifiable details when seeking correction or deletion of data.
The DPDP Rules empower citizens to take action if their phone numbers are leaked or used for unauthorised calls. Authorities will be able to investigate and trace the source of such leaks, enabling penalties against violators.
Certain exemptions apply, including cases involving enforcement of legal rights, court orders, crime-related investigations, cross-border contracts or consent, loan default assessments, and government-approved exemptions for specific data fiduciaries — including start-ups — for the purpose of implementing schemes, research, or innovation.
