New Delhi: The government has issued detailed rules under the Digital Personal Data Protection (DPDP) Act, introducing strict data-retention requirements for e-commerce platforms, social media intermediaries, and online gaming companies.
Under the new norms, platforms must delete the personal data of users who have not logged in or used the service for three consecutive years. This mandate applies to online gaming companies with over 50 lakh users, as well as social media and e-commerce platforms with more than two crore registered users in India.
Before deleting any data, companies must issue a 48-hour notice to inactive users, informing them that their data will be erased if they fail to access the platform within that period.
For platforms with more than 50 lakh users—classified as significant data fiduciaries—the Act imposes stricter compliance obligations. These entities must conduct an annual audit and a Data Protection Impact Assessment to ensure their systems, algorithms, and processes do not compromise user rights. They are also required to annually certify that their technical safeguards remain robust and compliant.
While the DPDP Act allows cross-border transfers of personal data, such transfers must adhere to government-issued rules, especially when data is being shared with foreign states or organisations under foreign government control.
These measures form part of the wider rollout of India’s first digital privacy law, aimed at strengthening data governance and enhancing user protection across the expanding digital ecosystem.
“With the DPDP Rules now notified, Indian enterprises have a clear roadmap for collecting, processing, securing, and governing personal data. The phased rollout is crucial, giving organisations the time to operationalise privacy, realign their data architecture, and seamlessly embed accountable fiduciary practices,” said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
