NOVEMBER 2025
DPDP Rules: Update Note
www.spiceroutelegal.com
BACKGROUND

Two years after the enactment of the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Indian government has notified the Digital Personal Data Protection Rules, 2025 (“Rules”), which operationalise and clarify key provisions of the law.

Alongside the Rules, the government has also published additional notifications that set out a phased approach for the implementation of the law, together with a framework for establishing the Data Protection Board of India (“Board”), which will serve as the primary regulator under the law.
TRANSITION PERIODS

The DPDPA and the Rules will come into effect in a tiered manner. Timelines are as follows:

- Provisions regarding the establishment and constitution of the Board have come into force effective immediately.
- Requirements regarding registration of consent managers will come into force in November 2026.
- All other provisions, which include consent collection, data principal rights, reporting of personal data breaches, implementation of appropriate security measures, and enforcement mechanisms, will come into force in May 2027.
CONTINUED RELIANCE ON CONSENT

Many stakeholders had anticipated, or rather hoped, that the Rules would expand the grounds for processing personal data under the DPDPA. However, the consent-centric framework under the law remains unchanged, as the Rules do not introduce or clarify additional non-consent processing grounds for private businesses. Instead, the Rules reinforce the consent-first approach, providing new guidance on privacy notices. For example, notices must now be presented separately from other information, requiring a shift from the current practice of bundling consent with acceptance of EULAs or terms and conditions.

Privacy notices must contain an itemised list of the personal datasets the data fiduciary processes, along with a description of the purposes for which the data will be processed. To meet these requirements, businesses should prioritise creating comprehensive data inventories. This will help in identifying the types of datasets processed and the associated purposes for processing.

Privacy notices must also include links to portals where data principals can withdraw consent and exercise other rights. This will require a redesign of user onboarding journeys and the creation of data management processes.
NEW OPPORTUNITIES FOR CONSENT MANAGERS

The DPDPA introduces a new class of entities called consent managers, distinct from data fiduciaries or data processors. These entities provide interoperable platforms enabling data principals to manage their consent preferences. Consent managers must register with the Board and meet specific conditions, including a local presence and a net worth of at least INR 20,000,000 (approximately USD 230,000). The Board has broad oversight powers, including prescribing standards for the consent management platform, requiring disclosures during registration, cancelling registrations, and approving changes of control or mergers involving consent managers.

Consent managers are expected to onboard data fiduciaries, facilitate consent requests from data fiduciaries to data principals, enable data principals to share consent and personal data through their platforms, and support the exercise of data principal rights. Critically, consent managers must remain “data-blind”, ensuring no access to personal data. This structure is similar to the account aggregator ecosystem regulated by the Reserve Bank of India (“RBI”) in the financial sector. However, it remains unclear whether and how the RBI-regulated ecosystem will integrate with the DPDPA’s framework for consent managers.

Engagements between consent managers and data fiduciaries will require careful structuring. Alongside technical integration, consent managers must prevent conflicts of interest, including those related to promoters, overlapping directorships, or material commercial relationships with data fiduciaries.

Interestingly, the Rules clarify that consent managers act in a fiduciary capacity toward data principals but are distinct from other data fiduciaries. The implications of this distinction, including additional compliance burdens, remain to be seen. Nevertheless, the government’s support for consent managers, coupled with the inability of many small and medium enterprises to manage consent in-house, signals new business opportunities in this space.
CHILDREN’S DATA: A NEW LAYER OF COMPLEXITY

Under the DPDPA, data fiduciaries must obtain verifiable parental consent to process a child’s personal data. Similarly, processing personal data of a person with a disability requires verifiable consent from the person’s guardian.

Many had anticipated that the Rules would clarify key issues, such as the types of data fiduciaries that would need to obtain verifiable parental consent, practical mechanisms to implement such consent, and scenarios where services not directed at children inadvertently process their data – for example, due to misrepresentation by a child. Instead, the Rules largely reiterate the DPDPA’s requirement for verifiable consent. They mandate that businesses, through due diligence, must ensure that individuals identifying as parents are adults. While the Rules suggest using government portals and regulated digital lockers for identity verification, they also permit other reliable mechanisms.

To process the personal data of persons with disabilities, businesses face an additional requirement: verification must confirm that the guardian providing consent has been legally appointed under applicable laws. As with consent frameworks, these provisions will compel data fiduciaries to rethink and redesign user onboarding processes.

Separately, the DPDPA prohibits processing personal data that could harm a child’s well-being, behavioural monitoring of children, and targeted advertising directed at children. The Rules, however, introduce exemptions for certain data fiduciaries in specific contexts; for instance, tracking the real-time location of a child in the interest of ensuring their safety.
DATA BREACHES

Read together with the DPDPA and existing Indian laws, the Rules require data fiduciaries that suffer a personal data breach to, upon becoming aware of the incident, report its details to the Board “without delay”, and to provide a more detailed report about the incident within 72 hours. This timeline may be extended by the Board upon receipt of a written request. This obligation exists in addition to:

- the existing 6-hour window to report security incidents (including personal data breaches) to the Indian Computer Emergency Response Team (“CERT-In”);
- reporting of security incidents by financial institutions to the relevant financial sector regulators (where the reporting window starts, in certain cases, at 2 hours);
- sending a copy of the report filed with CERT-In to the Insurance Regulatory and Development Authority of India, for insurers;
- informing the Unique Identification Authority of India of Aadhaar-related breaches;
- reporting to the National Critical Information Infrastructure Protection Centre in respect of security incidents that impact critical information infrastructure; and
- the obligations of publicly listed companies to report incidents to stock exchanges.

In addition, data fiduciaries will, to the best of their abilities, have to inform impacted data principals of personal data breaches, the consequences likely to arise out of the breach, and, among other details, the contact information of an individual within the data fiduciary’s organisation who can respond to questions.

In practice, this will require data fiduciaries to revisit the existing SOPs that address multiple reporting timelines and regulators, and to create a sophisticated response system that can effectively react both to the incident at hand and to the differing regulatory requirements.
OTHER NOTABLE TAKEAWAYS

Government Access to Personal Data

Through the Rules, the government has a broad right to seek personal data from data fiduciaries and internet intermediaries for purposes that include national security, Indian sovereignty and integrity, performance of its functions under applicable laws, and assessing data fiduciaries. This is a fairly broad right that stems from existing provisions under the DPDPA, and may impact cross-border data transfers, especially from the EU and the UK to India.

Reasonable Security Safeguards

The Rules set out a minimum standard for the reasonable security safeguards that must be implemented by data fiduciaries, including access controls, a minimum retention period of 1 year, and backup and disaster recovery mechanisms. The Rules also recommend encryption, obfuscation, or other methods to mask personal datasets. These security measures will need to be contractually imposed on data processors as well. Companies with existing certified systems may find these standards easier to comply with.

Potential New Localisation Requirements

While neither the DPDPA nor the Rules prescribe localisation obligations, the Rules refer to the government’s power to require significant data fiduciaries to store data in India as well as to limit sharing of personal data with foreign regulators. This is likely to impact cross-border data transfers as well as investigations, though its scope remains to be seen.

Data Principal Requests

Data fiduciaries and consent managers are required to respond to grievances and requests submitted by data principals within 90 days.

Significant Data Fiduciaries

The Rules do not clarify the types of entities that may be classified as significant data fiduciaries. However, they do prescribe additional compliance obligations, including conducting data protection impact assessments and audits every year, and using due diligence to ensure that the technical measures they deploy, including algorithmic software, do not pose a risk to the rights of data principals. The definition of algorithmic software and the threshold for risk of harm remain unclear.

Data Retention Periods

E-commerce entities with more than 20,000,000 registered users, social media intermediaries with more than 20,000,000 registered users, and online gaming intermediaries with more than 5,000,000 registered users will have to comply with specific data retention periods of 3 years.

Exemptions for Research, Archiving and Statistical Purposes

The Rules prescribe specific measures and principles that need to be met to avail of these exemptions. Compliance with these standards would exempt businesses that process personal data for research, archiving, and statistical purposes from the scope of the DPDPA.
THE WAY FORWARD

The release of the Rules marks a much-awaited step towards the eventual enforcement of India’s data law, but is a mixed bag in respect of compliance. While the flexibility offered to data fiduciaries to define their own consent protocols is a welcome step, the lack of clarity on non-consent related grounds of processing, localisation requirements, and added compliance around processing of children’s data will require companies to create internal solutions and strategies to achieve compliance.

Feel free to write to [email protected] if you have any questions or would like to have a longer chat on these requirements.
AWARDS AND RECOGNITIONS

- Ranked: Asia Pacific 2025
- Ranked: Global 2025
- Ranked: Fintech 2025
- Recommended Firm 2025
- Technology and Telecommunications Firm of the Year 2024
WHAT DOES THE MARKET SAY ABOUT US?

“Mathew and Aadya stand out as the team members who take point on data advisory and actioning. As the requirements of the company are cross-jurisdictional, it is a significant differentiator that they are able to run India, have a preliminary view on international positions, and effectively coordinate with international counsels.”
–Legal500

“It’s excellent to be able to rely on Mathew and Aadya to run a project globally at competitive rates but unquestionably high-quality standards; both their own and the counsels they partner with.”
–Legal500

“…they are the best team. Extremely knowledgeable, responsive, and dedicated!”

“Every member of Spice Route's team shows a very good understanding of the matter and the turnaround time is excellent.”
–Chambers and Partners

“Timely and accurate. Advisory is always to the point and they are always available for discussions. The team is extremely resourceful and can handle every complex matter we throw at them.”
–Chambers & Partners
KEY CONTACTS

Mathew Chacko, Partner
Aadya Misra, Partner
Ankita Hariramani, Partner
Ada Shaharbanu, Senior Associate
Soumitra Ponkshe, Senior Associate
Harshada Bakshi, Senior Associate
Vishal Singh, Senior Associate
Ajeeth Srinivas, Associate
Vishnu Naduvakkad, Associate
Dhruvo Das, Associate
Swastik Sharma, Associate
Hamsadhwani Alagarsamy, Associate
Sean McDonald, Associate
Pulkit Taneja, Associate
Ishani Mukherjee, Associate
Dhriti Hundia, Associate
[email protected]
https://spiceroutelegal.com/
Bengaluru, Mumbai, Pune, Delhi