Digital Data Protection Act: Your Data is Now Secure! India Implements New Digital Law with Penalties Up to ₹250 Crore
Digital Data Protection Act: A new era in data protection for digital users has begun in India. On November 13, the country officially operationalized its first comprehensive digital privacy law, the Digital Personal Data Protection (DPDP) Act. The DPDP Rules, 2025, bring into effect the DPDP Act passed by Parliament in August 2023, establishing strict regulations for how technology companies handle user data in the world’s most populous nation.
This new law marks a turning point for tech companies, social media platforms, and e-commerce sites. From now on, organisations will have to be far more responsible in safeguarding user data.
Key Features of the New Law
The cornerstone of this law is user consent. Companies must now obtain clear and informed consent from users before processing any personal data. For serious violations such as data breaches, the law imposes stringent penalties of up to ₹250 crore (approximately $30 million).
- Consent-Based Data Collection: No personal information can be collected or used without the user’s explicit permission.
- Breach Notification: Users must be notified within 72 hours in the event of a data breach.
- User Control: Users are granted unprecedented control over their personal information.
Strict Protection for Children’s Data
The new rules place a special emphasis on safeguarding children’s online privacy. Platforms are required to obtain verifiable parental consent before processing the data of anyone under 18 years of age. This poses significant operational challenges for social media giants like Meta and Alphabet’s Google in implementing age verification systems.
The legislation prohibits behavioural tracking and targeted advertising directed at children, with limited exemptions for purposes like healthcare, education, and safety. Technology companies must also implement measures to prevent children from falsifying their age.
Phased Implementation and New Board
The government has granted organisations a transition period of 12 to 18 months for full compliance, acknowledging the significant system overhauls required. Core obligations related to consent, grievance handling, and purpose-limited data use took effect immediately. More complex requirements, like appointing Data Protection Officers and establishing consent manager frameworks, will be phased in over this period.
To enforce this law, the Data Protection Board of India has been established. Headquartered in the National Capital Region (NCR) with four members, it will function as a fully digital institution where citizens can file and track complaints through an online platform and a mobile app.
Cross-Border Data Concerns
The new rules permit cross-border data transfers unless specifically restricted by the government. However, companies processing data for more than 5 million users will be classified as ‘Significant Data Fiduciaries’. They will face enhanced obligations, including annual audits and impact assessments, which has drawn some pushback from global technology firms.