NEW DELHI: Millions of Indians going online will now have guaranteed control over their personal digital data, as the government has issued the final rules to implement the Digital Personal Data Protection (DPDP) Act, originally passed by Parliament in August 2023.
Under the new, long-awaited rules, social media platforms such as Facebook and Instagram must obtain verifiable parental consent before onboarding anyone under 18. The framework establishes a consent-driven system to safeguard the data of users accessing social media, e-commerce, gaming, banking, payment platforms, and government services.
Companies that violate the law face penalties of up to ₹250 crore for major lapses in data protection or breaches. They are also required to promptly notify both users and the newly formed Data Protection Board of any data breach. Notifications must be issued in clear, simple language explaining the nature of the breach, potential consequences, the steps taken to address it, and contact details for assistance.
Implementation will be phased in, with businesses given an 18-month transition period to make the necessary backend changes.
The government said the law is built on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
For children’s data—an area where major tech companies had pushed for more flexibility—the law mandates verifiable parental consent before any processing of minors’ personal information, except for limited essential purposes such as healthcare, education, or real-time safety. For persons with disabilities who are unable to make legal decisions even with support, consent must come from a lawful guardian. Companies must adopt appropriate technical and organisational measures to obtain verifiable parental consent.
The new rules also restrict the transfer of certain categories of data outside India.
