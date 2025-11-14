The Digital Personal Data Protection Act (DPDP) was passed in Parliament in 2023. It was passed to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto,” as per the Ministry of Law and Justice.

Two years after the passing of the Act, the Ministry of Electronics and Information Technology (Meity) on Friday brought it into effect by notifying the rules as well as a four-member data protection board under the DPDP Act, 2023.

As per Meity :

Companies have 12 months (until Nov 14, 2026) to appoint consent managers, who will be accountable for social media platforms seeking user consent to use personal data for business purposes.

They have 18 months to set up a system for obtaining explicit user permission before using data for purposes like targeted ads.

Data breaches must be reported to the data protection board within 72 hours and users must be informed without delay.

All social media platforms and data handlers must appoint a data protection officer within 18 months.

Companies must obtain verifiable parental consent before using data of users under 18 and cannot use certain data types that enable tracking minors for targeted ads, which has been an industry demand since the draft rules were issued.

The notifications come after

Meity

initiated a new framework built around the idea of ‘consent as a live signal’ to

operationalise

the Digital Personal Data Protection Act (DPDP) 2023 in August 2025. As part of the initiation, six companies were shortlisted in the first round of its ‘Code for Consent’ challenge to develop real-world Consent Management Systems (CMS). The selected teams were Jio,

IDfy

,

Redacto

,

Zoop

, Concur, and

Aurelion

, and were given three months to make working prototypes.

Provisions

As per the notification, the provisions are extended to citizens and include that the data collected, its purpose, and usage must be clearly stated in plain language; reasonable safeguards, including encryption and firewalls, must protect personal data; in case of a breach, users must be notified promptly and clearly, detailing timing, impact, and future measures; data cannot be stored beyond one year unless legally required with the provision that users must be informed 48 hours before erasure, except when continuing account use.

