India finally enforces data privacy law; companies get up to 18 months to comply

All platforms handling personal data must appoint consent managers

More than two years after Parliament passed India’s first dedicated data privacy legislation, the Digital Personal Data Protection (DPDP) Act, 2023 has formally come into force. The ministry of electronics and IT (Meity) on Friday notified the operational rules and unveiled a four-member Data Protection Board, bringing the long-awaited law into effect.

Under the fresh notification, companies will get 12 to 18 months to comply with the various obligations laid out in the Act.

Consent managers

All platforms handling personal data must appoint consent managers—the nodal officers responsible for overseeing consent-related processes—within 12 months, or by 14 November 2026. These managers will be accountable for ensuring that platforms seek valid consent from users before using their data for business purposes.

Firms have 18 months to build systems that obtain explicit user permission before deploying personal data for targeted advertising or other commercial activities. They must also report any data breach to the newly formed Data Protection Board within 72 hours, and inform affected users without delay.

Data protection officers

All social media platforms and data-handling entities will be required to appoint a data protection officer in the next 18 months. Companies will also need to secure verifiable parental consent before collecting or using data belonging to anyone under the age of 18.

At the same time, the new rules prohibit firms from using certain types of minors’ data for profiling or general targeted advertising—an industry concern that had surfaced during the draft stage. The exemption allowing safety-related features such as location tracking or age-appropriate content filters has been retained.

Cross-border transfers

The DPDP rules adopt a blacklisting framework for cross-border data flows. Under Rule 15, personal data may be transferred to most countries by default, except those specifically prohibited by the union government.

However, Rule 13(4) states that storing personal data outside India can still be restricted on the advice of a special committee comprising representatives from Meity and other government departments.

Clarity welcomed

Industry voices have broadly welcomed the final rules. Aparajita Bharti, founding partner at policy consultancy The Quantum Hub, said the rules “offer clarity to companies, particularly on implementation timelines”. She added that explicit allowances for children’s safety features—such as parental control apps or age-appropriate content filters—address a major concern raised by firms during consultations.

Data Protection Board

The newly notified Data Protection Board becomes operational immediately. According to the government notification, the chairperson will receive a monthly remuneration of ₹4.5 lakh, while the other three members will be paid ₹4 lakh each.

DhanamOnline English
english.dhanamonline.com