Campaign India Team
12 hours ago

Data rules land, and adland faces its reckoning

SOUNDING BOARD: India’s new DPDP regime forces agencies to rebuild data operations from the ground up, testing whether marketing’s infrastructure can match its ambition.

The industry now has a clear regulatory playbook after years of uncertainty.

India’s long-running data protection debate has finally crossed into operational reality. With the Government notifying the Digital Personal Data Protection (DPDP) Rules 2025—first released in draft form on January 3, 2025 and finalised ten months later—the industry now has a clear regulatory playbook after years of uncertainty.

The Rules settle key questions around the functioning of the Data Protection Board (DPB), consent management, security obligations for data fiduciaries, and requirements for children and persons with disabilities. They also introduce notable shifts from the draft, including the creation of authorised entities to verify identity, age or virtual tokens for parental consent, and a mandatory one-year retention period for personal data, traffic data and processing logs.

Many stakeholders welcomed the government’s consultative approach, noting that the Rules largely retain their original policy architecture while offering a phased and predictable rollout. However, others pointed out that some structural issues—such as parental consent thresholds and mandatory breach notifications—remain embedded in the Act and fall outside the remit of subordinate rule-making.

For India’s advertising ecosystem, the implications are immediate and material. The Rules place every data-driven practice, be it cookie syncing, profiling or cross-platform attribution, under sharper scrutiny, backed by penalties of up to INR 250 crore for major violations.

Agencies must now demonstrate full traceability across collection, processing, storage and deletion in an environment defined by fragmented martech stacks and a proliferation of third-party vendors. The question facing marketers is not whether compliance is possible, but how quickly they can rebuild their data foundations before enforcement catches up.

Dhruv Garg

Founding Partner

Internet Governance and Policy Project

With immediate activation of the DPB, a one-year window for Consent Managers and a full compliance deadline in 18 months, the burden on organisations, particularly smaller firms, will be significant. But after a decade and a half of committees, drafts and constitutional milestones, the Rules also bring long-awaited clarity, stronger user protections, and a more predictable digital governance structure. The real test now is whether India can translate this long journey into effective on-ground execution, balancing citizen rights, state capability and industry innovation at scale.

Vikas Bansal

Partner-IT Risk Advisory and Assurance

BDO India

Rule 10 requires Data Fiduciaries to obtain verifiable parental consent before processing children’s personal data and to confirm that the consenting party is an identifiable adult. Verification can rely on existing identity or age information or details voluntarily provided by parents or guardians, including digital mechanisms such as Digital Locker tokens. The Rule also introduces narrow exemptions for healthcare and education entities processing children’s data solely for health-protection or educational purposes, and for services focused strictly on child safety. These carve-outs apply only when data is used exclusively for the stated purpose, balancing protection with uninterrupted access to essential services.

Rashmi Deshpande

Founder

Fountainhead Legal

One key area still open is the restriction on cross-border data transfer, which will be addressed only through a separate Government order. The criteria for identifying Significant Data Fiduciaries will also be notified later. Until then, organisations must track both closely as they will shape compliance. The main provisions covering applicability, notices, consent, personal data processing, fiduciary obligations, and rights of data principals will come into force in 18 months from November 13, 2025, while most provisions relating to the constitution of the DPB will take effect from November 13, 2025. Consent managers will be able to start registering with the DPB one year from now.

Vikram Jeet Singh

Partner

BTG Advaya

The final set of Rules now sets out the timelines for their implementation—immediately for certain provisions relating to establishing the DPB, one year for those related to consent managers, and 18 months for rules relating to notices, breach reporting, data rendition, etc. There are more details relating to obtaining ‘verifiable parental consent’, whereby definitions of ‘adult’, authored entity, and digital locker service provider have been specified, and a separate rule on processing personal data of a disabled person has been added. There are some other, smaller, tweaks in the final Rules, for example, an added ground for processing children's data, in order to determine their real-time location for safety or protection purposes. On the whole, the final Rules are an ‘iteration’ of the version released earlier in 2025, with targeted changes and amendments on specific matters.

Ashok Hariharan

CEO and Co-founder

IDfy

The notification of the DPDP Rules marks a pivotal shift in India’s data protection landscape. It isn’t simply about meeting obligations; it’s about redefining how we honour the trust placed in us by every individual whose personal data we steward. As an industry, we must elevate our thinking from ‘Can we comply?’ to ‘How will we lead?’ by designing systems where consent is not an afterthought, breach-readiness is built-in, and privacy by design becomes the default. The real work begins now: translating policy into architecture, ambition into culture, and intent into impact. With the launch of the DPDP Act, the government has redeemed its pledge, not in half measure, but wholly and substantially, to guarantee privacy as a constitutional right for the people of Bharat, which it made in 2018.

Vaibhav Velhankar

Co-founder and chief technology officer

Segumento

The DPDP Act 2023 is a defining moment for India’s digital ecosystem. As data processors, we play a crucial role, ensuring that data is handled responsibly, with transparency, accountability, and purpose. These regulations will help adtech safeguard data while improving targeting and decision-making. GDPR reshaped how organisations handle data in Europe, where companies that embraced these principles didn’t just comply; they built trust, improved data quality, and unlocked more meaningful insights. India now has the same opportunity. The real opportunity in the DPDP Act lies in positioning privacy as a catalyst for smarter technology and data strategy… Companies that get this right will earn user trust and gain a measurable competitive advantage. 

Source:
Campaign India
