Consent managers will be able to start registering with the Data Protection Board one year from now
FinTech BizNews Service
Mumbai, November 14, 2025: The Government of India has notified the Digital Personal Data Protection (DPDP) Rules, 2025, marking the full operationalisation of the DPDP Act, 2023. Together, the Act and Rules create a simple, citizen-focused and innovation-friendly framework for the responsible use of digital personal data.
Enacted by Parliament on 11 August 2023, the DPDP Act establishes a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals). It follows the SARAL design —Simple, Accessible, Rational and Actionable—using plain language and illustrations to support ease of understanding and compliance.
The Act is guided by seven core principles including consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
Rashmi Deshpande, Founder - Fountainhead Legal, law firm specialising in Technology and Data Privacy Practices, explains:
"The Draft Rules were first released on 3 January 2025 for stakeholder feedback. After ten months, the final DPDP Rules have now been issued with only limited changes. With these Rules in place, long-pending questions around the functioning of the Data Protection Board, consent management, security measures for data fiduciaries, and consent requirements for children and persons with disabilities now stand settled, giving stakeholders the clarity they have been waiting for.
One key area still open is the restriction on cross-border data transfer, which will be addressed only through a separate Government order. The criteria for identifying Significant Data Fiduciaries will also be notified later. Until then, organisations will need to track these two points closely, as they will directly affect compliance strategies.
The Government has also notified timelines for when different parts of the DPDP Act will take effect. The main provisions covering applicability, notices, consent, personal data processing, fiduciary obligations, and rights of data principals, will come into force in 18 months from 13 November 2025, giving businesses a clear and realistic runway to prepare.
Most provisions relating to the constitution of the Data Protection Board will take effect from 13 November 2025. This ensures the Board becomes functional well in advance and is ready to handle complaints and enforcement once the Act is fully operational, making the transition smoother for all stakeholders. Consent managers will be able to start registering with the Data Protection Board one year from now, giving them sufficient time to set up the required processes and systems before the framework becomes fully active."
