Date: 2025-11-25

November 14 was an important date in India’s digital journey, marking a milestone by bringing to life a comprehensive framework that fundamentally changes how companies handle personal data. One of the major things that changes with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025—at least in theory—is the way an individual’s browsing history, e-commerce trail, or social media use can be used by advertisers. We are all used to privacy policies posted on these platforms, though hardly anyone reads them. What’s critical for the layman to note is that the DPDP framework transports privacy from a constitutional promise to enforceable rights and duties.

The good news is that companies can no longer hide behind impenetrable legal jargon. There has to be a clear and understandable request from the person determining the purpose and means of processing personal data (data fiduciary), for consent from the person whose data is being processed (data principal). The request shall be accompanied by a notice informing the principal of the purpose for processing the personal data, the way the principal can withdraw or modify consent, the grievance mechanism available, and the way complaints can be raised against the data fiduciary.

The rules provide timelines for data fiduciaries to maintain records before erasing them from their system. It is also significant to note that the rules apply to processing personal data outside India if it is in connection with offering goods or services within India.

The rules also provide for registration of ‘consent managers’, entities that play the role of a trusted intermediary between data principals and data fiduciaries, by assisting the data principal to manage their consents through a given platform. Consent managers have certain obligations too, such as implementing reasonable technical and organisational measures to prevent personal data breaches, and maintaining detailed records of every consent given, denied, or withdrawn, along with related notices and data sharing.