checkDPDP


DPDP Rules 2025 explained: 7 key changes for Indian websites

MeitY notified the DPDP Rules on 13–14 November 2025 with an 18-month phased rollout. Here are the seven changes that matter most for Indian website owners — consent UX, breach SLAs, children's data, cross-border, Significant Data Fiduciary, grievance redressal, and the May 2027 deadline.

25 Jun 2026 · 9 min read

The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023 and then sat without operating rules for two years. That ended on 13–14 November 2025, when MeitY notified the DPDP Rules, 2025 with an 18-month phased rollout. The Act now has working teeth, the Data Protection Board is constituted, and the headline compliance deadline is fixed: 13 May 2027. This is the seven-change summary for an Indian website owner reading the Rules for the first time.

**Change 1 — Consent Manager regime activated.** Section 6(7) of the Act envisaged a Consent Manager — a Board-registered entity that gives Data Principals a single dashboard to give, manage and withdraw consent across multiple Fiduciaries. The Rules set the registration criteria (₹2 crore net worth, fit-and-proper directors, technical interoperability standards) and signal that the registration window is expected to open around November 2026. For an Indian website, the operational impact lands in 2027: Consent Managers will issue user-side consent tokens, and your stack will need to accept and honour those tokens alongside your own banner. Build the consent layer assuming dual sources — your own banner plus federated tokens from a Consent Manager — rather than your banner alone.

**Change 2 — Breach notification: 72-hour detailed report + early intimation.** Section 8(6) of the Act simply says 'notify the Board and affected Data Principals'. The Rules give that obligation a timer: an early intimation as soon as the Fiduciary becomes aware of the breach, followed by a detailed report to the Data Protection Board within 72 hours. The notification to affected Data Principals must include the nature of the breach, the data categories affected, the steps taken, and the contact for follow-up. For an Indian website, this means a pre-written breach playbook is now table stakes — the 72-hour clock starts when your team becomes aware, not when the breach happened, and 72 hours is not enough time to assemble a playbook from scratch under pressure. The [72-hour breach template](/tools/breach-notification) is a starting skeleton.

**Change 3 — Verifiable parental consent for children.** Section 9 of the Act prohibits processing children's data without 'verifiable consent of the parent or lawful guardian' and bans tracking, behavioural monitoring and targeted ads at children outright. The Rules specify acceptable verification methods — including DigiLocker-backed parental identity verification, a ₹1-refund-style payment verification linked to a parent's account, and government-ID OTP linked to a parent's mobile. Self-attested age is no longer sufficient where the platform has signals that a user is under 18. For Indian edtech, gaming, social and any consumer product with under-18 users, this change forces an age-determination flow before consent — and the engineering work is substantial. See the [DPDP for Indian edtech](/blog/dpdp-for-edtech-india) post for the deeper walk-through.

**Change 4 — Section 5 notice itemisation.** Section 5 of the Act requires a notice listing the personal data being collected, the purposes, and the rights mechanism. The Rules pin down what 'itemised' means in practice: each category of personal data must be named (email, phone, location, payment metadata — not 'contact information'); each purpose must be specific (order fulfilment, transactional email, marketing emails — not 'business operations'); and the Grievance Officer's name, designation, contact and 30-day SLA must be visible on the notice and in the site footer. Generic privacy-policy templates that worked under the pre-Rules vacuum will now fail an audit. The [privacy notice generator](/tools/privacy-notice) is the cheapest fix.

**Change 5 — Cross-border 'negative list' formalised.** Section 16 of the Act takes a permissive default (transfers allowed) with restrictive overrides (the Central Government may notify specific countries as restricted). The Rules confirm the negative-list mechanism without yet naming any countries — meaning Indian website operators today can transfer personal data to most destinations (AWS us-east-1, GCP europe-west, Cloudflare global) without a separate transfer mechanism. The Rules also clarify that sector regulators (RBI, IRDAI, SEBI, MoH&FW) retain the ability to impose stricter localisation requirements — payment data still needs to follow RBI's localisation circulars regardless of DPDP being permissive. See the [cross-border guide](/cross-border) for the practical playbook.

**Change 6 — Significant Data Fiduciary criteria + India-resident DPO.** Section 10 of the Act lets the Government designate any Fiduciary as 'Significant' by volume, sensitivity or risk. The Rules sharpen the framework: SDFs must appoint an India-resident Data Protection Officer who is a senior employee reporting to the Board of Directors, undergo a periodic Independent Data Auditor audit, and conduct a Data Protection Impact Assessment for any processing that materially changes risk. The Rules do not pin a single user-count threshold — MeitY explicitly kept the criteria flexible — but large consumer platforms, anyone touching children's or health data at scale, and intermediaries with influence over public discourse should plan as if designation is coming. See the [SDF obligations post](/blog/significant-data-fiduciary-obligations-explained) for the procurement timeline.

**Change 7 — Grievance redressal: 30-day SLA.** Section 8(10) of the Act requires every Data Fiduciary to publish a Grievance Officer. The Rules add the SLA: grievances must be resolved within 30 days of receipt. The Board treats the SLA as a pattern-of-conduct test — a documented 95% on-time rate is a complete defence in most realistic complaint scenarios. A site that bounces grievance emails or has no named officer fails immediately. The [Grievance Officer guide](/blog/how-to-add-grievance-officer-website-dpdp) covers the publish-and-respond pattern that survives a Board audit.

**The deadline — 13 May 2027.** The Rules phase obligations over 18 months from notification. The most demanding obligations (verifiable parental consent at scale, SDF duties, Consent Manager interoperability) come into force across that window; the headline deadline for full compliance is 13 May 2027. 2026 is the build year. Most organisations underestimate how much consent UX, processor agreements, breach playbooks and rights-handling work is required — the right starting move is a [free scan](/scan) of your current state and a [gap analysis](/tools/gap-analysis) to prioritise the build.

**Bottom line.** The Rules do three things together: they replace 'wait and see' with a concrete operational timetable, they tighten consent and notice UX in ways most Indian sites currently fail, and they raise the cost of being passively non-compliant. None of the seven changes above is a six-month engineering programme on its own. All seven together, in 18 months, is. Start with the visible failures (banner, notice, Grievance Officer, breach playbook), then layer the structural work (SDF readiness, Consent Manager integration, cross-border documentation). The [interactive compliance checklist](/checklist) sequences the work for you.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
