Executive Summary
- India’s Digital Personal Data Protection Act (DPDP Act) 2023 has now been fully operationalized with the DPDP Rules 2025, notified on 14 November 2025.
- EY India estimates the law will unlock more than ₹10,000 crore of spending over the next three years on privacy automation and compliance services, with consent management alone accounting for around 10%.
- A new class of regulated “Consent Managers” is emerging, supported by MeitY’s “Code for Consent” challenge and a minimum net-worth requirement of ₹2 crore.
- The Rules tighten obligations on notices, consent, data retention, children’s data, security controls, breach reporting and cross-border transfers, with 12–18-month implementation timelines for most organizations.
- While the framework strengthens user rights, civil society and startups have flagged high compliance costs, extensive logging requirements and broad exemptions for state processing as areas of concern.
1. The DPDP Act and Rules: Where India Stands Now
Parliament passed the Digital Personal Data Protection Act in August 2023, creating a comprehensive privacy law for the world’s largest open internet market.
The DPDP Rules 2025, notified by the Ministry of Electronics and IT (MeitY) on 14 November 2025, translate this law into operational requirements – from how consent must be collected to how breaches must be reported.
Most obligations kick in over a staggered 12–18-month period, giving organizations time to upgrade systems, appoint data protection officers and implement automated workflows.
2. A ₹10,000 crore Compliance and Privacy Automation Market
According to EY India’s analysis, India’s new data law is expected to drive at least ₹10,000 crore of cumulative spending over the next three years as firms invest in privacy technologies, cyber-security and advisory services.
Key spending buckets include:
- Consent and preference management platforms
- Data discovery and mapping tools
- Identity and access management
- Security monitoring and breach response
- Policy, legal and process consulting
Consent management alone could contribute around 10% of this market as large enterprises embed consent systems into their digital infrastructure in the next 12–18 months.
Global vendors such as ServiceNow, IBM, OneTrust, and TrustArc, as well as specialised Indian SaaS providers, are already positioning themselves for this spend, often partnering with consulting and audit firms to deliver end-to-end solutions.
3. Consent Managers and the “Code for Consent” Ecosystem

The DPDP Act formally defines a Consent Manager as a registered entity that acts as a single point of contact to enable data principals to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
The Rules and supporting guidance specify that:
- A consent manager must be an Indian company with a minimum net worth of ₹2 crore.
- The platform must be neutral and interoperable across multiple data fiduciaries.
- Consent should be verifiable in real time via secure APIs and must support revocation and modification.
To accelerate this ecosystem, MeitY and the National e-Governance Division launched the “Code for Consent: DPDP Innovation Challenge”. Six entities have been shortlisted for the second round: Jio Platforms, Baldor Technologies (IDfy), VertexTech Labs (Redacto), Zoop (Quagga Tech), Concur – Consent Manager and Aurelion Future Forge.
These firms are now building and testing prototype consent management systems that could become reference architectures for the wider market.
4. What the Final DPDP Rules Mean for Businesses
The notified Rules fill in the operational details across several themes.
4.1 Notices, Consent and Data Retention
- Pre-ticked boxes, bundled permissions and implied consent are not acceptable. Organisations must obtain clear, specific consent via notices in English or any scheduled language, explaining what data is collected, why, and how to withdraw consent.
- Data fiduciaries must erase personal data once the purpose is fulfilled or consent is withdrawn, unless retention is required under another law.
- Draft and final guidance expect structured retention schedules, consent logs and right-request logs that can be audited.
4.2 Children’s Data and Age-Gating
The Act and Rules create one of the stricter regimes for processing children’s data:
- Data fiduciaries must obtain verifiable parental consent before processing personal data of individuals under 18, with flexibility on the mechanism but clear accountability for effectiveness.
- Behavioral tracking and targeted advertising aimed at children are generally prohibited, with limited exceptions for safety and prevention of harmful content.
- The Rules allow real-time location tracking of children without parental consent only for tightly scoped safety and protection purposes, which has drawn close scrutiny from privacy advocates.
4.3 Cross-Border Transfers and Localization
- Most personal data can flow cross-border, but the central government can notify specified categories that must remain in India, based on recommendations from a committee.
- Significant Data Fiduciaries (large, high-risk entities) face stricter governance, including impact assessments and localization for designated classes of data.
4.4 Security, Breach Reporting and Timelines
- Data fiduciaries must implement “reasonable security safeguards” proportionate to risk, including technical and organizational controls.
- Breaches must be reported to the Data Protection Board and affected individuals in a prescribed format and within tight timelines, bringing India closer to global norms such as the EU’s GDPR.
5. Costs, Gaps and the Civil-Society Response
The new framework has been broadly welcomed as a long-overdue privacy law that codifies user rights and corporate responsibilities.
At the same time, legal scholars and policy groups have highlighted concerns:
- High fixed compliance costs for startups and smaller platforms, especially around age verification, log retention and continuous monitoring.
- The requirement to retain detailed logs for at least a year, which improves auditability but increases the persistence of digital footprints.
- Broad exemptions that allow government agencies to process data for reasons such as national security or friendly relations with foreign states, with limited external oversight.
These tensions will likely shape future amendments, sectoral guidelines and enforcement practice.
6. What Organizations Should Do in the Next 12–18 Months
For Indian and multinational businesses operating in India, the DPDP Act regime should be treated as a strategic compliance and trust-building initiative rather than a narrow legal exercise. A pragmatic roadmap would typically include:
- Governance and accountability
  - Appoint a senior data protection officer or designate a responsible executive.
  - Establish a privacy steering committee spanning legal, IT, security, HR and business units.
- Data mapping and risk assessment
  - Catalogue systems, vendors and data flows that involve personal data.
  - Classify processing activities by risk, including children’s data and cross-border transfers.
- Consent, notices and preference management
  - Redesign notices and consent flows in line with DPDP Rules.
  - Evaluate whether to integrate with one or more consent managers as they go live.
- Controls, retention and logging
  - Implement technical safeguards, role-based access, encryption and monitoring.
  - Create retention schedules, deletion workflows and audit-ready logs.
- Children’s data and age-gating
  - Introduce verifiable parental consent where minors are involved.
  - Turn off targeted advertising and behavioural tracking for child users.
- Training, testing and ongoing assurance
  - Run structured training for employees, especially in front-line and tech teams.
  - Conduct periodic internal audits and penetration tests; refine controls based on findings.
Opinion: Move from Checkbox to Trust-First Compliance
India’s new data protection regime should be read as a strategic inflexion point for digital businesses, not just a tougher set of rules. The DPDP Act and Rules will stretch governance, process and technology capacity, especially in mid-market firms and startups, but they also create a clear roadmap to professionalize data management.
Organizations that use this transition to rationalize the data they hold, design intuitive consent and preference journeys, and systematically close out legacy data risks will be better placed to earn customer trust, secure cross-border partnerships and face regulators with confidence. Over time, competitive advantage will accrue to those that move past checkbox compliance and embed privacy-by-design into product roadmaps, process architecture, vendor management and technology platforms, with explicit KPIs and board-level oversight to keep the discipline intact.
Reference: Economic Times