Your App or Website Collects User Data. Here Is What the DPDP Rules 2025 Now Require You to Do Before May 2027


The Clock Is Already Ticking, and Most Indian Businesses Don’t Realize It

Imagine you run an e-commerce app. Every day, thousands of users sign up and share their names, phone numbers, addresses, and payment details. Your privacy policy sits in the footer, mostly unnoticed. You send marketing emails and share data with ad platforms. You probably haven’t given it much thought, since no one asked you to.

But that’s about to change.

On November 13, 2025, the Government of India officially announced the Digital Personal Data Protection (DPDP) Rules, 2025. These rules implement the DPDP Act, 2023. Full compliance is required by May 13, 2027. That might seem like a long way off, but it’s not. The changes you’ll need to make go far beyond updating your privacy policy. They involve real changes to how your business collects, stores, and uses personal data.

This guide explains what you need to do in simple language and with real examples, so you can start getting ready now.

What Is the DPDP Act and Why Should You Care?

India’s Digital Personal Data Protection Act, 2023, is the country’s first independent data protection law. You can think of it as India’s version of the GDPR. It sets the rules for how organizations, known as Data Fiduciaries, collect, use, store, and delete the personal data of individuals, known as Data Principals.

If your app or website collects even a name and phone number from someone in India, this law applies to you. Many founders are surprised to learn that it also covers foreign companies if they offer goods or services to people in India.

The DPDP Rules 2025 are the detailed instructions that make the Act work in practice. They tell you exactly what steps to take, when to take them, and how to do it.

The Three-Phase Rollout: What’s Already Live and What’s Coming

The government set up a phased timeline because it understood that meeting these requirements would take time. Here is the current status as of February 2026:

  • Phase 1 (November 13, 2025): The Data Protection Board of India was established.
  • Phase 2 (November 13, 2026): Registration for Consent Managers opens.
  • Phase 3 (May 13, 2027): All core compliance duties become mandatory.

Phase 3 is the most important stage. It includes consent notices, security measures, breach reporting, data principals’ rights, and requirements for Significant Data Fiduciaries (SDFs). The 18-month period from November 2025 to May 2027 is your window to prepare, and time is running out.

Who Is Considered a “Data Fiduciary”? Are You One Too?

A Data Fiduciary is anyone, person or organisation, who decides why and how personal data is processed. Put simply, if you choose what data to collect and for what reason, you are a Data Fiduciary.

  • For example, if a SaaS startup collects email addresses to onboard users, it is a Data Fiduciary.
  • A food delivery app that saves customer addresses and order history is also a Data Fiduciary.
  • If a hospital manages patient records digitally, it is considered a Data Fiduciary.
  • Even a freelancer who uses a contact form on their portfolio website is likely a Data Fiduciary.

Some organisations are called Significant Data Fiduciaries (SDFs). These are large platforms that handle a lot of sensitive data. SDFs have additional responsibilities, including required Data Protection Impact Assessments (DPIAs), independent audits, and, in some cases, data localisation rules.

The 7 Core Compliance Requirements You Must Meet Before May 2027

1. Completely Revamp Your Consent Mechanism

Under the DPDP Rules 2025, consent is the main legal reason for processing personal data. But not just any consent will do. It must be free, specific, informed, and clear.

What does this mean in practice?

  • Pre-ticked checkboxes are out. Gone.
  • Buried consent in 40-page terms and conditions? Not acceptable.
  • Consent must be given for a specific purpose. You cannot ask for broad approval to use data just “for business purposes.”
  • Users must be able to withdraw consent at any time, as easily as they gave it.

Real example: Think of how Zomato asks for location access. Currently, many apps require it as a condition of use. Under the DPDP Rules, you’ll need to be explicit: “We need your location to show nearby restaurants. You can revoke this at any time in Settings.” And then actually make that revocation mechanism work.

If a user withdraws consent, you must stop processing their data for that purpose. You also need to ensure your processors, including vendors and third parties, do the same.
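To make the four rules above concrete, here is an added example (not code from the original article or from any named app) of a per-user, per-purpose consent ledger: consent is recorded only for a named purpose, a pre-ticked box is refused, a check for one purpose never satisfies another, and withdrawal is propagated to every downstream processor registered for that purpose. The purpose names and processor names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example: a purpose-specific consent ledger. Each record binds one
# user to exactly one named purpose; there is deliberately no "all purposes" entry.

@dataclass
class ConsentRecord:
    purpose: str                          # e.g. "location_nearby_restaurants"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Consent per user and purpose, with withdrawal that stops downstream processing."""

    def __init__(self, processors: dict):
        # purpose -> list of (hypothetical) processors/vendors that receive data for it
        self.processors = processors
        self.records: dict = {}                 # user_id -> {purpose: ConsentRecord}
        self.revocations_sent: list = []        # (processor, user_id, purpose)

    def grant(self, user_id: str, purpose: str, pre_ticked: bool = False) -> ConsentRecord:
        # A pre-ticked box is not free, informed consent: refuse to record it.
        if pre_ticked:
            raise ValueError("consent must be an affirmative action by the user")
        # A broad "business purposes" grant is not a purpose the ledger knows.
        if purpose not in self.processors:
            raise ValueError(f"unknown purpose {purpose!r}; consent must name a specific purpose")
        rec = ConsentRecord(purpose, datetime.now(timezone.utc))
        self.records.setdefault(user_id, {})[purpose] = rec
        return rec

    def withdraw(self, user_id: str, purpose: str) -> None:
        rec = self.records.get(user_id, {}).get(purpose)
        if rec is None or not rec.active:
            return
        rec.withdrawn_at = datetime.now(timezone.utc)
        # Withdrawal must reach every processor acting on this purpose, not just your own systems.
        for proc in self.processors[purpose]:
            self.revocations_sent.append((proc, user_id, purpose))

    def may_process(self, user_id: str, purpose: str) -> bool:
        # Consent for one purpose never covers another: check the exact purpose.
        rec = self.records.get(user_id, {}).get(purpose)
        return rec is not None and rec.active
```

Every data-processing code path should call may_process with the purpose it is about to serve, so that withdrawal takes effect immediately rather than on the next policy review.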

2. Issue a Clear, Itemised Consent Notice

Before you collect any personal data, you need to provide notice to users. This notice should be:

  • Written in clear, simple language without legal jargon
  • Provided separately from your terms of service
  • Available in several languages, ideally in the language your user prefers
  • Clear about what data you collect, why you collect it, and how you will use it

Your notice should include the following:

  • What personal data you are collecting
  • Why you are processing this data
  • How the user can exercise their rights
  • Contact information for your Data Protection Officer, if you have one

Real example: If you run a fitness app that collects health data, you can’t just say, “We collect health information to improve your experience.” It must say something like: “We collect your step count, heart rate, and weight to generate personalised fitness plans. This data is not shared with advertisers. You can request deletion anytime by emailing privacy@yourapp.com.”

3. Build in Data Minimization and Retention Limits

The Rules set strict limits on how much data you can collect. You should only gather what you need for your specific purpose, and you cannot keep it indefinitely.

A key retention rule is that you cannot retain personal data for more than 1 year after a user becomes inactive, unless the law requires you to retain it longer.

There is an important exception. For completed transactions, you must retain relevant data, such as order details, payment information, and system logs, for at least 1 year after the purpose for which it was collected is served. This is required for audit and legal compliance.

Before deleting any data, you need to give users 48 hours’ notice that their information will be erased due to inactivity.

For your business, this means that if you have users who signed up in 2019 and never came back, you probably need to delete their data or notify them first. Most companies will need to do a thorough data audit to comply.
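The retention rule above has three moving parts (the 1-year inactivity limit, the 48-hour notice, and the 1-year hold on completed-transaction records), and they interact. The following added example (not the article's code) turns them into a single decision function that a nightly job could run over user records; the record fields, the "legal hold" exception and the sample data are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed illustration of the retention rule described above (not the page's code).
INACTIVITY_LIMIT = timedelta(days=365)       # erase personal data 1 year after the user goes inactive
ERASURE_NOTICE = timedelta(hours=48)          # warn the user 48 hours before erasing
TRANSACTION_RETENTION = timedelta(days=365)   # keep completed-transaction records >= 1 year after purpose served


@dataclass
class Transaction:
    tx_id: str
    purpose_served_at: datetime     # e.g. order delivered and the refund window closed


@dataclass
class UserRecord:
    user_id: str
    last_active: datetime
    notice_sent_at: Optional[datetime] = None    # when the 48-hour erasure notice went out
    legal_hold_until: Optional[datetime] = None  # hypothetical: another law requires longer retention
    transactions: list = field(default_factory=list)


def retention_action(user: UserRecord, now: datetime) -> tuple:
    """Return (action, transaction ids that must still be retained).

    action is one of "keep", "notify", "wait", "erase".
    """
    if now - user.last_active <= INACTIVITY_LIMIT:
        return "keep", []
    if user.legal_hold_until is not None and now < user.legal_hold_until:
        return "keep", []                       # statutory exception to the 1-year limit
    if user.notice_sent_at is None:
        return "notify", []                     # the 48-hour notice must go out first
    if now - user.notice_sent_at < ERASURE_NOTICE:
        return "wait", []                       # notice period still running
    # Erase the profile, but audit records of completed transactions stay for their own period.
    retained = [t.tx_id for t in user.transactions
                if now < t.purpose_served_at + TRANSACTION_RETENTION]
    return "erase", retained
```

The job that acts on "erase" should delete the profile fields and keep only the listed transaction records, so that the audit trail survives without the personal profile around it.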

4. Put Security Safeguards in Place and Keep Records

This is where the penalties become severe. If you do not maintain reasonable security safeguards, you could face the highest penalty under the Act, which is up to ₹250 crore for each breach.

The Rules require:

  • Encryption and masking of all personal data in your possession
  • Access control: Only authorised personnel within your company should be able to access user data.
  • Access logging and monitoring: Track who accessed what data and when.
  • Data backups to ensure continuity in case of a breach
  • Incident detection mechanisms: Use systems that can spot unauthorized access.

These steps are required. They apply not only to your own systems, but also to any Data Processors you hire, such as vendors, cloud providers, or analytics tools. You are responsible for making sure they follow these rules as well.

5. Build a Breach Reporting Process Without Thresholds

India’s law is stricter than the GDPR in this area. Under the DPDP Rules, you must report every personal data breach to the Data Protection Board and to affected users. There is no materiality threshold, so even a breach involving just one record must be reported.

The Rules require you to notify the following:

  • The Data Protection Board
  • Affected Data Principals, which means the users whose data was compromised

If you do not notify, you could face penalties of up to ₹200 crore.

What this means in practice: You need a clear process for responding to personal data breaches. Large organizations might need a dedicated team. At the very least, set up a protocol that covers who is notified internally, who contacts the Board, who informs affected users, and how quickly each step happens.

6. Enable and Respect Data Principal Rights

Your users now have clearly defined rights, so you need to create systems that respect those rights.

  • Right to Access: The user can ask what personal data you hold about them.
  • Right to Correction: The user can request corrections to inaccurate data.
  • Right to Erasure: The user can ask you to delete their data when it’s no longer needed.
  • Right to Nominate: The user can nominate someone to exercise their rights in case of death or incapacity.
  • Right to Grievance Redressal: The user can complain. You must have a mechanism to resolve it.

For example, if a user emails you and asks, “What data do you have on me?” you need a process to answer them. Many startups do not yet have a formal way to handle this. You must set up a process before May 2027.

7. Special Obligations for Children’s Data

If your platform is used by anyone under 18, or if you collect data that might be about children, the DPDP Rules set much stricter requirements.

  • You must get clear parental consent before processing a child’s data.
  • You are not allowed to profile children for targeted advertising.
  • You are not allowed to track children’s behaviour or create profiles about them.

This is especially important for edtech platforms, gaming apps, social media, and any consumer app with a wide user base. The rules governing the handling of children’s data are among the strictest in the entire framework.

What Are Significant Data Fiduciaries, and Could You Be One?

The government will label some organizations as Significant Data Fiduciaries (SDFs) depending on things like how much data they handle, how sensitive it is, the risk to individuals, and national security concerns.

SDFs face additional obligations:

  • Annual Data Protection Impact Assessments (DPIAs) conducted by independent professionals, with reports submitted to the Data Protection Board
  • Independent audits of compliance
  • Appointment of a Data Protection Officer (DPO) based in India
  • Due diligence on all algorithmic and AI systems used for processing personal data
  • Possible data localization requirements for specified categories of data

If you run a large consumer tech, fintech, healthtech, or social media platform in India, you should start preparing for SDF obligations now. The designation might happen sooner than you think.

Penalties: Numbers That Should Get Your Attention

Here’s what it really costs if you don’t comply:

  • Failure to maintain security safeguards: ₹250 crore (USD 28 million)
  • Not notifying the Board/users of a breach: ₹200 crore
  • Violations related to children’s data: ₹200 crore
  • Other violations of the Act or Rules: ₹50 crore

These numbers are real. The Data Protection Board of India is now in place and can investigate complaints and issue these penalties. While the rules are a bit easier on MSMEs, the system is designed to ensure everyone follows them.

Your 18-Month Compliance Roadmap (Starting Now)

Here’s a step-by-step plan businesses can use from now until May 2027.

Now through June 2026: Audit and Gap Assessment

  • Conduct a full data mapping exercise: What data do you collect? From where? Who processes it? How long do you keep it?
  • Review all existing consent flows, privacy policies, and vendor contracts.
  • Identify gaps against the DPDP Rules requirements.

July to December 2026: Build and Redesign

  • Redesign consent flows to meet the specific, itemized, plain-language requirements.
  • Build or upgrade mechanisms for users to exercise their rights (access, correction, erasure).
  • Implement or strengthen security safeguards across all systems.
  • Draft compliant data processing agreements with all vendors.
  • November 2026: Consent Manager registration opens. Get involved in this ecosystem.

January–April 2027: Final Preparation

  • Test all systems end-to-end.
  • Train your teams on data handling protocols.
  • Finalize incident response procedures for breach reporting.
  • Conduct internal mock audits.
  • Confirm vendor compliance.

May 2027: Go Live with Full Compliance

Common Mistakes Indian Businesses Make (And How to Avoid Them)

Mistake 1: Thinking this is just a “privacy policy update.” It’s much more than paperwork. You need to rethink how your business manages data, so make sure the right people are in charge.

Mistake 2: Believing the deadline is a long way off. May 2027 is only 15 months after February 2026. Setting up consent systems, doing data audits, retraining your team, and updating vendor contracts all take time. If you wait until April 2027 to start, you won’t be ready.

Mistake 3: Overlooking your Data Processors. You must make sure every vendor, analytics provider, CRM tool, and cloud platform you use also follows DPDP rules. This usually means updating contracts, so begin those discussions as soon as possible.

Mistake 4: Underestimating children’s data obligations. If your app could be used by anyone under 18, you need to build parental consent verification into your onboarding process. This is technically complex and needs lead time.

Mistake 5: Failing to plan for breach reporting. Many startups don’t have a clear way to spot or report data breaches. You’ll need to set up people, systems, and steps for this, not just send out a standard email.

Frequently Asked Questions

Does the DPDP Act apply to small businesses and startups?

Yes. The Act applies to any organization that processes the personal data of individuals in India, regardless of business size. However, the penalty framework is graded, and the government has indicated some consideration for MSMEs. That said, core obligations around consent, security, and breach reporting apply to all Data Fiduciaries.

What is a Consent Manager?

A Consent Manager is a registered intermediary that helps individuals manage their consent across multiple platforms from a single interface. They act as agents for Data Principals, allowing users to give, review, update, and revoke consent in one place. Registration for Consent Managers opens in November 2026.

Do I really have to report every data breach, even a minor one?

Yes. Unlike GDPR, which sets a threshold based on the "likelihood of risk to individuals," the DPDP Rules require reporting all personal data breaches, regardless of severity, to the Data Protection Board and affected users. There is no minimum harm threshold. This makes having a robust incident response process essential.

How do I know if my business is a Significant Data Fiduciary?

The government designates Significant Data Fiduciaries based on the volume and sensitivity of the data processed, the risk to data principals, and national security considerations. The formal designation list hasn't been published yet as of February 2026, but large consumer tech platforms, fintechs, healthtechs, and social media apps with a large Indian user base are most likely to be classified. SDFs face additional obligations, including annual DPIAs, independent audits, and mandatory appointment of a Data Protection Officer.

Can I still use personal data for marketing and targeted advertising?

Only with explicit, purpose-specific consent. You cannot rely on buried terms or assumed consent for marketing. Over 70% of businesses running targeted advertising campaigns on platforms like Google or Meta will need to redesign their consent flows to comply with the DPDP Rules.

How does the DPDP Act differ from GDPR?

Both are consent-based frameworks, but there are meaningful differences. The DPDP Act does not define "sensitive personal data" as a separate category. It also has no "legitimate interests" ground for processing; consent is the primary (and practically the only) basis. On breach reporting, DPDP is stricter, with no minimum threshold for reporting. On the flip side, DPDP currently does not provide the right to data portability that GDPR does.
