Overview
- An official gazette notification puts much of the DPDP Act into effect and sets an up to 18‑month compliance window, with consent managers required to register within 12 months.
- The Data Protection Board is established in principle as a fully digital adjudicatory body based in the National Capital Region with four members, with appointments yet to be announced.
- Data fiduciaries must inform affected users without undue delay and report breaches to the Board within 72 hours, with the government empowered to defer user disclosure in sensitive cases.
- Processing children’s data requires verifiable parental consent and prohibits tracking, profiling and targeted advertising to minors, with limited exemptions for healthcare, education and real‑time safety.
- Cross‑border transfers are permitted subject to future restrictions and potential localisation of specified categories, while Significant Data Fiduciaries face DPIAs, audits and algorithmic risk checks; firms must retain logs for a year and large platforms must delete data after three years of inactivity with 48‑hour notice.