Overview
- Implementation is staggered, with consent-manager registration due within 12 months (by 14 November 2026) and core fiduciary and Significant Data Fiduciary obligations taking effect after 18 months (around May 2027).
- The Data Protection Board is established as a four-member, digital-first adjudicatory body based in New Delhi to investigate complaints and levy graded penalties, with appeals routed to TDSAT.
- The rules create a regulated consent-manager layer that requires Indian registration, conflict-of-interest safeguards, security audits and defined grievance timelines within a one-year onboarding window.
- Significant Data Fiduciaries face annual impact assessments and independent audits with algorithmic due diligence, and cross-border transfers follow a default-allow approach subject to government blacklists or targeted localisation for specified data.
- Data fiduciaries must notify the Board of breaches within 72 hours and inform affected users without undue delay, and platforms must obtain verifiable parental consent while restricting tracking, profiling and targeted ads for minors.