Overview
- MeitY has operationalised the law by notifying the DPDP Rules 2025 and constituting a four‑member Data Protection Board with its head office in New Delhi.
- Companies must file detailed personal‑data breach reports with the Board within 72 hours and alert affected users without undue delay, with limited scope for delayed user notification in sensitive cases.
- Protections for children are tightened through verifiable parental consent requirements and prohibitions on tracking, profiling, or targeted ads to minors, with narrow safety‑related exemptions.
- The consent‑manager framework will become operational after 12 months, requiring registration in India, conflict‑of‑interest safeguards, technical and financial eligibility, and audit obligations.
- Cross‑border transfers are permitted by default under a blacklist approach, while specified data categories for significant data fiduciaries may face localisation, and penalties for violations can reach ₹250 crore under a graded system; an RTI change limiting disclosure of personal information is already in force.