Shifting India’s digital economy into high-compliance mode, the DPDP Rules 2025 tighten data safeguards, reshape industry obligations and impose strict timelines with penalties.
India has rolled out the Digital Personal Data Protection (DPDP) Rules 2025, completing the operational framework of the Digital Personal Data Protection Act, 2023. The notification marks a decisive step towards a rights-based data regime that will reshape compliance practices across digital platforms, consumer-facing services, and the country’s electronics manufacturing ecosystem.
The Ministry of Electronics and Information Technology (MeitY) issued the rules on 13 November. With this, India gains a unified legal structure over how personal data is collected, processed, transferred, and protected. The implications extend far beyond social media or e-commerce. Electronics manufacturers, consumer-durable brands, device makers, and Internet-of-Things (IoT) companies must now meet stringent security, storage, and consent requirements.
Under the rules, every entity handling personal data becomes a Data Fiduciary. Users are termed Data Principals. Companies must obtain explicit and informed consent before processing data, including through mobile apps, connected devices, and embedded software.
This is critical for India’s fast-growing electronics and smart-device markets, where billions of data points flow from smart TVs, wearables, home appliances, industrial equipment, and automotive electronics.
Platforms must implement encryption, masking and tokenisation. They must also track every data access through mandatory activity logs. These logs must be retained for one year. Any violation or failure to safeguard data may result in penalties of up to ₹2.5 billion. Data Principals must be informed within 72 hours of a breach.
The rules introduce major obligations for companies building connected devices for children. Platforms and device makers targeting minors must secure verifiable parental consent before collecting or processing data.
Significant Data Fiduciaries, expected to include large electronics, telecom, and consumer-tech firms, face tighter requirements. They must conduct independent audits, perform impact assessments and ensure that algorithmic tools deployed for processing personal data do not create harm. Certain categories of data cannot be transferred outside India, posing new localisation challenges for global electronics brands and cloud-backed IoT services.
The government has laid out a phased compliance timeline. The Data Protection Board will be operational first. Consent Manager requirements begin in November 2026. A wider set of compliance obligations, including consent, notices, security safeguards, and rights processing, must be met by May 2027.
Legal analysts say the transition period gives the industries time to redesign data systems and update firmware, cloud storage and customer-service processes.
