- October 10, 2025
- by Subhash N
Summary of MeitY’s Digital Personal Data Protection (DPDP) Guidelines
The Ministry of Electronics and Information Technology (MeitY) unveiled the Draft Digital Personal Data Protection Rules (“DPDP Rules”).
The Draft DPDP Rules address key issues such as consent management, rights of data principals, security measures when handling the personal data of a child, data security, and procedures for handling data breaches. These rules are designed to balance the rights of individuals (Data Principals) with the responsibilities of entities handling personal data (Data Fiduciaries).
These guidelines operationalize the Digital Personal Data Protection Act, 2023, and are designed to protect user data while enabling lawful processing. Key highlights:
1. Consent Requirements
- Consent must be freely given, specific, informed, and easy to withdraw.
- Consent Managers must meet transparency and operational standards.
- No pre-checked boxes or auto-triggered pixels before consent.
2. Special Provisions for Children & Persons with Disabilities
- Verifiable parental consent is mandatory for processing children’s data.
- Guardianship verification must follow legal protocols (e.g., via Digital Locker or Aadhaar-linked tokens).
3. Significant Data Fiduciaries
Entities with large user bases (e.g., 2+ crore users) have extra obligations:
- Annual Data Protection Impact Assessments and audits.
- Transparency in algorithmic processing to avoid bias.
- Restrictions on cross-border data transfers unless approved by the government.
4. Cross-Border Data Transfers
- Allowed only if the Data Fiduciary meets conditions set by the Central Government.
- No blanket approvals — each case may be evaluated individually.
5. Data Breach Notifications
- Must notify affected users and the Data Protection Board within 72 hours.
- Include breach details, consequences, and mitigation steps.
6. Data Retention & Erasure
- Data must be erased once the purpose is fulfilled, unless legally required.
- Users must be notified 48 hours before erasure.
- Retention periods vary by sector:
  - E-commerce: 3 years from last interaction.
  - Online gaming & social media: similar retention rules.
7. Rights of Data Principals (Users)
Users can:
- Access and correct their data.
- Withdraw consent.
- Request data erasure.
Why This Matters for Indian Marketers
If you’re running retargeting, email, or personalization campaigns:
- You must audit pixel behaviour and implement consent gating.
- Avoid embedding PII in URLs or query strings.
- Vet vendors for compliance with DPDP rules.
- Use secure protocols (HTTPS) and monitor for unauthorized scripts.
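The two technical items above (consent gating of pixels and keeping PII out of URLs) are easiest to reason about in code. The following is an added example, not code from the original post or from MeitY: a small consent gate that defers every marketing pixel or script until the user has affirmatively consented to its purpose, re-defers anything registered after consent is withdrawn, and keeps an audit record of what actually fired, plus a helper that flags PII-looking values in a URL's query string before a request is sent. The purpose names (`marketing`, `analytics`), the list of PII-looking query keys and the e-mail/mobile-number heuristics are illustrative assumptions, not values taken from the DPDP Rules. Loaders are plain callbacks here so the example runs under Node without a DOM; in a real page a loader would append the `<img>` or `<script>` element.

```javascript
// Added example (not from the original post or the DPDP Rules): consent gating
// for tracking pixels plus a PII-in-URL check. Purpose names, PII key list and
// regexes are illustrative assumptions chosen for this example.

// Query keys a marketer should never send to a third-party pixel (assumed list).
const PII_QUERY_KEYS = new Set(['email', 'phone', 'mobile', 'name', 'pan', 'aadhaar', 'dob']);
// Loose e-mail and Indian mobile-number patterns for catching PII hidden in other keys.
const EMAIL_RE = /[^\s@/?&=]+@[^\s@/?&=]+\.[a-z]{2,}/i;
const INDIAN_MOBILE_RE = /(?:^|\D)(?:\+91)?[6-9]\d{9}(?:\D|$)/;

// Returns a list of human-readable findings; an empty list means the URL looks clean.
function findPiiInUrl(urlString) {
  const findings = [];
  const url = new URL(urlString);
  for (const [key, value] of new URLSearchParams(url.search)) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) {
      findings.push(`query key "${key}" is a known PII field`);
    } else if (EMAIL_RE.test(value)) {
      findings.push(`query key "${key}" carries an e-mail address`);
    } else if (INDIAN_MOBILE_RE.test(value)) {
      findings.push(`query key "${key}" carries a mobile number`);
    }
  }
  if (EMAIL_RE.test(url.hash) || INDIAN_MOBILE_RE.test(url.hash)) {
    findings.push('URL fragment carries PII');
  }
  return findings;
}

class ConsentGate {
  constructor() {
    this.granted = new Set();   // purposes the user has explicitly consented to
    this.deferred = new Map();  // purpose -> loaders waiting for consent
    this.fired = [];            // audit trail of loaders that actually ran
  }

  // Register a pixel/script under a purpose. Default state is "no consent", so the
  // loader is held back until grant(purpose) is called (no auto-triggered pixels).
  register(purpose, name, loader) {
    if (this.granted.has(purpose)) {
      this._run(purpose, name, loader);
      return;
    }
    if (!this.deferred.has(purpose)) this.deferred.set(purpose, []);
    this.deferred.get(purpose).push({ name, loader });
  }

  // Called only from an affirmative user action (a click on an unchecked option).
  grant(purpose) {
    this.granted.add(purpose);
    const waiting = this.deferred.get(purpose) || [];
    this.deferred.delete(purpose);
    for (const { name, loader } of waiting) this._run(purpose, name, loader);
  }

  // Withdrawal must be as easy as consent: after this, new registrations for the
  // purpose are deferred again instead of firing.
  withdraw(purpose) {
    this.granted.delete(purpose);
  }

  _run(purpose, name, loader) {
    this.fired.push({ purpose, name });
    loader();
  }

  firedNames() {
    return this.fired.map((f) => f.name);
  }
}

// Walk through the lifecycle with constructed loaders and return the observable state
// at each step so it can be checked.
function demo() {
  const gate = new ConsentGate();
  const loaded = [];
  gate.register('marketing', 'retargeting-pixel', () => loaded.push('retargeting-pixel'));
  gate.register('analytics', 'analytics-tag', () => loaded.push('analytics-tag'));
  const beforeConsent = loaded.slice();   // nothing fires on page load
  gate.grant('marketing');
  const afterMarketing = loaded.slice();  // only the marketing pixel fires
  gate.withdraw('marketing');
  gate.register('marketing', 'late-pixel', () => loaded.push('late-pixel'));
  const afterWithdraw = loaded.slice();   // late pixel stays deferred
  return { beforeConsent, afterMarketing, afterWithdraw, audit: gate.firedNames() };
}

module.exports = { findPiiInUrl, ConsentGate, demo };
```

Run `findPiiInUrl` over every outbound pixel or redirect URL a tag manager constructs (the place marketers most often leak e-mail addresses and phone numbers is campaign parameters), and keep the `fired` audit trail so the consent record and the list of scripts that actually ran can be reconciled when a Data Principal exercises their access or withdrawal rights.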
These rules aren’t just legal formalities — they’re trust enablers. Indian users are increasingly privacy-aware, and brands that respect that will win long-term loyalty.
You can explore the full draft rules on MeitY’s official site or read a structured summary from Lexplosion.