The IT Ministry & government of India has introduced a sweeping set of data protection regulations that are expected to significantly alter how companies handle personal information across the country’s rapidly growing digital economy. The Digital Personal Data Protection (DPDP) Rules 2025, notified this week, impose strict obligations on businesses of all sizes and require them to report data breaches within 72 hours.
The government asserts that it will work to enhance user privacy as well as to increase accountability with businesses collecting, storing, and processing personal data. The regulations follow years of debate about strong privacy guards for a country with 850 million-plus internet users, the country’s second-largest online-probability of internet users.
Major changes for businesses
Under the new regulations, one cannot collect personal data unless the user has given informed and clear consent. The data can only be used according to the principles stipulated at the time of collection. Violation of the rules can fetch heavy sanctions, comprising huge fines reaching hundreds of millions of rupees, depending on the nature of the breach.
Industry experts have said the rules would have an immediate financial impact, especially aimed at advertising, e-commerce, and fintech firms: these are heavily data-driven. Marketing and advertising firm billing is anticipated to go up by as much as 15% according to one early industry estimate.
Many businesses must appoint chief data protection officer, upgrade their data storage systems, increase encryption, and maintain exhaustive logs of data access. For start-up ventures and smaller establishments, this will involve potential upheavals in their technological set-up.
Reporting requirements tightened
Proclaiming a consequent, the ̈72-hour requirement ̈ expects companies to inform the authorities of any breach that was detected or held in possession from within their jurisdiction with in the data protection regulations. This will result in more time being spent on response and redress for the users of those who may have had their personal details compromised, before the hackers have enough time to use them.
The disclosure has been praised by security experts, saying that it will enable reducing the incident impacts and more efficient regulatory action. “The 72-hour reporting requirement aligns India with global standards and will encourage more responsible data governance,” said the top analyst at a Delhi-based cybersecurity firm.
Impact on the advertising sector
One of the most affected sectors is digital advertising, which is ever-expanding in India. Much of the industry banks on targeted advertisements that are driven by user behaviors, tracking technologies, and third-party data brokers. These new rules have posed limits to such practices because a company is at its fear of ensuring explicit, unambiguous consent for any form of tracking.
Consumer rights strengthened
The DPDP framework enabs a number of rights for users including request for deletion of their personal data, request the personal data to be withdrawn from access consent and information on the processing of their data. The government now states that these measures place individuals at the center of the digital transformation in India. Consumer advocacy groups welcomed the new law overwhelmingly, terming them long-overdue in addressing ever more vocal public concerns about privacy violations, spam, and the misuse of personal data.
Global context
India’s move has brought it almost as close as possible to establishing a global data protection regime, similar to the European Union’s General Data Protection Regulation (GDPR). However, it has been mentioned that the Indian framework allows greater flexibility in some respects, giving more time to companies to alter their operations to accommodate compliance conditions.
On the other hand, international companies, including large tech platforms that operate in India, must scale up their system to comply with these requirements. According to a slate of Memoranda of Understandings, India must enter into some data protection agreements with the UK that take these modifications into account. Now several companies have been planning for stricter regulation and they were all expecting that the law would come into force.
