
DPDP Rules 2025: What the Draft Rules Require

A summary of the Draft Digital Personal Data Protection Rules 2025 — consent manager framework, age verification, cross-border transfers, grievance timelines, and what is still pending.

Key Takeaways
  • The Draft DPDP Rules 2025 were released for public consultation and address several critical implementation details left open by the Act.
  • The Rules flesh out the "Consent Manager" framework that Section 6 of the Act only sketches: entities registered with the Data Protection Board that act as a single point of contact for Data Principals to give, manage, review and withdraw consent across many Data Fiduciaries.
  • Age verification mechanisms are addressed, and digital identity-based approaches (Aadhaar, DigiLocker) are the favoured direction.
  • Breach notification timelines and content requirements are specified in the draft Rules.
  • Several key items — cross-border transfer whitelist, SDF classification criteria thresholds — remain pending in the draft.

Overview of the Draft DPDP Rules 2025

MEITY released the draft Digital Personal Data Protection Rules 2025 for public consultation on 3 January 2025. The Rules flesh out many of the procedural and operational details that the Act deliberately left to subordinate legislation. They are not yet final: they remain in consultation and may be substantially revised before notification.

The structure of the draft Rules follows the Act's chapters: rules on consent and notice, rules on Data Fiduciary obligations, rules on Data Principal rights and grievances, rules on the Data Protection Board, and rules on specific obligations for Significant Data Fiduciaries. The Rules also give operational shape to two institutional mechanisms the Act only names: the Consent Manager and the Data Protection Board's digital portal for complaints.

Companies should treat the draft Rules as a planning document. The obligations they specify — timelines, formats, processes — may change before finalisation, but they provide the best available signal of what compliance will require. Build your compliance programme to accommodate the draft Rules' requirements, with flexibility to adapt when the final Rules are notified.

The Consent Manager Framework

One of the most novel elements in the draft Rules is the Consent Manager framework. A Consent Manager is an entity registered with the Data Protection Board (the Act requires Board registration, not MEITY registration) that acts as an intermediary between Data Principals and Data Fiduciaries, enabling individuals to give, manage, review and withdraw consent across multiple Data Fiduciaries through a single interface. Think of it as a consent dashboard that aggregates and manages your privacy decisions across the digital ecosystem.

Data Fiduciaries can choose to interoperate with registered Consent Managers, allowing their users to manage consent through the Consent Manager's platform rather than through each individual company's privacy settings. This is inspired by the Account Aggregator framework in financial services, which has demonstrated how consent interoperability can work in the Indian context.

The Consent Manager framework is optional for Data Fiduciaries in the current draft — you are not required to integrate with a Consent Manager. However, for consumer-facing companies with large user bases, Consent Manager interoperability may become a competitive requirement as users expect a single place to manage their consent decisions. Monitor the framework's development and evaluate whether integration makes sense for your product.

Age Verification Requirements

The draft Rules address the age verification challenge that Section 9 creates. Rather than mandating a specific technical solution, the draft Rules provide a framework: Data Fiduciaries must implement reliable mechanisms that verify the age of users and obtain verifiable parental consent for under-18 users. The Rules identify DigiLocker and Aadhaar-based verification as preferred mechanisms given their widespread adoption in India.

For consumer platforms that cannot integrate Aadhaar or DigiLocker, the draft Rules suggest alternative approaches including: virtual token-based verification (where a government-issued token confirms age without revealing full identity); parental mobile OTP combined with guardian identity verification; and for lower-risk platforms, self-declaration with enhanced safeguards.

The finalised Rules will determine how the verification bar scales by risk. A children's gaming app and an enterprise B2B SaaS tool that incidentally serves some under-18 users are very different risk scenarios. Companies should engage in the Rules consultation process to contribute to a workable, risk-proportionate verification framework.

Breach Notification: Timeline and Format

The draft Rules specify a two-stage notification to the Data Protection Board. Stage 1: on becoming aware of a personal data breach, intimate the Board without delay with a description of the breach, including its nature, extent, timing and location, and its likely impact. The 72-hour clock in the draft attaches to the second stage, not the first.

Stage 2: within 72 hours of becoming aware of the breach (or such longer period as the Board allows on a written request), submit updated and detailed information to the Board covering: the facts, circumstances and reasons leading to the breach; the measures implemented to mitigate risk; any findings regarding the person who caused the breach; the remedial measures taken to prevent recurrence; and a report of the intimations given to affected Data Principals. Affected Data Principals must themselves be intimated without delay, in concise, clear and plain language, covering the breach, its likely consequences for them, the measures taken or proposed, the safety measures they can take, and contact details for follow-up. Treat the Data Principal notice as running in parallel with Stage 1, not after it.

The draft Rules also specify that the Board will operate a digital portal for breach notifications, similar to CERT-In's portal. Data Fiduciaries will file notifications through this portal. Note that the CERT-In directions of April 2022, which require reporting of cyber security incidents to CERT-In within six hours of noticing them, apply in parallel and are not displaced by the DPDP regime, so a single incident can trigger two filings on two clocks. Companies should build their internal breach response workflow to output the required information for both regulators in the formats they specify, reducing the time and effort needed to file in a crisis.

Grievance Redressal Timelines

The draft Rules specify that Data Fiduciaries must acknowledge a grievance from a Data Principal within 24 hours and resolve it within 30 days. If the Data Fiduciary fails to respond within 30 days, the Data Principal is entitled to escalate to the Data Protection Board.

For Significant Data Fiduciaries, the DPO must personally handle grievances that are escalated after initial handling by customer support. The draft Rules also specify that grievance responses must be in writing (including electronic form) and must clearly state whether the grievance has been upheld, partially upheld, or declined, with reasons.

The 30-day resolution timeline is the maximum — the draft Rules encourage Data Fiduciaries to resolve straightforward requests (access, correction) within shorter periods. Companies should set internal SLAs more ambitious than the regulatory deadline, both for user experience and to reduce Board escalation risk.

Cross-Border Transfer Whitelist: Status

The draft Rules do not specify the cross-border transfer whitelist. Strictly, Section 16 of the Act is drafted as a restriction: personal data may be transferred to any country except one the Central Government restricts by notification, and the draft Rules add only that transfers must meet whatever requirements the Government specifies by general or special order. In practice the operative list, whichever way it is framed, is expected to be published as a separate notification after the Rules are finalised. This is one of the most critical outstanding items for companies with international data flows.

The draft Rules do describe the process by which the Central Government will determine whitelist inclusions: it will consider the privacy protection framework of the candidate country, the existence of bilateral data sharing arrangements, national security and diplomatic considerations, and the nature of data flows between India and the candidate country.

Given that the whitelist is published separately, it can be updated more dynamically than the Act or Rules — a country can be added or removed from the whitelist through a simple notification without amending the Rules. This creates ongoing compliance management obligations for companies with international data flows.

What the Rules Leave Pending

Despite the draft Rules addressing many key provisions, several critical items remain pending: (1) the Significant Data Fiduciary classification criteria, specifically any numeric thresholds for volume or sensitivity; (2) the cross-border transfer whitelist; (3) the standards that the independent data auditor must use for SDF annual audits; (4) the boundaries of the legitimate uses in Section 7, notably the employment-related use in Section 7(i); and (5) the Data Protection Board's constitution and operational rules.

The absence of SDF classification criteria is particularly problematic for companies trying to plan their compliance programme. Without knowing whether they will be SDFs, companies cannot determine whether they need a DPO, must conduct DPIAs, or require annual audits. Companies processing large volumes of personal data should prepare for SDF classification as a prudent default.

Engage with MEITY's consultation process. Industry bodies (NASSCOM, iSPIRT, FICCI, CII) are actively engaging on the Rules. Your participation — directly or through industry associations — can help shape workable implementation standards. The draft Rules represent a starting point, not a final answer.

Frequently Asked Questions

When will the DPDP Rules 2025 be finalised?
As of early 2026, the Rules remain in consultation. A finalisation timeline has not been officially announced. Estimates from industry stakeholders suggest late 2026 at the earliest, though political and diplomatic considerations may accelerate or delay this. Companies should plan as if Rules could be finalised at any time and enforcement begins 6-12 months after.
Should we comply with the draft Rules now, or wait for finalisation?
Use the draft Rules as your planning baseline. Implement processes and systems that satisfy the draft Rules' requirements. Build in flexibility to adapt when the final Rules are notified. Do not wait for finalisation before starting — the gap between draft and final Rules is unlikely to be dramatic, and the compliance work you do now will not be wasted.
What is a Consent Manager and do we need to become one?
A Consent Manager is an intermediary registered with the Data Protection Board that lets Data Principals manage consent given to multiple Data Fiduciaries from one place. Most companies will not become Consent Managers; this is a new business category. You may choose to integrate with a Consent Manager to offer your users a unified consent experience. Whether to integrate depends on your product design and user base expectations.
The Rules don't specify the whitelist. How do we plan for cross-border transfers?
Plan conservatively. Map all cross-border data flows. Evaluate which flows are essential vs. which can be redirected to Indian data centres. For essential flows to countries like the US, EU, UK, and Singapore — which are likely whitelist candidates — maintain current arrangements but have a contingency plan. For flows to less certain destinations, evaluate Indian alternatives now.
Will the Rules require companies to register with MEITY or the Data Protection Board?
The draft Rules do not require general registration of Data Fiduciaries. SDFs may be required to register with or notify the Board upon classification. Consent Managers must register with the Data Protection Board. Absent a specific registration requirement, companies do not need to proactively register, but must comply with all applicable obligations once the Rules and Act are in force.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free