The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) on Friday for public consultation. The rules aim to operationalize India’s personal data protection regime, following the enactment of the Digital Personal Data Protection Act, 2023. One of the key features of the draft rules is the requirement for parental consent for users under 18 years of age to open social media accounts.
Data fiduciaries must verify consent using government-issued IDs or digital identity tokens. The rules also propose enhanced consumer rights, allowing users to demand the deletion of their data and seek transparency from companies about data collection practices. Penalties of up to Rs 250 crore are proposed for breaches.
The draft defines critical digital intermediaries, including e-commerce entities, online gaming intermediaries, and social media intermediaries. Social media platforms are defined as intermediaries that primarily enable online interaction between users, including the sharing, dissemination, and modification of information.
Draft rules for data protection feedback
A Data Protection Board will be established to oversee compliance with the rules. The Board will function as a fully digital regulatory body, conducting remote hearings, investigating breaches, enforcing penalties, and registering consent managers. Consent managers will be required to register with the Board and maintain a minimum net worth of Rs 12 crore.
They will be tasked with managing data permissions. The rules aim to ensure that data fiduciaries adopt robust technical and organizational safeguards, particularly concerning vulnerable groups like children. Exemptions are included for specific scenarios, such as educational use, to avoid undue burdens on institutions serving children’s needs.
Critics have raised concerns about the consultation process, pointing out that public comments have been invited only in Hindi and English, limiting participation. There are also concerns about vague terms, discretionary powers, weak oversight, overbroad exemptions for state processing, and the potential for mass surveillance through mandatory age verification. The Ministry urges citizens and stakeholders to review the draft and provide their feedback by February 18, 2025, to ensure the rules effectively protect user data and address all potential concerns.
