DPDP Rules 2025: India's Push for Clearer, Simpler Data Privacy Policies
At the core of the rules lies a simple principle – companies must clearly and plainly explain how they handle user data
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
In today's digital age, every click and activity on online platforms generates vast amounts of data, making the protection of sensitive information essential. In 2024, several countries introduced data protection laws and regulations, reflecting growing concerns over how personal data is collected, stored, and used. On 3rd January 2025, the Indian government released the Digital Personal Data Protection Rules, 2025, further clarifying the path for enforcing the Digital Personal Data Protection Act, 2023.
These new rules are designed to address rising concerns about data privacy by increasing transparency and giving users greater control over their personal information.
At the core of the rules lies a simple principle – companies must clearly and plainly explain how they handle user data. This move aims to eliminate hidden terms buried under complex fine print. Organizations, referred to as Data Fiduciaries under the Act, must explicitly disclose what data is being collected, why it is needed, and how users can withdraw their consent as easily as they gave it.
The Ministry of Electronics and Information Technology emphasizes this in an explanatory note: "It must use simple, plain language to provide the Data Principal with a full and transparent account of the information necessary for giving informed consent for the processing of their personal data. Specifically, the notice should include an itemized list of the personal data being collected and a clear description of the purpose for processing, along with an explanation of the goods, services, or uses enabled by such processing."
However, Probir Roy Chowdhury, Partner at JSA Advocates & Solicitors, believes the direct impact of the DPDP Rules on FinTech companies may be limited. He highlights that while the new regulations empower the government to impose data localisation requirements on certain data fiduciaries or processors, the broader consequences are yet to be fully realized.
Data localisation mandates that certain types of data be stored and processed within India, restricting companies from transferring or holding it abroad.
Another notable feature is the introduction of Consent Managers – third-party entities that enable users to manage and track their data permissions across platforms. While this initiative empowers individuals, it comes with a caveat. Consent Managers must have a minimum net worth of INR 2 crore to operate, which could affect smaller startups.
The rules further stipulate that Consent Managers must implement robust security measures, prevent conflicts of interest, and ensure transparency by disclosing their management and ownership structures. For businesses engaging with minors, the rules impose stricter requirements. Platforms must obtain verifiable parental consent before processing children's data.
Despite the potential hurdles, the pressing question remains – Is India's tech ecosystem ready for this level of regulation?
For large corporations, compliance may simply be another budgetary consideration. For smaller businesses and startups, however, adhering to these regulations could determine their survival.
Nevertheless, it is clear that data privacy can no longer be overlooked. As Indian consumers grow increasingly aware and protective of their personal information, companies that prioritize transparency and data security are more likely to earn long-term trust and loyalty.
Meanwhile, Akshay Garkel, Partner, Grant Thornton Bharat, concludes, "Good reform necessitates clear, concise, and implementable rules that minimize compliance burdens, especially for smaller businesses, while ensuring effective safeguards against data misuse. We believe the rules should promote innovation and ease of doing business, aligning with the vision of a developed India where data protection is a cornerstone of a vibrant and responsible digital ecosystem."