Winning Bizness Desk

Mumbai. The Digital Personal Data Protection Act 2023, along with its newly notified rules, has now come into full effect in India. The IT Ministry has announced that transparency is no longer optional for companies handling personal information. The new framework aims to strengthen citizen privacy while supporting innovation and the digital economy. Passed on 11 August 2023, the Act outlines the responsibilities of companies managing personal data and grants clear rights to individuals. With the rules notified on 14 November, the law now applies completely across sectors.

Parental approval required for minors

Under the new framework, companies cannot collect or use the personal data of children without the verified consent of parents. The rule applies to all forms of data such as photos, location, names and online behaviour. Only essential areas like healthcare, education and real-time safety are exempt. For persons with disabilities who cannot take legal decisions, consent must come from a legally verified guardian.

Clear declaration before collecting data

Companies must now inform users in simple terms why they are seeking personal data and how they will use it. No organisation or app can collect information without explicit permission. Users also have the right to refuse data sharing. Any processing beyond the stated purpose is prohibited. If a shopping app collects data for delivery, it cannot use it later for marketing unless the user permits it.

Control and correction of personal data

Individuals can now access their stored information and ask companies to correct, update or erase it. All such requests must be resolved within 90 days. If a data breach occurs, companies must alert affected users within hours and explain the nature of the breach, possible impact and safety steps in simple language. This communication must help people understand the risk and respond quickly.

Simplified complaint and appeals system

A dedicated digital Data Protection Board will handle complaints. People can file and track cases through an online platform or mobile app without any fee. If they are not satisfied with the board’s decision, they can appeal before the TDSAT. The government has kept compliance easier for small businesses to avoid increasing service costs and to ensure the law remains supportive of innovation.

How new rules differ from old system

Earlier, India did not have a strict framework for verifiable parental consent. The IT Act 2000 and IT Rules 2021 focused mainly on content safety and reporting mechanisms. Age verification was not mandatory and parents did not have enforceable control over their child’s data. The new DPDP Rules 2025 mandate verified parental consent for anyone below 18 years and prohibit tracking, targeted ads and behavioural monitoring of minors. Verification will be technical, involving AI checks or ID token validation.

Major challenges expected ahead

Despite the stronger safeguards, complete implementation will face hurdles. Children may misrepresent their age to bypass consent, as AI-based checks are still evolving. In rural areas, low awareness and limited access to digital IDs may make verification difficult for many guardians. Companies will face heavy penalties of up to Rs 250 crore for violations. They will also need to erase data if minors provide false age details and the truth emerges later.

Key pointers

• New DPDP rules fully notified and now enforced nationwide
• Companies must seek clear consent before collecting personal data
• Parental approval mandatory for all data involving minors
• Users can access, correct or delete data within 90 days
• Breaches must be reported to users within hours in simple language
• Digital Data Protection Board set up for complaints and appeals
• Violations may attract penalties up to Rs 250 crore