Updated: November 20, 2025 — to reflect MeitY’s notification of the DPDP Rules, 2025 and the official implementation timeline

India has officially activated its long-awaited Digital Personal Data Protection Act (DPDP Act, 2023), following the publication of the DPDP Rules, on November 13, 2025. This notification triggers the phased rollout of India’s comprehensive, consent-driven privacy regime — with some obligations already in effect and others scheduled over the next 12 to 18 months.

For global companies — especially platforms serving youth — India’s DPDP Act sets one of the highest standards for children’s data protection worldwide. Unlike COPPA in the U.S. which requires parent consent for children under 13 or the General Data Protection Act (GDPR) in the EU and UK which requires consent for children 15 or under, India’s DPDP Act requires verifiable parental consent for all users under 18.

What Is the DPDP Act and What Does It Require?

The Digital Personal Data Protection Act (DPDP Act, 2023) is India’s first comprehensive data privacy law. It applies to both Indian and foreign companies processing personal data of individuals in India and establishes a rights-based, consent-led framework for data processing — with some of the strongest protections in the world for children.

Children’s Data Requirements Under the Act:

• All individuals under 18 are considered children
• Verifiable parental consent is required before collecting, processing, storing, or sharing a child’s personal data
• Tracking, profiling, or targeted advertising to minors is prohibited without consent
• Penalties can reach ₹250 crore (~USD $30M) per violation

Broader Compliance Obligations:

• Data minimization
• Purpose limitation
• Strong security safeguards and breach response
• Transparent notices and data rights
• Retention and erasure workflows
• New minimum retention rules for:
  • E-commerce platforms (≥20M users)
  • Social media platforms (≥20M users)
  • Online gaming intermediaries (≥5M users)

Implementation Timeline: What’s in Force and When

The official notification dated 13 November 2025 triggers a staggered rollout. Here is the timeline companies should rely on:

Effective Immediately — 13 November 2025

The following are now in force:

• Establishment and powers of the Data Protection Board of India (DPBI)
• Enforcement structure and penalty framework
• Rulemaking provisions
• Definitions needed for the Act to function

What it means for businesses:
The regulator is active, and oversight has officially begun.

Effective in 12 Months — 13 November 2026

The following provisions will come into force:

• Section 6(9) — governing Consent Manager operations
• Section 27(1)(d) — specific fiduciary obligations

This stage operationalizes the new Consent Manager ecosystem, which must be:

• Registered in India
• Technically interoperable
• Capable of routing, managing, reviewing, and withdrawing consent
• Free from conflicts of interest
• Fully auditable

Effective in 18 Months — 13 May 2027

This is the major compliance milestone. The following core operational requirements take effect:

• Consent notices & lawful processing rules
• Purpose limitation & processing restrictions
• Children’s data obligations (under 18)
• Data retention & erasure workflows
• Security safeguards
• Transparency & notice requirements
• Significant Data Fiduciary responsibilities
• Data Principal rights
• Controller accountability and breach obligations

For most companies — especially those processing children’s data — this is the true “go-live” date for DPDP operational compliance.

Next Steps for Businesses

If you operate apps, platforms, games, or connected products in India—or if your services are accessible to Indian users—you must:

1. Review how you collect and process children’s data.
2. Implement age assurance and parental consent tools that meet DPDP requirements.
3. Ensure your workflows adapt to multiple jurisdictions (under 13 in the U.S., under 16 in the EU, under 18 in India).
4. Prepare to demonstrate compliance to regulators.

How PRIVO Helps
PRIVO is a global leader in youth privacy assurance, with FTC-approved COPPA Safe Harbor status and two decades of experience helping companies build safe, compliant digital experiences for children and families.

Our platform is jurisdiction-aware, meaning we can help you:

✔️ Implement age assurance tools
✔️ Adapt parental consent workflows by country or region
✔️ Scale compliance for India’s under-18 threshold
✔️ Align with COPPA, GDPR-K, the Children’s Codes, Australia’s Online Safety Act, and more

DIY Consent won’t work, your online service needs infrastructure to cope with global requirements. PRIVO is here to help. 

What’s Next
As India’s digital privacy regime moves from notification to implementation, organizations should expect additional guidance from the Data Protection Board and further clarifications to the Consent Manager framework. With children’s protections at the forefront, the DPDP Act will reshape global privacy practices and require companies to rethink how they design youth experiences online.

PRIVO will continue monitoring emerging DPDP guidance, particularly around children's data and verifiable parental consent requirements, and will publish updates as new rules or interpretations are released.

👉 Contact PRIVO to Learn More

Additional Resources

• Full text of the DPDP Act, 2023 (MeitY)
• Enforcement Timeline for the DPDP Act (MeitY) 
• What is Verifiable Parental Consent