New Delhi, Nov 14 (IANS) The government on Friday notified the rules for the Digital Personal Data Protection (DPDP) Act, formally operationalising India’s first digital privacy law and setting the compliance clock ticking for companies handling user data.

Social media sites, online gateways, and any other organisations handling personal data are required by the new framework to give users a detailed explanation of the information being gathered and to make it apparent how it will be used.

According to the regulations, users must have an easy way to revoke their consent or complain to the Data Protection Board (DPB) about infractions.

While consent managers, which are organisations authorised to act on behalf of users, have 12 months to register with the DPB, companies will have up to 18 months to fulfil the administrative compliance requirements.

Any business that wants to function as a consent manager must have its headquarters in India, apply to the Board, and fulfil its responsibilities consistently; otherwise, its registration might be revoked.

The DPB, which has its headquarters in New Delhi and consists of four members, including a chairperson, will operate as a fully digital adjudicatory body in accordance with the guidelines that have been notified. Its duties include enforcing the law, investigating data breaches, and levying fines.

The regulations also categorise digital intermediaries according to the type of services they offer and specify when user data must be deleted, unless there are laws that mandate its retention.

Within 72 hours of learning about a data breach, data fiduciaries must notify the DPB and the impacted user.

Alongside the regulations, the Ministry of Electronics and Information Technology (MeitY) released a separate notification announcing the DPB's creation. The Parliament passed the DPDP Act in August 2023, and the final rules were issued after months of consultation following the draft's publication in January 2025.

"In sum, the one-year deadline for Consent Managers effectively pre-positions the consent infrastructure for DPDP compliance. By the 18‑month enforcement date, a network of certified, neutral consent-service providers will be ready to handle opt-in/out mechanics, easing the shift to the new regime," said Vinay Butani, Partner, Economic Laws Practice.

