Deep Dive: DPDP Act 2025 strengthens parental consent, data localisation

India’s draft DPDP Rules mandate parental consent for minors' data, explore data localisation, and impose stricter compliance on businesses, aiming to enhance digital privacy and user protection

e4m by e4m Staff
Published: Feb 28, 2025 4:43 PM  | 3 min read
data privacy
  • e4m Twitter

The Indian government has introduced draft Digital Personal Data Protection (DPDP) Rules, proposing stricter regulations for online data collection, particularly for children. The new rules mandate verifiable parental consent before processing the personal data of individuals under 18, aiming to enhance digital privacy and security.

The DPDP draft rules, which are open for public feedback, also explore the possibility of data localisation, potentially restricting certain types of personal data from being transferred outside India. These regulations could have a major impact on technology companies, online platforms, and digital service providers operating in the country. 

Parental Consent Becomes Mandatory for Minors

One of the key proposals in the draft rules is the requirement for digital platforms to obtain parental consent before processing data belonging to minors. Companies will need to verify that consent has been provided by a legitimate parent or guardian, using official identity documents.

This move is expected to create a safer online environment for children, preventing unauthorised use of their data for advertising, profiling, or other commercial purposes. It also aligns India with global trends in child data protection, such as the European Union’s General Data Protection Regulation (GDPR) and the United States’ Children’s Online Privacy Protection Act (COPPA).

For businesses, implementing these consent mechanisms could pose technical challenges, requiring them to introduce new verification processes. However, failure to comply could result in penalties once the rules are enforced. 

Data Localisation and Cross-Border Transfers

The draft rules also suggest that certain personal data may be required to remain within India, preventing it from being transferred to foreign servers. A designated committee will be formed to determine which data categories would fall under these restrictions.

This proposal is in line with the government’s broader push for digital sovereignty, ensuring that Indian user data remains protected from potential misuse by foreign entities. However, it may pose challenges for multinational technology firms that rely on global data centers for storage and processing. 

Increased Compliance for Companies

The draft DPDP rules introduce stricter compliance requirements for businesses classified as ‘Significant Data Fiduciaries.’ These entities, which handle large volumes of sensitive personal data, will be required to conduct regular data protection impact assessments, independent audits, and risk evaluations.

Additionally, companies must ensure that their automated algorithms and decision-making processes do not compromise individual rights. This is particularly relevant for platforms that use artificial intelligence for targeted advertising, content recommendations, and behavioral analysis.

Industry Response and Next Steps

The proposed rules mark a significant step in India’s evolving data protection framework. While they aim to strengthen user privacy, particularly for children, businesses are concerned about the operational challenges of implementing these measures.

The government has invited public feedback on the draft, with stakeholders from the technology, education, and e-commerce sectors expected to provide their inputs. The final version of the rules will likely incorporate industry recommendations before being formally adopted.

As India moves toward a stricter data privacy regime, companies will need to reassess their data handling policies and invest in stronger compliance mechanisms. The new rules signal a shift toward greater accountability in the digital ecosystem, reinforcing India’s commitment to safeguarding user privacy. 

Published On: Feb 28, 2025 4:43 PM