
First in-person consultation on draft DPDP Rules

Jan 15, 2025 06:32 AM IST

New Delhi's first DPDP Rules 2025 consultation raised concerns on consent, data localisation, and children's data

New Delhi: Questions about consent and data localisation were among the key concerns raised at the government’s first consultation meeting with industry representatives on draft Digital Personal Data Protection (DPDP) Rules 2025 on Tuesday, with Union minister Ashwini Vaishnaw promising “focussed” deliberations to balance regulation and innovation.

Union minister Ashwini Vaishnaw (PTI)

“About 350 stakeholders attended the first consultation session on DPDP rules. Excellent suggestions. This will be followed by a series of focussed discussions,” Vaishnaw posted on X.

Stakeholders from different sectors – social media, e-commerce, banks, payments companies, insurance companies, conglomerates, telecom – attended the consultation in New Delhi in the presence of Vaishnaw and IT secretary S Krishnan. The rules are key to bringing into effect the DPDP Act that was notified in August 2023.

According to people aware of the matter, during the meeting, Vaishnaw indicated that the consultations could be extended by 15 days.

Processing children’s data

A stakeholder mentioned that the proposed rules around verifiable parental consent (VPC) create an “unintentional data moat” that benefits established, larger platforms that can use existing data to determine who is a child.

Multiple people asked for clarity around how virtual tokens could be used to get VPC for users under the age of 18 years. People also asked if private digital locker service providers could exist and if those would be interoperable with the government’s DigiLocker. They also asked how APAAR ID could be used to get a VPC.

Some people said that with the restrictions on processing of children’s data, kids would be shown irrelevant content. Some participants also said that without targeted advertising to children, customer acquisition costs for MSMEs and content creators geared towards children will increase as advertising will become less efficient.

A participant suggested that different consent provisions should exist for processing children’s data, and data of people with disabilities. Another stakeholder asked how verifiable consent for people with autism could be taken, and if a person on the spectrum always needed to rely on a guardian to give consent on their behalf.

Consent and consent managers

At least two participants asked how consent should be taken for “legacy data” from “legacy users”, that is, personal data collected by companies before the DPDP Act comes into effect. They asked if simply notifying the users would suffice as “deemed consent”, and if they could still continue processing data if the users did not respond to these notices.

Questions were raised about whether using consent managers was obligatory. To be sure, under the act and the draft rules, a company is not obligated to use a consent manager.

Multiple questions were raised about how consent managers would work. People asked if interoperability standards would need to be adopted for consent managers so that they can be integrated across a wide swathe of data fiduciaries.

At least one stakeholder asked if the existing account aggregator (AA) framework would be integrated with consent managers, and if the government would create financial incentives for the adoption of consent managers as it did for AAs.

The draft rules propose mandatory registration of consent managers with the Data Protection Board (DPB). People asked how existing consent managers would continue to function until the DPB comes into being.

At least one person asked about how the act and the rules will deal with vicarious or lateral consent (such as booking an Uber for a person who does not have an Uber account).

Data localisation and sector-specific regulations

People asked about how sectoral restrictions around data localisation would work and why data localisation had been “re-introduced” via the rules. One participant asked that if specific classes of personal data are important or sensitive enough to need localisation, why is the localisation requirement restricted to significant data fiduciaries instead of all data fiduciaries.

A participant from a credit information company said that the DPDP Rules clash with the obligations imposed on the sector by the RBI. For instance, credit information companies cannot erase data and corrections must be routed through the bank, this person said. This person also said that despite arguably being a data fiduciary, a credit information company did not take consent directly from the customers so how would it be governed under the DPDP Act.

Another participant called for rules to be synced with sectoral regulations around digital lending, commercial messaging, etc.

Stakeholders also asked for sector-specific security safeguards instead of common standards.

User rights

A stakeholder asked for the rules to specify the timelines within which the data fiduciaries must respond to users’ requests to exercise their rights such as right to erasure and correction. Another participant asked that the process of dealing with user rights be standardised across data fiduciaries.

Personal data breaches

A participant asked MeitY to consider a threshold or risk-based approach to informing users about personal data breaches as informing users about all breaches would be difficult and could cause confusion for the users. Another asked why social media companies and online gaming companies, despite not having had any significant data breaches or data leaks, had been singled out for data retention requirements.

A question was also raised about whether processing personal data without notifying the user was also a data breach and needed notification to the DPB.

Data Protection Board

One participant suggested that the DPB should have suo motu powers to take up cases of violations of the DPDP Act, and should have the power to make references to other statutory bodies.

Graded approach to obligations of data fiduciaries

Once the DPDP Act comes into effect, practically everybody will be a DF. Citing this, stakeholders asked for a graded approach to obligations of data fiduciaries, depending on their size.

Participants asked for clarity around conducting data audits for significant DFs (SDFs) and selection of independent data auditors. A participant also asked for the difference between a data protection impact assessment and the “due diligence” needed to be observed by an SDF while using “algorithmic software”.

Under the DPDP Act, the central government can exempt a startup from obligations of the act. At least one participant asked how an interaction between a DF and an exempted startup would be regulated.

Questions were also raised about regulation of cookies under the act, and if the exemption for research activities extended to research done to build AI models.
