In August 2023, after many years delay, India finally enacted its Digital Personal Data Protection Act, 2023, a government and business friendly law with minimal (but still significant) rights for consumers and citizens.(1) Fifteen months later, on 13 November 2025 the Ministry of Electronics and Information Technology (MEITY) made the Digital Personal Data Protection Rules, 2025 (Rules), finalising a draft published in January 2025.

Rules 1, 2 and 17-21 – enabling establishment of the Data Protection Board (DPBI) – come into force immediately (on publication in the official gazette), rule 4 (on registration of consent managers) comes into force after one year, and the rest of the Rules eighteen months after gazettal. So India’s new law will not be in effect until mid-2027.