MeitY's DPDPA Draft Feedback Period Has Been Extended Until March 2

Nitin Konde, Varun Bhardwaj

14 Feb 2025 — 3 min read

MeitY Extends DPDPA Draft Feedback Deadline to March 2

Feedback on the draft Digital Personal Data Protection (DPDP) Rules, 2025, is due in 15 days, according to reports from the Ministry of Electronics and Information Technology (MeitY). The deadline will be moved from February 18 to March 3, 2025, a government official told a media house. An official notification confirming the extension is anticipated shortly, according to a media report. The provisional terms for implementing the DPDP Act, which was approved by Parliament in 2023, were outlined in the government's January 3 release of the draft DPDP Rules, 2025. When the rules are finished and published, they will give the DPDP Act, which was published in the gazette on August 12, 2023, teeth.

What New DPDP Act Says?

Users under the age of 18 are considered children under the DPDP Act, which requires social media companies and online middlemen—also referred to as data fiduciaries—to have express parental approval before processing their data. According to the draft regulations, digital platforms can only process a child's data with verifiable parental or guardian consent, which can be verified by a virtual token issued by an authorised body or voluntarily supplied identifying details. Before processing any child's personal data, MeitY has suggested that all data fiduciaries put in place the proper organisational and technical safeguards to guarantee compliance.

Tech Companies Meeting Government to Carve a Perfect Act

The founders of a number of cutting-edge tech firms, including MobiKwik, OYO, ixigo, and Razorpay, reportedly met with government representatives last month and expressed their worries on the proposed regulations. According to media reports, the talks focused on the role of consent managers, cross-data transfer provisions, and overlap with other sectoral legislation. The Centre's decision to target data fiduciaries for data privacy is likewise viewed by many experts as a flawed strategy. Ashwini Vaishnaw, the union minister, previously stated that the DPDP regulations will be further improved to shield kids from the risks associated with the internet.

Deleting Personal Data of Inactive Users

According to the new regulations, companies have three years to remove the personal information of inactive users from their sites. Data fiduciaries must notify the Data Protection Board within 72 hours of any data breach. When a data breach occurs, data fiduciaries operating in India will also have to notify each user in "a concise, clear, and plain manner and without delay, through her user account or any mode of communication" that the user has provided.

The nature, scope, timing, and location of the data breach; its effects on the user; the steps being taken to mitigate the risk; and the contact details of the person the user can contact with any questions about the data breach are all included in these details. When an organisation experiences a breach, it must notify the board of the specifics, including the type and scope of the breach, the individuals or incidents that caused it, the corrective actions being taken, and a report on the information provided to the platform users affected by the breach.