Your go-to hub for Expert Insights,
Publications, and Resources on
data privacy and compliance

Our resources provide the essential tools, guides, and insights to help your business stay ahead of data privacy regulations. From practical templates to expert articles, we ensure you have everything you need to navigate compliance with confidence.

Sign up for Newsletter Get in touch

Last Updated: 2025-05-05 ~ DPDP Consultants

India’s Draft DPDP Rules: Parental Consent, Data Localisation & Stricter Compliance on the Horizon

India’s Draft DPDP Rules: Parental Consent, Data Localisation & Stricter Compliance on the Horizon

India has taken another major step in operationalizing the Digital Personal Data Protection Act, 2023 (DPDP Act) with the release of the draft Digital Personal Data Protection Rules. These rules are intended to flesh out the framework set by the Act and provide the operational backbone for compliance, enforcement, and user protection in the digital ecosystem.

One of the most headline-grabbing proposals in the draft rules is the requirement for mandatory, verifiable parental consent for processing children’s data—marking a significant move in safeguarding minors' digital presence.

Key Highlights of the Draft Rules

1. Mandatory Parental Consent for Children’s Data

The draft rules make it clear: if a child (defined under the DPDP Act as an individual under 18) is to be onboarded to an online platform or service, verifiable consent from a parent or guardian must first be obtained.

“A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child,” the draft rules state.

This means any entity—whether a gaming platform, an edtech app, or a social media network—must confirm that:

  • The parent or guardian is an identifiable adult, and
  • Their identity and age are validated through documents or tokens issued by government-authorized identity verification services.

A suggested method includes the use of India’s Digital Locker platform, which could serve as a verification bridge. Parents may voluntarily submit identity proofs through such systems to confirm their status and relationship with the child.

This provision is seen as critical to curbing unauthorized access to digital platforms by minors and ensuring greater accountability from online service providers.

2. Consent Managers: The Gatekeepers of Digital Consent

Another pillar introduced in the draft rules is the formal recognition of Consent Managers.

Consent Managers will be licensed entities entrusted with managing user consents, acting as intermediaries between Data Fiduciaries and Data Principals (individuals whose data is processed). They will ensure that consent is:

  • Informed,
  • Specific,
  • Revocable, and
  • Documented for compliance purposes.

Entities can only process data after consent has been given through these officially appointed Consent Managers, adding a critical layer of transparency and accountability.

This aligns with the DPDP Act’s broader vision of user empowerment and digital agency.

3. Data Localisation: New Restrictions in the Works

Perhaps the most surprising element of the draft rules is the hint at potential data localisation mandates, especially for Significant Data Fiduciaries (SDFs).

While the DPDP Act generally allows cross-border data flows—barring transfers to explicitly blacklisted jurisdictions—the draft rules empower the central government to:

  • Identify specific categories of personal data, and
  • Prohibit or restrict their transfer outside India, based on recommendations from a government-constituted committee.

This move suggests that sensitive personal or strategic data—such as health data, financial information, or data related to critical infrastructure—could soon be subjected to localisation requirements.

The text reads:

“A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government... is not transferred outside the territory of India.”

This new layer of regulation will likely have a major impact on cloud service providers, global platforms, and Indian companies relying on offshore processing centers.

Understanding Significant Data Fiduciaries (SDFs)

The draft rules reemphasize obligations for Significant Data Fiduciaries, which are determined by factors like:

  • The volume and sensitivity of data processed,
  • Risk to individuals’ rights,
  • Impact on sovereignty, security, and public order.

Obligations for SDFs include:

  • Annual Data Protection Impact Assessments (DPIA).
  • Annual independent data audits.
  • Algorithmic accountability—ensuring that AI or software used for data processing does not risk individual rights.
  • Enhanced due diligence in cross-border transfers and third-party data sharing.

For major tech players, telcos, e-commerce companies, and financial institutions, this marks a clear compliance escalation.

Cross-Border Data Transfers: Conditional Permissions

Another critical point of regulation deals with how personal data is handled outside of Indian borders.

As per the draft rules:

“Transfer to any country or territory outside India of personal data processed by a Data Fiduciary shall meet such requirements as the Central Government may specify…”

This implies that even for non-SDFs, cross-border data transfers will be subject to case-by-case government regulations—potentially requiring:

  • Prior approvals,
  • Specific contractual clauses,
  • Certifications, or
  • Data processing agreements with foreign entities.

This provision tightens India’s hold on international data transfers and could affect BPOs, SaaS providers, and multinational corporations operating in India.

Expert Take: Industry Voices

Legal experts and industry stakeholders have taken note of the nuanced but powerful shifts proposed in the draft rules.

Shreya Suri, Partner at IndusLaw, remarked:

“An interesting development is the potential obligations for SDFs regarding cross-border data sharing. The hint at additional oversight and localisation adds a new dimension that stakeholders must now factor into compliance planning.”

Others see the introduction of Consent Managers and parental verification as long-awaited steps toward data maturity and user-centric governance.

What Comes Next?

The draft rules are currently open for public consultation, and industry stakeholders are expected to submit feedback over the coming weeks.

The key takeaways for organizations are:

  • Start preparing compliance frameworks for consent verification and age validation.
  • Map cross-border data flows and identify potential vulnerabilities under new localisation rules.
  • Assess readiness for SDF obligations if processing large or sensitive datasets.
  • Engage with Consent Managers and assess integration requirements.

India’s data protection regime is evolving swiftly—and these draft rules signal the government's intention to enforce more structured, transparent, and responsible data practices across the digital ecosystem.

Final Thoughts

The draft DPDP Rules are more than an administrative formality—they represent the operational DNA of India’s data protection law. For companies, this is not just about compliance—it’s about building trust, accountability, and ethical data ecosystems.

For startups, scaleups, MNCs, and data fiduciaries of all sizes: now is the time to re-evaluate internal practices, refresh privacy policies, and anticipate the compliance curve.

Similar Read

Phone Numbers at Billing Counter? A Common Practice Now a Compliance Risk Under DPDP Act
DPDP Act Strengthens, Not Weakens, Right to Information: IT Ministry
Punjab Government Terminates BJP's Welfare Outreach Amid Data Security Concerns
Human Resources Powerhouse Workday Hit by Subtle but Chilling Data Breach