Data Privacy and The Internet 

Impact of the new Digital Personal Data Protection Rules on websites

Every online entity - whether a government department, corporate website, or small business - must now adapt its practices to respect user privacy.

Aman Varma

The Digital Personal Data Protection (DPDP) Rules, 2025 - framed under the Digital Personal Data Protection Act (DPDPA) - have been released as of November 13, 2025. The Rules are somewhat similar to the draft version which was shared on January 3, 2025 for consultation.

Businesses - particularly those that depend on their online presence - now have 18 months to comply with the Rules. Here's how the new Rules affect websites in general.

Growing online presence

In today’s digital-first world, having an online presence is no longer optional; it is essential. Individuals, businesses, professionals and even government departments are all increasingly establishing their digital footprint. The reasons are clear - visibility, engagement and convenience.

Certain organisations, such as e-commerce companies or digital-first startups, rely entirely on their online presence. Their websites and apps are their sole interaction points with customers; they have no physical storefronts. Similarly, government portals like UIDAI (for Aadhaar services) and RTI Online are designed to deliver services digitally, improving accessibility and reducing bureaucratic barriers.

This increasing reliance on digital platforms, however, comes with an important trade-off — the collection and processing of user data. Every time a person visits a website, performs a search or interacts with an app, they leave behind digital traces. These traces, or ‘digital footprints’, have significant implications under India’s new data privacy regime.

Personal data collection while visiting websites

Virtually every entity with an online presence collects some level of personal data. Research shows that almost all websites gather information - some automatically, some knowingly.

Automatic data collection includes details such as browser type, device information, operating system version, IP address, click patterns, time spent on the website and bandwidth usage. Although these may appear harmless, when analysed together, they can reveal deep insights into an individual’s online behaviour, preferences and even personality traits. In essence, they create a ‘digital clone’ of the user.

In many cases, websites collect this information without providing sufficient transparency. Some do not even have a privacy policy, while others, particularly government sites, have privacy policies that are too brief or vague.

For instance, the Securities and Exchange Board of India’s (SEBI) privacy policy is just a paragraph long and provides little detail about how user data is processed or protected. Such limited disclosure falls short of the expectations set by modern data protection principles.

Digital privacy as a fundamental right today

The turning point came when the Supreme Court of India, in its landmark judgment of KS Puttaswamy v. UOI and Ors, recognised digital privacy as a fundamental right under Article 21 of the Constitution. This recognition laid the foundation for stronger data protection laws and paved the way for the DPDPA.

The DPDPA defines "personal data" as any information that can identify an individual, either directly or indirectly. Under this definition, even automatically collected data like IP addresses or device IDs qualifies as personal data if it can be linked back to a person. Consequently, nearly all websites operating in India fall under the purview of the DPDPA.

How DPDPA affects websites and online services

With the DPDPA now in effect, organisations must reassess their online practices and ensure compliance. The law mandates that all entities processing personal data must be transparent about their data handling practices, obtain user consent and implement necessary safeguards to protect user information.

This means that even static, minimally interactive websites that simply log visitor data such as IP addresses, domain names, or device types must comply. Such information, while indirect, can still identify an individual when combined with other data points.

Websites must, therefore, include detailed and easily accessible privacy notices that explain what data is being collected, how it is processed, the purposes for which it is used and whether it is shared with third parties. Much like how the Right to Information (RTI) Act obliges the government to disclose information for good governance, the DPDPA legally mandates data transparency for digital governance.

Key compliance requirements under DPDPA and DPDP Rules, 2025

To align with the new data protection framework, website operators in India will need to implement several key measures, such as:

  • Cookie consent banners: Websites must clearly inform users about the use of cookies and seek their explicit consent before storing any data.

  • Comprehensive privacy notice: The notice should detail the nature of data collected, retention practices, data-sharing procedures and user rights.

  • Consent mechanisms: Users should have the option to withdraw consent as easily as they grant it.

  • Grievance Officer/Data Protection Officer: The details of the grievance officer or the DPO should be mentioned on the website of the data fiduciary, as per Rule 9 of the DPDP Rules, 2025.

  • Information on the rights of data principals: Websites should set out how their customers, clients or employees may make a request to exercise the following rights:

    i) Erasure of their personal data from the website;

    ii) Access to the personal data the website holds about them;

    iii) Correction or updating of any personal data that the user has provided to the website.

  • Accountability measures: Entities must ensure compliance through internal audits. This will be particularly relevant for entities that are designated as significant data fiduciaries under the DPDPA.

Failure to comply can lead to significant financial penalties. Under the DPDPA, violations can attract fines of up to ₹250 crore, a strong deterrent against negligence or misuse of personal data. Even a general breach under the DPDPA is penalised up to ₹50 crore.

Conclusion

India’s data privacy landscape is undergoing a major transformation. As digital engagement deepens, both individuals and organisations must become more aware of the value and vulnerability of personal data. The DPDPA is not merely a regulatory requirement; it is a framework designed to foster trust, accountability and transparency in India’s digital ecosystem.

Every online entity - whether a government department, corporate website, or small business - must now adapt its practices to respect user privacy. In doing so, India takes a crucial step toward aligning its digital environment with global standards and ensuring that the promise of a connected world does not come at the cost of individual rights.

Aman Varma is a Senior Manager at K&S Digiprotect Services.
