Clearer Consent, Faster Breach Alerts: What India’s New Data Rules Mean For Users
The Rules mandate clear, specific and verifiable consent, requiring companies to explain exactly why data is being collected and how it will be used. “Dark patterns” or misleading consent prompts will no longer be tolerated.
With the notification of the Digital Personal Data Protection Rules, 2025, Indian consumers are set to gain unprecedented clarity and control over their personal data.
The Rules mandate clear, specific and verifiable consent, requiring companies to explain exactly why data is being collected and how it will be used. “Dark patterns” or misleading consent prompts will no longer be tolerated. Users must also be able to withdraw consent as easily as they give it.
A major shift lies in breach notifications. Companies experiencing a significant data leak must promptly alert both affected users and the Data Protection Board. This ends the long-standing practice of quietly managing breaches without disclosure.
Users also gain actionable data rights — the ability to access their data, correct inaccuracies, request deletion, and nominate a representative to manage their digital rights.
Privacy advocates say the Rules could significantly improve digital accountability, provided enforcement remains consistent and companies invest in transparent communication with their users.