DPDP Act: Government Notifies E-Commerce and Social Media Firms To Erase Inactive User Data After 3 Years As per Digital Personal Data Protection Act

New Delhi, November 14: The government has notified detailed norms under the Digital Personal Data Protection (DPDP) Act, introducing stringent data-retention rules for e-commerce platforms, social media intermediaries and online gaming companies. Under the new guidelines, platforms will be required to delete the personal data of any user who has not logged in or used the service for three consecutive years.

The regulation applies to online gaming companies with more than 50 lakh users, as well as social media and e-commerce platforms with more than two crore registered users in India. Companies must give the inactive user 48 hours' notice before deleting such data, warning them that their data will be deleted if they don't use the platform within that time frame. GPT-5.1 Launched: OpenAI Introduces Its Latest Model, Faster and More Token-Efficient on Simpler Everyday Tasks; Available at Same Price As GPT-5.

For digital platforms with more than 50 lakh users, known as significant data fiduciaries, the Act also establishes a higher compliance threshold. To make sure that their systems, algorithms, and procedures do not endanger user rights, these organisations are required to perform an annual audit and a Data Protection Impact Assessment. They must additionally verify each year that their technical measures remain safe and compliant. Although the DPDP Act permits cross-border transfers of personal data, the government has made it clear that these transfers must follow rules that may be communicated regularly.

This is especially true if user data is transferred to a foreign state or any organisation under the control of a foreign government. To strengthen data governance and improve user protection throughout the quickly growing digital ecosystem, the new regulations are a part of the larger operationalisation of India's first digital privacy law.

The government notified the rules for the Digital Personal Data Protection (DPDP) Act, formally operationalising India’s first digital privacy law and setting the compliance clock ticking for companies handling user data. Social media sites, online gateways, and any other organisations handling personal data are required by the new framework to give users a detailed explanation of the information being gathered and to make it apparent how it will be used. Verizon Layoffs: US-Based Telecommunication Giant To Cut 15,000 Jobs as New CEO Dan Schulman Steps Into Role To Restructure Business and Drive Cost Transformation.

“With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data. The phased rollout is crucial, it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly," said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.

(The above story first appeared on LatestLY on Nov 14, 2025 02:51 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).