New Delhi, Nov. 15 -- The Government of India has moved from policy intent to operational enforcement with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. Designed around the SARAL principle - Simple, Accessible, Rational and Actionable - the rules put clear, citizen-facing obligations on organisations that collect and process personal data. The result: businesses must now treat privacy as a design principle, not a compliance afterthought.

At the core of the rules is consent reform. Consent must be a standalone, plain-language notice that specifies the precise purpose of data collection. Data principals gain explicit rights to access, correct, update or erase their data - and to nominate another person to exe...