India, Nov. 19 -- Two years after the Digital Personal Data Protection (DPDP) Act laid the foundation for India's privacy framework, the government has now notified the DPDP Rules 2025. The rules which will govern the DPDP Act threaten to disrupt operations for a number of startups given the heavy compliance burden.

Where the DPDP Act only introduced broad ideas such as consent, deletion, user rights and breach disclosures, the new rules turn each of these ideas into strict, time-bound requirements that must be executed exactly as written.

The changes are one of the biggest regulatory shifts yet for young startups and small and medium businesses. Many bemoan the higher burden of compliance.

Mishi Choudhary, technology lawyer and founde...