India’s New Digital Privacy Regime

India’s Blueprint for Data Safety: Centre Notifies Digital Personal Data Protection Rules 2025

Swagta Nath

India’s emerging technology ecosystem, long celebrated for its rapid, data-driven innovation, is facing a profound operational overhaul as the final Digital Personal Data Protection (DPDP) Rules, 2025, take effect. Following the passage of the DPDP Act in 2023, these new rules, which will be implemented in phases over the next 18 months, establish a comprehensive, enforceable privacy regime, effectively shifting the economy from a “data is the new oil” mindset to one where personal information is a heavily regulated asset.

The core message for founders in the blockchain, artificial intelligence (AI), and online gaming verticals is clear: compliance is now a mandatory architectural feature, not an afterthought.

The Fundamental Conflict: Immutability vs. Erasure

Perhaps the most acute tensions are found within the Blockchain and Crypto sector. The DPDP Act is “technology-neutral,” meaning on-chain data linked to an identifiable individual (via KYC, wallet linkage, or analytics) is categorized as personal data.

This creates a structural conflict between the DPDP's Right to Erasure and the immutability inherent to public ledgers. Once identifiable data is written to a public chain, removing it would require every node to rewrite history, which is exactly what the consensus rules are designed to prevent; in practice the data cannot be erased.

To mitigate this, the practical steps are clear: centralized exchanges and wallet providers, who are squarely Data Fiduciaries, must restructure their retention policies, moving beyond the current practice of "keep forever" for analytics. They must default to off-chain storage for identifiable data, writing only a commitment (a hash) to the chain, so that an erasure request can be satisfied by deleting the off-chain record. One caveat matters here: a hash is "non-personal" only if it cannot be matched back to the input. An unsalted digest of a phone number, PAN or e-mail is trivially brute-forced from a candidate list, so the on-chain value should be keyed with a per-record secret that lives off-chain and is deleted together with the record.
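The pattern described above, as an added example (not code from the article or from any exchange): the identifiable KYC record and a fresh 256-bit salt are kept off-chain, only an HMAC over the record is appended to the ledger, and erasure deletes the record and salt so the ledger entry can no longer be linked to anyone. The second half shows why the naive alternative, an unsalted hash of a phone number, is still personal data: it falls to a dictionary attack. The sample record, the phone-number range and the in-memory `Ledger` class are constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample KYC record; not a real person.
SAMPLE_KYC = {"name": "A. Example", "phone": "+919876500000", "wallet": "0xabc123"}


class OffChainStore:
    """Mutable store under the fiduciary's control: holds the record and its salt."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}  # ref -> (payload, salt)


class Ledger:
    """Stand-in for an append-only public chain: entries are added, never removed."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []  # (opaque reference, commitment hex)


def commit_record(store: OffChainStore, ledger: Ledger, record: dict) -> Tuple[str, str]:
    """Keep the personal data off-chain; put only a keyed commitment on-chain.

    The salt is a per-record secret stored with the off-chain copy, so once it is
    deleted the on-chain value cannot be matched against guessed inputs.
    """
    ref = secrets.token_hex(8)        # random reference, deliberately not a user id
    salt = secrets.token_bytes(32)
    payload = json.dumps(record, sort_keys=True).encode()
    commitment = hmac.new(salt, payload, hashlib.sha256).hexdigest()
    store.records[ref] = (payload, salt)
    ledger.entries.append((ref, commitment))
    return ref, commitment


def verify_record(store: OffChainStore, ledger: Ledger, ref: str) -> bool:
    """Show the off-chain record matches its on-chain commitment; False once erased."""
    if ref not in store.records:
        return False
    payload, salt = store.records[ref]
    expected = hmac.new(salt, payload, hashlib.sha256).hexdigest()
    return any(r == ref and hmac.compare_digest(c, expected) for r, c in ledger.entries)


def erase_record(store: OffChainStore, ref: str) -> bool:
    """Honour an erasure request: drop record and salt. The ledger entry stays, unlinkable."""
    return store.records.pop(ref, None) is not None


def naive_commitment(phone: str) -> str:
    """The anti-pattern: an unsalted hash of a low-entropy field."""
    return hashlib.sha256(phone.encode()).hexdigest()


def recover_phone(commitment: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack showing the naive commitment is still personal data."""
    for phone in candidates:
        if naive_commitment(phone) == commitment:
            return phone
    return None


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    ref, commitment = commit_record(store, ledger, SAMPLE_KYC)
    print("verifies before erasure:", verify_record(store, ledger, ref))
    erase_record(store, ref)
    print("verifies after erasure:", verify_record(store, ledger, ref))
    print("ledger still holds the commitment:", ledger.entries[0][1] == commitment)
    guesses = ["+9198765%05d" % i for i in range(100000)]  # constructed number range
    print("naive hash recovered:", recover_phone(naive_commitment(SAMPLE_KYC["phone"]), guesses))
```

The keyed commitment still lets the fiduciary prove, while the record exists, that the on-chain value corresponds to a specific KYC file (for example to an auditor); after erasure the same value is a random-looking string with no remaining link, which is the property the Right to Erasure needs.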

AI Faces New Constraints on Training Data

For the booming Artificial Intelligence (AI) and Machine Learning industry, the new rules impose strict boundaries around model training and data usage.

Startups can no longer rely on unconsented scraping or the broad repurposing of user data. Under DPDP’s principle of purpose limitation, using existing customer data (collected for one service) to train a new AI model now requires a compatible legal basis and renewed transparency with the user.

A key operational challenge introduced by the DPDP rights of access and erasure is "model unlearning": removing the influence of erased personal data from a trained model. The baseline is retraining from a corpus with the record removed; approximate unlearning techniques that adjust model weights exist, but demonstrating that a specific record no longer influences outputs is hard. This mandates new governance models, requiring clear separation between production user data and training corpora, and prioritizing data minimization and de-identification techniques before training begins, so that there is as little personal data in the corpus to unlearn as possible.

Gaming Platforms Targeted by Retention Mandates

The Online Gaming and Metaverse environments are specifically targeted in the new Rules. Large gaming platforms (those crossing user thresholds, such as 50 lakh registered users in India) now face a mandatory 3-year inactivity purge.

If a user remains inactive for three years, the platform must erase or irreversibly anonymize their personal data, notifying the user 48 hours before the erasure takes place. Furthermore, because these services are often used by minors, platforms must enforce strict age gating and ensure verifiable parental consent, coupled with default privacy safeguards against open-by-default voice chat or excessive profiling.
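The retention rule just described, as an added example that is not code from the article or from any gaming platform: a scheduler tick that sends the 48-hour notice when a user's three-year inactivity deadline is approaching (or has already passed without notice), erases only after the notice has been sent and the lead time has elapsed with no activity, resets the clock on any activity, and writes a hash-chained proof-of-erasure log that contains no personal data. The three-year limit approximated in days, the audit key, the `run_cycle` helper and the fixture users are all assumptions of this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=3 * 365)   # assumption: "three years" taken as 1095 days
NOTICE_LEAD = timedelta(hours=48)
AUDIT_KEY = b"constructed-audit-key-held-by-compliance"  # hypothetical key for the log


@dataclass
class User:
    user_id: str
    last_activity: datetime
    notified_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None
    profile: Dict[str, str] = field(default_factory=dict)   # the personal data to erase


def due_actions(users: List[User], now: datetime) -> Tuple[List[User], List[User]]:
    """Split users into those owed a notice and those whose data is due for erasure."""
    to_notify: List[User] = []
    to_erase: List[User] = []
    for u in users:
        if u.erased_at is not None:
            continue                                   # idempotent: never erase twice
        deadline = u.last_activity + INACTIVITY_LIMIT
        if u.notified_at is None:
            if now >= deadline - NOTICE_LEAD:
                to_notify.append(u)                    # also the late case: deadline passed, no notice yet
        elif now >= deadline and now - u.notified_at >= NOTICE_LEAD:
            to_erase.append(u)                         # notice sent, lead elapsed, still inactive
    return to_notify, to_erase


def record_activity(u: User, now: datetime) -> None:
    """Any activity restarts the three-year clock and cancels a pending notice."""
    u.last_activity = now
    u.notified_at = None


def erase_user(u: User, now: datetime, log: List[Dict[str, str]]) -> Dict[str, str]:
    """Erase personal data and append a hash-chained proof-of-erasure entry without PII."""
    u.profile.clear()
    u.erased_at = now
    subject_ref = hmac.new(AUDIT_KEY, u.user_id.encode(), hashlib.sha256).hexdigest()
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"subject_ref": subject_ref, "erased_at": now.isoformat(), "prev": prev}
    entry = dict(body, entry_hash=hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest())
    log.append(entry)
    return entry


def verify_log(log: List[Dict[str, str]]) -> bool:
    """Detect edits or gaps in the proof-of-erasure chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: entry[k] for k in ("subject_ref", "erased_at", "prev")}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def run_cycle(users: List[User], now: datetime, log: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """One scheduler tick: send notices, then erase. Returns the ids notified and erased."""
    to_notify, to_erase = due_actions(users, now)
    for u in to_notify:
        u.notified_at = now        # hypothetical: the actual send_notice(u) call goes here
    for u in to_erase:
        erase_user(u, now, log)
    return [u.user_id for u in to_notify], [u.user_id for u in to_erase]


def sample_users(now: datetime) -> List[User]:
    """Constructed fixtures covering the edge cases; not real users."""
    return [
        User("u-a", now - INACTIVITY_LIMIT + timedelta(hours=24), profile={"handle": "a"}),
        User("u-b", now - INACTIVITY_LIMIT - timedelta(days=3), notified_at=now - timedelta(days=3), profile={"handle": "b"}),
        User("u-c", now - timedelta(days=1), profile={"handle": "c"}),
        User("u-d", now - INACTIVITY_LIMIT - timedelta(days=10), profile={"handle": "d"}),
        User("u-e", now - INACTIVITY_LIMIT - timedelta(hours=1), notified_at=now - timedelta(hours=1), profile={"handle": "e"}),
    ]


if __name__ == "__main__":
    now = datetime(2025, 11, 20, tzinfo=timezone.utc)
    users, log = sample_users(now), []
    print("tick 1 (notified, erased):", run_cycle(users, now, log))
    print("tick 2 (notified, erased):", run_cycle(users, now + NOTICE_LEAD, log))
    print("log intact:", verify_log(log))
```

Two details are worth keeping in a real implementation: erasure is gated on the notice having been sent at least 48 hours earlier rather than on the deadline alone, so a backlog of users who were never notified gets a notice first instead of a silent purge; and the log references the subject only through a keyed digest, so the proof of erasure does not itself re-create the personal data it documents.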

How India Plans to Implement Its Digital Privacy Law: The Strategies Behind a Regulatory Overhaul

Across all emerging sectors, Fintech, Health Tech, and EdTech included, the DPDP rules mandate adherence to the following cross-cutting compliance themes:

• Phased Rollout to Prevent Industry Shock
Regulators have adopted a staggered timeline: some provisions take effect immediately, while the obligations that demand the most engineering work, such as Consent Manager systems and the detailed duties on Data Fiduciaries, are phased in over up to 18 months.

• Mandatory Data Mapping by All Companies
Businesses must document every piece of personal data they collect — including purpose, retention period, storage location, and sharing practices — a first for many Indian startups.

• Strict Retention & Deletion Requirements
Platforms above the user thresholds must automatically erase the personal data of users inactive for three years, and all fiduciaries must build technical systems that track deletion, archival and proof of erasure.

• Redesign of Consent Architecture
The law pushes companies toward plain-language disclosures, easy opt-outs, no dark patterns, and clear explainability for AI-driven profiling and automated decisions.

• Dedicated Compliance Path for AI Systems
AI models must maintain auditable logs showing datasets used, personal data involvement, correction/deletion mechanisms, and the impact of automated decision-making.

• Supply-Chain Accountability for Data Processors
Vendors cannot be a loophole anymore — firms must sign Data Processing Agreements, ensure third-party audits, and set penalty clauses for breaches or misuse.

• Security-by-Regulation, Not by Choice
Companies must implement encryption, multi-factor authentication, access logs, and 72-hour breach notifications; weak cyber hygiene may trigger early enforcement.

• Sector-Specific Compliance Playbooks
Fintech, health-tech, ed-tech, gaming, Web3 and IoT will follow adjusted rules tailored to sensitive data, minors, profiling risks, and off-chain storage limitations.

The full text of the Digital Personal Data Protection Rules 2025 is published on the Ministry of Electronics and Information Technology (MeitY) website.

While the new regime poses compliance burdens, experts argue it presents a strategic opportunity. By internalizing privacy, security, and data minimization early, Indian firms can position themselves as trustworthy providers, aligning their architectures with global standards like GDPR, and gaining a competitive edge in enterprise and export markets.
