DPDP Act updates: what’s changed since the Rules were notified
At a glance
Nothing has been formally notified beyond the Digital Personal Data Protection Rules, 2025 themselves (13 November 2025) as of this writing. This page is a running, dated log — not a rewrite of the commencement schedule — that we add to only when something real happens: an amendment, a new notification, a Data Protection Board order, or a regulatory clarification. For the full phased schedule of what’s binding and when, see DPDP timeline and deadlines; this page is for what changes after that schedule, as it happens.
Educational resource only. This is a dated log of developments under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its 2025 Rules; it is not formal legal advice, and it is not a news feed — entries are added only when something is actually confirmed.
On this page
The situation
DPDP is a law in motion — Rules notified, a staggered commencement running through 2027, and several pieces (the cross-border restricted-country list, Consent Manager registrations, the first Data Protection Board orders) still to come. Searching “DPDP news” every few weeks isn’t a reliable way to track that. This page is the one durable bookmark: a dated log, updated only when something is actually confirmed, so you can check back here instead.
What’s changed since 13 November 2025
As of this writing, nothing further has been formally notified beyond the Rules themselves. The log starts at the baseline:
- 13 November 2025 — The Digital Personal Data Protection Rules, 2025 were notified, bringing the Data Protection Board, the Act’s definitions, and the penalty framework into force. This is the anchor date every later milestone is measured from.
No amendments, no new notifications, and no published Data Protection Board orders have followed since. When one does, it’s added here with the date, in plain language, and linked to the pillar it affects.
What’s scheduled next
Two dates are already fixed by the Rules — not new developments, but worth having on this page as the near-term horizon.
- 13 November 2026 — the framework for Consent Managers becomes operative: this is when Data Protection Board–registered platforms can begin to exist and register.
- 13 May 2027 — the Act’s substantive obligations (notice, consent, security, breach reporting, retention, rights, Significant Data Fiduciary duties, cross-border conditions) become binding.
For what each of those actually requires and why the 18-month runway matters, see DPDP timeline and deadlines — that page covers the schedule in depth; this one tracks what happens around it.
What we’re watching
A few pieces of the framework are still open, and this is where an update would land first.
- The cross-border “restricted list.” Section 16 lets the government notify countries or territories where sending personal data is restricted. None have been notified yet — transfers remain generally permitted, subject to DPDP’s ordinary safeguards. A notification here would be a significant update.
- Significant Data Fiduciary data-localisation orders. SDFs can be required to keep specified categories of data within India. No such class-specific order has been notified yet.
- The first Data Protection Board enforcement orders. Once the Board starts ruling on complaints and breaches, its early orders will start shaping how the Act is actually applied in practice — those get logged here too.
- Any amendment to the Rules or the Fourth Schedule (the children’s-data exemption classes), should one be notified.
FAQ
Has anything changed under the DPDP Act since the Rules were notified? Not as of this writing. The 13 November 2025 notification remains the most recent formal development; nothing further has been notified.
Is this the same as the DPDP timeline page? No. DPDP timeline and deadlines explains the phased commencement schedule already built into the Rules — what’s binding and when. This page is a separate, dated log of anything new that happens after that schedule, added only as it occurs.
When does the Consent Manager framework start? 13 November 2026, per the Rules’ existing 12-month clock from notification. That’s a scheduled date, not a new development — it’ll be marked here once it actually happens.
How often is this page updated? Only when something real is confirmed — an amendment, a notification, or a Board order. It’s deliberately not a “DPDP news” feed; a quiet page here means nothing has changed, not that it’s been neglected.
Related reading
- DPDP timeline and deadlines — the full phased commencement schedule this log tracks changes against.
- DPDP penalties, explained — what’s already in force and enforceable.
- What is a Consent Manager? — the role whose registration framework arrives 13 November 2026.
- Are you a Significant Data Fiduciary? — the tier most likely to be affected by a future localisation notification.
Reviewed by Confidential Dispatch Editorial Team
Last updated 10 July 2026
Not legal advice.