DPDP rules mandate deleting user data after three years of inactivity
New Delhi, Nov 14, 2025
Ecommerce, gaming, and social media intermediaries must erase dormant user data with prior notice
The government has mandated that ecommerce companies, online gaming platforms, and social media intermediaries must delete a user’s data if the individual has not logged in or used their services for three years straight.
According to rules in the Digital Personal Data Protection (DPDP) Act, the Ministry of Electronics and Information Technology has said that ecommerce companies and social media intermediaries with more than 20 million registered users in India and online gaming companies with more than 5 million registered users must delete users’ personal data if such individuals do not use services for three years.
Intermediaries must provide the individuals with a 48-hour notice that their personal data will be deleted unless they log in to the service provider’s platform within this period.
Significant data fiduciaries, or platforms with more than 5 million registered users in India, will have to undertake an annual audit and a Data Protection Impact Assessment to ensure continued compliance with the provisions of the DPDP Act. Platforms will also be required to verify annually that the technical measures, including the algorithms and software being used by them, are not “likely to pose a risk” to the rights of the users.
Though the government has allowed cross-border transfer of personal data processed by data fiduciaries operating in India, such platforms and companies will have to meet requirements set out periodically. That applies especially if such personal data is being made available to any foreign state, or to any person or entity under the control of, or any agency of, such a state.
The provisions of the DPDP Act shall not apply if personal data is collected and processed explicitly for research, archiving, or statistical purposes, provided that such data is collected, processed, and stored securely in accordance with the law.
Clinical and mental health establishments, as well as healthcare professionals, will be allowed to access the digital personal information of users, including children, only to the extent that such access is necessary for the protection of the health of those users.
Similarly, educational institutions can process, track, and monitor the behaviour of children registered on their platform, but only to the extent that it is limited to academic activities and the safety and well-being of the child.
[The Business Standard]

