Must E-commerce and Social Media Companies Delete Inactive User Data After 3 Years?

Synopsis

India's government has implemented new guidelines under the DPDP Act, mandating that e-commerce, social media, and gaming companies delete inactive user data after three years. This initiative aims to bolster data governance and user protection in the digital realm, establishing clear compliance pathways for businesses.

Key Takeaways

  • Data Deletion Rule: Inactive user data must be erased after three years.
  • Compliance Requirements: Companies must notify users before data deletion.
  • Significant Data Fiduciaries: Higher compliance standards for platforms with over 5 million users.
  • Annual Audits: Organizations need to conduct yearly audits to protect user rights.
  • International Transfers: Must adhere to government regulations.

New Delhi, Nov 14 (NationPress) The government has issued comprehensive guidelines under the Digital Personal Data Protection (DPDP) Act, enforcing rigorous data-retention policies for e-commerce platforms, social media entities, and online gaming firms.

According to these new regulations, platforms are mandated to eliminate the personal data of any user who has not accessed or utilized the service for three consecutive years. This rule is applicable to online gaming companies with over 5 million users, as well as social media and e-commerce platforms boasting more than 20 million registered users in India.

Companies are required to notify the inactive user 48 hours prior to data deletion, alerting them that their data will be erased if they do not engage with the platform within that timeframe.

The Act also sets a higher compliance level for significant data fiduciaries, which are digital platforms with over 5 million users.

To ensure that their systems, algorithms, and procedures do not compromise user rights, these organizations must conduct an annual audit and a Data Protection Impact Assessment. They are also obligated to verify each year that their technical measures remain secure and compliant.

While the DPDP Act allows for cross-border transfers of personal data, the government emphasizes that these transfers must adhere to regularly communicated rules, especially when user data is sent to a foreign nation or any organization under foreign government control.

These new regulations are part of a broader effort to enhance data governance and improve user protection in the rapidly evolving digital environment, marking the operationalization of India's inaugural digital privacy legislation.

The government has officially notified the regulations under the Digital Personal Data Protection (DPDP) Act, triggering the compliance timeline for companies managing user data.

Social media networks, online platforms, and any organizations managing personal data are mandated by this framework to provide users with a thorough explanation of the information collected and clarify how it will be utilized.

“With the DPDP Rules now implemented, Indian businesses have a clear pathway on how they collect, process, secure, and manage personal data. The phased rollout is vital; it provides organizations with the opportunity to operationalize privacy, adjust their data architecture, and integrate accountable fiduciary practices seamlessly,” stated Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.

Point of View

The implementation of the DPDP Act marks a significant advancement in digital privacy legislation in India. It aims to balance user protection with the operational needs of businesses, ensuring that data handling practices are transparent and accountable.
NationPress
14/11/2025

Frequently Asked Questions

What is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act is India's first digital privacy law, aimed at protecting user data and establishing clear data-retention guidelines.

Who does the DPDP Act apply to?
The DPDP Act applies to e-commerce platforms, social media intermediaries, and online gaming companies with significant user bases.

What happens to inactive user data?
Inactive user data must be deleted after three years of inactivity, following a 48-hour notice to the user.

What is a significant data fiduciary?
A significant data fiduciary is a digital platform that has more than 5 million users and is subject to higher compliance standards under the DPDP Act.

Can personal data be transferred internationally?
Yes, but cross-border transfers of personal data must comply with specific regulations set forth by the government.