deepidv
Regulations · March 19, 2026 · 6 min read

India's DPDP Rules Are Live: What the New Data Protection Framework Means for Identity Verification

India's Digital Personal Data Protection Rules took effect in November 2025, introducing phased compliance requirements that directly affect how businesses collect, verify, and process identity data for over a billion citizens.

On November 13, 2025, India formally brought into effect the Digital Personal Data Protection Rules — the implementing framework for the DPDP Act of 2023 — establishing one of the world's most comprehensive data protection regimes for its population of over 1.4 billion people. The rules are not merely aspirational. They create specific, enforceable obligations for any entity that processes the personal data of Indian citizens, with a phased implementation timeline that extends through 2027.

The implementation schedule proceeds in three stages. Stage one, effective immediately upon commencement, established the Data Protection Board of India as the regulatory authority. Stage two, effective November 2026, implements the consent manager registration process — creating accredited intermediaries that manage consent on behalf of data principals. Stage three, effective May 2027, activates the full compliance regime including notice requirements, security protocols, breach notification obligations, rights of data principals, and enhanced duties for Significant Data Fiduciaries.

For identity verification specifically, the rules introduce requirements that are both prescriptive and consequential. Businesses that process the data of children must implement rigorous age and identity verification mechanisms prior to processing. The verification must confirm not only the child's age but also the identity and parental status of the person providing consent. Accepted verification methods include checking against existing information, details provided by the data principal, or virtual tokens issued by authorised entities or verified through Digital Locker service providers.

The consent architecture is particularly detailed. Data Fiduciaries must provide notice in clear, plain language that specifies the personal data being collected, the purpose of processing, and the means by which the data principal can exercise their rights. Consent must be freely given, specific, informed, unconditional, and unambiguous. It must be accompanied by the ability to withdraw consent as easily as it was given.

For organisations operating in India's financial services, telecommunications, and e-commerce sectors — where identity verification is a routine part of customer onboarding — the implications are extensive. The existing Aadhaar-based verification ecosystem remains in place, but the new rules add layers of consent and purpose limitation that change how Aadhaar-linked verification data can be used, retained, and shared.

Significant Data Fiduciaries — entities designated by the government based on the volume and sensitivity of data they process — face additional obligations including mandatory data protection impact assessments, appointment of a Data Protection Officer, and periodic independent audits. The criteria for designation are expected to capture major financial institutions, telecom operators, e-commerce platforms, and technology companies.

Cross-border data transfer provisions add another dimension. While the rules do not impose data localisation as a blanket requirement, they empower the government to restrict transfers to specific jurisdictions, creating uncertainty for multinational organisations that process Indian personal data outside the country.

For businesses conducting identity verification for Indian customers, the practical steps are clear. Audit your current consent mechanisms against the new requirements. Ensure your verification processes collect only the data necessary for the stated purpose. Implement retention limits that automatically delete verification data when the purpose is fulfilled. And prepare for the consent manager framework that becomes operational in November 2026.

deepidv provides identity verification infrastructure designed with data minimisation and consent management at its core, helping organisations operating in India meet DPDP compliance requirements while maintaining effective verification processes.
