The government has mandated that e-commerce companies, online gaming platforms, and social media intermediaries must delete a user’s data if that individual has not logged into the platform or used its services for at least three consecutive years.

Under the rules of the Digital Personal Data Protection (DPDP) Act, the Ministry of Electronics and Information Technology has said that e-commerce companies and social media intermediaries with more than two crore registered users in India, and online gaming companies with more than 50 lakh registered users in the country, must delete a user’s personal data if the individual does not use the platform’s services for three years.

ALSO READ: DPDP rules notified, India's first digital privacy law now operational Before deleting the personal data of such inactive users, these intermediaries must provide the individuals with a 48-hour notice that their personal data will be deleted unless they log in to the service provider’s platform within this period. What must large platforms do to stay compliant? Significant data fiduciaries, or platforms with more than 50 lakh registered users in India, will be required to undertake an annual audit and a Data Protection Impact Assessment to ensure continued compliance with the provisions of the DPDP Act. These platforms will also be required to verify annually that the technical measures, including algorithms and software being used by them, are not “likely to pose a risk” to the rights of users.

Though the government has allowed the cross-border transfer of personal data processed by data fiduciaries operating in India, it has said that such platforms and companies must meet the requirements set out by the central government from time to time, especially if such personal data is being made available to any foreign state or to any person or entity under the control of any agency of such a state. Which sectors are exempt from the Act’s provisions? The provisions of the DPDP Act shall not apply if personal data is collected and processed explicitly for research, archiving, or statistical purposes, provided that such data is collected, processed, and stored securely in accordance with the law.