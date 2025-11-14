Home / Industry / News / DPDP rules mandate deleting user data after three years of inactivity

DPDP rules mandate deleting user data after three years of inactivity

Before deleting the personal data of such inactive users, the intermediaries must provide the individuals with a 48-hour notice that their personal data will be deleted

The provisions of the DPDP Act shall not apply if personal data is collected and processed explicitly for research, archiving, or statistical purposes Photographer: Matt Cardy/Getty Images
Aashish Aryan New Delhi
3 min read Last Updated : Nov 14 2025 | 1:08 PM IST
The government has mandated that e-commerce companies, online gaming platforms, and social media intermediaries must delete a user’s data if that individual has not logged into the platform or used its services for at least three consecutive years.
 
Under the rules of the Digital Personal Data Protection (DPDP) Act, the Ministry of Electronics and Information Technology has said that e-commerce companies and social media intermediaries with more than two crore registered users in India, and online gaming companies with more than 50 lakh registered users in the country, must delete a user’s personal data if the individual does not use the platform’s services for three years.
 
Before deleting the personal data of such inactive users, these intermediaries must provide the individuals with a 48-hour notice that their personal data will be deleted unless they log in to the service provider’s platform within this period. 
 
What must large platforms do to stay compliant? 
Significant data fiduciaries, or platforms with more than 50 lakh registered users in India, will be required to undertake an annual audit and a Data Protection Impact Assessment to ensure continued compliance with the provisions of the DPDP Act. These platforms will also be required to verify annually that the technical measures, including algorithms and software being used by them, are not “likely to pose a risk” to the rights of users.
 
Though the government has allowed the cross-border transfer of personal data processed by data fiduciaries operating in India, it has said that such platforms and companies must meet the requirements set out by the central government from time to time, especially if such personal data is being made available to any foreign state or to any person or entity under the control of any agency of such a state.
 
Which sectors are exempt from the Act’s provisions?
 
The provisions of the DPDP Act shall not apply if personal data is collected and processed explicitly for research, archiving, or statistical purposes, provided that such data is collected, processed, and stored securely in accordance with the law.
 
Clinical and mental health establishments, as well as healthcare professionals, will be allowed to access the digital personal information of users, including children, only to the extent that such access is necessary for the protection of the health of those users.
 
Similarly, educational institutions can process, track, and monitor the behaviour of children registered on their platform, but only to the extent that it is limited to academic activities and the safety and well-being of the child.
 

First Published: Nov 14 2025 | 1:08 PM IST

