Get in Touch
2026-03-18

The Missing Infrastructure: Why India’s Data Deletion Rights Need More Than the DPDP Act

Introduction

The ongoing massive use of personal data drives the present-day digital economy. Every online transaction, whether using a mobile application, registering for a service, or making a digital payment, generates data that businesses analyse and process for a variety of uses.

Although people typically give their information to a specific platform, the information rarely stays with that organization alone. Rather, it frequently passes through a number of middlemen that are a part of the larger digital ecosystem, including cloud services, digital advertisers, analytics companies, and marketing networks. With the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or the “Act”) and the ensuing Digital Personal Data Protection Rules, 2025 (the “Rules”), India has made significant progress in safeguarding personal data.

When combined, these tools seek to establish a framework that strikes a balance between individual privacy protection and innovation in the digital economy. While the DPDP Act framework introduces Consent Managers as a centralized mechanism for managing user consent, their role remains limited and does not extend to ecosystem-wide enforcement of deletion requests.

Accordingly, the lack of fully operational, centralised deletion mechanisms may make it challenging for individuals to effectively exercise their erasure rights as digital ecosystems grow more complex.

The Promise of Deletion Rights Under India’s DPDP Framework

A rights-based framework is established by the Act, to guarantee that personal data is handled responsibly and only for legitimate, designated purposes. It establishes a framework of accountability for the gathering, use, and storage of personal data by defining important participants in the data ecosystem, including Data Principals, Data Fiduciaries, Data Processors, and Consent Managers. Storage limitation is a key element of the Act.

  1. A Data Fiduciary is required by Section 8(7) to remove personal data when the Data Principal withdraws consent or when the specified purpose of processing is no longer being served, unless retention is mandated by law.
  2. Additionally, the fiduciary is responsible for ensuring that the data is deleted by any Data Processor that received it, extending the obligation to do so throughout the processing chain.
  3. According to Section 8(8), if the Data Principal has not communicated with the Data Fiduciary or used any rights pertaining to the data for a predetermined amount of time, the purpose is deemed no longer served.
  4. Rule 8(1) mandates that Data Fiduciaries only keep personal information for the time frame listed in Schedule III, after which it must be erased unless retention is mandated by another law.
  5. Large digital platforms, such as e-commerce companies and social media intermediaries with at least two crore registered users in India and online gaming platforms with at least fifty lakh users, are primarily covered by Schedule III.
  6. Although some information may be kept to preserve account access or digital assets like wallet balances or reward points, the platform is required to remove a user’s personal information after three years of inactivity. Procedural protections are also introduced by the Rules.
  7. The Data fiduciaries are required by Rule 8(2) to give users at least 48 hours’ notice prior to deletion so they can retrieve critical information.
  8. Rule 8(3) further mandates that organisations keep technical records, such as system logs and traffic data, for a period of one year, for security, audit, and compliance reasons.
  9. A Data Principal may request that personal data be updated, corrected, or deleted under Section 12(3). If the request is not fulfilled, the person may file a complaint under Section 27 with the Data Protection Board of India after first lodging a grievance under Section 13 with the Data Fiduciary.
Role and Limitations of Consent Managers

A notable feature of the DPDP framework is the introduction of Consent Managers, which act as intermediaries enabling Data Principals to grant, manage, and withdraw consent across multiple Data Fiduciaries through a single interface. This reflects an initial move toward centralised control over personal data processing. However, their function remains primarily limited to consent management rather than enforcement of deletion across the data ecosystem.

Withdrawal of consent does not automatically ensure that personal data already shared with multiple processors, third parties, or downstream entities is erased across all such systems. As a result, while Consent Managers improve accessibility and user control, they do not yet address the operational challenge of ensuring comprehensive and verifiable data deletion across interconnected digital networks.

California Delete Act: A Centralized Approach to Data Deletion

California passed the California Delete Act in October 2023 in response to the problems brought about by the expanding data broker sector. Without having direct contact with the people whose data, they handle, data brokers gather and exchange personal information from a variety of sources. People may find it challenging to monitor the storage location or usage of their personal data as a result of this practice.

  • The law required regulators to create the Delete Request and Opt-Out Platform (DROP), a centralised deletion tool, in order to address this problem.
  • Residents can register for a verified account on the platform and make a single request that all registered data brokers remove their personal data and cease selling or sharing it.
  • The platform serves as a single conduit for sending deletion requests to all registered data brokers, eliminating the need for users to get in touch with multiple businesses individually.
  • These brokers must periodically retrieve requests from the platform, process them within a predetermined amount of time, and make sure that the deleted data is not collected or resold.
  • Additionally, they have to use the system to report their compliance status and maintain suppression lists.
The Infrastructure Gap in India’s Data Ecosystem

India’s digital ecosystem has grown a lot in the last few years, especially in areas like e-commerce, fintech, online services, and digital advertising. The personal information often moves between different organisations, many of which the person can’t see directly. In this kind of setting, the decentralised model for deletion requests under the Act framework has some real-world problems.

People may not know all the companies that have their personal information, especially if it has been shared with marketing networks or third-party processors. Although Consent Managers introduce an element of centralisation, they do not function as a unified deletion infrastructure.

The absence of mechanisms capable of propagating deletion requests across unknown or downstream entities continues to create practical challenges in fully enforcing the right to erasure. The absence of centralized infrastructure also creates challenges for regulators. Without systems that keep track of deletion requests, it becomes hard to see if they have been carried out across networks of linked data processors.

AMLEGALS Remarks

The Act and Rules represent significant progress in strengthening India’s data protection framework. By recognising rights such as access, correction, and deletion, the framework seeks to empower individuals while promoting responsible data governance.

However, while India has taken an important step by introducing Consent Managers, the current framework stops short of enabling centralized, verifiable deletion across the broader data ecosystem. For example, California Delete Act illustrates that effective privacy protection requires not only legal recognition but also operational infrastructure that ensures enforceability.

Bridging this gap would require integrating consent management systems with mechanisms capable of ensuring ecosystem-wide deletion, thereby aligning user control with actual data outcomes.

For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com or Khilansha.mukhija@amlegals.com

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.

I Agree I Disagree