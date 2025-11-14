ETV Bharat / technology

E-commerce, Social Media Firms Must Erase Inactive User Data After 3 Years: DPDP Act

New Delhi: The government has notified detailed norms under the Digital Personal Data Protection (DPDP) Act, introducing stringent data-retention rules for e-commerce platforms, social media intermediaries and online gaming companies.

Under the new guidelines, platforms will be required to delete the personal data of any user who has not logged in or used the service for three consecutive years. The regulation applies to online gaming companies with more than 50 lakh users, as well as social media and e-commerce platforms with more than two crore registered users in India.

Companies must give the inactive user 48 hours' notice before deleting such data, warning them that their data will be deleted if they don't use the platform within that time frame.

For digital platforms with more than 50 lakh users, known as significant data fiduciaries, the Act also establishes a higher compliance threshold.

To make sure that their systems, algorithms, and procedures do not endanger user rights, these organisations are required to perform an annual audit and a Data Protection Impact Assessment. They must additionally verify each year that their technical measures remain safe and compliant.