Your DPDP Rights: How to Make Companies Delete Your Data
For years, asking an Indian app or shopping site to wipe your data was a polite request they could ignore. That changed quietly on 13 November 2025, when the government notified the rules that bring the Digital Personal Data Protection Act to life. Your DPDP data rights are no longer a clause in a law nobody enforced. They are becoming something you can actually use to make a company access, fix or delete the information it holds on you.
Most coverage has focused on what businesses must do to comply. This is the other side: a plain guide for the person whose phone number, location history and purchase records are sitting on a dozen servers. Here is what you can demand, how to ask, and where the limits are.
The five rights you now hold
The Act calls you a Data Principal and the company holding your data a Data Fiduciary. As a Data Principal you have a small but powerful set of rights:
- Access — ask a company for a summary of the personal data it has on you and what it is doing with it.
- Correction and completion — get wrong or outdated details fixed, and incomplete ones filled in.
- Erasure — have your data deleted once the reason it was collected no longer applies, or once you withdraw consent.
- Grievance redressal — a defined channel to complain, with the company obliged to respond.
- Nomination — name someone to exercise these rights on your behalf if you die or become incapacitated.
The sixth, and arguably the most useful day to day, is the right to withdraw consent at any time. If you once agreed to let a food app track your location or a lender pull your contacts, you can take that permission back, and withdrawing it must be as easy as giving it was.
How to actually send a deletion request
The law does not require a lawyer or a special form. A clear written request is enough. The steps are simple, even if the outcome sometimes is not.
- Find the grievance or data protection contact. Every covered company must publish how to reach its grievance officer or business contact, usually in the privacy policy or a 'Contact Us' page. Note that address.
- State exactly what you want. Be specific: erase my account and associated personal data, or withdraw my consent for marketing and location use. Vague requests invite vague replies.
- Identify yourself, but do not over-share. Give the email or phone number tied to the account so they can verify you, but you do not owe them fresh documents they never needed before.
- Put a date on it and keep a copy. A dated email is your proof if you have to escalate later.
- Wait, then follow up. The detailed response timelines sit in the part of the rules that is still being phased in, so for now treat a couple of weeks as a fair window before you chase.
Keep the tone factual. You are exercising a statutory right, not asking a favour.
Why this is built to defeat the usual brush-off
The old playbook was to bury you in 'we value your privacy' boilerplate and never act. The DPDP framework changes the incentive. Companies that mishandle personal data face penalties that run up to ₹250 crore for the worst breaches. That number is aimed at boardrooms, not at you, but it is the reason your email is far more likely to land on someone's desk now than it was two years ago.
There is also a structural shift coming. The rules create a new kind of intermediary called a Consent Manager — a registered Indian platform where you can see every consent you have given and switch any of them off from a single dashboard. To be approved, a Consent Manager must be incorporated in India and hold a net worth of at least ₹2 crore, and it is legally bound to act only on your instructions, not the company's. Think of it as a remote control for your own permissions.
The timeline that decides what works today
The single most important thing to understand is that none of this switched on at full strength overnight. The rollout is deliberately staggered.
- From November 2025: the Data Protection Board of India, the body that hears complaints, comes into being.
- Within about a year (toward late 2026): the registration process for Consent Managers opens, so those dashboards start appearing.
- Around May 2027: the heavy obligations land — formal notice standards, security safeguards, breach reporting, retention-and-deletion triggers, children's consent rules and the precise grievance timelines.
So in mid-2026 you are in an in-between phase. You can already send requests and many responsible companies will honour them, but the strict deadlines and the Board's full muscle arrive later. Sending requests now still matters: it builds a paper trail and signals that people are watching.
Where 'delete everything' hits a wall
Erasure is a right, not a magic eraser. A company can lawfully refuse to delete data it is required by another law to keep. The common examples:
- KYC and banking records, which financial regulators force institutions to retain for years.
- Tax and accounting documents, where invoices and transaction trails must survive audits.
- Information tied to an ongoing legal case or investigation.
There is also the children's-data layer. For anyone under 18, companies must obtain verifiable parental consent before processing data, which shifts the responsibility onto parents to manage what apps collect about their kids. If you are clearing out an old account, expect the company to keep the slivers the law obliges it to, and to delete the rest. If it claims it must retain everything, that is your cue to ask which specific law requires it.
A short routine worth adopting
You do not need to wage a privacy campaign. A light, repeatable habit covers most of the value:
- Once or twice a year, list the apps and sites that clearly hold sensitive data — lenders, health and fitness apps, shopping accounts you no longer use.
- For the dormant ones, send a deletion-and-consent-withdrawal email and archive the reply.
- For the active ones, open settings and switch off location, contacts and marketing permissions you never actually use.
- When Consent Managers go live, register on one and pull your scattered permissions into a single view.
The broader point is a change of posture. For the first time, Indian law treats your personal data as something on loan to companies rather than something they own outright. The rights only mean something if people use them, and the quiet, persistent ask — delete this, stop using that — is what turns a notified rulebook into a real shift in who controls your digital life.



