The draft rules of the Digital Personal Data Protection (DPDP) Act require data fiduciaries such as e-commerce, gaming, and social media platforms to erase users' personal data three years after it is no longer needed, with a prior 48-hour notice that allows users to retain it if desired. Data fiduciaries must ensure data security, promptly notify affected users of breaches, and provide mitigation measures and contact details for queries.