The government’s new rules now require platforms to delete user data after 3 years of inactivity. This is a significant shift in how companies in India must handle dormant user accounts and data.
Here’s a detailed breakdown of the mandate, why it matters, how it came about, and what actions businesses and users should take.
What does the rule to delete user data after 3 years of inactivity say?
Under the recently notified rules of the Digital Personal Data Protection Act (DPDP Act), certain platforms must erase the personal data of any user who has not logged in or used their service for three consecutive years.
These platforms must also issue a notice (at least 48 hours in advance) to the user, warning that their data will be deleted unless they log in or respond.
Key thresholds for applicability:
- E-commerce and social media intermediaries with over ~20 million (2 crore) registered users in India.
- Online gaming companies with over ~5 million (50 lakh) users.
Companies must retain at least one year of data/logs after processing for auditability.
Why this rule?
The “delete user data after 3 years of inactivity” rule fits into five broad goals:
- Privacy protection & data minimisation: By forcing deletion of long-unused data, platforms reduce potential risk of data breaches, misuse or unauthorised retention.
- Lifecycle governance: The new rules emphasise the entire lifecycle of user data, from collection and processing to deletion.
- Regulatory clarity: Until now, many companies lacked clear guidelines on retention of inactive account data. This provides clarity.
- User rights: Users get greater assurance their dormant accounts won’t result in indefinite data storage.
- Efficiency & data hygiene for businesses: Reducing piled-up inactive data may improve system performance, cost control and risk management.
Background & context
- The DPDP Act was enacted by Parliament on 11 August 2023 and the rules (DPDP Rules 2025) were notified on 13 November 2025.
- The rules operationalise the law’s principles: consent & transparency, purpose limitation, data minimisation, storage limitation, accuracy, security safeguards and accountability.
- Before these rules, the law lacked detailed operational norms about when inactive user data must be removed.
- The “three-years inactivity” provision is part of the storage limitation principle — i.e., data shouldn’t be kept longer than required.
What exactly qualifies as “inactivity”?
“Inactivity” in this context means the user has not logged into or used the service for a continuous period of three years.
Prior to deletion, the platform must notify the user (at least 48 hours in advance) that if they don’t take action (log in/respond), their personal data will be deleted.
There are some caveats:
- If retention is required by law (for audit, taxation, litigation, etc.), longer retention may apply.
- The rule applies specifically to personal data stored by the ‘data fiduciaries’ (platforms) and covered under the Act and Rules.
- Deleted data means personal data whose processing is no longer needed; it may not include credentials or monetary tokens if other laws require their retention.
Implications for Businesses
If your company falls within the thresholds (social media, e-commerce, gaming with large user bases), you need to:
- Audit your user base for accounts inactive for three years and plan deletion workflows.
- Build notifications: send the user a notice 48 hours in advance of deletion and provide a log-in or confirmation option.
- Ensure your data architecture supports timely deletion and that audit logs are retained for at least one year.
- Update privacy policies and terms to reflect this deletion policy.
- Monitor for exceptions (legal holds, pending disputes, regulatory retention requirements).
- Plan for compliance timelines: many obligations have an 18-month window for full compliance.
Implications for Users
- Dormant accounts: If you stop using a service for three years, your personal data may be deleted — so if you value keeping your profile/data, log in periodically.
- Data rights: You’ll receive a notice before deletion and can choose to re-activate or respond.
- Better privacy: Less risk of your unused account data being stored indefinitely.
- Awareness: Understand which services you use and which you’ve forgotten — this may affect your digital footprint.
What still needs clarity & future outlook
- Exact definition of “use” or “log in” may vary by platform.
- Retrospective applicability: Will data that’s already inactive for >3 years need deletion immediately, or only moving forward? (Companies are interpreting this now.)
- Exceptions: How many legal/sectoral retention laws will override this rule?
- Cross-border data & global platforms: Management of inactive user data from Indian users by foreign-based platforms.
- Cost and technical burden on smaller firms: Even though thresholds are large (20 million+, etc.), smaller companies may eventually face pressure or similar norms.
- Enforcement: The newly created Data Protection Board of India (DPBI) will oversee compliance and adjudication.
Conclusion
The government’s mandate to delete user data after 3 years of inactivity marks a major step forward in India’s digital privacy landscape. For businesses it means re-engineering data retention and deletion practices; for users it means greater control and privacy over their digital footprints. With compliance timelines ahead, stakeholders must act now to align with this new reality.


