The Data Dilemma: Navigating the three-year rule under the DPDP Act – Part 1
In an era where digital footprints shape consumer behaviour and drive business strategies, the draft rules under the Digital Personal Data Protection (DPDP) Act are set to redefine how platforms handle user data. A key mandate requires platforms like social media, e-commerce, and online gaming to erase user data after three years of inactivity – a seemingly straightforward rule with far-reaching implications!
For these sectors, where data storage intricacies, system interoperability, and diverse legal obligations converge, compliance is far from simple. Data linked to financial transactions, customer support queries, or law enforcement requirements must often be retained for extended periods, raising questions about how such platforms can balance regulatory adherence with operational feasibility.
This two-part series explores the technical, operational, and legal challenges businesses face under the DPDP Act’s three-year data erasure mandate, while examining its potential impact on user privacy, data governance practices, and the broader digital economy.
Significant challenges
The draft rules under the DPDP Act mandate data erasure after three years of inactivity. Experts are unanimous in their view that the data erasure clause poses challenges on multiple fronts, given the complexities of data storage, interoperability, and legal obligations (for example, those arising from financial transactions, customer support, and law enforcement requests).
Mandating data erasure after three years of inactivity poses significant operational and strategic challenges, opines Vivek Bhargava, Co-founder, consumr.ai (ProfitWheel).
On the operational side, Bhargava adds, businesses must reconcile different legal timelines: financial and taxation records may need to be retained up to seven years or more, which clashes with the three-year rule. According to him, defining “inactivity” is equally complex – someone who hasn’t made a purchase or posted on social media might still be reading brand emails or passively browsing. For industries like wedding-related services or large one-time purchases, customer cycles often stretch beyond three years, making a strict cut-off inappropriate, he points out.
“From a marketing and personalization standpoint, erasing user history makes it difficult to re-engage dormant customers who might otherwise return after extended gaps. Platforms such as e-commerce or lending firms rely on historical data to assess credit risk, detect fraud, and serve personalized offers. Losing that intelligence could undermine both user experience and risk management. A critical, yet often overlooked, challenge is data stored across multiple, siloed systems—ranging from legacy backups to analytics platforms. Ensuring a thorough and synchronized data purge across all these touchpoints can be extremely resource-intensive and error-prone,” says Bhargava.
Rajiv Dhingra, Founder & CEO, ReBid, highlights significant operational challenges posed by the three-year mandatory data erasure rule, especially for industries like social media, e-commerce, and gaming that depend on historical data for personalization, fraud prevention, and legal compliance. Key hurdles include the complexity of erasing redundant and backed-up data, synchronizing deletions across third-party systems, and meeting extended retention requirements for legal or financial obligations. Dhingra suggests using advanced tools like Customer Data Platforms (CDPs) to automate compliance and ensure operational efficiency.
Erasing data after three years of inactivity is like cleaning out a wardrobe; you risk tossing something you’ll need later, quips Vishal Rupani, Co-founder, Sprect.com.
“Take Flipkart, for example. It’s not just about deleting old shipping addresses; purchase histories help track warranties, process returns, and even provide personalized recommendations. Zomato faces similar challenges. Your biryani orders from years ago don’t just satisfy your cravings; they help tailor offers and recommendations. Urban Company, meanwhile, relies on service records intertwined with vendor details, ratings and legal agreements. Deleting them too soon could lead to disputes, poor customer service and logistical nightmares,” says Rupani.
According to him, social media platforms like X face a unique dilemma. It’s not just about deleting inactive accounts. Think about what happens to the tweets, replies, and trending conversations linked to those users. “Entire threads might lose context, and content important for public discourse, journalism, or even legal cases could vanish. Online gaming companies are in a similar boat. A player returning after years to find their leaderboard achievements and in-game purchases gone? That’s a loyalty killer,” Rupani adds.
According to him, financial platforms that assist e-commerce companies have it even tougher since regulators require them to keep records for much longer. For example, he adds, credit card disputes can surface years later, like an unwelcome surprise. “Automation can help flag and delete outdated data, but syncing across different systems makes things trickier. And there’s the big issue – law enforcement. Deleting data too soon could disrupt investigations. While it sounds simple on paper, making this rule work will take major effort, including overhauling old systems and rethinking what ‘inactivity’ really means in today’s digital world,” Rupani says.
The DPDP Act requires businesses to erase unnecessary personal data, but compliance isn’t straightforward. Sammy Mamdani, Executive Vice President – Global Operations at Route Mobile, explains that while data deletion is mandated, businesses can retain or anonymize data for valid legal or regulatory reasons, such as retaining financial records for seven years.
The challenge lies in managing data spread across silos and backup systems, while balancing stricter privacy obligations with practices like retaining dormant user accounts for potential reactivation. To address these complexities, organizations must classify data, establish clear retention and deletion policies, and automate synchronization across systems.
By adopting these practices and focusing on data minimization, businesses can strengthen compliance, reduce breach risks, and streamline their data management processes.
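One way to encode the retention logic described above, as an added example that is not part of the original article or of any quoted company's systems: a small policy evaluator that counts only explicit actions as activity (so passive email opens do not reset the clock), applies a three-year inactivity threshold, and keeps financial records still inside a longer retention period, plus anything under legal hold, even after the account is deemed inactive. The thresholds, event types and record categories are assumptions for illustration, not provisions of the Act or its draft rules.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

# Event types that reset the inactivity clock. Passive signals (email opens,
# ad views) are deliberately excluded; which signals count is a policy decision.
ACTIVE_EVENTS = {"login", "purchase", "post", "support_ticket"}
# Assumed thresholds: three years of inactivity, seven years for financial records.
INACTIVITY_LIMIT = timedelta(days=3 * 365)
FINANCIAL_RETENTION = timedelta(days=7 * 365)

class Category(Enum):
    PROFILE = "profile"      # addresses, preferences, browsing history
    FINANCIAL = "financial"  # invoices, payment records
    SUPPORT = "support"      # customer-service transcripts

@dataclass
class Record:
    record_id: str
    category: Category
    created: date
    legal_hold: bool = False  # open dispute or law-enforcement request

@dataclass
class Account:
    user_id: str
    events: list              # (event_type, date) pairs
    records: list = field(default_factory=list)

def last_activity(account):
    """Most recent event that counts as activity, or None if there is none."""
    dates = [d for kind, d in account.events if kind in ACTIVE_EVENTS]
    return max(dates) if dates else None

def evaluate(account, today):
    """Map each record_id to 'erase' or 'retain:<reason>' as of the given date."""
    last = last_activity(account)
    inactive = last is None or today - last >= INACTIVITY_LIMIT
    decisions = {}
    for r in account.records:
        if not inactive:
            decisions[r.record_id] = "retain:active"
        elif r.legal_hold:
            decisions[r.record_id] = "retain:legal_hold"
        elif r.category is Category.FINANCIAL and today - r.created < FINANCIAL_RETENTION:
            decisions[r.record_id] = "retain:financial_period"
        else:
            decisions[r.record_id] = "erase"
    return decisions
```

Running the evaluator on a constructed account whose last purchase was in March 2021 but who still opened a marketing email in late 2024 erases the profile data, keeps the 2021 invoice under the financial period, erases a 2016 invoice that has aged out of it, and keeps a support ticket under legal hold.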
The three-year data erasure mandate under the DPDP Act presents a significant operational challenge for platforms, says Ayush Nambiar, Chief Strategist & Director, Flags Communications.
According to him, social media, e-commerce, and gaming platforms often store vast amounts of user data for personalization, transaction records, and long-term engagement strategies. Ensuring interoperability while adhering to this rule requires reengineering existing data systems to track and manage inactivity effectively.
“Moreover, legal obligations such as financial compliance, customer dispute resolution, and law enforcement requests necessitate retaining certain data. Platforms will need clear exemptions and guidelines to handle these conflicting demands. While the mandate promotes privacy, implementing it in such a diverse digital ecosystem requires flexibility and technological readiness. For some platforms, it may involve significant costs and disruption, especially for legacy systems not designed for dynamic data erasure,” says Nambiar.
Meanwhile, Sanjay Trehan, Digital & New Media Advisor, has a different take on this. He believes that data erasure after three years of inactivity is to be seen in the right context. He stresses that the operative word here is ‘inactivity’. If the user has been inactive on a platform, be it social media, e-commerce or gaming, it’s alright to delete his personal data, thus minimising its misuse. Regarding financial transactions, if the user opts to keep the data, he/she can be given that choice.
Trehan thinks that the intent behind mandatory erasure is to protect user privacy, prevent data misuse, keep the data relevant and avoid storage overload.
“If one has been inactive, I don’t see it compromising user experience. However, for businesses a choice can be given to preserve personal data if the user’s permission has been specifically obtained. In an age of intrusive and permission-less marketing where the user is increasingly harassed by all kinds of messaging and advertising, mostly irrelevant, this is a step in the right direction,” adds Trehan.
According to Sajal Gupta, Chief Executive, Kiaos Marketing, the requirement for transparent, comprehensible data usage disclosures is not new; under the GDPR in the EU, businesses are already required to provide simplified privacy policies. Users accessing international apps while in the EU, even temporarily, are often asked to re-consent to such region-specific, user-friendly privacy terms.
“A user inactive for three years holds diminished business value. It is reasonable to assume that during this period, internal marketing and CRM efforts would have made several attempts to reactivate the user but failed to encourage engagement or transactions. Consequently, the likelihood of future engagement from such users is minimal. Most businesses already track Monthly Active Users (MAU), which naturally excludes such dormant users. Moreover, well-structured CRM systems typically devalue inactive users long before the three-year threshold mentioned in the DPDP Act. Therefore, the mandated data purging process should have minimal impact on existing business operations,” Gupta adds.
(Tomorrow: Part 2 of the report will focus on the potential risks and benefits of a mandatory data erasure policy for both users and businesses. Key points will include exploring how platforms can ensure that user data is erased securely and completely, while minimizing disruptions to user experience and maintaining legitimate business operations.)