New data rules: E-commerce, social media to delete user info after 3 years

For the first time, the rules for the Digital Personal Data Protection Act categorise various types of data fiduciaries and stipulate that entities like e-commerce platforms, online gaming services, and social media networks must delete user data three years after it is no longer needed.

These requirements are outlined in Section 8 of the draft rules, which mandate that data fiduciaries must erase personal data when it is no longer necessary for its intended purpose. The Third Schedule of the draft rules specifies the data retention timelines for different data fiduciaries, including social media platforms, online gaming platforms, and e-commerce entities.