Data fiduciaries such as ecommerce, online gaming and social media platforms will have to erase personal data of a user three years after it is no longer required, according to the draft rules of the Digital Personal Data Protection (DPDP) Act.