DPDP in 60 Seconds
- Ask for clear, specific consent before collecting data
- Use data only for the purpose you said you would
- Respect users’ rights to access, correct, or delete their data
Introduction: India Just Joined the Global Privacy Revolution
Think about the last time you downloaded an app. You probably tapped “I Agree” on a 47-page terms document without reading a word of it. And somewhere in that document, the company quietly got permission to collect your location, share it with partners, and use it for ads.
That era is ending — globally, and now in India too.
The Digital Personal Data Protection Act, 2023 is India’s answer. And with the DPDP Rules released in 2025, enforcement is no longer a distant hypothetical. It’s on the calendar.
Data privacy is a trust problem. Users are getting smarter. They know their data has value. They’re increasingly choosing products that respect their privacy. Companies that get ahead of DPDP aren’t just avoiding fines — they’re building a competitive moat. The ones that drag their feet aren’t just risking penalties. They’re risking their reputation.
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 was passed by the Indian Parliament and received Presidential assent in August 2023. It is India’s first dedicated law governing how personal data of Indian citizens can be collected, stored, processed, and used.
Before DPDP, India had fragmented privacy protections scattered across the IT Act, 2000 and its rules. There was no unified framework, no clear user rights, and no dedicated regulator. Businesses largely operated on the principle of “collect everything, figure out the rules later.”
DPDP changes that. In one sentence: if you collect data about Indian users, you must collect it with consent, use it responsibly, protect it properly, and give users meaningful control over it.
The law is overseen by the Data Protection Board of India (DPBI) — an independent body empowered to investigate complaints, conduct inquiries, and levy penalties on those who violate the Act.
A helpful way to think about it: Just like FSSAI tells food companies what’s safe to put in your food, the DPDP Act tells businesses what’s safe to do with your data.
The detailed operational rules — the DPDP Rules, 2025 — were released by the Ministry of Electronics and Information Technology (MeitY) and specify exactly how businesses must implement the law.
5 Terms That Run the Entire DPDP Act (Explained Like You’re Not a Lawyer)
You don’t need to read the Act in full. But five terms come up constantly, and if you understand these, you understand 80% of DPDP.
1. Personal Data: Any information that can identify a person — directly or indirectly. This includes obvious things like your name and phone number, and less obvious things like your IP address, device ID, or location data. If the data can be traced back to a specific individual, it’s personal data.
2. Data Principal: That’s you — the individual whose data is being collected. Under DPDP, the Data Principal has real rights: to know what data is collected, to correct it, to ask for it to be deleted, and to withdraw consent. Think of it as the law recognising you as the owner of your own information.
3. Data Fiduciary: The business or organisation that collects and decides how to use your data. Zomato collecting your delivery address? Data Fiduciary. Your hospital storing your health records? Data Fiduciary. Your employer storing your payroll details? Data Fiduciary. Most of the obligations under DPDP fall on this entity.
4. Data Processor: A third party that processes data on behalf of a Data Fiduciary. For example, if Zomato uses a cloud analytics company to process your order history, that analytics company is the Data Processor. They don’t decide what to do with the data — the Fiduciary does — but they’re still bound by contractual obligations under the Act.
5. Consent Manager: A new concept introduced by DPDP. A Consent Manager is a registered entity through which a user can give, review, and withdraw consent across multiple platforms — like a centralised privacy dashboard. Think of it as a single control panel for all your data permissions.
One more worth knowing — Significant Data Fiduciary (SDF): The government can designate certain companies as SDFs based on the volume or sensitivity of data they handle. Think large social media platforms, major fintech companies, healthcare aggregators. SDFs face additional obligations like mandatory Data Protection Officers and impact assessments.
Is This Personal Data? Here’s How to Tell (With Real Examples)
One of the most common questions businesses ask: “Does this count as personal data?”
The short answer: if it can identify a person, even indirectly, it likely does.
Clearly personal data:
- Name, email address, mobile number
- Date of birth, home address
- PAN card, Aadhaar number
- Bank account details, UPI ID
- Location data from your phone
- IP address and device identifiers
- Biometric data (fingerprints, face scans)
Less obvious but still personal data:
- Your cab booking history (your movement patterns)
- Your OTP (tied to your number and identity)
- Browsing behaviour linked to an account
- A photo that contains your face
- Inferred data — e.g., “this user is likely diabetic” based on purchase patterns
Two edge cases:
- Anonymised data: Genuinely anonymised data (where re-identification is impossible) is outside DPDP’s scope. But most “anonymised” data isn’t truly anonymous — it can often be re-identified when combined with other datasets.
- Aggregated data: Data like “60% of our users are in Maharashtra” is not personal data. But the individual records that make up that aggregate are.
Children’s data gets special treatment. Under DPDP, anyone under 18 is treated as a child, and their data requires verifiable parental consent. Businesses cannot target children with behavioural advertising, and they cannot profile them.
Real check: Your salary slip uploaded to an HR platform? Personal data. Your resume uploaded to a job portal? Personal data. Even the city you mention in a customer support chat could qualify in context.
The DPDP Rules 2025 Are Out — Here's What Actually Changed
The DPDP Act was the framework. The DPDP Rules, 2025 are the how-to manual. Released by MeitY, they fill in the operational details that businesses were waiting for.
Here’s what changed and what it means:
1. Consent notices got stricter (and clearer): The Rules specify that consent notices must be in plain language, available in scheduled Indian languages, and must clearly state: what data is being collected, why, and for how long. No more legalese buried in 40-page privacy policies.
2. Consent Managers are now real: The Rules define how Consent Managers must be registered, operated, and audited. This creates an entirely new category of compliance infrastructure — and a new business opportunity for platforms that can manage consent at scale.
3. Children’s data verification has a framework: Businesses that knowingly or unknowingly process children’s data must now have a mechanism to verify the user’s age and obtain parental consent. The specific technical mechanism is still evolving, but the obligation is live.
4. Data localisation requirements were relaxed (conditionally): Earlier drafts were stricter about data being stored only within India. The 2025 Rules take a more nuanced approach — cross-border data transfer is allowed except to countries specifically blocked by the government. This is better news for global businesses and SaaS companies.
5. Grievance redressal timelines are locked in: Businesses must now resolve user complaints within defined timeframes. Users who are unsatisfied can escalate to the Data Protection Board.
What’s still coming: Sector-specific guidance (for healthcare, fintech, etc.) and the formal list of designated Significant Data Fiduciaries are still awaited. The regulatory framework is live, but it’s still maturing.
Does DPDP Apply to Your Business? Here's a Simple Checklist
The DPDP Act has a wide reach — wider than most businesses realise.
It applies to you if:
- You collect, store, or process digital personal data of Indian residents
- You’re a foreign company that handles data of users located in India
- You’re a startup, SME, or large enterprise — size doesn’t create an exemption
It does not apply to:
- Personal or household data processing (a family WhatsApp group is safe)
- Data made publicly available by the person themselves
- Government processing for national security, law enforcement, and similar purposes (with conditions)
- Research, archival, and statistical purposes — under specific safeguards
The global company question: This is where many international businesses are caught off guard. If you’re a US-based SaaS company with Indian users, DPDP applies to you. Just like GDPR applied to non-European companies with European users, DPDP follows the data, not the company’s geography.
Sectors with highest immediate impact:
- Fintech & Banking — KYC data, transaction history, credit profiles
- Healthtech — Patient records, diagnostics, insurance data
- Edtech — Student data, often including minors
- E-commerce — Purchase history, addresses, payment data
- HR & Recruitment — Employee and candidate data at scale
- AdTech — Behavioural data, profiling, targeting
Quick self-check: Do you collect names, emails, phone numbers, or any other information from Indian users digitally? Then DPDP applies to you. Full stop.
Consent Requirements
Consent under DPDP must be:
- Free — No coercion or bundling (“accept everything or you can’t use the app” is no longer valid)
- Informed — The user must know exactly what they’re consenting to
- Specific — One consent cannot cover every possible use of data
- Unambiguous — No pre-ticked boxes, no implied consent
- Revocable — Users must be able to withdraw consent as easily as they gave it
Example: A job portal collecting your resume for job matching cannot use that same consent to send you marketing emails or share your profile with third-party recruiters unless you separately agree to that.
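The five consent properties above, plus the purpose-limitation rule from the job-portal example, written as checks a Data Fiduciary's backend could run before touching a record. This is an added illustration, not code from this page or from any DPDP tool; the ConsentRecord fields, purpose names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent given by a Data Principal. Field names are assumed for this example."""
    principal_id: str            # identifier of the Data Principal
    purposes: frozenset          # the specific purposes the user agreed to
    data_items: frozenset        # personal data items collected for those purposes
    notice_version: str          # plain-language notice shown at the time (informed)
    user_initiated: bool         # True only for an active opt-in (no pre-ticked box)
    bundled_with_service: bool   # True if using the service was conditioned on consent
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def consent_defects(rec: ConsentRecord) -> list:
    """Return the DPDP consent properties the record fails; an empty list means valid."""
    defects = []
    if rec.bundled_with_service:
        defects.append("free: consent was bundled with access to the service")
    if not rec.notice_version:
        defects.append("informed: no notice version was recorded")
    if not rec.purposes or "all" in rec.purposes:
        defects.append("specific: consent must name concrete purposes")
    if not rec.user_initiated:
        defects.append("unambiguous: consent was implied or pre-ticked")
    return defects


def withdraw(rec: ConsentRecord, at: Optional[datetime] = None) -> None:
    """Revocable: withdrawal needs nothing beyond the request and is recorded, not deleted."""
    rec.withdrawn_at = at or datetime.now(timezone.utc)


def may_process(rec: ConsentRecord, purpose: str, data_item: str,
                now: Optional[datetime] = None) -> bool:
    """Purpose limitation: valid, still in force, names this purpose, covers this item."""
    now = now or datetime.now(timezone.utc)
    if consent_defects(rec):
        return False
    if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
        return False
    return purpose in rec.purposes and data_item in rec.data_items


# Constructed sample: the job-portal case from the text. Consent covers job
# matching only, so marketing and recruiter sharing must be refused.
JOB_CONSENT = ConsentRecord(
    "principal-demo-001", frozenset({"job_matching"}), frozenset({"resume", "email"}),
    "notice-v2", user_initiated=True, bundled_with_service=False,
    given_at=datetime(2025, 6, 1, tzinfo=timezone.utc),
)
# Constructed counter-example: a pre-ticked box that also gated access to the app.
BUNDLED_CONSENT = ConsentRecord(
    "principal-demo-002", frozenset({"all"}), frozenset({"contacts"}), "notice-v2",
    user_initiated=False, bundled_with_service=True,
    given_at=datetime(2025, 6, 1, tzinfo=timezone.utc),
)
```

Keeping the withdrawal timestamp rather than deleting the record is what lets you show the Board, later, exactly when processing should have stopped.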
Data Minimisation
Collect only what you genuinely need for the stated purpose. Nothing more.
Example: A food delivery app needs your delivery address and phone number. It does not need your Aadhaar number, your date of birth, or access to your full contacts list. Asking for more than you need is a violation.
User Rights (Data Principal Rights)
Users now have legally enforceable rights:
- Right to Access: Users can ask what personal data you hold about them
- Right to Correction: Users can ask you to fix inaccurate data
- Right to Erasure: Users can ask you to delete their data (subject to legal retention requirements)
- Right to Grievance Redressal: Users can file complaints if their rights are violated
- Right to Nominate: Users can nominate someone to exercise these rights on their behalf in case of death or incapacity
Businesses must have a clear, functional mechanism to handle these requests within defined timeframes.
Security Obligations
The Act requires Data Fiduciaries to implement “reasonable security safeguards” to prevent data breaches. If a breach occurs, you must notify the Data Protection Board and affected users without unreasonable delay.
What counts as reasonable: Encryption, access controls, regular audits, and breach detection systems are baseline expectations. The bar will rise as the rules mature.
Additional Obligations for Significant Data Fiduciaries
If your company is designated as an SDF, you have extra obligations:
- Appoint a Data Protection Officer (DPO) based in India
- Conduct periodic Data Protection Impact Assessments (DPIAs)
- Undergo independent audits
- Avoid using personal data for training AI/ML models without explicit consent (proposed)
What Happens If You Don't Comply? The Penalty Breakdown
DPDP is not a law with criminal liability — you won’t go to jail for a data breach. But the financial penalties are significant enough to hurt any business.
Penalty tiers under the Act:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security safeguards | ₹250 crore |
| Failure to notify a data breach | ₹200 crore |
| Violation of children’s data protection rules | ₹200 crore |
| Non-compliance with Data Principal rights | ₹50 crore |
| General non-compliance | ₹50 crore |
| Frivolous complaints by Data Principals | ₹10,000 |
Who decides: The Data Protection Board of India (DPBI) has the authority to investigate complaints, summon parties, and impose penalties. Decisions can be appealed to an Appellate Tribunal, and further to the High Court.
Important nuance: These are maximum penalties — the Board will consider the nature, gravity, duration, and intent behind the violation before deciding the actual fine. A startup that unknowingly missed a consent requirement will likely be treated differently from a large platform that knowingly ignored user rights.
The risk isn’t just financial. Regulatory investigations are public. The reputational damage from being in the DPBI’s crosshairs could cost far more than the fine itself.
DPDP vs GDPR: Same Spirit, Different Rules
If your business is already GDPR-compliant, you have a head start — but DPDP is not identical to GDPR. Here’s how they compare:
| Factor | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Scope | Indian users’ data, processed digitally | All EU residents’ data |
| Legal bases for processing | Primarily consent-driven | Consent + legitimate interest + contract, etc. |
| Data localisation | Conditional (blocked countries list) | Not required |
| DPO requirement | Only for Significant Data Fiduciaries | Required for large-scale processing |
| Right to data portability | Not explicitly included | Explicitly included |
| Children’s age threshold | Under 18 | Under 16 (varies by country) |
| Maximum penalty | ₹250 crore (~$30M) | €20 million or 4% of global turnover |
| Criminal liability | No | In some member states |
Key takeaway: DPDP is inspired by GDPR but is lighter on compliance burden in several areas. However, India’s reliance on consent as the primary legal basis is stricter in some ways — GDPR allows “legitimate interest” as a basis for processing, which DPDP largely does not.
If you’re already GDPR-compliant, focus on:
- Rebuilding consent flows to meet India’s specific requirements
- Adding user rights mechanisms for Indian users
- Reviewing cross-border data transfer protocols
DPDP Compliance Timeline: What's Already Active and What's Coming
Here’s where things stand as of 2025:
August 2023: DPDP Act passed and notified. The law exists, but enforcement rules are pending.
2025: DPDP Rules released by MeitY. The operational framework is now live. Businesses have no excuse for not knowing what’s required.
Now – Mid 2025: Awareness and early preparation phase. Businesses are expected to begin building compliance infrastructure. The Data Protection Board is being constituted.
Mid 2025 onwards: Enforcement begins phasing in. Significant Data Fiduciaries are expected to be notified. Consent Manager registrations begin.
Full Enforcement: Penalties become fully applicable. At this point, there is no “we’re still figuring it out” defence.
What happens if you delay: The DPDP Act does not come with an indefinite grace period. Once enforcement notifications go out, the clock runs. Businesses caught without basic compliance infrastructure — no consent mechanisms, no user rights workflows, no breach response plan — will be the first targets.
The Board is expected to make early examples. Don’t be one of them.
Your DPDP Compliance Roadmap: A Practical 18-Month Plan
Compliance sounds overwhelming until you break it into a sequence. Here’s a realistic roadmap:
Months 1–3: Audit and Understand
Before you fix anything, understand where you stand.
- Data mapping: Document every type of personal data you collect, where it comes from, where it’s stored, who has access, and who you share it with
- Gap analysis: Compare your current practices against DPDP requirements
- Risk prioritisation: Identify your highest-exposure areas — children’s data, health data, and financial data need to be fixed first
- Appoint a data privacy lead internally — even if it’s a part-time role for now
Months 4–6: Policy and Consent Overhaul
Fix the front-end of your data collection.
- Rewrite your privacy notice in plain, simple language — no more legalese
- Rebuild consent collection across all touchpoints (app sign-ups, website forms, checkout flows)
- Ensure consent is specific, revocable, and documented
- Update all vendor contracts to include data processing obligations
- Build a mechanism for users to withdraw consent easily
Months 7–12: Technical and Operational Implementation
This is where the work becomes engineering work.
- Build user rights request workflows — how users submit access, correction, or deletion requests, and how your team processes them within the required timeframe
- Implement breach detection and notification protocols
- Set up a formal grievance redressal mechanism with clear escalation paths
- If you’re an SDF: conduct a Data Protection Impact Assessment, appoint a DPO, prepare for audit
Months 13–18: Test, Train, and Sustain
Compliance isn’t a one-time project. It’s an ongoing practice.
- Train your teams — customer support, marketing, product, HR all touch personal data and need to understand their obligations
- Run mock audits — simulate a user rights request, a data breach, and a regulatory complaint to test your readiness
- Establish a review cadence — quarterly privacy reviews as the regulatory framework continues to evolve
- Monitor regulatory updates — DPDP Rules will continue to be refined. Subscribe to MeitY notifications and Board circulars
The Bottom Line: DPDP Is Not Optional — But It's Also an Opportunity
Here’s the thing about every major data privacy law in history — GDPR, CCPA, PDPA — the businesses that treated compliance as a minimum bar lost. The ones that treated it as a chance to build genuine user trust won.
DPDP is India’s moment to reset the relationship between businesses and the people whose data they rely on. Your users are about to have real legal rights. The businesses that respect those rights proactively — before they’re forced to — will earn something no marketing budget can buy: trust.
The law is live. The rules are out. The only question is whether you’re getting ahead of it or waiting to be caught behind.
Before You Close This Tab — Find Out Where You Actually Stand
Reading about DPDP is step one. Knowing whether your website is already exposed is step two.
Most businesses assume they’re fine — until they actually check. A missing consent banner, a privacy notice written in 2019, a third-party script silently collecting user data in the background — these are the gaps that regulators notice first.
We built the DPDP Readiness Report to give you that answer in minutes, not months.
Point it at your domain, and it audits your:
- Webpage and data flows — what’s being collected, by whom, and whether consent exists for it
- Privacy notice — whether it meets DPDP’s plain language and disclosure requirements
- Loopholes and gaps — exactly what’s non-compliant and what to fix first
You get a clear, prioritised report — not a generic checklist, but a diagnosis specific to your domain.