I have spent the past two years watching Indian businesses misread this law. Some assume it only applies to tech companies. Others believe compliance is optional until the penalties start. A handful have confused it with the old IT Act rules and built their data practices on a framework that no longer exists.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is none of those things. It is India's first standalone data protection law, and it applies to virtually every business that handles the personal data of people in India. The full penalty regime activates in May 2027. By that point, your consent mechanisms, privacy notices, breach protocols, and data subject rights infrastructure must be operational, or you face fines that can reach ₹250 crore per violation.
This guide walks through every major provision of the Act, section by section. No generalities. No recycled GDPR commentary dressed up in Indian terminology.
Key Takeaways
- The DPDP Act 2023 applies to all digital personal data processed within India and to offshore entities serving Indian consumers.
- Consent must be free, specific, informed, and unambiguous, with a clear affirmative action from the Data Principal.
- Section 7 creates a "legitimate uses" framework allowing processing without consent in defined scenarios, including employment and medical emergencies.
- Penalties range from ₹10,000 (for Data Principals filing false complaints) to ₹250 crore (for security failures leading to breaches).
- Full enforcement of all substantive provisions begins May 13, 2027. The Data Protection Board became operational in November 2025.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023. It establishes a comprehensive framework for processing digital personal data in India, replacing the patchwork of provisions under the Information Technology Act, 2000 and the IT (Reasonable Security Practices) Rules, 2011 that previously governed this space.
The Act is built on two foundational principles: the right of individuals to protect their personal data, and the recognition that businesses need to process such data for lawful purposes. It attempts to balance both without tilting entirely toward either.
As of February 2026, the DPDP Rules 2025 have been notified, providing the operational detail the Act left to subordinate legislation. For a detailed breakdown of those Rules, see our DPDP Rules 2025 analysis.
Who Does the DPDP Act Apply To?
Section 3 of the DPDP Act defines the scope. Two categories of processing fall within the Act:
1. Processing within India: Any processing of digital personal data collected online, or collected offline and subsequently digitised, within the territory of India.
2. Processing outside India: Any processing of personal data of Indian Data Principals by entities outside India, where such processing is in connection with offering goods or services to individuals in India.
This extraterritorial reach is significant. A SaaS company headquartered in Singapore that serves Indian customers falls squarely within the Act's jurisdiction. So does a US-based e-commerce platform shipping to Indian addresses that collects names, payment details, and delivery addresses.
The Act does not apply to personal data processed by an individual for personal or domestic purposes, or to data that has been made publicly available by the Data Principal or under any law.
What is "Personal Data" Under DPDP?
Section 2(t) defines personal data as "any data about an individual who is identifiable by or in relation to such data." This is deliberately broad.
Names, email addresses, phone numbers, Aadhaar numbers, payment details, IP addresses, device identifiers, and location data all qualify. The key test: can a real person be identified from this data, either directly or in combination with other available information?
Unlike the EU's GDPR, the DPDP Act does not create a separate category of "sensitive personal data" with heightened protections. All personal data receives the same level of protection under the Act. This is a conscious design choice, one that simplifies compliance but also means there is no lighter regime for basic contact information versus health records.
How Does Consent Work Under the DPDP Act?
Consent is the primary legal basis for processing personal data under the DPDP Act. Sections 5 and 6 establish a consent framework that, while influenced by GDPR, has its own distinct architecture.
What Makes Consent Valid?
Under Section 6, consent must be:
- Free: Not obtained through coercion, undue influence, or bundled with unrelated conditions
- Specific: Given for a defined purpose, not blanket authorisation
- Informed: The Data Principal must understand what data is being collected and why
- Unconditional: Not contingent on accepting unrelated terms
- Unambiguous: Demonstrated through a clear affirmative action
Pre-ticked boxes, buried consent toggles, and "by continuing to use this website you consent to everything" banners do not meet this standard. The Act requires a clear affirmative action, which means the Data Principal must actively opt in.
The Notice Requirement (Section 5)
Before collecting consent, the Data Fiduciary must provide a notice to the Data Principal. This notice must specify:
- The personal data being collected and the purpose of processing
- How the Data Principal can exercise their rights under the Act
- How to file a complaint with the Data Protection Board
Under the DPDP Rules 2025, this must be a standalone notice, not something hidden in a 40-page terms of service document that nobody reads to completion.
Withdrawal of Consent
Section 6(4) gives Data Principals the right to withdraw consent at any time. The process for withdrawal must be as straightforward as the process for giving consent. If you make someone click through three screens to consent, you cannot require twelve steps to withdraw.
Crucially, withdrawal is prospective: it does not affect the legality of processing that occurred before the withdrawal.
When Can You Process Data Without Consent?
This is the provision most businesses get wrong. Section 7 of the DPDP Act establishes "certain legitimate uses" where personal data can be processed without obtaining explicit consent. For a comprehensive analysis of each ground, see our guide to legitimate uses under DPDP.
The legitimate use grounds include:
| Legitimate Use Ground | Section | Practical Example |
|---|---|---|
| Voluntary provision for a specified purpose | Section 7(a) | A customer provides their email at checkout to receive an order confirmation |
| Employment purposes | Section 7(b) | Processing employee payroll data, preventing corporate espionage |
| Medical emergencies | Section 7(c) | Processing health data during a medical emergency threatening life |
| Public health threats | Section 7(c) | Epidemic surveillance and outbreak management |
| Safety and security | Section 7(d) | Processing data for disaster response or public order maintenance |
| Legal compliance | Section 7(e) | Court orders, regulatory reporting requirements |
| Public interest functions | Section 7(f) | Sovereign functions, subsidies, licenses issued by the State |
Note that "legitimate interest," the catch-all ground that European businesses rely on under GDPR, does not exist in the DPDP Act. Indian law takes a more prescriptive approach: you either have consent, or you fall into one of the enumerated grounds above. There is no balancing test you can apply to justify processing based on your own business interests.
What Are the Obligations of a Data Fiduciary?
A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data (Section 2(i)). If your business decides what data to collect, why to collect it, and how to process it, you are a Data Fiduciary.
Section 8 imposes a comprehensive set of obligations:
Accuracy and Completeness (Section 8(3))
Data Fiduciaries must ensure the completeness, accuracy, and consistency of personal data, particularly when it is used to make decisions affecting the Data Principal or when it will be shared with another Data Fiduciary.
Security Safeguards (Section 8(4))
Data Fiduciaries must implement "reasonable security safeguards" to prevent personal data breaches. The DPDP Rules 2025 have specified these safeguards in operational terms: encryption, masking, access controls, activity logging, and backup procedures.
Breach Notification (Section 8(6))
In the event of a personal data breach, the Data Fiduciary must notify both the Data Protection Board and each affected Data Principal. The DPDP Rules 2025 specify a 72-hour notification window to the Board. For a detailed walkthrough of the breach notification process, see our DPDP breach notification guide.
Data Retention and Erasure (Section 8(7))
Personal data must be erased once the purpose for which it was collected has been fulfilled and retention is no longer necessary for that purpose, or when the Data Principal withdraws consent. You cannot retain data indefinitely "just in case."
Contractual Obligations (Section 8(2))
When engaging a Data Processor (any entity that processes data on behalf of the Data Fiduciary), the Data Fiduciary must have a valid data processing agreement in place. The obligation to comply with the Act rests with the Data Fiduciary even when processing is outsourced.
What is a Significant Data Fiduciary?
Section 10 creates a heightened compliance tier. The Central Government may designate certain Data Fiduciaries as "Significant Data Fiduciaries" (SDFs) based on factors including:
- Volume and sensitivity of data processed
- Risk to the rights of Data Principals
- Potential impact on India's sovereignty and integrity
- Risk to electoral democracy
- Security of the State
SDFs face additional obligations beyond those of ordinary Data Fiduciaries:
| Obligation | Ordinary Data Fiduciary | Significant Data Fiduciary (SDF) |
|---|---|---|
| Appoint a DPO based in India | Not required | Required (Section 10(2)(a)) |
| Appoint independent data auditor | Not required | Required (Section 10(2)(b)) |
| Conduct Data Protection Impact Assessment | Not required | Required (Section 10(2)(c)) |
| Periodic audit of compliance | Not required | Required (Section 10(2)(b)) |
| All standard obligations (consent, notice, security, breach notification) | Required | Required |
As of February 2026, the Central Government has not yet published the criteria or notification designating specific entities as SDFs. This is expected before the May 2027 full enforcement date.
What Rights Do Data Principals Have?
Sections 11 through 14 establish four core rights for Data Principals (the individuals whose data is processed):
Right to Access (Section 11)
Data Principals can request a summary of the personal data being processed and the processing activities undertaken. They are also entitled to know the identities of all Data Fiduciaries and Data Processors with whom their data has been shared.
Right to Correction and Erasure (Section 12)
Data Principals can require the Data Fiduciary to correct inaccurate or misleading data, complete incomplete data, update data that is no longer current, and erase data that is no longer necessary for the purpose for which it was collected.
Right to Grievance Redressal (Section 13)
Every Data Fiduciary must provide a readily accessible grievance redressal mechanism. If the Data Principal is not satisfied with the Data Fiduciary's response, they can escalate to the Data Protection Board.
Right to Nominate (Section 14)
Data Principals can nominate another individual to exercise their rights in the event of death or incapacity. This is a provision unique to Indian law and reflects a practical reality: families often need to manage the digital footprint of deceased or incapacitated relatives.
Duties of Data Principals (Section 15)
The DPDP Act is notable for imposing duties on Data Principals as well, not just rights. Data Principals must:
- Comply with applicable laws when exercising their rights
- Not register false or frivolous complaints
- Not furnish false or suppressed material particulars
- Not impersonate another person when providing personal data
Violation of these duties can attract a penalty of up to ₹10,000.
How Does the DPDP Act Handle Children's Data?
Section 9 establishes strict protections for the personal data of children (individuals under 18 years of age). This section carries some of the highest penalty risks under the Act.
Verifiable parental consent is required before processing any personal data of a child. The Data Fiduciary must make "reasonable efforts" to verify that consent is given by the parent or lawful guardian.
Additionally, Section 9(3) prohibits:
- Tracking or behavioural monitoring of children
- Targeted advertising directed at children
- Any processing that is likely to cause harm to a child
The Central Government may exempt certain Data Fiduciaries from the requirement for verifiable parental consent, but the prohibition on tracking and targeting remains absolute.
As of February 2026, the DPDP Rules 2025 have provided additional detail on age verification mechanisms and parental consent protocols. The consent manager registration framework, which activates in November 2026, will include specific provisions for children's consent management.
What is the Data Protection Board of India?
Sections 18 through 26 establish the Data Protection Board of India (DPBI) as the enforcement authority. The Board became operational in November 2025 with the notification of the DPDP Rules 2025.
The DPBI's powers include:
- Receiving and investigating complaints from Data Principals
- Conducting inquiries into data breaches and non-compliance
- Imposing financial penalties under Section 33
- Issuing directions to Data Fiduciaries for remedial action
- Referring matters to alternate dispute resolution where appropriate
The Board operates as a "digital by design" body, meaning proceedings, filings, and hearings are primarily conducted through digital infrastructure. Appeals against the Board's decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), not the regular courts.
Note that the DPBI is an adjudicatory body, not a rule-making body. It does not issue guidelines or rules; those come from the Central Government through MeitY. The Board's role is to enforce the law and impose penalties.
What Are the Penalties for Non-Compliance?
The Schedule to the DPDP Act specifies maximum penalties for different categories of violations. These are not fixed fines; the Board has discretion to set the amount within these upper limits based on the severity of the breach, the harm caused, and mitigating factors.
| Violation | Maximum Penalty | DPDP Act Reference |
|---|---|---|
| Failure to take reasonable security safeguards, resulting in a data breach | ₹250 crore | Schedule, Item 1 |
| Failure to notify the DPBI and affected Data Principals of a breach | ₹200 crore | Schedule, Item 2 |
| Non-fulfilment of obligations related to children's data | ₹200 crore | Schedule, Item 3 |
| Non-fulfilment of additional obligations by Significant Data Fiduciaries | ₹150 crore | Schedule, Item 4 |
| Non-fulfilment of other obligations (consent, notice, retention, etc.) | ₹50 crore | Schedule, Item 5 |
| Breach of duties by Data Principals (false complaints, impersonation) | ₹10,000 | Schedule, Item 6 |
There are three things to understand about this penalty regime.
First, these are penalties per violation, not annual caps. A company with systemic non-compliance across multiple data categories could face cumulative penalties that far exceed any individual ceiling.
Second, the DPDP Act does not provide for criminal liability. Unlike the IT Act, 2000, which included imprisonment provisions under Section 72A, the DPDP Act is entirely a civil penalty framework.
Third, the Board is empowered to consider "aggravating and mitigating factors" in determining the penalty amount. This includes whether the Data Fiduciary made good-faith efforts to comply, the duration of the contravention, and whether the fiduciary took voluntary corrective action.
What Are the Exemptions Under the DPDP Act?
Section 17 grants the Central Government broad powers to exempt government instrumentalities from the Act's provisions. These exemptions apply when processing is necessary in the interest of:
- Sovereignty and integrity of India
- Security of the State
- Friendly relations with foreign states
- Maintenance of public order
- Prevention, detection, investigation, or prosecution of offences
The scope of these exemptions has drawn significant scrutiny. The Act gives the Central Government discretion to exempt specific entities from some or all provisions, which critics argue could create surveillance loopholes. As of February 2026, no specific exemption notifications have been issued under this section.
Section 17(2) also exempts processing for research, archival, and statistical purposes, subject to conditions prescribed by the Central Government.
How Does the DPDP Act Compare to GDPR?
Indian businesses operating in both markets frequently ask this question. While the DPDP Act was clearly influenced by GDPR, there are material differences:
| Feature | DPDP Act 2023 | EU GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital and physical) |
| Legal bases for processing | Consent + enumerated legitimate uses | 6 legal bases including legitimate interest |
| Sensitive data category | Not distinguished | Special categories with heightened protections |
| Right to data portability | Not included | Included (Article 20) |
| Data Protection Officer | Required only for SDFs | Required for most significant processors |
| Maximum penalty | ₹250 crore (fixed cap per violation type) | 4% of global annual turnover or €20M |
| Regulatory body | Data Protection Board (adjudicatory only) | Supervisory Authorities (regulatory + adjudicatory) |
| Cross-border transfers | Restricted list (countries where transfers prohibited) | Default restriction with adequacy/safeguard mechanisms |
| Children's age threshold | 18 years | 16 years (member states may lower to 13) |
The most operationally significant difference: GDPR's "legitimate interest" basis does not exist under DPDP. If your current data processing relies on legitimate interest assessments, those need to be re-evaluated for DPDP compliance using either the consent framework or the Section 7 enumerated grounds.
For Indian companies serving EU customers who need to comply with both frameworks simultaneously, see our DPDP Rules 2025 breakdown for the operational requirements that affect dual-compliance programmes, and the enforcement timeline section below for key milestones.
What is the DPDP Enforcement Timeline?
The DPDP Act is being implemented in three phases. As of February 2026, here is the official enforcement calendar:
Phase 1 - Foundation and Governance (November 13, 2025):
- Sections 1(2), 2, 18-26, 35, 38-43, 44(1) and 44(3) came into force
- Data Protection Board of India became operational
- Board appointment, governance, and appeal mechanisms activated
- DPDP Rules 2025 published in the Official Gazette
Phase 2 - Children's Data and Consent Managers (November 13, 2026):
- Section 6(9): Processing restrictions for children's data activate
- Section 27(1)(d): Penalties for child data protection violations
- Consent Manager registration framework opens
Phase 3 - Full Enforcement (May 13, 2027):
- Sections 3 through 17: All substantive obligations become enforceable
- Sections 28 through 44: Full penalty regime activates
- All consent, notice, security, breach notification, and data retention obligations must be operational
The practical implication: Indian businesses have until May 13, 2027 to achieve full compliance. But the children's data provisions activate a full six months earlier, in November 2026. Any business processing data of minors, including EdTech platforms, gaming companies, and social media services, needs to meet those requirements well before the general deadline.
Frequently Asked Questions
Does the DPDP Act apply to small businesses and startups?
Yes. The DPDP Act 2023 does not include a small business exemption. Any entity that determines the purpose and means of processing digital personal data, regardless of revenue, employee count, or company age, is a Data Fiduciary under the Act and must comply by May 2027. The compliance burden varies based on the volume and type of data you process, but the obligation itself is universal.
What is the difference between the DPDP Act 2023 and the DPDP Rules 2025?
The DPDP Act 2023 is the primary legislation passed by Parliament that establishes the legal framework: definitions, rights, obligations, penalties, and the institutional structure. The DPDP Rules 2025, notified by MeitY in November 2025, provide the operational detail needed to implement the Act, including specific timeframes (the 72-hour breach notification window), technical requirements (security safeguards), and procedural mechanisms (how to file complaints, how the Board conducts hearings).
Can I transfer personal data outside India under the DPDP Act?
The DPDP Act takes a "restricted list" approach under Section 16(1). Cross-border data transfers are permitted to all countries except those specifically restricted by the Central Government. As of February 2026, the restricted list has not been published. This means transfers are currently unrestricted, but businesses should monitor MeitY notifications and build flexibility into their data architecture to adapt when restrictions are announced.
What happens if I am already GDPR-compliant?
GDPR compliance provides a solid foundation but is not sufficient for DPDP compliance. Key gaps include: the absence of "legitimate interest" as a legal basis, different children's data rules (18 vs 16 age threshold), stricter consent requirements, and India-specific breach notification obligations to the DPBI and CERT-In. A gap analysis comparing your current GDPR programme against DPDP requirements is the most efficient starting point.
When should I start preparing for DPDP compliance?
Now. The full enforcement date of May 13, 2027 sounds distant, but building a compliant consent architecture, updating privacy notices, establishing DSR workflows, mapping your data flows, training staff, and updating vendor agreements takes most organisations six to twelve months. Companies processing children's data face an even tighter deadline of November 2026. Starting in Q1 2026 gives you the runway to implement properly rather than scrambling at the last minute.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
ComplyZero handles the complexity for you: consent management, privacy notices in 22 languages, DSR workflows, and audit-ready compliance records. Get your business DPDP-ready in minutes, not months.