
DPDP Compliance by Industry: Where the Obligations Hit Differently

Meera Iyer, March 9, 2026, 16 min read

Every founder I speak to about the DPDP Act 2023 has the same first question: "What does this mean for my business?" And every time, the honest answer is: it depends on your industry.

The Act itself is industry-agnostic. It applies the same obligations to a hospital processing patient records and a D2C brand collecting email addresses at checkout. But once you layer in the DPDP Rules 2025, the sectoral regulations from RBI, IRDAI, TRAI, and NMC, and the practical realities of how each sector handles personal data, the compliance picture looks completely different depending on where you sit.

I have spent the past year writing sector-specific guides for five industries. What struck me in the process is how rarely the cross-sector view gets discussed. A fintech compliance lead dealing with the RBI data retention conflict has no idea that healthcare providers received a children's data exemption that EdTech platforms did not. An e-commerce CTO planning consent flows does not know that WhatsApp-based businesses face a triple compliance layer that web-based businesses avoid entirely.

This guide provides that cross-sector view. It is not a summary of the Act (our complete guide covers that). It is a practical comparison of where the obligations land differently, so you can see how your industry stacks up and what your competitors in other sectors are dealing with.

Key Takeaways

  • The DPDP Act applies uniformly, but the DPDP Rules 2025 create sector-specific thresholds: e-commerce and social media platforms with 2 crore+ users face a 3-year data retention ceiling. Online gaming platforms hit the same ceiling at 50 lakh users.
  • Healthcare providers received a targeted exemption from children's data restrictions (Section 9) for treatment purposes. EdTech and e-commerce did not. This creates a compliance gap of up to 200 crore in penalty exposure for platforms serving users under 18.
  • Fintech is the only sector where three separate breach notification authorities (CERT-In, DPBI, RBI) must be notified for a single incident, with the tightest window being 6 hours.
  • WhatsApp-based businesses face a triple compliance layer: the DPDP Act, potential TRAI OTT regulation, and Meta's own platform policies. A business can be DPDP-compliant but still lose its WhatsApp account.
  • No sector is exempt from the 72-hour breach notification to the Data Protection Board or the May 2027 enforcement deadline.

How Does the Same Obligation Look Different Across Industries?

The best way to understand DPDP's sector-specific impact is to look at how the same five obligations play out differently depending on your industry. These are the five pressure points where I consistently see the most confusion and the widest divergence.

1. Consent: One Principle, Five Implementations

Section 6 of the DPDP Act requires consent to be free, specific, informed, unconditional, and demonstrated through a clear affirmative action. The principle is identical for everyone. The implementation is not.

Industry | Primary Consent Challenge | What Makes It Harder
--- | --- | ---
E-commerce | Separating order fulfilment consent from marketing consent at checkout | High transaction volume; customers expect a fast checkout, not a consent questionnaire
Fintech | Layering DPDP consent on top of the existing RBI Account Aggregator consent architecture | Two consent frameworks that share principles but differ in execution; neither references the other
Healthcare | Distinguishing treatment consent from data processing consent in high-pressure clinical settings | Emergency exceptions (Section 7) apply for acute care but not for follow-up or marketing; the line is often unclear in practice
EdTech | Obtaining verifiable parental consent (not self-declaration) before any processing of student data | The DPDP Rules 2025 prescribe specific verification methods (DigiLocker, government ID, OTP); self-declared age gates do not qualify
WhatsApp Business | Collecting DPDP-compliant consent when the entire customer relationship happens inside a messaging app | No control over the consent UX; WhatsApp does not provide a native consent mechanism for DPDP purposes

The e-commerce companies I speak to tend to underestimate this. They think adding a second checkbox at checkout solves the problem. It does not, because the issue is not the checkbox. The issue is that their existing Shopify or WooCommerce flow treats "place order" as blanket consent for everything from delivery updates to retargeting ads. Under Section 6, each of those is a separate purpose requiring separate consent.

Fintech has a different problem entirely. The Account Aggregator consent framework already captures purpose, duration, frequency, and scope of data sharing. But the DPDP Act adds "unconditional" as a requirement. If your AA-based service demands consent to all data sharing as a precondition for using the service, that might be bundled consent, which Section 6 does not allow. No fintech I have spoken to has fully resolved this tension.

For healthcare, the consent challenge is operational, not legal. Hospitals with 10,000 patient interactions daily cannot manage DPDP-compliant consent on paper forms. The Section 7 medical emergency exception helps for acute care, but the moment you are scheduling a follow-up appointment or sending a wellness newsletter, you are back in Section 6 territory. For a full breakdown of these healthcare-specific consent rules, see our guide to DPDP for healthcare.

2. Data Retention: The Sector Where You Sit Determines How Long You Keep Data

Section 8(7) of the DPDP Act establishes one principle: erase personal data when the purpose is fulfilled or consent is withdrawn. Simple. But the DPDP Rules 2025 and sectoral regulations create wildly different retention landscapes depending on your industry.

Industry | DPDP Retention Rule | Sectoral Override | Practical Retention Period
--- | --- | --- | ---
E-commerce (2cr+ users) | 3-year ceiling from last user interaction (Third Schedule) | GST: 6 years for transaction records; Consumer Protection Act: dispute resolution period | Transaction records: 6-8 years. Account profiles: 3 years of inactivity, then delete.
Fintech | Erase when purpose fulfilled (Section 8(7)) | RBI KYC: 5 years after relationship ends; AML: 10 years beyond closure | KYC data: 5-10 years post-closure. Non-KYC data: delete when purpose fulfilled.
Healthcare | Erase when purpose fulfilled (Section 8(7)) | Clinical Establishments Act: varies; IRDAI: policy tenure + 8 years; ICMR: clinical trial records per ethical guidelines | Treatment records: often 5-10 years depending on the specific regulation. Research data: indefinite if anonymised.
EdTech | Erase when purpose fulfilled (Section 8(7)) | No sector-specific retention mandate | Course duration + reasonable buffer (12 months). Marketing data: until consent withdrawn.
WhatsApp Business | Erase when purpose fulfilled (Section 8(7)) | No sector-specific retention mandate | Conversation data: resolve + delete. Consent records: document and retain.

The asymmetry is striking. A fintech must retain KYC records for five to ten years after a customer leaves. An EdTech platform has no sectoral retention mandate at all, so the DPDP Act's "erase when done" principle applies with full force. If a student withdraws consent after completing a course, the platform must delete their data. There is no RBI-style carve-out to fall back on.

E-commerce sits in the middle. The DPDP Rules 2025 Third Schedule created a specific 3-year inactivity trigger for platforms with 2 crore or more registered users. Before deleting, you must send a 48-hour pre-erasure notice. If the user does not respond, delete. If they re-engage, the clock resets. Smaller e-commerce businesses below that threshold follow the general Section 8(7) principle: erase when the purpose is fulfilled.

The practical advice I give to every business: build a purpose-tagged retention schedule that maps each data field to its legal retention basis. The data retention guide walks through this process in detail with a ready-to-use framework.
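The retention logic this section describes (a sectoral mandate overriding the Section 8(7) "erase when done" rule, and the Third Schedule's 3-year inactivity trigger with its 48-hour pre-erasure notice and clock reset on re-engagement) written out as a purpose-tagged retention schedule. This is an added example, not code from the article or from the ComplyZero platform; the basis keys, the user count, the sample fields and their dates are constructed for illustration, and the year-to-day conversion ignores leap days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention bases quoted in the article, in days; the keys are assumed names.
STATUTORY_DAYS = {
    "gst_transaction_records": 6 * 365,  # GST: 6 years for transaction records
    "rbi_kyc": 5 * 365,                  # RBI KYC: 5 years after relationship ends
    "aml": 10 * 365,                     # AML: 10 years beyond closure
}
DPDP_PURPOSE = "dpdp_s8_7"               # erase when purpose fulfilled or consent withdrawn
THIRD_SCHEDULE = "dpdp_third_schedule"   # 3-year inactivity ceiling for 2 crore+ users
INACTIVITY_CEILING = timedelta(days=3 * 365)
PRE_ERASURE_NOTICE = timedelta(hours=48)
LARGE_PLATFORM_USERS = 2 * 10**7         # 2 crore registered users


@dataclass
class DataField:
    name: str
    purpose: str                         # the purpose tag the field was collected for
    basis: str                           # key into STATUTORY_DAYS, or a DPDP basis above
    anchor: datetime                     # purpose fulfilled, relationship ended, or last interaction
    consent_withdrawn: bool = False
    notice_sent_at: Optional[datetime] = None


def decide(f: DataField, now: datetime, registered_users: int) -> tuple:
    """Return (action, reason); action is one of retain, notify, erase."""
    if f.basis in STATUTORY_DAYS:
        # A sectoral mandate sets the floor; consent withdrawal does not shorten it.
        due = f.anchor + timedelta(days=STATUTORY_DAYS[f.basis])
        if now >= due:
            return "erase", f"{f.basis} period ended {due:%Y-%m-%d}"
        return "retain", f"{f.basis} requires retention until {due:%Y-%m-%d}"
    if f.consent_withdrawn:
        return "erase", "consent withdrawn (Section 8(7))"
    if f.basis == DPDP_PURPOSE:
        if now >= f.anchor:
            return "erase", "purpose fulfilled (Section 8(7))"
        return "retain", "purpose not yet fulfilled"
    if f.basis == THIRD_SCHEDULE:
        if registered_users < LARGE_PLATFORM_USERS:
            return "retain", "below 2 crore users; only Section 8(7) applies"
        if f.notice_sent_at is None:
            if now - f.anchor >= INACTIVITY_CEILING:
                return "notify", "3 years inactive: send 48-hour pre-erasure notice"
            return "retain", "user interacted within the last 3 years"
        if f.anchor > f.notice_sent_at:
            return "retain", "user re-engaged after notice; inactivity clock resets"
        if now - f.notice_sent_at >= PRE_ERASURE_NOTICE:
            return "erase", "no response within 48 hours of pre-erasure notice"
        return "retain", "awaiting response to pre-erasure notice"
    raise ValueError(f"unknown retention basis: {f.basis}")


def schedule(fields: list, now: datetime, registered_users: int) -> dict:
    """The purpose-tagged schedule: one (action, reason) per field, keyed by name."""
    return {f.name: decide(f, now, registered_users) for f in fields}


def sample_schedule(now: datetime = datetime(2026, 3, 9), registered_users: int = 3 * 10**7) -> dict:
    """Constructed sample for a 3 crore-user marketplace that also performs KYC."""
    fields = [
        DataField("kyc_pan", "KYC", "rbi_kyc", datetime(2022, 1, 1), consent_withdrawn=True),
        DataField("order_history", "GST records", "gst_transaction_records", datetime(2019, 6, 1)),
        DataField("marketing_email", "newsletter", DPDP_PURPOSE, datetime(2030, 1, 1), consent_withdrawn=True),
        DataField("profile_inactive", "account", THIRD_SCHEDULE, datetime(2023, 1, 1)),
        DataField("profile_notified", "account", THIRD_SCHEDULE, datetime(2023, 1, 1), notice_sent_at=datetime(2026, 3, 6)),
        DataField("profile_reengaged", "account", THIRD_SCHEDULE, datetime(2026, 3, 7), notice_sent_at=datetime(2026, 3, 6)),
    ]
    return schedule(fields, now, registered_users)
```

Calling `sample_schedule()` shows the asymmetry the table above describes: the KYC record survives consent withdrawal, the GST record is erased once its 6 years run out, and the dormant profile moves through notify, then erase, unless the user re-engages.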

3. Children's Data: The Uneven Playing Field

Section 9 of the DPDP Act is where the sector-specific divergence is sharpest, and where the penalty exposure is highest. The provisions are simple: verifiable parental consent before processing any data from anyone under 18 (Section 9(1)), and an absolute ban on tracking, behavioural monitoring, and targeted advertising directed at children (Section 9(3)). The penalties reach 200 crore per violation.

But the DPDP Rules 2025 created an exemption that benefits one sector and leaves others fully exposed.

Healthcare gets an exemption. Under Rule 11, read with the Fourth Schedule, registered clinical establishments, mental health establishments, and registered healthcare professionals are exempt from Section 9(1) (verifiable parental consent) and Section 9(3) (tracking and monitoring ban) when processing children's data for treatment and healthcare services. A paediatrician can treat a child and maintain their medical records without obtaining separate verifiable parental consent for data processing. This makes operational sense; requiring DigiLocker verification before treating a sick child would be absurd.

EdTech gets no exemption. This is the most impactful regulatory asymmetry in the DPDP framework. EdTech platforms serve users who are, by definition, predominantly under 18. Yet they receive no equivalent exemption. Every student under 18 requires verifiable parental consent before the platform can collect a single data point. The verification must use a method prescribed by Rule 10: DigiLocker tokens, government ID verification, or OTP-based consent via a parent's registered mobile number. A checkbox that says "My parent agrees" does not qualify.

The practical impact for EdTech is severe. Your onboarding flow must include age verification, parental identity verification, and a waiting period before the student can access any content that generates personal data. For a full analysis of how to implement this, see the EdTech compliance guide.

E-commerce faces Section 9 in a different way. If your platform sells products popular with teenagers (fashion, gaming accessories, electronics), a significant portion of your user base may be under 18. Personalised recommendations driven by browsing behaviour constitute behavioural monitoring of children, which Section 9(3) prohibits absolutely. You need an age-gating mechanism at account creation, and for users identified as minors, your recommendation engine must be disabled or limited to non-personalised suggestions.

Sector | Section 9 Exposure | Exemption Available? | Key Risk
--- | --- | --- | ---
Healthcare | High (paediatric care) | Yes (Rule 11, Fourth Schedule) | Exemption covers treatment only; marketing to child patients remains prohibited
EdTech | Very high (majority of users are under 18) | No | Every student interaction requires verified parental consent; onboarding redesign required
E-commerce | Medium (depends on product category) | No | Personalised recommendations for minors are prohibited; age-gating is essential
Fintech | Low (most users are adults) | No | Some platforms serve college students (17-year-olds) opening first accounts; edge case
WhatsApp Business | Low to medium | No | If your customer base includes minors, marketing messages to them require parental consent

4. Breach Notification: Three Different Clocks

Every industry faces the same DPDP Act obligation: notify the Data Protection Board of India within 72 hours of identifying a personal data breach (Section 8(6)), and notify each affected Data Principal. But certain sectors face additional reporting obligations that compress the timeline or multiply the effort.

Authority | Timeline | Applies To | What Triggers It
--- | --- | --- | ---
CERT-In | 6 hours from detection | All entities, all sectors | Any cybersecurity incident (broader than personal data breaches)
Data Protection Board of India | 72 hours from identification | All entities processing personal data | Personal data breaches specifically
RBI | "Immediately" (varies by circular) | RBI-regulated entities (banks, NBFCs, payment aggregators, fintechs) | IT security incidents affecting banking/payment operations

Fintech is the only sector that must report to all three authorities for a single incident. A data breach at a payment aggregator triggers CERT-In (6 hours), RBI (immediate), and DPBI (72 hours), with each authority requiring different information formats and expecting different levels of detail. Missing any one of these is a separate violation with its own penalty structure. This triple-notification requirement is detailed in our fintech compliance guide.

Healthcare faces a dual obligation (CERT-In + DPBI) but not the RBI layer. E-commerce, EdTech, and WhatsApp businesses face the same dual obligation.

The practical takeaway: your incident response plan must have templates and owners for each reporting authority that applies to your sector. A tabletop exercise that only simulates DPBI notification is incomplete if you are also regulated by RBI or must report to CERT-In within 6 hours.

5. Sectoral Regulatory Overlap: The Compliance Stack

This is the dimension that surprises most founders. The DPDP Act does not replace your existing regulatory obligations. It adds a new layer on top of them. The thickness of that combined stack varies dramatically by industry.

Fintech: The Thickest Stack

Indian fintechs answer to the DPDP Act, RBI KYC Directions, RBI Digital Lending Directions, the Account Aggregator framework, CERT-In Directions, and potentially SEBI or IRDAI regulations depending on their specific business model. The DPDP layer adds consent requirements, Data Principal rights, and breach notification to an already dense regulatory landscape. Data localisation requirements from RBI (all payment data stored in India) are stricter than the DPDP Act's cross-border framework, meaning fintechs must comply with the more restrictive RBI mandate for payment data. Our fintech guide covers every intersection.

Healthcare: The Most Complex Exemptions

Healthcare providers navigate the DPDP Act alongside ABDM data governance standards, IRDAI guidelines for insurance data, NMC professional confidentiality obligations, CERT-In Directions, and ICMR ethical guidelines for research. The DPDP Rules 2025 provide targeted exemptions (children's data for treatment, research under Section 17(2)(b)) that reduce the compliance burden in specific areas but add complexity to implementation: you must know exactly which exemption applies to which processing activity. See the healthcare guide for the full mapping.

E-commerce: The Consumer Protection Overlap

E-commerce businesses must comply with both the DPDP Act and the Consumer Protection (E-Commerce) Rules, 2020. The two frameworks overlap on grievance redressal (Consumer Protection requires a grievance officer; DPDP requires a mechanism for Data Principal complaints), record-keeping (Consumer Protection requires transaction records for dispute resolution; DPDP requires erasure when purpose is fulfilled), and consent standards (Consumer Protection restricts "dark patterns"; DPDP requires granular, purpose-specific consent). The e-commerce guide breaks down every overlap point.

EdTech: The Standalone Burden

EdTech has the least sectoral regulatory overlay but the heaviest DPDP-specific burden. There is no EdTech-specific regulator, no pre-existing data framework to build on, and no exemption from Section 9. The industry is essentially building its compliance infrastructure from scratch around children's data requirements that are more stringent than any other sector faces. Our EdTech guide walks through the implementation roadmap.

WhatsApp-based Businesses: The Platform Dependency

Businesses operating primarily through WhatsApp face a unique triple compliance layer: the DPDP Act, potential TRAI regulation of OTT messaging (expected but not yet effective as of March 2026), and WhatsApp's own Business Platform policies. The risk here is layered: you can be fully DPDP-compliant but lose your WhatsApp Business account for violating Meta's quality thresholds or template policies. And you have no control over the platform's consent UX, which means implementing DPDP consent requires workarounds (linked forms, in-chat consent messages, or external collection points). See the WhatsApp compliance guide for practical approaches.

What Does This Mean for Your Compliance Strategy?

If you have read this far, the pattern should be clear: a generic DPDP compliance approach will leave gaps specific to your industry. Here is how to think about prioritisation based on where you sit.

If you are in fintech: Your biggest risk is the regulatory gap between RBI and DPDP. Start with a unified data inventory that tags every field against both frameworks. Build purpose-tagged retention policies with automated deletion workflows. Your breach response plan must cover three authorities, not one.

If you are in healthcare: Your biggest advantage is the children's data exemption for treatment purposes. Your biggest risk is the dual breach notification timeline (6 hours for CERT-In, 72 hours for DPBI). Build digital consent infrastructure to handle the volume of daily patient interactions, and ensure your research activities are clearly documented under Section 17(2)(b) or covered by standard consent.

If you are in e-commerce: Your biggest operational change is granular consent at checkout. Your biggest retention question is reconciling the 3-year inactivity ceiling (if you have 2 crore+ users) with 6-year GST obligations for transaction records. Start your data audit and consent redesign now; 15 months is tighter than it sounds when you factor in engineering cycles.

If you are in EdTech: Your biggest challenge is parental consent verification. It will fundamentally change your onboarding flow and your conversion funnel. Start building the verification infrastructure now, and strip out any analytics that constitutes behavioural monitoring of students. The 200 crore penalty ceiling for children's data violations is the highest in the Act.

If you operate through WhatsApp: Your biggest risk is operating without documented consent records. Audit your contact list. For every contact who receives promotional messages, can you prove when they consented, how, and for what purpose? If not, they should not be on your broadcast list. Build consent collection into your customer journey before the enforcement deadline.

Frequently Asked Questions

Does the DPDP Act apply differently to different industries?

The Act itself applies uniformly. Every entity that determines the purpose and means of processing personal data is a Data Fiduciary under Section 2(i), regardless of industry. However, the DPDP Rules 2025 create sector-specific thresholds and exemptions. The Third Schedule imposes a 3-year data retention ceiling on large e-commerce, social media, and gaming platforms. The Fourth Schedule exempts registered healthcare establishments from children's data restrictions when processing data for treatment. These sector-specific Rules, combined with pre-existing regulatory frameworks (RBI, IRDAI, TRAI, NMC), create meaningfully different compliance landscapes by industry.

Which industry faces the highest penalty risk under DPDP?

EdTech platforms face the highest concentration of penalty risk because their primary users are children (under 18), and Section 9 violations carry penalties up to 200 crore per instance. The penalty exposure is structural, not hypothetical: a platform with 100,000 student accounts that processes data without valid parental consent faces theoretical exposure that would be existential for most companies. Healthcare providers face similar potential exposure for security breaches (up to 250 crore) but benefit from targeted exemptions that reduce the likelihood of violation. Fintech faces high exposure due to the volume of personal data processed, but the per-violation risk is typically in the 50 crore range for consent and obligation breaches.

Can I use a single compliance approach across multiple industries?

Only partially. The DPDP Act's core obligations (consent under Section 6, notice under Section 5, security safeguards under Section 8(4), breach notification under Section 8(6)) apply everywhere and should be implemented consistently. But retention policies, children's data handling, breach notification timelines, and consent architectures must be tailored to your specific regulatory environment. A company operating in both fintech and e-commerce, for example, needs separate retention logic for RBI-governed KYC data and DPDP-governed customer account data.

What is the enforcement deadline, and are there industry-specific extensions?

The full compliance deadline is May 13, 2027. There are no sector-specific extensions. Every industry, from healthcare to e-commerce to EdTech, faces the same date. The DPDP Rules 2025 are being implemented in phases (the Data Protection Board rules took effect immediately upon notification on November 14, 2025; Consent Manager registration becomes effective November 2026; full compliance by May 2027), but these phases are functional, not industry-based.

Where should I start if I do not know my industry's specific DPDP obligations?

Start with a data audit. Map every personal data field your organisation processes, where it comes from, where it goes, who accesses it, and why. Then check whether any sectoral regulator (RBI, IRDAI, TRAI, NMC, CERT-In) imposes requirements on that data. The DPDP compliance checklist provides a step-by-step framework that applies across industries. From there, review the industry-specific guide for your sector to identify the obligations that go beyond the general framework.

Start Your Industry-Specific Compliance Journey

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

The DPDP Act applies to every Indian business, but the compliance path depends on your industry, your data volumes, and the regulatory stack you are already navigating. ComplyZero is a self-serve DPDP compliance platform built for Indian businesses: automated consent management, privacy notices in 22 Indian languages, cookie scanning, and audit-ready records. Whether you are in e-commerce, fintech, healthcare, or EdTech, the platform adapts to your compliance needs without requiring a consultancy engagement.
