What is the DPDP Act? India's Data Protection Law Explained [2026]
The DPDP Act (Digital Personal Data Protection Act, 2023) is India's comprehensive data protection law. It regulates how businesses collect, process and store the digital personal data of individuals in India (the Act calls them "Data Principals"; citizenship is not the test). It applies to any entity that processes such data within India, and to entities outside India when the processing is connected with offering goods or services to people in India.
Key facts: Most obligations become enforceable on May 13, 2027 (18 months after the DPDP Rules, 2025 were notified) • Penalties up to ₹250 crore per breach • Applies to any business that processes personal data in India or offers goods or services to people in India • Requires a privacy notice, purpose-specific consent (or a listed "legitimate use"), and reasonable security safeguards.
DPDP Act: Official Definition
The Digital Personal Data Protection Act, 2023 (commonly called the DPDP Act) is India's primary data protection legislation. It was passed by both Houses of Parliament in August 2023 and received Presidential assent on August 11, 2023.
The DPDP Act regulates the processing of digital personal data — meaning any operation performed on personal data in digital form, including collection, storage, use, sharing, and deletion.
🇮🇳 India-Specific Context: The DPDP Act does not repeal the Information Technology Act, 2000; it removes Section 43A of that Act (the "reasonable security practices" provision) and so supersedes the SPDI Rules, 2011 that rested on it as India's data protection framework. It was developed after years of consultation, including the 2018 Personal Data Protection Bill and the 2019 revised bill, which were withdrawn in 2022 in favour of this shorter, more business-friendly version.
What "Personal Data" Means Under DPDP
Personal data is any data about an individual who is identifiable by or in relation to such data. The Act does not enumerate categories (and, unlike GDPR, defines no "sensitive" or "special" category), so the following are illustrations of data that identifies a person, not a statutory list:
- Names, email addresses, phone numbers
- Physical addresses, postal codes
- IP addresses, device IDs, cookies
- Financial information (bank accounts, UPI IDs, transaction history)
- Aadhaar numbers, PAN cards, passport numbers
- Health records, medical history
- Biometric data (fingerprints, facial recognition)
- Location data, browsing history
Important: Even if you only collect email addresses through a newsletter signup form, you are processing personal data and must comply with DPDP.
Why Was the DPDP Act Created?
India created the DPDP Act for three primary reasons:
1. Protect Citizens' Privacy Rights
Before DPDP, India had no comprehensive data protection law. The Supreme Court of India declared privacy a fundamental right under Article 21 of the Constitution in the landmark 2017 K.S. Puttaswamy vs Union of India judgment. The DPDP Act operationalizes this constitutional right.
2. Address Digital India's Growth
India has over 850 million internet users (as of 2026), making it the world's second-largest online market. The explosion of digital services, fintech, EdTech, e-commerce, and healthtech created an urgent need for data protection regulation.
3. Align with Global Standards
The DPDP Act brings India in line with global data protection frameworks like the EU's GDPR and California's CCPA. This is crucial for Indian businesses operating internationally and for attracting foreign investment.
⚠️ Reality Check: India saw several high-profile data breaches in 2023-2025, including leaks affecting millions of citizens. The DPDP Act gives the government enforcement powers to penalize companies that fail to protect user data.
Who Does the DPDP Act Apply To?
The DPDP Act has extraterritorial application: Section 3 covers processing of digital personal data within India, and processing outside India where it is connected with offering goods or services to Data Principals in India. Here's who must comply:
✅ The DPDP Act Applies To:
- Indian businesses of any size — Startups, SMEs, enterprises, sole proprietors
- Foreign companies serving Indian users — US, EU, Singapore-based companies that offer goods or services to people in India
- Websites and apps — Any digital platform collecting data from Indian users
- E-commerce platforms — Online stores, marketplaces, delivery apps
- SaaS companies — B2B software, CRM tools, productivity apps
- Fintech and EdTech — Payment apps, investment platforms, online learning
- Healthcare providers — Telemedicine, health records, fitness apps
- Social media and gaming — Platforms with user-generated content
❌ The DPDP Act Does NOT Apply To:
- Personal data kept only in non-digital form (paper records, offline forms), unless it is later digitised, at which point the Act applies
- Processing for personal or domestic purposes (e.g., maintaining personal contacts)
- Personal data that the individual has made publicly available themselves, or that is public because a law requires it to be
✓ Quick Test: If your website offers goods or services to people in India and has a contact form that Indian visitors fill out → DPDP applies to you, even if you're based in New York or London.
What Does the DPDP Act Require from Businesses?
The DPDP Act introduces 7 core obligations for entities that process personal data (called "Data Fiduciaries"):
1. Obtain Valid Consent
Consent is the default legal basis: unless one of the "legitimate uses" listed in Section 7 applies (for example, data a person volunteers for a stated purpose, employment purposes, or certain State functions), you must obtain consent before processing. Section 6 requires that consent be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. In practice consent must be:
- Given for a specific purpose (you can't collect data "just in case")
- Easy to withdraw (withdrawal must be as easy as giving consent, and processing for that purpose must stop)
- Not bundled with unrelated services or purposes (no "accept all or nothing")
- Recorded and maintained (the burden of proving that valid consent was obtained is on you, the Data Fiduciary)
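One way to meet the four points above in code is a consent ledger that stores one record per (Data Principal, purpose), lets each purpose be withdrawn on its own, refuses processing when no live record exists, and hash-chains the append-only event log so the records can be shown not to have been edited after the fact. This is an added illustration, not code from the page or from any regulator; the principal IDs, purpose names, notice version and timestamps are constructed sample data, and the field layout is an assumption rather than a prescribed format.

```python
"""Purpose-specific, withdrawable, tamper-evident consent records (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the first event


class ConsentError(ValueError):
    """Raised when processing would run without an active consent record."""


class ConsentLedger:
    def __init__(self):
        self._events = []   # append-only, hash-chained audit trail
        self._active = {}   # (principal, purpose) -> True while consent is live
        self._prev = GENESIS

    def _append(self, kind, principal, purpose, notice_version=None, ts=None):
        entry = {
            "seq": len(self._events),
            "kind": kind,                      # "grant" or "withdraw"
            "principal": principal,
            "purpose": purpose,
            "notice_version": notice_version,  # which notice the person saw
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "prev": self._prev,
        }
        # The hash covers every field plus the previous hash, so altering or
        # dropping any earlier event makes verify_chain() fail.
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._events.append(entry)
        self._prev = entry["hash"]
        return entry

    def grant(self, principal, purposes, notice_version, ts=None):
        """Record consent for each named purpose separately (no bundling)."""
        if not purposes:
            raise ConsentError("consent must name at least one specific purpose")
        for purpose in purposes:
            self._append("grant", principal, purpose, notice_version, ts)
            self._active[(principal, purpose)] = True

    def withdraw(self, principal, purpose, ts=None):
        """Withdraw one purpose; consent for other purposes is untouched."""
        if not self._active.get((principal, purpose)):
            raise ConsentError(f"no active consent to withdraw for {purpose!r}")
        self._append("withdraw", principal, purpose, None, ts)
        self._active[(principal, purpose)] = False

    def is_permitted(self, principal, purpose):
        return self._active.get((principal, purpose), False)

    def require(self, principal, purpose):
        """Call before each processing step; fails closed if consent is absent."""
        if not self.is_permitted(principal, purpose):
            raise ConsentError(f"{principal} has no active consent for {purpose!r}")

    def proof(self, principal, purpose):
        """Evidence trail for one pair: when consent was given and withdrawn."""
        return [e for e in self._events
                if e["principal"] == principal and e["purpose"] == purpose]

    def verify_chain(self):
        """Recompute every hash; False if any event was altered or removed."""
        prev = GENESIS
        for e in self._events:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario: consent to two purposes, then withdraw one."""
    ledger = ConsentLedger()
    ledger.grant("principal-42", ["newsletter", "order_fulfilment"],
                 notice_version="privacy-notice-v3", ts="2027-05-20T10:00:00+00:00")
    ledger.withdraw("principal-42", "newsletter", ts="2027-06-01T09:30:00+00:00")
    try:
        ledger.require("principal-42", "analytics")  # never consented to
        analytics_blocked = False
    except ConsentError:
        analytics_blocked = True
    return {
        "newsletter": ledger.is_permitted("principal-42", "newsletter"),
        "order_fulfilment": ledger.is_permitted("principal-42", "order_fulfilment"),
        "analytics_blocked": analytics_blocked,
        "newsletter_events": [e["kind"] for e in ledger.proof("principal-42", "newsletter")],
        "chain_ok": ledger.verify_chain(),
    }


def tamper_demo():
    """Edit a stored record after the fact; the chain check must then fail."""
    ledger = ConsentLedger()
    ledger.grant("principal-7", ["marketing"], "privacy-notice-v3", ts="2027-05-20T10:00:00+00:00")
    ledger.withdraw("principal-7", "marketing", ts="2027-05-21T10:00:00+00:00")
    ledger._events[1]["kind"] = "grant"  # pretend the withdrawal never happened
    return ledger.verify_chain()


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", not tamper_demo())
```

The design choice that matters is the per-purpose key: a single "consented: yes" flag cannot express "newsletter withdrawn, order fulfilment still allowed", and it cannot show which version of the notice the person actually saw. Every processing job calls `require()` first, so a missing or withdrawn record stops processing rather than being discovered at audit time.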
2. Publish a Privacy Policy
You must publish a clear privacy policy explaining what data you collect, why you collect it, how long you keep it, who you share it with, and how users can access, correct, or delete their data.
The notice must be in clear and plain language, with no legal jargon, and must give the Data Principal the option to read it in English or in any of the 22 languages listed in the Eighth Schedule of the Constitution.
3. Implement Data Security Measures
You must protect personal data with "reasonable security safeguards" (Section 8(5)). The DPDP Rules, 2025 spell out a minimum set: encryption, obfuscation, masking or tokenisation of data; access controls on the systems holding it; logging and monitoring that can detect unauthorised access, with logs retained for at least one year; backups so processing can continue after loss or compromise; and contracts that bind your Data Processors to the same safeguards. A breach of this obligation carries the highest penalty tier in the Act.
4. Notify Data Breaches Promptly
If you experience a personal data breach, you must notify the Data Protection Board of India without delay on becoming aware of it, and follow up with the detailed report (nature and extent of the breach, likely impact, mitigation taken) within 72 hours, or a longer period if the Board allows one. Unlike GDPR, there is no harm threshold: every affected Data Principal must also be informed without delay, in plain language, of what happened and what they can do about it.
5. Honor Data Principal Rights
Users (called "Data Principals") have the right to access a summary of the personal data you hold about them and who it has been shared with, to have inaccurate or incomplete data corrected or updated, to have their data erased (with some exceptions, such as where retention is required by law), to withdraw consent, to have a readily available grievance redressal channel, and to nominate someone to exercise these rights if they die or become incapacitated.
6. Appoint a Data Protection Officer (for Significant Data Fiduciaries)
The Central Government may designate a business as a Significant Data Fiduciary (SDF) based on the volume and sensitivity of the data it processes and the risk its processing poses to individuals' rights, national security, public order or electoral democracy. An SDF must appoint a Data Protection Officer (DPO) based in India who reports to its board, appoint an independent data auditor, and carry out periodic data protection impact assessments and audits. Most startups and small businesses will NOT be SDFs, but note that every Data Fiduciary, SDF or not, must publish the contact details of its DPO or of a person able to answer Data Principals' questions about how their data is processed.
7. Special Rules for Children's Data
If you process data from anyone under 18 years old, you need verifiable consent from a parent or lawful guardian before processing (the Rules require you to check that the consenting adult is themselves identifiable and an adult). You are also prohibited from tracking or behavioural monitoring of children and from targeted advertising directed at them. The same verifiable-guardian-consent rule applies to persons with disabilities who have a lawful guardian.
What Are the Penalties for DPDP Violations?
The Data Protection Board of India can impose monetary penalties under the Schedule to the Act. The caps are tiered by the obligation breached, with ₹250 crore the highest and ₹50 crore the general cap for anything not specifically listed:
| Violation | Maximum Fine |
|---|---|
| Failure to implement reasonable security safeguards (Section 8(5)) | ₹250 crore |
| Failure to notify the Board and affected Data Principals of a breach (Section 8(6)) | ₹200 crore |
| Breach of children's-data obligations, e.g. processing without verifiable parental consent (Section 9) | ₹200 crore |
| Breach of Significant Data Fiduciary obligations, e.g. no DPO or audit (Section 10) | ₹150 crore |
| Any other provision: processing without valid consent, no privacy notice, not honoring Data Principal rights | ₹50 crore |
| Breach of a Data Principal's own duties (e.g. filing a false grievance) | ₹10,000 |
Important: These are maximum penalties, and they apply per instance. Section 33(2) directs the Board to weigh the nature, gravity and duration of the breach, the kind of data affected, whether it was repeated, any gain made or loss avoided, and the mitigation you took. Even so, a ₹10 lakh fine can be devastating for most Indian startups.
When Does DPDP Compliance Become Mandatory?
Here's the complete DPDP timeline:
| Date | Milestone |
|---|---|
| August 11, 2023 | DPDP Act passed by Parliament |
| November 13, 2025 | DPDP Rules 2025 notified; provisions establishing the Data Protection Board take effect immediately |
| November 13, 2026 | Consent Manager registration provisions take effect (12 months from Rules) |
| May 13, 2027 | Remaining obligations on Data Fiduciaries take effect (18 months from Rules) |
| May 13, 2027 onward | Enforcement of those obligations begins; penalties can be issued |
Common Questions About the DPDP Act
What does DPDP stand for?
DPDP stands for Digital Personal Data Protection. The full name is the Digital Personal Data Protection Act, 2023.
Is DPDP the same as GDPR?
No. While DPDP is inspired by GDPR, there are key differences: DPDP has no "legitimate interest" basis (only consent and the listed "legitimate uses"), no special-category data regime, no adequacy mechanism for cross-border transfers (it blacklists restricted countries instead), a breach-notification duty to every affected individual rather than only where there is likely harm, and fixed rupee caps on penalties rather than turnover-based ones. A GDPR-compliant privacy policy is not automatically DPDP-compliant.
Does DPDP apply to B2B companies?
Yes, if you process any personal data. Even B2B SaaS companies collect employee emails, contact information, and usage data from users. DPDP applies to all personal data processing, regardless of B2B or B2C.
Can I transfer data outside India?
Yes, with conditions. DPDP takes the opposite approach to GDPR: Section 16 permits transfer to any country or territory except those the Central Government restricts by notification, and the Rules add that you must meet any requirements the government specifies for access by foreign states or entities. There is no adequacy list and no Standard Contractual Clauses mechanism. Sector-specific localisation rules (for example the RBI's requirements for payment data) continue to apply on top of DPDP.
Do I need a DPO if I'm a startup?
Probably not. Only Significant Data Fiduciaries, which the Central Government designates based on data volume, sensitivity and risk, must appoint a DPO. Most startups won't be designated unless they process large volumes of high-risk or children's data. You must still publish the contact details of someone who can answer users' questions about their data.
What happens if I don't comply by May 2027?
You risk fines and enforcement action. The Data Protection Board can investigate, issue notices, and impose penalties. Non-compliance could also damage your reputation and customer trust.