India's Digital Personal Data Protection Act (DPDP Act, 2023) is now in force, with full compliance required by May 13, 2027. Every business, website, and app that collects personal data from Indian citizens must comply or face penalties of up to ₹250 crore. This guide explains what the DPDP Act requires, who it applies to, and the deadlines you must meet.
The DPDP Act applies to any entity that processes personal data of Indian citizens, regardless of where the entity is physically located. If you answer "yes" to any of these questions, the DPDP Act applies to you:
Key term: Data Fiduciary — Under DPDP, any entity that determines the purpose and means of processing personal data is called a "Data Fiduciary." If you decide why and how to collect and use personal data, you are a Data Fiduciary and must comply with DPDP obligations.
✓ Quick Test: If you have a contact form on your website that collects names and emails from Indian visitors → You are a Data Fiduciary → DPDP applies to you.
The DPDP Act imposes 7 core obligations on Data Fiduciaries. Every business must implement these requirements before the May 2027 compliance deadline:
You must obtain free, specific, informed, and unambiguous consent from users before collecting their personal data. Consent must be:
You must publish a privacy policy that explains what personal data you collect, why you collect it, how long you retain it, who you share it with, and how users can exercise their rights. The privacy policy must be written in clear and plain language, available in English and any of the 22 scheduled Indian languages used by your audience.
You must implement "reasonable security safeguards" to prevent data breaches, unauthorized access, and data loss. This includes encryption of sensitive data, access controls, regular security audits, and incident response plans.
If you experience a data breach, you must notify the Data Protection Board of India (DPB) within 72 hours. You must also notify affected users if the breach is likely to cause them harm.
Users (called "Data Principals" under DPDP) have the right to access their data, correct inaccurate data, delete their data, withdraw consent, and nominate a representative. You must provide a mechanism for users to exercise these rights easily.
If your business is classified as a Significant Data Fiduciary (high data volume, sensitive data, or children's data), you must appoint a Data Protection Officer (DPO) based in India. Note: Most small businesses and startups will NOT be classified as Significant Data Fiduciaries and do not need a DPO.
If you collect data from users under 18 years old, you must obtain verifiable parental consent before processing their data. You are also prohibited from tracking or behaviourally monitoring children and from directing targeted advertising at them.
The Data Protection Board of India has the authority to impose fines on Data Fiduciaries who violate DPDP requirements. Penalties are tiered based on the severity of the violation:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Processing children's data without verifiable parental consent | ₹200 crore |
| Failure to notify data breach within 72 hours | ₹200 crore |
| Processing data without valid consent | ₹50 crore |
| Failure to honor Data Principal rights | ₹50 crore |
| Non-publication of privacy policy | ₹50 crore |
Important context: These are maximum penalties. The DPB will likely impose proportionate fines based on the nature and severity of the violation, number of Data Principals affected, and whether the violation was intentional.
⚠️ Reality Check: Even a ₹10 lakh fine (0.04% of the maximum) is devastating for most Indian startups. The risk is real. Compliance is not optional.
Data Fiduciary: The entity that decides why and how to process personal data (your business).

Data Processor: An entity that processes data on behalf of the Data Fiduciary (e.g., your cloud hosting provider). You, as the Data Fiduciary, are responsible for ensuring your Data Processors comply with DPDP.
A Consent Manager is a registered intermediary that helps users manage consent across multiple Data Fiduciaries. Think of it as a centralized consent dashboard. Consent Managers must register with the Data Protection Board by November 2026.
Data Fiduciaries that process large volumes of data, sensitive data, or children's data may be classified as SDFs and have additional obligations including appointing a DPO and conducting regular audits.
| Date | Milestone |
|---|---|
| August 11, 2023 | DPDP Act passed by Parliament |
| November 13, 2025 | DPDP Rules 2025 finalized |
| November 13, 2026 | Consent Manager registration deadline |
| May 13, 2027 | Full compliance required for all Data Fiduciaries |
| May 14, 2027 onward | Data Protection Board begins enforcement |
Yes. The DPDP Act does not have a revenue threshold or employee count exemption. If you process personal data of Indian citizens, DPDP applies.
Yes, if you offer goods or services to Indian users. DPDP has extraterritorial application.
No. While DPDP borrows concepts from GDPR, there are significant differences including cross-border data transfer rules, the Consent Manager system, penalty structures, and age thresholds. A GDPR-compliant privacy policy is NOT automatically DPDP-compliant.
Yes, with conditions. The DPDP Act allows cross-border data transfers to countries notified by the Indian government as having adequate data protection laws. Transfers to non-whitelisted countries will require additional safeguards.
You must notify the Data Protection Board of India within 72 hours and affected users if the breach is likely to cause harm. Failure to notify can result in penalties up to ₹200 crore.
Only if you are classified as a Significant Data Fiduciary. Most small businesses and startups will not be SDFs.
Yes, but you need proper consent. You must obtain user consent before activating Google Analytics tracking, disclose it in your privacy policy, enable IP anonymization, and ensure you have a Data Processing Agreement with Google.
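The consent gating described in this answer, and the consent qualities listed earlier on the page (free, specific, informed, unambiguous, withdrawable), can be enforced in the page's own front-end code. The following is an added illustration, not code from the original page or from Google: the consent record shape, the purpose name `analytics`, the `explicit_opt_in` action value and the `G-XXXXXXXXXX` measurement ID are constructed placeholders, and passing `anonymize_ip` is an assumption (it is the Universal Analytics parameter; GA4 discards IP addresses by default). The tag is only injected once a current, purpose-specific consent exists, and withdrawal flips the gate back off.

```javascript
// Added example: consent-gated loading of a third-party analytics tag.
// Not from the original page; purpose names, record shape and the gtag
// parameters below are assumptions for illustration.

// Build a consent record the way the site would store it (constructed shape).
// It names the purposes consented to, the privacy-policy version the user saw,
// the affirmative action that granted consent, and any later withdrawal.
function makeConsentRecord({ purposes, policyVersion, grantedAt, action, withdrawnAt = null }) {
  return { purposes: [...purposes], policyVersion, grantedAt, action, withdrawnAt };
}

// True only when the record evidences valid, current consent for `purpose`.
// Pre-ticked boxes or "implied" consent from merely visiting the page do not
// qualify; a policy change requires fresh consent; withdrawal ends consent.
function hasValidConsent(record, purpose, currentPolicyVersion) {
  if (!record) return false;
  if (record.action !== 'explicit_opt_in') return false;          // unambiguous
  if (!record.purposes.includes(purpose)) return false;            // specific
  if (record.policyVersion !== currentPolicyVersion) return false; // informed
  if (record.withdrawnAt !== null) return false;                   // withdrawable
  return true;
}

// Returns the analytics configuration when consent exists, otherwise null.
// anonymize_ip is the Universal Analytics parameter (assumption: harmless on GA4);
// allow_google_signals:false keeps advertising features off.
function analyticsConfig(record, currentPolicyVersion, measurementId) {
  if (!hasValidConsent(record, 'analytics', currentPolicyVersion)) return null;
  return {
    measurementId,
    params: { anonymize_ip: true, allow_google_signals: false },
  };
}

// Browser only: inject the tag script after consent. Returns false and does
// nothing when there is no config or no DOM (server rendering, tests).
function loadAnalyticsTag(config) {
  if (config === null || typeof document === 'undefined') return false;
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', config.measurementId, config.params);
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(config.measurementId);
  document.head.appendChild(s);
  return true;
}

// Withdrawal produces a new record; re-evaluating the gate afterwards yields
// null config, so no further tracking is loaded. Deleting data already sent
// to the processor is a separate step outside this snippet.
function withdrawConsent(record, withdrawnAt) {
  return { ...record, withdrawnAt };
}

// Usage sketch with constructed values (measurement ID is a placeholder):
const exampleRecord = makeConsentRecord({
  purposes: ['analytics'],
  policyVersion: 'v2',
  grantedAt: '2026-06-01T10:00:00Z',
  action: 'explicit_opt_in',
});
loadAnalyticsTag(analyticsConfig(exampleRecord, 'v2', 'G-XXXXXXXXXX'));
```

The record should be written only from a user action on a consent UI, never defaulted to granted, and the same gate should be consulted again on every page load so a withdrawal made elsewhere (for example through a Consent Manager) takes effect immediately.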