India's Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025 — explained in plain language for businesses, developers, and compliance teams.
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data privacy law, enacted on 11 August 2023. It is the first Indian law to comprehensively regulate how personal data about Indian citizens can be collected, processed, stored, and transferred.
The Act is supplemented by the DPDP Rules, 2025, notified on 13 November 2025 (G.S.R. 846(E)), which specify the detailed procedural requirements for compliance. The Data Protection Board of India (DPBI) is the independent regulatory body that enforces the Act and adjudicates complaints.
Why it matters now: Although most Rules come into force in May 2027, implementing consent mechanisms, updating privacy notices, and establishing breach response procedures takes months of technical and legal work. Organisations that start now will not be scrambling at the deadline — and demonstrate good-faith compliance intent to the DPBI in the interim.
Who does it apply to?
The DPDPA applies to any entity that acts as a Data Fiduciary — i.e., any organisation that determines the purpose and means of processing personal data about people in India (Data Principals). This includes:
Indian companies and startups with any user data — regardless of size or sector
Foreign companies whose websites or apps are accessed by Indian users
Government bodies (with limited exemptions)
Partners and vendors acting as Data Processors on behalf of a Data Fiduciary
There is no exemption based on company size. A bootstrapped startup with a contact form collecting email addresses is subject to the same notice and consent obligations as a listed company with millions of users. The Act does recognise a higher tier — Significant Data Fiduciaries — for entities processing at very large scale, which attract additional obligations (see Section 10).
What counts as "personal data"?
Under Section 2(t), personal data means any data about an individual who is identifiable by or in relation to such data. This is intentionally broad and includes:
| Category | Examples |
|---|---|
| Identity | Name, photograph, date of birth, Aadhaar number, PAN |
Note: The DPDPA does not create a separate "sensitive personal data" tier the way GDPR's Article 9 does. All personal data is covered by the same framework — the Act instead uses contextual sensitivity (e.g., children's data under Section 9, cross-border transfers under Section 16) to apply additional requirements where risk is higher.
Key dates & timeline
11 August 2023
DPDPA enacted
The Digital Personal Data Protection Act, 2023 receives Presidential assent and is published in the Official Gazette.
13 November 2025
DPDP Rules 2025 notified
G.S.R. 846(E) — the implementing Rules are published. Rules 1, 2, 4, 6(3), 17–21, and 24 come into force immediately. The Data Protection Board of India (DPBI) becomes operational.
Now — 13 November 2026
Consent Manager registration window
Entities wishing to operate as a Consent Manager (Rule 4) must register with the DPBI within twelve months of gazette notification. This is the first concrete compliance milestone for the ecosystem.
13 May 2027
Full compliance deadline
Rules 3, 5–16, 22, and 23 come into force — covering notice format, consent, children's data, security safeguards, breach notification, retention, grievance timelines, and cross-border transfers. This is the primary deadline for most organisations.
Section 5 — Notice
Section 5 + Rule 3
What it requires
Before or at the time of collecting personal data, the Data Fiduciary must give the Data Principal a clear, standalone notice that explains:
What personal data will be collected and for what specific purpose
How to exercise the rights of access, correction, erasure, and grievance
How to make a complaint to the Data Protection Board of India
How to withdraw consent
Under Rule 3, the notice must be a standalone document — not buried inside Terms of Service. It must be in English and any language from the Eighth Schedule that the Data Principal requests.
What this means in practice
Your privacy policy must be accessible at a dedicated URL (e.g., /privacy-policy) — not folded into a general legal page
Privacy notices embedded in Terms and Conditions or under a combined "Legal" page do not satisfy Rule 3(1)
The notice must be available in Hindi (mandatory) and in the regional language of your primary user base
Every form that collects personal data should link to the notice at the point of collection
Penalty exposure: Failure to provide notice as required under Section 5 — up to ₹200 crore.
Section 6 — Consent
Section 6
What it requires
Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous — expressed through a clear affirmative action. Pre-ticked boxes, inferred consent, and bundled consent (agreeing to all purposes with one click and no granularity) are explicitly invalid.
Section 6(4): Withdrawal of consent must be as easy as giving it — a "Reject All" option must be as prominent as "Accept All"
Section 6(5): Withdrawal does not affect the lawfulness of processing before withdrawal
Section 6(6): On withdrawal, the Data Fiduciary must cease processing within a reasonable time
Section 6(10): The burden of proving valid consent was obtained rests with the Data Fiduciary — you must maintain consent records
What consent looks like in practice
| Requirement | Compliant | Non-compliant |
|---|---|---|
| Mechanism | Unchecked checkbox + clear label | Pre-ticked box; continuing to use the site |
| Granularity | Separate toggles per purpose (analytics, marketing) | Single "Accept All" with no breakdown |
| Withdrawal | Reject button equally prominent as Accept | Reject hidden in settings; small text link |
| Proof | Server-side log of {sessionId, choices, timestamp} | No record kept |
| Timing | Consent obtained before any tracking loads | Trackers fire on page load before consent |
Penalty exposure: Failure to obtain valid consent — up to ₹250 crore per violation. This is the highest penalty category in the Act.
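As an added illustration (not code from this page or from any product it describes), a small server-side consent ledger in JavaScript that models the five rows of the table above: an explicit boolean per purpose with no inferred defaults, per-purpose granularity, withdrawal as a single call that never rewrites earlier records (Section 6(5)), an append-only proof log of {sessionId, choices, timestamp} for the Section 6(10) burden of proof, and a gate that keeps a tracker from loading until its purpose is consented. The purpose names, the session id format and the in-memory store are assumptions.

```javascript
// Added example: consent ledger modelling the Section 6 requirements.
// Purpose names and the in-memory store are assumptions, not taken from the Act.
const PURPOSES = ["essential", "analytics", "marketing"]; // "essential" assumed strictly necessary

class ConsentLedger {
  constructor(now = () => new Date()) {
    this.now = now;           // injectable clock so the proof log is reproducible in tests
    this.records = [];        // append-only: {sessionId, action, choices, timestamp}
  }

  // Section 6: consent is an affirmative action per purpose. Every non-essential
  // purpose must arrive as an explicit boolean; a missing key is never treated as
  // "yes" (that would be inferred or pre-ticked consent, which is invalid).
  record(sessionId, choices) {
    for (const p of PURPOSES) {
      if (p !== "essential" && typeof choices[p] !== "boolean") {
        throw new Error(`no explicit choice for purpose "${p}"; inferred consent is invalid`);
      }
    }
    const entry = {
      sessionId,
      action: "grant",
      choices: Object.fromEntries(PURPOSES.map(p => [p, p === "essential" ? true : choices[p]])),
      timestamp: this.now().toISOString(),
    };
    this.records.push(entry);
    return entry;
  }

  // Section 6(4): withdrawing is one call, no harder than granting. Section 6(5):
  // earlier processing stays lawful, so earlier entries are appended to, never edited.
  withdraw(sessionId, purposes = PURPOSES) {
    const choices = this.current(sessionId);
    for (const p of purposes) if (p !== "essential") choices[p] = false;
    const entry = { sessionId, action: "withdraw", choices, timestamp: this.now().toISOString() };
    this.records.push(entry);
    return entry;
  }

  // Latest effective choices. With no record yet, only "essential" is allowed.
  current(sessionId) {
    const mine = this.records.filter(r => r.sessionId === sessionId);
    if (mine.length === 0) return Object.fromEntries(PURPOSES.map(p => [p, p === "essential"]));
    return { ...mine[mine.length - 1].choices };
  }

  // Timing row of the table: a tracker may load only once its own purpose is consented.
  mayLoad(sessionId, purpose) {
    return this.current(sessionId)[purpose] === true;
  }

  // Section 6(10): the evidence trail the Data Fiduciary must be able to produce.
  proof(sessionId) {
    return this.records.filter(r => r.sessionId === sessionId);
  }
}

// Constructed walk-through: a visitor grants analytics but refuses marketing,
// then withdraws analytics one minute later.
function demo() {
  let t = new Date("2027-05-13T09:00:00Z");
  const ledger = new ConsentLedger(() => (t = new Date(t.getTime() + 60000)));
  const sid = "sess-demo-0001";                              // constructed session id
  const before = ledger.mayLoad(sid, "analytics");           // false: nothing loads pre-consent
  ledger.record(sid, { analytics: true, marketing: false });
  const afterGrant = ledger.mayLoad(sid, "analytics");       // true
  ledger.withdraw(sid, ["analytics"]);
  const afterWithdraw = ledger.mayLoad(sid, "analytics");    // false, marketing still false
  return { before, afterGrant, afterWithdraw, proofEntries: ledger.proof(sid).length };
}
```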
Section 7 — Certain legitimate uses (processing without consent)
Section 7
What it permits
Consent is not required in specific, narrow circumstances. Section 7 lists the legitimate grounds for processing without consent. These are limited and should not be treated as a blanket opt-out from consent requirements:
Section 7(a): Voluntary disclosure by the Data Principal for a specific purpose — e.g., filling in a contact form where the purpose is self-evident
Section 7(b): Fulfilment of a legal obligation — e.g., tax filings, KYC required by RBI, regulatory reporting
Section 7(c): Compliance with a court order or judgment
Section 7(d): Threat to life or health — emergency situations
Section 7(e): Public health and epidemics
Section 7(f): Employment-related processing — HR, payroll, access control within an organisation
Section 7(g): Processing by the State for delivery of public services
Common misuse: Many organisations try to fit analytics, marketing, and user profiling under a "legitimate use" ground to avoid consent requirements. The DPDPA's legitimate uses are narrow and specific — they do not provide a backdoor equivalent to GDPR's legitimate interest basis for commercial profiling.
Section 8 — General obligations of Data Fiduciaries
Section 8 + Rule 6, Rule 7, Rule 8
What it requires
Section 8 imposes ongoing obligations on all Data Fiduciaries — regardless of whether a specific incident has occurred:
Section 8(1): Process data only for the specific, stated purpose and within the scope of consent given
Section 8(3): Ensure completeness, accuracy, and consistency of personal data used for decisions affecting the Data Principal
Section 8(4): Implement appropriate technical and organisational security safeguards — including encryption, access control, and activity logging
Section 8(5): Take reasonable security safeguards consistent with Rule 6 (see below)
Section 8(6): In the event of a personal data breach, notify the DPBI within 72 hours and notify all affected Data Principals without delay (Rule 7)
Section 8(7): Erase personal data when the purpose is served, consent is withdrawn, or when no longer necessary — and ensure Data Processors do the same (Rule 8)
Section 8(9): Publish the contact details of the Data Protection Officer (DPO) or person responsible for grievances
Encryption in transit
All personal data transmitted over networks must use TLS 1.2 or higher. HTTP sites are non-compliant for any page that handles personal data.
Access control
Personal data must only be accessible to authorised personnel. Implement role-based access controls and least-privilege principles.
Activity logging
Log access to and processing of personal data. Rule 8(3) requires processing logs to be retained for a minimum of 1 year.
Security headers
HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options) are standard safeguards under Rule 6(g)'s general requirement for "reasonable security measures".
Rule 7 — Breach notification (72-hour rule)
There is no materiality threshold — every breach must be reported, not only "significant" ones. The notification to the DPBI must include:
Nature, extent, timing, and location of the breach
Likely consequences for affected Data Principals
Measures taken or planned to mitigate harm
Contact details of the responsible person
Penalty exposure: Failure to implement security safeguards — up to ₹250 crore. Failure to notify a breach — up to ₹200 crore.
Section 9 — Processing of children's personal data
Section 9 + Rule 10, Rule 11
What it requires
A "child" under the DPDPA is anyone under the age of 18. Before processing a child's personal data, the Data Fiduciary must:
Obtain verifiable parental consent (Rule 10) — a simple age-gate checkbox or self-declaration does not satisfy this
Not process personal data of children in a way that causes detrimental effects on their well-being
Not undertake tracking, behavioural monitoring, or targeted advertising directed at children — Section 9(3)
Implement technical measures to verify parental identity and consent
Rule 11 prescribes the method for age verification — data-minimising and privacy-respecting mechanisms must be used.
Who this applies to: If your service is child-directed (aimed at children or teenagers, or if children can reasonably be expected to be users), Section 9 obligations apply. You cannot avoid them by simply adding an "I am 18+" checkbox — that does not constitute verifiable parental consent.
Penalty exposure: Failure to meet children's data obligations — up to ₹200 crore.
Section 10 — Significant Data Fiduciaries (SDFs)
Section 10 + Rule 13
What it requires
The Central Government may notify specific entities as Significant Data Fiduciaries (SDFs) based on:
Volume and sensitivity of personal data processed
Risk to sovereignty and integrity of India, national security, or public order
Risk to rights of children or Data Principals
Potential impact on electoral democracy
Once notified as an SDF, Rule 13 requires:
Annual Data Protection Impact Assessment (DPIA) covering all high-risk processing activities
Independent annual audit by a certified Data Auditor
Appointment of a Data Protection Officer (DPO) who is India-resident and holds key managerial personnel status (board-level or equivalent)
Retention of a qualified Data Auditor from a list to be notified by MeitY
Data localisation for specific categories designated by the Government (Rule 13(4))
No SDFs have been notified yet. As of June 2026, the Central Government has not published the SDF notification. The specific thresholds (user counts, data sensitivity criteria) are not yet public. Organisations with millions of Indian users should begin DPIA readiness and DPO identification proactively — SDF notification may arrive with little warning.
Sections 11–14 — Rights of Data Principals
Sections 11–14
The four data rights under the DPDPA
Section 11 — Right to access information
A Data Principal can request a summary of: (a) personal data being processed, (b) processing activities undertaken, and (c) identities of all Data Processors and other Data Fiduciaries to whom data has been shared. The Data Fiduciary must respond within the timeline set by the DPBI.
Section 12 — Right to correction, completion, and erasure
A Data Principal may request correction of inaccurate or misleading data, completion of incomplete data, or erasure of data that is no longer necessary for the stated purpose. The Data Fiduciary must fulfil reasonable requests and update any Data Processors who hold the same data.
Section 13 — Right to grievance redressal
Every Data Fiduciary must publish the contact details of a Grievance Officer (or the person responsible for grievances). Under Rule 14:
Complaints must be acknowledged within 48 hours
Complaints must be resolved within 30 days
If not resolved within 30 days, the Data Principal may appeal to the DPBI within the following 90 days
Section 14 — Right to nominate
A Data Principal may nominate another person to exercise their data rights on their behalf in the event of death or incapacity. This is a unique right not found in most other data protection regimes.
Penalty exposure: Failure to honour rights of Data Principals — up to ₹250 crore.
Section 16 — Cross-border data transfers
Section 16 + Rule 15
What the law actually says
India has adopted a negative list regime for cross-border transfers — transfers are freely permitted unless the Central Government restricts transfers to a specific country by notification. The exact text of Section 16(1):
"The Central Government may, after such assessment as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may not transfer personal data of a Data Principal..."
Rule 15 implements this with an identical negative-list approach: transfers are permitted subject to any requirements the Central Government may specify. No countries are currently on the restricted list.
Important timing note: Rule 15 itself does not come into force until 13 May 2027 (Rule 1(4) — 18 months after gazette). There is no current legal obligation or penalty exposure for cross-border transfers.
What this means today: If your website uses Google Analytics, Meta Pixel, or any US-based SaaS tool, data is being transferred to the US. This is currently permitted under the DPDPA. There is no obligation to disclose cross-border transfers in your privacy notice under Rule 3's explicit list of notice requirements. Voluntary disclosure is good practice — but claiming it is a current legal violation (as some scanners do) is not legally accurate.
Monitor meity.gov.in for Rule 15 notifications — if the Government restricts transfers to a country where your vendors operate, you will need to comply within the grace period specified in that notification.
DPDP Rules 2025 — Key rules at a glance
| Rule | Subject | Key requirement | In force |
|---|---|---|---|
| Rule 3 | Notice format | Standalone document; English + Eighth Schedule languages; itemised list of data, purpose, rights, DPBI complaint link | 13 May 2027 |
| Rule 4 | Consent Managers | Entities acting as Consent Manager must register with DPBI within 12 months of gazette (by 13 Nov 2026) | Now |
| Rule 5 | Consent (additional) | Deemed consent in certain contexts; Consent Manager integration requirements | 13 May 2027 |
| Rule 6 | Security safeguards | Encryption, access control, activity logging, monitoring for breaches | 13 May 2027 |
| Rule 7 | Breach notification | Notify DPBI within 72 hours; notify affected Data Principals without delay; no materiality threshold | 13 May 2027 |
| Rule 8 | Data retention | Erase when purpose served; processing logs retained minimum 1 year; Third Schedule sets class-specific minimums (3 years for large platforms) | 13 May 2027 |
| Rule 9 | Grievance Officer publication (SDF only) | Significant Data Fiduciaries must publish DPO contact prominently on the website — not only inside the privacy policy | 13 May 2027 |
| Rule 10 | Children's data — verifiable consent | Technical and organisational measures to verify parental identity and consent before processing a child's data | 13 May 2027 |
| Rule 11 | Age verification | Data-minimising age verification methods; must not require excessive personal data to determine age | 13 May 2027 |
| Rule 13 | SDF obligations | Annual DPIA, annual independent audit, India-resident DPO (key managerial personnel), Data Auditor retention, data localisation for designated categories | 13 May 2027 |
| Rule 14 | Grievance timelines | Acknowledge within 48 hours; resolve within 30 days; DPBI appeal right within 90 days thereafter | 13 May 2027 |
| Rule 15 | Cross-border transfers | Negative list — transfers permitted unless Government restricts specific country. No countries currently restricted. | 13 May 2027 |
Penalty schedule
Penalties under the DPDPA are determined by the Data Protection Board of India based on the severity of the violation, the number of Data Principals affected, the Data Fiduciary's compliance history, and evidence of remediation. The figures below are statutory maxima, not baseline or expected outcomes.
| Violation | Provision | Max penalty |
|---|---|---|
| Failure to obtain valid consent before processing personal data | Section 6 | ₹250 crore |
| Failure to implement reasonable security safeguards | Section 8(5) + Rule 6 | ₹250 crore |
| Failure to honour rights of Data Principals (access, correction, erasure) | Sections 11–13 | ₹250 crore |
| Non-compliance with a direction of the Data Protection Board of India | Section 33 | ₹250 crore |
| Failure to provide notice as required before collecting personal data | Section 5 + Rule 3 | ₹200 crore |
| Non-fulfilment of obligations for processing children's personal data | Section 9 + Rule 10 | ₹200 crore |
| Failure to notify a breach to the DPBI within 72 hours | Section 8(6) + Rule 7 | ₹200 crore |
| Failure to fulfil obligations of a Significant Data Fiduciary | Section 10 + Rule 13 | ₹200 crore |
| Breach of any other provision of the Act or Rules | General | ₹50 crore |
How penalties are assessed: The DPBI considers — the nature, gravity, and duration of the breach; the number of Data Principals affected; the type of personal data involved; whether the breach was intentional or negligent; prior violations; and steps taken to mitigate harm. A first-time, good-faith compliance gap by a startup that has already remediated is unlikely to attract the maximum penalty. Penalties up to ₹250 crore are reserved for large-scale, systemic, or wilful violations.
Glossary
Data Fiduciary
Any person or organisation that determines the purpose and means of processing personal data. The primary subject of obligations under the Act. Equivalent to "Data Controller" under GDPR. Examples: your company, any app or website that collects user data.
Data Principal
The individual whose personal data is being processed. The beneficiary of rights under the Act. Equivalent to "Data Subject" under GDPR.
Data Processor
Any person or organisation that processes personal data on behalf of a Data Fiduciary, under contract. Examples: cloud providers, analytics platforms, email service providers. Data Processors must follow the Data Fiduciary's instructions and are governed by their contractual terms.
Consent Manager
A new entity type created by the DPDPA — a registered intermediary that maintains records of consent given and withdrawn by Data Principals, and enables Data Principals to manage their consents across multiple platforms from a single interface. Must be registered with the DPBI (Rule 4 deadline: 13 November 2026).
Significant Data Fiduciary (SDF)
A Data Fiduciary notified by the Central Government as processing data at a scale or sensitivity level that warrants additional obligations — annual DPIA, independent audit, India-resident DPO, and data localisation for designated categories. No SDFs have been notified yet as of June 2026.
Data Protection Board of India (DPBI)
The independent regulatory body established under the DPDPA. Receives complaints from Data Principals, adjudicates disputes, issues directions to Data Fiduciaries, and imposes penalties for violations. Became operational in November 2025.
Personal Data Breach
Any unauthorised processing or disclosure of personal data that may cause harm to Data Principals — including data theft, accidental exposure, ransomware, insider access, or unauthorised sharing with a third party. All breaches (no materiality threshold) must be reported to the DPBI within 72 hours.
Data Protection Impact Assessment (DPIA)
A structured assessment of the privacy risks created by a specific data processing activity, and the measures taken to mitigate those risks. Mandatory annually for Significant Data Fiduciaries; best practice for any high-risk processing by other Data Fiduciaries.
Grievance Officer
The named individual at a Data Fiduciary responsible for receiving and resolving data-related complaints from Data Principals. Must be published on the website. For Significant Data Fiduciaries, this role aligns with the Data Protection Officer (DPO), who must be India-resident key managerial personnel.
Eighth Schedule
The constitutional schedule listing India's 22 official languages. Rule 3(1) requires privacy notices to be available in English and any Eighth Schedule language requested by the Data Principal. Hindi is the most requested and effectively mandatory for national-audience services.
Third Schedule
A schedule in the DPDP Rules 2025 that specifies minimum data retention periods for specific platform types. E-commerce and social media platforms with 2 crore or more Indian users, and online gaming platforms with 50 lakh or more users, must retain most user data for a minimum of 3 years from last activity.
Negative List Regime (cross-border transfers)
The approach adopted by India under Section 16 and Rule 15 for cross-border data transfers: transfers are permitted to all countries unless the Central Government specifically restricts a country by notification. No countries are currently restricted. Contrast with GDPR's positive adequacy model, where transfers require an adequacy decision or specific safeguards.