India's Privacy Law 2023

The DPDP Act,
explained simply

No legalese. Just clear, plain-language guidance on India's Digital Personal Data Protection Act 2023 — what it means for your business, your users, and your data.

1.4B
People protected
₹250 Cr
Maximum penalty per breach
6
Core rights for individuals
2023
Year enacted

Overview

What is the DPDP Act?

The Digital Personal Data Protection Act 2023 is India's first comprehensive law governing how personal data is collected, stored, processed, and shared — both within India and beyond its borders.

🔒

Purpose limitation

Data may only be collected for a specific, clearly stated purpose. Using it for anything else requires fresh consent.

Consent-based processing

Personal data of adults may be processed only with consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, or under one of the Act's enumerated "legitimate uses" (for example employment purposes, a medical emergency, or data the individual has voluntarily provided for a specified purpose).

🌐

Cross-border transfers

Personal data may be transferred to any country or territory except those the central government restricts by notification (a blacklist, not an allow-list). Existing sector-specific rules that require a higher level of protection or local storage continue to apply.

🏛️

Data Protection Board

A new independent body — the DPBI — will hear complaints, investigate breaches, and impose financial penalties.

👶

Children's data

Processing the data of anyone under 18 requires verifiable consent from a parent or lawful guardian. Tracking or behavioural monitoring of children and targeted advertising directed at them are prohibited, as is any processing likely to harm a child's well-being.

🔔

Breach notification

In the event of a personal data breach, both the DPBI and each affected individual must be notified, in the form and within the timelines prescribed by the Rules.

Scope

Who does it apply to?

The Act applies to any entity that processes digital personal data in India, or processes data outside India if it's in connection with offering goods or services to people in India.

Covered

Data fiduciaries

  • Indian startups and enterprises
  • Global companies with Indian users
  • Government bodies (with exceptions)
  • Data processors engaged by a fiduciary under contract (the fiduciary remains responsible for compliance)
Exempt

Exclusions

  • Personal or domestic use
  • Data the individual has made publicly available, or that is public under a legal obligation
  • Research, archiving, or statistical purposes, provided the data is not used to make decisions about a specific individual
  • Certain processing by notified State agencies in the interests of sovereignty, security, or public order
  • Offline / non-digitised personal data
Special category

Significant fiduciaries

  • Designated by the central government, based on factors such as volume and sensitivity of data and risk to individuals
  • Must appoint a Data Protection Officer based in India
  • Must appoint an independent data auditor and conduct periodic audits and data protection impact assessments
  • Higher compliance obligations apply

Individual rights

Rights of the data principal

Under the DPDP Act, every person whose data is processed — the "data principal" — holds the following rights.

Right to information

Know what data is held about you and how it's being processed.

Right to correction

Have inaccurate or incomplete personal data corrected or updated.

Right to erasure

Request erasure of personal data when consent is withdrawn or the purpose is no longer being served, unless retention is required by law.

Right to grievance redressal

Raise a complaint directly with the data fiduciary and have it addressed in a timely manner.

Right to nominate

Nominate another person to exercise your rights in the event of death or incapacity.

Right to withdraw consent

Withdraw consent at any time; withdrawing it is as easy as giving it was.

Compliance

Obligations for data fiduciaries

If your organisation collects or processes personal data, these duties apply to you.

Obtain valid consent

Before processing, get free, specific, informed, unconditional and unambiguous consent, preceded by a clear notice; the notice and consent request must be available in English or any language listed in the Eighth Schedule of the Constitution.

Maintain data accuracy

Make reasonable efforts to ensure personal data processed is accurate, complete, and up to date.

Storage limitation

Delete personal data once the stated purpose has been fulfilled and there is no legal obligation to retain it.

Security safeguards

Implement reasonable technical and organisational measures to prevent data breaches and unauthorised access.

Breach notification

Notify the Data Protection Board of India and affected individuals in the event of a personal data breach.

Grievance officer

Appoint a contact person for data-related queries and ensure complaints are resolved promptly.

Enforcement

Penalties for non-compliance

The Data Protection Board of India can levy financial penalties for breaches. Significant fiduciaries face higher limits.

Violation                                                                         Maximum penalty
Failure to implement reasonable security safeguards, resulting in a breach        ₹250 crore
Failure to notify the Board or affected individuals of a breach                   ₹200 crore
Breach of the additional obligations for children's data                          ₹200 crore
Breach of the additional obligations of Significant Data Fiduciaries              ₹150 crore
Any other breach of the Act or the Rules, or of a Board direction                 ₹50 crore

Key milestones

Timeline

How the law has developed — and what's still ahead.

August 2023
DPDP Act receives Presidential assent
The Digital Personal Data Protection Act 2023 is enacted — India's first standalone data protection law.
January 2025
Draft rules consultation
The Ministry of Electronics and Information Technology (MeitY) publishes the draft Digital Personal Data Protection Rules for public consultation.
2025
Rules expected to be finalised
The DPDP Rules are expected to be notified, setting out the operational framework for consent managers, breach timelines, and more.
TBD
Data Protection Board constituted
The DPBI will be set up to receive complaints and enforce the Act once rules are in place and the government notifies commencement dates.

FAQ

Frequently asked questions

Plain answers to the questions we hear most often.

Is the DPDP Act in force right now?
The Act was enacted in August 2023, but most of its provisions come into effect only after the central government notifies commencement dates section by section. As of mid-2025, the implementation rules are being finalised. Businesses should use this time to prepare.
Does it apply to my company if we're based outside India?
Yes, if you offer goods or services to individuals in India or process their personal data in connection with any activity targeting people in India, the Act applies — regardless of where your servers or headquarters are located.
What counts as "personal data" under the Act?
Any data about an identifiable individual — their name, email, phone number, location, device ID, financial details, health information, and so on. It does not cover anonymised data that cannot be linked back to a person.
Do small businesses have lighter obligations?
The Act allows the central government to exempt certain classes of data fiduciaries — including startups — from some requirements. However, the base obligations around consent, security, and breach notification are expected to apply broadly.
What's a "consent manager"?
A consent manager is a registered intermediary that allows individuals to give, manage, review, and withdraw their consent across multiple data fiduciaries through a single platform. They must be registered with the DPBI.
How is this different from GDPR?
The DPDP Act is India's own framework and differs in several ways: it doesn't require a lawful basis beyond consent (for most processing), it has no "legitimate interest" ground, penalties are capped differently, and the Board operates independently rather than through a network of DPAs. There is no right to data portability in the current version.

Start your compliance journey today

Whether you're a startup or a large enterprise, getting DPDP-ready is simpler with the right guidance.
