What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 is India's law for processing digital personal data. It applies to personal data collected digitally, or collected offline and then digitised, and it is enforced by the Data Protection Board of India. The detailed operating rules - the DPDP Rules, 2025 - were notified on 13 November 2025.
When do businesses actually have to comply?
In phases. Provisions creating the Data Protection Board took effect on 13 November 2025. Consent Manager registration opens from 13 November 2026. The main obligations - notices, consent, security safeguards, breach reporting, data principal rights, and children's data protections - bind from 13 May 2027.
DPDP Rules 2025, Rule 1
Does the DPDP Act apply to my business?
If you process digital personal data of people in India, yes - there is no turnover or size threshold. It also applies outside India when goods or services are offered to people in India. Purely personal or domestic use and data the individual has made publicly available themselves are outside its scope.
Section 3
What is a Data Fiduciary and a Data Principal?
The Data Principal is the individual the personal data is about. A Data Fiduciary is whoever decides the purpose and means of processing that data - typically the business. A Data Processor processes data on a fiduciary's behalf under a contract, but the fiduciary stays responsible.
Section 2
What counts as valid consent under the DPDP Act?
Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to data necessary for the stated purpose. A notice must come before or with the request. Withdrawing consent must be as easy as giving it was.
Sections 5 and 6
What must a privacy notice contain?
An itemised description of the personal data and the purposes, the goods or services involved, how the person can exercise their rights and withdraw consent, and how to complain to the Data Protection Board. The notice must be understandable on its own, and available in English or any of the 22 languages of the Eighth Schedule.
Section 5, Rule 3
What are the penalties for getting it wrong?
The Schedule to the Act caps penalties per instance: up to Rs 250 crore for failing to take reasonable security safeguards, up to Rs 200 crore for failing to notify a breach or for breaching children's data duties, and up to Rs 50 crore for most other violations. The Data Protection Board decides the amount based on the nature, gravity, and duration of the breach.
Section 33, Schedule
What is a Consent Manager?
A Consent Manager is a platform registered with the Data Protection Board that lets a person give, manage, review, and withdraw consent through a single interoperable point. Registration requirements - including minimum net worth and technical standards - apply from 13 November 2026. Most businesses will not become one, but may need to work with them.
Section 2, Rule 4
What is a Significant Data Fiduciary?
A class of Data Fiduciary the Central Government notifies based on factors like the volume and sensitivity of data, risk to individuals, and impact on India. Significant Data Fiduciaries carry extra duties: a Data Protection Officer based in India, an independent data auditor, periodic Data Protection Impact Assessments, and algorithmic due diligence.
Section 10, Rule 13
How does the Act protect children's data?
Processing a child's data - anyone under 18 - requires verifiable consent of a parent or lawful guardian. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. The Rules describe how parental consent is verified and the limited exemptions.
Section 9, Rule 10
What happens if we have a data breach?
Every affected person must be informed promptly, in plain language, with what happened and what they can do. The Data Protection Board must also be informed - an initial intimation without delay, followed by a detailed report within 72 hours. Preparing the runbook and templates before an incident is the only realistic way to meet this.
Section 8(6), Rule 7
What rights do individuals get?
A Data Principal can ask for a summary of their data and how it is processed, demand correction and erasure, use grievance redressal that must respond within the period the Rules set, and nominate someone to exercise their rights if they die or are incapacitated.
Sections 11 to 14
How is the DPDP Act different from GDPR?
The DPDP Act is consent-centric with fewer lawful bases, applies only to digital personal data, has no data classification into special categories, and sets penalties as fixed caps rather than turnover percentages. Tools and templates built for GDPR do not map one-to-one - notices, consent flows, and breach timelines all differ.
I can get an LLM to write my privacy policy - why do I need anything more?
A written policy is the easy 10 percent. The Act judges what your website and systems actually do: whether trackers really wait for consent, whether withdrawal really works, whether the notice matches what you truly collect, in the languages your users need, kept current as Rules roll out. A generated document changes none of that - and a notice that promises what your site does not do makes things worse, not better.
I take orders on WhatsApp and Instagram - does the Act still apply?
Yes. Digital personal data is covered wherever you process it - chat commerce included. Names, numbers, and addresses collected over WhatsApp for orders are personal data you are the Data Fiduciary for. Your notice, consent for marketing messages, and erasure duties all still apply.
My store runs on Shopify or Wix - is compliance their job or mine?
Yours. The platform is your Data Processor; you decide the purpose, so you are the Data Fiduciary. You still need your own notice, honest consent, a grievance contact, and processor terms with the platform. Their tools help, but their defaults do not discharge your duties.
Does the Act cover our employees' data too?
Yes - employee personal data is personal data. Section 7 permits processing for employment purposes without fresh consent, but the security safeguards, breach duties, and erasure obligations still apply to HR systems, payroll, and monitoring tools.
Will anyone really check a small business like mine?
Enforcement starts with complaints, and the complaint button belongs to your customers: the notice must tell them how to complain to the Data Protection Board. One unhappy customer, ex-employee, or competitor can file. The Board weighs gravity and duration - a small business that prepared honestly is in a very different conversation from one that ignored the law.
What should we do before 13 May 2027?
Map what personal data you collect and why. Publish a compliant notice. Fix consent so it is affirmative and as easy to withdraw as to give. Put security safeguards, retention limits, and a grievance contact in place. Prepare the breach runbook. Then re-check regularly - websites drift.
This page explains the law in plain language for orientation. It is not legal advice - for decisions about your specific situation, involve your counsel.