DPDP Act 2023 and DPDP Rules 2025

The DPDP Act, answered in plain language

The questions Indian businesses actually ask - answered factually, with the exact section for each, and kept current as the Rules roll out. Last reviewed July 2026.

The three dates that matter

  1. Aug 2023

    Act passed

    The DPDP Act becomes law.

  2. 13 Nov 2025

    Rules notified

    Data Protection Board provisions take effect.

  3. Today (current position)

    Preparation window

    The only stretch where readiness is cheap.

  4. 13 Nov 2026

    Consent Managers

    Registration with the Board opens.

  5. 13 May 2027

    Main obligations bind

    Notices, consent, safeguards, breach reporting, rights.

Penalties at a glance

Maximum penalties per instance under the Schedule to the DPDP Act 2023
FailureMaximum penalty per instance
Reasonable security safeguards not taken₹250 crore
Breach notification duties not met₹200 crore
Children's data duties breached₹200 crore
Most other violations of the Act or Rules₹50 crore

Source: Schedule to the DPDP Act 2023. The Data Protection Board weighs nature, gravity, and duration when deciding amounts.

Who is most exposed

Everyone processing digital personal data is covered, but exposure is not equal - it follows the volume and sensitivity of data, and the sections with the biggest penalty caps.

  • Ecommerce and D2C stores

    Very high

    High volume of names, phones, addresses, and payment flows - plus marketing pixels that fire before consent. Security safeguards (the Rs 250 crore cap) and consent are the pressure points.

  • Edtech, gaming, and anything children use

    Very high

    Under-18 data needs verifiable parental consent, and tracking or targeted ads at children are prohibited outright - with a Rs 200 crore cap.

  • Fintech, lending, and insurance

    Very high

    Financial data, government IDs, and scale make Significant Data Fiduciary designation likely - adding a DPO in India, audits, and impact assessments.

  • Healthcare and diagnostics

    High

    Health data draws the closest scrutiny, and breach notification duties are unforgiving. Retention and access control matter most here.

  • Hospitality and travel

    High

    ID documents at check-in, passport details, and location history - collected at volume and often kept far too long.

  • Any business with a marketing list

    Real

    Even a small shop with a loyalty list must show valid consent, honour withdrawal, and answer grievances. Small does not mean exempt.

Your questions, answered

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India's law for processing digital personal data. It applies to personal data collected digitally, or collected offline and then digitised, and it is enforced by the Data Protection Board of India. The detailed operating rules - the DPDP Rules, 2025 - were notified on 13 November 2025.

When do businesses actually have to comply?

In phases. Provisions creating the Data Protection Board took effect on 13 November 2025. Consent Manager registration opens from 13 November 2026. The main obligations - notices, consent, security safeguards, breach reporting, data principal rights, and children's data protections - bind from 13 May 2027.

DPDP Rules 2025, Rule 1

Does the DPDP Act apply to my business?

If you process digital personal data of people in India, yes - there is no turnover or size threshold. It also applies outside India when goods or services are offered to people in India. Purely personal or domestic use and data the individual has made publicly available themselves are outside its scope.

Section 3

What is a Data Fiduciary and a Data Principal?

The Data Principal is the individual the personal data is about. A Data Fiduciary is whoever decides the purpose and means of processing that data - typically the business. A Data Processor processes data on a fiduciary's behalf under a contract, but the fiduciary stays responsible.

Section 2

What counts as valid consent under the DPDP Act?

Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to data necessary for the stated purpose. A notice must come before or with the request. Withdrawing consent must be as easy as giving it was.

Sections 5 and 6

What must a privacy notice contain?

An itemised description of the personal data and the purposes, the goods or services involved, how the person can exercise their rights and withdraw consent, and how to complain to the Data Protection Board. The notice must be understandable on its own, and available in English or any of the 22 languages of the Eighth Schedule.

Section 5, Rule 3

What are the penalties for getting it wrong?

The Schedule to the Act caps penalties per instance: up to Rs 250 crore for failing to take reasonable security safeguards, up to Rs 200 crore for failing to notify a breach or for breaching children's data duties, and up to Rs 50 crore for most other violations. The Data Protection Board decides the amount based on the nature, gravity, and duration of the breach.

Section 33, Schedule

What is a Consent Manager?

A Consent Manager is a platform registered with the Data Protection Board that lets a person give, manage, review, and withdraw consent through a single interoperable point. Registration requirements - including minimum net worth and technical standards - apply from 13 November 2026. Most businesses will not become one, but may need to work with them.

Section 2, Rule 4

What is a Significant Data Fiduciary?

A class of Data Fiduciary the Central Government notifies based on factors like the volume and sensitivity of data, risk to individuals, and impact on India. Significant Data Fiduciaries carry extra duties: a Data Protection Officer based in India, an independent data auditor, periodic Data Protection Impact Assessments, and algorithmic due diligence.

Section 10, Rule 13

How does the Act protect children's data?

Processing a child's data - anyone under 18 - requires verifiable consent of a parent or lawful guardian. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. The Rules describe how parental consent is verified and the limited exemptions.

Section 9, Rule 10

What happens if we have a data breach?

Every affected person must be informed promptly, in plain language, with what happened and what they can do. The Data Protection Board must also be informed - an initial intimation without delay, followed by a detailed report within 72 hours. Preparing the runbook and templates before an incident is the only realistic way to meet this.

Section 8(6), Rule 7

What rights do individuals get?

A Data Principal can ask for a summary of their data and how it is processed, demand correction and erasure, use grievance redressal that must respond within the period the Rules set, and nominate someone to exercise their rights if they die or are incapacitated.

Sections 11 to 14

How is the DPDP Act different from GDPR?

The DPDP Act is consent-centric with fewer lawful bases, applies only to digital personal data, has no data classification into special categories, and sets penalties as fixed caps rather than turnover percentages. Tools and templates built for GDPR do not map one-to-one - notices, consent flows, and breach timelines all differ.

I can get an LLM to write my privacy policy - why do I need anything more?

A written policy is the easy 10 percent. The Act judges what your website and systems actually do: whether trackers really wait for consent, whether withdrawal really works, whether the notice matches what you truly collect, in the languages your users need, kept current as Rules roll out. A generated document changes none of that - and a notice that promises what your site does not do makes things worse, not better.

I take orders on WhatsApp and Instagram - does the Act still apply?

Yes. Digital personal data is covered wherever you process it - chat commerce included. Names, numbers, and addresses collected over WhatsApp for orders are personal data you are the Data Fiduciary for. Your notice, consent for marketing messages, and erasure duties all still apply.

My store runs on Shopify or Wix - is compliance their job or mine?

Yours. The platform is your Data Processor; you decide the purpose, so you are the Data Fiduciary. You still need your own notice, honest consent, a grievance contact, and processor terms with the platform. Their tools help, but their defaults do not discharge your duties.

Does the Act cover our employees' data too?

Yes - employee personal data is personal data. Section 7 permits processing for employment purposes without fresh consent, but the security safeguards, breach duties, and erasure obligations still apply to HR systems, payroll, and monitoring tools.

Will anyone really check a small business like mine?

Enforcement starts with complaints, and the complaint button belongs to your customers: the notice must tell them how to complain to the Data Protection Board. One unhappy customer, ex-employee, or competitor can file. The Board weighs gravity and duration - a small business that prepared honestly is in a very different conversation from one that ignored the law.

What should we do before 13 May 2027?

Map what personal data you collect and why. Publish a compliant notice. Fix consent so it is affirmative and as easy to withdraw as to give. Put security safeguards, retention limits, and a grievance contact in place. Prepare the breach runbook. Then re-check regularly - websites drift.

Official sources

This page explains the law in plain language for orientation. It is not legal advice - for decisions about your specific situation, involve your counsel.

Reading is step one. Knowing where you stand is step two.

Run the free check - it maps your website to the sections you just read about.

Free. No card, no signup, about a minute.

Or see how the product works