India Data Privacy Laws: DPDP Act Compliance Guide (2026)

What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first dedicated, comprehensive data protection statute. Enacted on August 11, 2023, after receiving Presidential assent, it replaced a patchwork of rules that had governed data protection in India since the Information Technology Act of 2000.

India became the 19th country within the G20 to pass a comprehensive data protection law. The DPDP Act applies to the processing of digital personal data within India, whether collected online or collected offline and later digitized. It also covers processing outside India when it involves providing goods or services to individuals within India.
The Act introduces two central roles. A Data Fiduciary is any person, company, or government entity that determines the purpose and means of processing personal data. A Data Principal is the individual whose personal data is being processed. This terminology distinguishes the Indian framework from the "controller" and "data subject" language used in the European GDPR.
The DPDP Rules 2025, finalized and notified by India's Ministry of Electronics and Information Technology (MeitY) on November 13, 2025, provide the operational details for how the Act is implemented. These rules address consent management, breach notification, cross-border transfers, children's data protections, and the structure of the enforcement body.
The Legacy Framework: IT Act 2000 and SPDI Rules
Before the DPDP Act, India's data protection framework rested on Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly known as the SPDI Rules.
Section 43A made corporate bodies liable for negligence in implementing reasonable security practices when handling sensitive personal data. The SPDI Rules defined categories of sensitive personal data or information (SPDI), including passwords, financial information, health conditions, sexual orientation, medical records, and biometric data.
This legacy framework had significant limitations. It applied only to corporate bodies, not to government agencies. Its definition of sensitive data was narrow and did not account for modern data processing practices. Enforcement mechanisms were weak, and penalties were insufficient to deter large-scale data misuse.
The DPDP Act, once fully enforced by May 2027, will repeal Section 43A and the SPDI Rules entirely, replacing them with a unified regime that covers both private and government data processing.
Consent Framework and Lawful Processing
Consent is the primary legal basis for data processing under the DPDP Act. Unlike the GDPR, which provides six distinct legal bases for processing, the DPDP Act relies primarily on consent, supplemented by a limited set of "legitimate uses" defined by the law.
How Consent Works
Before collecting personal data based on consent, a Data Fiduciary must provide a clear, plain-language notice explaining what personal data is being collected, the purpose of processing, the methods available to exercise Data Principal rights, and how to file complaints with the Data Protection Board.
Consent must be free, specific, informed, unconditional, and unambiguous. It must relate to a specific purpose and can be withdrawn at any time. Upon withdrawal, the Data Fiduciary must stop processing and delete the data unless retention is required by law.
Legitimate Uses (Processing Without Consent)
The Act identifies several situations where processing is permitted without consent. These include voluntary provision of data for a specified purpose, processing necessary for state benefits or subsidies, processing required by law or court order, medical emergencies and threats to life, and employment-related processing where the employer is the Data Fiduciary.
Consent Managers: A Unique Indian Innovation
One of the DPDP Act's most distinctive features is the formal recognition of Consent Managers, entities registered with the Data Protection Board that serve as intermediaries helping Data Principals manage their consent across multiple platforms.
The consent manager framework becomes operational on November 13, 2026 under Phase 2 of the rollout. To qualify for registration, a consent manager must be a company incorporated in India, maintain a minimum net worth of INR 2 crore (approximately USD 240,000), demonstrate adequate technical and operational capacity including AES-256 encryption, and maintain clear conflict-of-interest policies.
Consent Managers are required to act in a fiduciary capacity toward Data Principals. They must maintain records of all consent activity for at least seven years, provide those records in machine-readable format, and submit to regular audits by the Data Protection Board. They cannot simultaneously serve as a Data Fiduciary or processor for the same Data Principal whose consent they manage.
Data Principal Rights
The DPDP Act grants several rights to Data Principals, although fewer than the GDPR framework provides. Notably absent are the right to data portability and the right to object to automated decision-making.
Right to Information and Access
Data Principals have the right to obtain a summary of their personal data being processed and the processing activities carried out by the Data Fiduciary. This includes information about what data is held, for what purposes, and to whom it has been shared.
Right to Correction and Erasure
Data Principals may request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data that is no longer necessary for the purpose it was collected.
For large platforms with at least 20 million users in India, the DPDP Rules treat a specified purpose as no longer served after three years of user inactivity. In those cases, the platform must send a 48-hour pre-erasure alert to the Data Principal before deleting the data.
Right to Grievance Redressal
Data Fiduciaries must publish clear procedures for raising grievances and respond to complaints within a published timeline not exceeding 90 days. If the Data Fiduciary fails to resolve the grievance satisfactorily, the Data Principal may escalate to the Data Protection Board.
Right to Nominate
A unique provision allows Data Principals to designate a trusted individual to exercise their data rights on their behalf in the event of death or incapacity. This nomination right ensures continuity of data protection beyond a person's capacity to manage it themselves.
Children's Data Protections
The DPDP Act defines a child as any person under 18 years of age and imposes strict requirements on processing their data. Before processing a child's personal data, a Data Fiduciary must obtain verifiable parental consent.
The verification process requires platforms to confirm the user is a child, validate the guardian's identity and age, verify the legitimacy of the parent-child relationship, and collect verifiable consent from the parent or guardian.
The Act expressly prohibits behavioral monitoring, tracking, and targeted advertising directed at children. Data Fiduciaries cannot process children's data in any manner likely to cause harm.
An important flexibility mechanism exists: the Central Government may lower the age threshold from 18 to 16 or even 13 for specific Data Fiduciaries if it is satisfied that the entity processes children's data in a verifiably safe manner. This provision acknowledges that rigid age thresholds can create usability problems for platforms designed for younger users.
Significant Data Fiduciaries
The Central Government may designate certain entities as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of personal data they process, the risk of harm to Data Principals, and the potential impact on India's sovereignty, security, or public order.
SDFs face additional obligations beyond those required of standard Data Fiduciaries. They must appoint a Data Protection Officer (DPO) based in India, conduct a Data Protection Impact Assessment (DPIA) at least once every 12 months, undergo an independent data protection audit annually, and share significant findings with the Data Protection Board.
SDFs may also face data localization requirements. The Central Government may specify categories of personal data that an SDF must process exclusively within India, prohibiting transfer of that data and its associated traffic data outside the country.
Cross-Border Data Transfers
The DPDP Act takes a "negative list" or "blacklist" approach to cross-border data transfers, which is markedly different from the GDPR's adequacy-based system.
Under this framework, personal data may be transferred to any country unless the Central Government specifically restricts or prohibits transfers to that jurisdiction. The government is not required to provide justifications for its decisions, nor does the law require alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
As of early 2026, the government has not yet published a list of restricted jurisdictions. Until such a list is issued, transfers to all countries remain permissible under the Act. However, organizations should monitor developments closely, as the government retains authority to restrict transfers at any time.
This approach provides operational flexibility for multinational businesses but introduces uncertainty because the rules can change without the extended assessment processes that GDPR adequacy decisions require.
Data Breach Notification
The DPDP Rules establish a two-tier notification process for personal data breaches. The notification window starts from when the Data Fiduciary becomes aware of the breach, not from when the breach actually occurred.
Immediate notification: Data Fiduciaries must inform the Data Protection Board of the likely impact and description of the breach, including its nature, extent, timing, and location, without delay.
Detailed report within 72 hours: Within 72 hours of becoming aware of the breach, the Data Fiduciary must provide an updated description, the circumstances leading to the breach, remedial and mitigation measures implemented, and findings regarding who caused the breach.
The Data Protection Board may grant extensions beyond the 72-hour window upon written request. Data Principals must also be informed of the breach within the same timeframe.
Unlike the GDPR, which only requires notification when a breach is "likely to result in a risk to the rights and freedoms of natural persons," the DPDP Act requires reporting of all personal data breaches regardless of assessed risk level. This is a stricter standard.
Penalties and Enforcement
The DPDP Act establishes a tiered penalty structure under Section 33 with maximum fines that rank among the highest in the Asia-Pacific region.
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards leading to a data breach | INR 250 crore (approx. USD 30 million) |
| Failure to notify the Board and affected individuals of a data breach | INR 200 crore (approx. USD 24 million) |
| Breach of obligations relating to children's data | INR 200 crore (approx. USD 24 million) |
| Breach of Significant Data Fiduciary obligations | INR 150 crore (approx. USD 18 million) |
| All other violations | INR 50 crore (approx. USD 6 million) |
Penalties are not automatic. The Data Protection Board must conduct an investigation and consider factors including the nature, gravity, and duration of the breach, the type of data affected, whether the breach was repetitive, any gain realized from the breach, and the effectiveness of mitigation actions taken.
The Data Protection Board of India
The Data Protection Board of India (DPBI) is the adjudicatory body established under the DPDP Act to enforce compliance, hear grievances, and impose penalties.
The DPBI was formally constituted on November 13, 2025 under Phase 1 of the rollout. It is headquartered in New Delhi and will consist of a chairperson and four members serving renewable two-year terms. A government-appointed search-cum-selection committee was constituted in December 2025 to appoint the Board's members.
The Board's key functions include monitoring compliance with the Act and Rules, directing Data Fiduciaries to take necessary measures following a breach, hearing grievances from Data Principals, and imposing penalties for violations. Appeals from the Board's decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Government Exemptions
The DPDP Act includes broad exemptions for government processing, which have drawn criticism from privacy advocates. The Central Government may exempt specific instrumentalities from most provisions of the Act when processing is deemed necessary for safeguarding India's sovereignty, integrity, or security, maintaining friendly relations with foreign states, maintaining public order, or preventing incitement to commit crimes.
When an exemption is granted, most Data Principal rights and Data Fiduciary obligations cease to apply, though the obligation to implement reasonable security safeguards persists even for exempt processing.
The Act also exempts processing for research and statistical purposes, provided the results are not used to make decisions specific to any individual Data Principal.
Phased Compliance Timeline
The DPDP Act and Rules are being enforced through a three-phase rollout:
Phase 1 (November 13, 2025): Establishment of the Data Protection Board, its powers, processes, and operational framework. The Board's adjudicatory functions and complaint-handling mechanisms become active.
Phase 2 (November 13, 2026): The consent manager registration framework becomes operational. This includes registration requirements, obligations of consent managers, and the Board's authority to inquire into breaches and impose penalties related to consent management.
Phase 3 (May 13, 2027): All remaining core obligations take effect. This includes consent and notice requirements, Data Principal rights, duties of Data Fiduciaries, Significant Data Fiduciary obligations, data breach notification requirements, data retention and erasure triggers, and security safeguard mandates.
Organizations operating in India or processing data of Indian residents should be working toward full compliance well before the May 2027 deadline.
How the DPDP Act Compares to the GDPR
While the DPDP Act draws clear inspiration from the GDPR, several differences stand out.
The DPDP Act applies only to digital personal data, while the GDPR covers all forms of personal data including paper records. The DPDP Act does not create special categories of sensitive data requiring heightened protection, treating all personal data under the same compliance standard.
The GDPR provides six legal bases for processing; the DPDP Act relies primarily on consent plus a narrower set of legitimate uses. The GDPR grants more individual rights, including data portability and the right to object to automated decision-making, which the DPDP Act does not include.
Cross-border transfers follow fundamentally different approaches. The GDPR uses an adequacy and safeguards model, while India uses the negative list system. The DPDP Act's consent manager concept has no direct GDPR equivalent.
On breach notification, the DPDP Act is actually stricter, requiring notification for all breaches rather than only those likely to pose a risk to individual rights.