India's Digital Personal Data Protection Act Explained
By Anika Desai
Digital Privacy Researcher & Tech Journalist · M.Sc. Cybersecurity, Georgia Tech
For almost a decade, Indian citizens lived under a digital regime that had no real privacy law. The Information Technology Act of 2000 had a few thin provisions, and the Puttaswamy judgment in 2017 confirmed that privacy was a fundamental right, but there was no statute that told companies how to collect data, how long to keep it, or what users could do if things went wrong. That gap finally closed on August 11, 2023, when the Digital Personal Data Protection Act was notified, and it began phased enforcement from November 13, 2025.
I have spent the last two years reading the Act line by line, sitting through draft rule consultations, and trying to answer the one question that keeps coming up in reader emails: what does this law actually do for me? The short answer is that it gives you a named set of rights over your personal data for the first time in Indian history, and it puts real money on the line for companies that ignore those rights. The long answer is more interesting, and that is what this guide is about.
What the DPDPA Actually Is
The Digital Personal Data Protection Act 2023, usually written as DPDPA or DPDP Act, is India's first horizontal data protection law. Horizontal means it applies across sectors rather than being written for a single industry. Banks, hospitals, ecommerce platforms, dating apps, matrimony sites, edtech companies, and government departments are all covered if they process the personal data of Indian residents in digital form.
The Act defines personal data as any data about an individual who can be identified by or in relation to such data. That is a broad definition on purpose. It includes the obvious items like your name, Aadhaar number, phone number, and bank details, but it also covers less obvious things like device identifiers, location history, and behavioural data that can be linked back to you.
Four terms do most of the work in the statute, and understanding them will save you a lot of confusion later.
- Data Principal: You. The individual whose data is being processed.
- Data Fiduciary: The company or entity that decides how and why your data is processed.
- Data Processor: A third party that handles data on behalf of a fiduciary, like a cloud provider or analytics vendor.
- Data Protection Board of India (DPBI): The statutory enforcement authority that investigates complaints and levies penalties.
Supratim Chakraborty, Partner at Khaitan and Co and one of the lawyers who consulted on early drafts, has described the shift in a line I keep returning to. "The DPDPA puts the individual at the centre of the data relationship for the first time in Indian law. The burden of lawful processing now sits on the fiduciary, not the user."
The Implementation Timeline
The Act is not fully in force yet. It is rolling out in phases, and this matters because the rights you can exercise today are narrower than what you will have in 2027.
| Phase | Date | What Activates |
|---|---|---|
| Phase 1 | November 13, 2025 | Data Protection Board constituted, administrative rules notified |
| Phase 2 | November 13, 2026 | Consent Manager framework, registration of Significant Data Fiduciaries |
| Phase 3 | May 13, 2027 | Full enforcement of consent, notice, grievance, and penalty provisions |
Until Phase 3, companies are expected to move toward compliance, but the Board cannot yet levy the full penalty range on most violations. This has created what privacy lawyers call the compliance grace period, and a December 2025 Nishith Desai Associates survey found that only 34 percent of large Indian companies had completed their DPDPA gap assessment by the start of 2026.
Your Rights as a Data Principal
The Act names seven rights that belong to you, the Data Principal. Each of them is enforceable once the corresponding rule is notified.
Right to information. You can ask any data fiduciary for a summary of the personal data it is processing about you, the purpose of processing, and the identities of any third parties it has shared your data with. The fiduciary must respond within a reasonable period, which the draft rules currently peg at 30 days.
Right to correction and erasure. You can demand correction of inaccurate data and deletion of data that is no longer needed for the stated purpose. The right is not absolute. A fiduciary can refuse deletion if there is a legal obligation to retain the data, for example under RBI anti-money-laundering rules or income tax law.
Right to grievance redressal. Every fiduciary must publish a grievance officer's contact details and respond to your complaint within a defined timeline. If you are not satisfied, you can escalate to the Data Protection Board.
Right to nominate. In case of your death or incapacity, you can nominate another individual to exercise your rights on your behalf. This is a novel provision that does not exist in GDPR.
Right to withdraw consent. You can withdraw consent for any purpose for which you gave it, and the fiduciary must stop processing data for that purpose and notify any processors downstream.
Right to be heard. Before the Board takes a significant decision, you have a right to be heard.
Right to portability. This is not in the main Act but is anticipated in sectoral regulations, particularly under RBI and TRAI rules that reference DPDPA compatibility.
This is a meaningful set of rights, but I want to flag an honest limitation. The Right to Information under DPDPA is narrower than the equivalent GDPR right. Under GDPR Article 15, you can demand a full copy of the personal data held about you. Under the Indian Act, you get a summary. In practice, that means companies are likely to respond with a high-level description rather than raw data exports, and Indian users will need to push harder for substantive disclosures.
Consent and Notice Rules
The DPDPA takes a strict view of consent. To be valid, consent must be free, specific, informed, unconditional, and unambiguous, and it must be given through a clear affirmative action. Pre-ticked boxes, inferred consent, and bundled consent for unrelated purposes are all invalid.
Every consent request must be preceded by a notice. The notice has to describe the personal data being collected, the purposes of collection, and the rights of the Data Principal. Crucially, Section 6(3) requires the notice to be available in English and in any of the 22 languages listed in the Eighth Schedule of the Constitution. I find this provision quietly radical. It is one of the first times an Indian privacy law has taken linguistic accessibility seriously.
Consent Managers are a structurally interesting part of the Act. These will be registered intermediaries that let you view, grant, and revoke consent across multiple platforms from a single dashboard. The concept is modelled on the RBI Account Aggregator framework and is scheduled to go live in 2026. Whether it works in practice will depend on how many fiduciaries integrate voluntarily.
What Counts as Deemed Consent
Section 7 of the Act creates a category called Certain Legitimate Uses, which used to be called Deemed Consent in the 2022 draft. Under these provisions, a fiduciary does not need fresh consent for:
- Processing where the principal has voluntarily provided data and has not indicated any objection
- Medical emergencies and disaster response
- Employment-related processing with proportionality limits
- Compliance with any judgment, decree, or order
- Any function of the State related to subsidies, benefits, or services
The Legitimate Use carve-outs are the most criticised part of the Act. The Internet Freedom Foundation filed detailed objections during the consultation, arguing that the State-function exemption is too broad and that the employment exemption lacks clear limits. Apar Gupta, who co-founded IFF, has called it "a compliance burden on private actors with a blank cheque for the government."
Penalties
The Act sets four tiers of penalty. The highest tier is up to Rs 250 crore per instance, roughly 30 million US dollars at current rates, for failing to take reasonable security safeguards where that failure results in a personal data breach. Other tiers include Rs 200 crore for failing to notify the Board of a breach, Rs 150 crore for violations of children's data rules, and Rs 50 crore for violating duties of a Data Principal.
These numbers sit at the high end of global privacy regimes. For comparison, the maximum GDPR penalty is either 20 million euros or 4 percent of global turnover, whichever is higher. The DPDPA does not use turnover as a base, which actually means it can hit small fiduciaries harder in proportional terms than GDPR does, even if the absolute numbers look smaller for multinationals.
As of March 2026, the Board has opened preliminary inquiries against 17 entities, but no final penalty orders have been issued. The first contested adjudication is expected in late 2026.
Children and Persons With Disabilities
DPDPA sets 18 as the age of majority for data processing, which is stricter than GDPR's 16 and the US COPPA's 13. A data fiduciary must obtain verifiable parental consent before processing the personal data of a child, and must not undertake behavioural tracking or targeted advertising directed at children.
The practical challenge here is verification. How does a dating app, a gaming platform, or a social network verify that the consent giver is actually a parent? The draft rules reference a trust framework using government-issued identifiers, which privacy advocates have warned could push the whole industry toward Aadhaar-linked age gates. The final mechanism will be notified in subsequent rules.
What DPDPA Means for Your Digital Life
Here is the practical picture in 2026. If you are an Indian resident using an Indian or foreign digital service, you can already do the following.
- Write to the grievance officer. Every fiduciary has to publish grievance contact details. You can write, ask for a data summary, or demand deletion. If they ignore you, keep the email thread.
- Withdraw consent. Go into your account settings and look for a Data Consent or Privacy section. Under DPDPA, withdrawal must be as easy as giving consent in the first place.
- File a complaint with the Board. Once internal grievance channels are exhausted, you can escalate to the Data Protection Board of India. The procedure is online and does not require a lawyer.
You cannot yet sue a fiduciary directly in civil court for damages under the Act. DPDPA does not create a private right of action, which is another significant limitation. If a data breach harms you financially, you can still file under IT Act Section 43A, but a DPDPA-specific compensation claim is not available.
For privacy-sensitive contexts like online dating, matrimony, telehealth, or mental health apps, DPDPA adds a layer of legal accountability that did not exist before. Apps built around anonymity, such as Hidnn, benefit because data minimisation as a design principle becomes a compliance asset rather than a trade-off. The less personal data a fiduciary holds, the smaller its DPDPA risk surface.
Frequently Asked Questions
Does DPDPA apply to foreign apps that I use in India?
Yes. Section 3 extends the Act to processing of personal data outside India if it is in connection with offering goods or services to Data Principals in India. In practice, this means that foreign apps like Instagram, Tinder, Bumble, and ChatGPT all fall within scope when serving Indian users. Enforcement against entities with no Indian presence remains practically difficult, but the legal jurisdiction is clear.
Can I ask a company to delete all my data under DPDPA?
You can request erasure, but a fiduciary can refuse if it has a legal obligation to retain the data. For example, a bank must retain KYC records under RBI rules for up to ten years. The right to erasure is meaningful for non-essential data but not a universal reset button.
Is Aadhaar protected by DPDPA?
Aadhaar is already protected by the Aadhaar Act 2016 and the Supreme Court's Puttaswamy II judgment. DPDPA adds a second layer of protection because Aadhaar numbers qualify as personal data under the broad Section 2 definition. Processing Aadhaar without lawful basis now violates two statutes rather than one.
Can the government access my data without consent?
Section 17(2)(a) exempts State processing in the interest of sovereignty, security, public order, and friendly relations with foreign states. This is the exemption IFF and other civil liberties groups have criticised most heavily. In short, yes, the government retains substantial powers to access data without Data Principal consent, and the Act does not create independent judicial oversight of that access.
How do I file a complaint with the Data Protection Board?
Once the Board's online complaint portal is fully operational in 2026, you will be able to submit a complaint describing the fiduciary, the violation, and the relief sought. The Board will first require proof that you have exhausted the fiduciary's internal grievance process. Keep records of all correspondence.
The Honest Verdict
DPDPA is a meaningful improvement over the vacuum that preceded it. It creates enforceable rights, forces companies to think about data as a liability rather than an asset, and gives Indian users a legal hook to demand accountability. It is also narrower than GDPR in important ways, carves out wide State exemptions, and lacks a private right of action. It is a beginning, not a destination.
For most Indian readers, the practical takeaway is this. You now have legal rights you did not have before. Use them. Write the grievance email. Withdraw consent where you do not need to give it. Choose services that practise data minimisation by default. The law is only as strong as the people who exercise the rights it grants, and 1.4 billion people exercising those rights is a much louder signal than any statute by itself.
The privacy regime in India is not going to be perfect in 2027. But for the first time since the internet arrived in this country, it has a floor. That is worth something.