Guide7 min read

What Is the DPDP Act 2023? India's Data Protection Law, Explained

What is the DPDP Act? A plain-language guide to India's Digital Personal Data Protection Act 2023 and the DPDP Rules 2025: who must comply, what it requires, and the enforcement timeline.

The DPDP Act, formally the Digital Personal Data Protection Act, 2023, is India's first comprehensive data protection law. It governs how businesses collect, use, and store the personal data of people in India. Parliament passed it in August 2023, but the Act mostly sat dormant until the Digital Personal Data Protection Rules, 2025 (the DPDP Rules) were notified on 13 November 2025, turning its broad principles into specific, enforceable obligations.

If you run a website, app, or any digital service that touches Indian users, this law applies to you. Here is what it actually says, without the drafting language.

The two roles the Act creates

  • Data Fiduciary: the company that decides why and how personal data is processed. If you run the product, you are almost certainly the Data Fiduciary. This is the DPDP equivalent of a "data controller" under GDPR.
  • Data Principal: the individual the data is about. Your user, customer, or employee. This is the DPDP equivalent of a "data subject".

A third role, the Consent Manager, is unique to the Indian framework: a Board-registered platform through which a Data Principal can give, manage, and withdraw consent across multiple companies from one place. Consent Manager obligations take effect on 13 November 2026.

What the Act actually requires

  • Clear notice and specific consent. Before processing personal data, you must give a plain-language notice describing what data you collect and why, and get consent that is free, specific, informed, and unconditional [Rule 3].
  • Reasonable security safeguards. Encryption or equivalent protection, access controls, monitoring logs, and backup measures, with a minimum one-year retention of security logs regardless of your other retention policies [Rule 6].
  • 72-hour breach notification. On becoming aware of a personal data breach, you must notify affected users without delay and give the Data Protection Board a detailed report within 72 hours [Rule 7].
  • A published contact person. Every Data Fiduciary must publish the contact details of a Data Protection Officer, or a person able to answer data-processing questions, prominently on its website or app [Rule 9].
  • Data Principal rights. Users can request access to their data, correction, erasure, and can nominate someone to exercise these rights on their behalf if they are unable to. Your grievance redressal system must respond within 90 days [Rule 14].
  • Verifiable parental consent for children. Anyone processing a child's data (under 18) needs verifiable consent from a parent or lawful guardian, and cannot use that data for tracking, behavioural monitoring, or targeted advertising [§9, Rule 10].

Who counts as a Significant Data Fiduciary

The government can designate certain companies as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process, their revenue, and potential risk to India's sovereignty or public order. SDFs carry extra obligations: an annual Data Protection Impact Assessment and audit, additional algorithmic due diligence, and data localisation requirements for specified categories of data [Rule 13].

Most early-stage startups will not be designated SDFs, but the core obligations (notice, consent, security, breach response, and rights) apply to every Data Fiduciary regardless of size.

When it actually takes effect

DateWhat changes
13 November 2025DPDP Rules notified. Data Protection Board of India constituted and rules on Board procedure take effect immediately.
13 November 2026Consent Manager registration and obligations take effect [Rule 4].
13 May 2027All other substantive rules take effect: notice, security safeguards, breach notification, retention, children's consent, SDF obligations, and Data Principal rights [Rules 3, 5 to 16, 22, 23].

What happens if you do not comply

Penalties range up to ₹250 crore per violation for failures of security safeguards, ₹200 crore for breach-notification failures and violations involving children's data, and ₹50 crore for other breaches of the Act. The Data Protection Board of India investigates complaints and imposes these penalties; its orders can be appealed to the Appellate Tribunal.

For a deeper walkthrough of what to do about all this, see our DPDP Act compliance checklist. If you already run a GDPR programme, read DPDP vs GDPR to see exactly what carries over and what does not. To see exactly where your own website stands, run a free Compliance Score below.

Frequently asked questions

What does DPDP stand for?

DPDP stands for Digital Personal Data Protection. The full name of the law is the Digital Personal Data Protection Act, 2023, and it is implemented through the Digital Personal Data Protection Rules, 2025.

Is the DPDP Act in force right now?

Partially. Provisions relating to the Data Protection Board took effect on 13 November 2025. Consent Manager provisions take effect on 13 November 2026. All other substantive obligations, including consent, security, and breach notification, become enforceable on 13 May 2027.

Does the DPDP Act apply to my company if we are small?

Yes. The Act applies to any entity that determines the purpose and means of processing personal data of individuals in India, regardless of size. Additional obligations apply only to entities designated as Significant Data Fiduciaries.

How is the DPDP Act different from GDPR?

The DPDP Act is shorter and more principle-based than GDPR, uses a blacklist approach to cross-border data transfer rather than an adequacy-list approach, has no separate "special category" data classification, and creates the Consent Manager role, which has no GDPR equivalent. See our full [DPDP vs GDPR comparison](/blogs/dpdp-act-vs-gdpr) for details.

Compliance Score

Where does your website stand against the DPDP Act?

Run a free Compliance Score: privacy policy, cookie consent, and retention posture, checked in 60 seconds. No signup.