DPDP compliance timeline: every date that matters

12 June 2026 · 6 min read

Three dates run the show: 14 November 2025, 14 November 2026, and 13 May 2027. What switched on at each, and how to pace the work backwards from the last one.

India's data protection regime arrives on a published schedule. The DPDP Rules, 2025 set a phased rollout, and the phase that touches your website ends on 13 May 2027. Here is every date, what switched on, and what it means for a small team.

The timeline at a glance

DPDP Act and Rules, key dates
DateWhat happened or happens
11 Aug 2023DPDP Act, 2023 receives presidential assent. The law exists, but waits for rules.
3 Jan 2025Draft DPDP Rules published for public consultation.
14 Nov 2025Final DPDP Rules notified. Data Protection Board provisions take effect immediately.
14 Nov 2026Consent Manager registration opens, twelve months after notification.
13 May 2027Eighteen-month mark. Consent, notice, data rights, breach reporting, and the rest of the substantive obligations become enforceable.

Phase 1: live since 14 November 2025

The administrative skeleton. The Data Protection Board of India is constituted and operational: chairperson, members, digital-first proceedings. The regulator that will hear complaints and write penalties is no longer hypothetical. It is staffed and waiting for the obligations it enforces to mature.

Phase 2: 14 November 2026, Consent Managers register

Consent Managers are registered intermediaries that let users give, manage, and withdraw consent across many services from one place. Registration opens on 14 November 2026; until then, nobody can lawfully claim to be one. What they are and how they will plug into your stack is covered in our Consent Managers explainer.

For most businesses this phase changes nothing directly. Your own consent collection is your job regardless. But tools you pick now should be ready to integrate with registered Consent Managers when they appear.

Phase 3: 13 May 2027, everything else

The date that matters for your website. From 13 May 2027 the core obligations are enforceable:

  • Purpose-wise consent before processing personal data
  • Itemized notice, available in English and the 22 Eighth Schedule languages
  • Withdrawal as easy as consent
  • Breach notification: affected users without delay, the Board within 72 hours
  • Data rights: access, correction, erasure, nomination, grievance redressal
  • Erasure when consent is withdrawn or the purpose is served

From that morning, every gap on the compliance checklist is a live liability with the penalty schedule behind it. Up to ₹250 crore for safeguard failures, up to ₹50 crore for the everyday breaches like consent taken wrong.

Why "May 2027" actually means "this quarter"

Three reasons the comfortable reading of the deadline is wrong.

  1. Records only count from the day they start. Consent collected in 2026 with proper receipts is evidence. A banner that went live the week before the deadline protects nothing that happened earlier.
  2. Enterprise customers will not wait for the Board. DPDP questionnaires are already standard in procurement. Your compliance date is whenever your next big customer asks, not May 2027.
  3. Refreshing old consent is slow. Data collected before the Act still needs valid notice, and re-permissioning a list takes months of sends and decays your reachable base. Earlier start, smaller loss.

A sane schedule for a small team

Working backwards from 13 May 2027
WhenWhat to finish
This monthData inventory, purpose mapping, processor list. A few hours of honest work.
This quarterBanner live, notice published, trackers autoblocked, records accumulating. About 30 minutes with a consent kit.
Q4 2026Data rights channel tested end to end. Breach playbook drilled once. Watch Consent Manager registrations open.
Q1 2027Refresh consent for legacy lists. Counsel review if you handle anything sensitive.
13 May 2027Nothing. It is already handled.

Not legal advice

Dates reflect the DPDP Rules, 2025 as notified on 14 November 2025. The government can amend timelines by notification; we keep this page updated when it does.

Frequently asked questions

What is the deadline for DPDP compliance?

13 May 2027. The DPDP Rules, 2025 gave an eighteen-month runway from their notification on 14 November 2025 for the substantive obligations: consent, notice, data rights, and breach reporting.

Is the DPDP Act already in force in 2026?

Partly. The Data Protection Board provisions have been live since 14 November 2025. The obligations that affect websites and apps become enforceable on 13 May 2027, and Consent Manager registration opens on 14 November 2026.

When were the DPDP Rules notified?

14 November 2025. Draft rules were published for consultation on 3 January 2025, and the final rules followed ten months later with the phased implementation schedule.

Should I wait until 2027 to get compliant?

No. Consent records only protect you from the day they begin, enterprise customers already ask for DPDP compliance in procurement, and refreshing consent on old lists takes months. Waiting saves nothing and costs evidence.

Beat the deadline by a year, not a weekend

Skope puts the banner, notice, autoblock, and consent ledger live in about 30 minutes. Sign up by 12 July 2026 and Growth is free for six months.

Start free

Keep reading

Penalties

DPDP Act penalties: every fine in the Schedule, explained

₹250 crore is the headline, but the Schedule has seven rows and the Board can stack them. What each fine attaches to, and what actually protects you.

12 Jun 2026 · 7 min read

Checklist

The DPDP compliance checklist for small teams (2026)

Twelve items between you and DPDP compliance. Work through them in order, tick them off, keep the proof. Print the page or save it as a PDF for your team.

12 Jun 2026 · 8 min read

Explainer

Consent Managers under the DPDP Rules, explained

India invented a new species of intermediary: one dashboard where a person manages consent across every service they use. Registration opens 14 November 2026. Here is how it will work.

12 Jun 2026 · 6 min read