What is the DPDP Act? India's data law, explained
12 June 2026 · 7 min read
India's first real data protection law, in plain English. Who it covers, what it asks, and why a two-person startup is on the hook the same as a bank.
The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. Parliament passed it in August 2023. The DPDP Rules, 2025, the operating manual that makes the Act enforceable, were notified on 14 November 2025. The clock is now running.
If you collect a name, an email, or a phone number from anyone in India, this law applies to you. There is no revenue floor. No headcount floor. A two-person Shopify store and a bank carry the same core obligations. Penalties go up to ₹250 crore per breach.
The short version
The Act says this: before you collect personal data from someone, tell them exactly what you are taking and why, get their clear permission for each purpose, protect the data, and let them change their mind as easily as they said yes. Keep proof of all of it.
That last part matters. When the Data Protection Board asks how you got consent for a specific email address, "we had a banner" is not an answer. A timestamped record is.
The vocabulary, decoded
The Act has its own names for everyone involved. Four terms cover most of it.
| Term | Meaning |
|---|---|
| Data Principal | The person the data is about. Your customer, your visitor, your user. |
| Data Fiduciary | Whoever decides why and how data is processed. That is you, the moment you collect a lead. |
| Data Processor | Someone processing data on your behalf. Your CRM, your email tool, your analytics. |
| Data Protection Board | The regulator. It hears complaints, investigates breaches, and writes the fines. |
There is also the Significant Data Fiduciary, a label the Central Government can apply to companies whose processing is large in volume or sensitive in nature. They get extra homework: a data protection officer based in India, an independent data auditor, and periodic data protection impact assessments and audits. Most small teams will not be notified as one. The base obligations still apply to everyone.
What counts as personal data
Any data about an identifiable person, in digital form. Names, emails, phone numbers, addresses, payment details, device identifiers, support tickets with a customer's name in them. The Act does not have a special category for "sensitive" data the way GDPR does. It is one bucket, and almost everything you collect is in it.
Scope check
The Act covers digital personal data processed in India, plus processing abroad if it relates to offering goods or services to people in India. Selling to Indian customers from a Delaware entity does not get you out.
The seven things the law asks of you
- Consent, per purpose. Permission must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action (Section 6(1)). One pre-ticked "I agree to everything" box fails on every count: nobody acted, and nothing was specific. Marketing and analytics need separate yeses.
- Notice, before collection. An itemized notice: what data, what purpose, how to complain. The Data Principal can ask for it in English or any of the 22 languages in the Eighth Schedule.
- Easy withdrawal. Withdrawing consent must be as easy as giving it. One click in, one click out. Section 6(4) says so explicitly.
- Security safeguards. Reasonable measures to prevent a breach. This carries the biggest fine in the Schedule: up to ₹250 crore.
- Breach reporting. Under the 2025 Rules, you tell every affected Data Principal without delay, give the Board an initial intimation without delay, and file the full details with the Board within 72 hours of becoming aware of the breach (the Board can allow longer on a written request).
- Data rights handling. People can ask what you hold, get it corrected, get it erased, and nominate someone to act for them. You need a working channel for each.
- Erasure when done. When consent is withdrawn or the purpose is served, the data goes. Yours and your processors' copies.
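The "keep proof of all of it" point above, and the consent, withdrawal and erasure items in this list, come down to one data structure: a record of every grant and withdrawal, per purpose, with a timestamp and the notice the person saw. The following is an added example, not code from the page or from any product, of such a ledger. Each event is hash-chained to the previous one so that an edited or deleted record is detectable; the purpose names, the notice version label and the sample email address are constructed for illustration, and storage is in memory.

```python
"""Purpose-wise consent ledger with a tamper-evident hash chain.

Added example, not code from the page or from any product. Every consent
event (grant or withdrawal) is stored per purpose with a UTC timestamp and the
version label of the notice the person saw, and each event is chained to the
previous one by SHA-256 so that a later edit or deletion is detectable.
Purpose names, notice version labels and the sample identifiers below are
constructed for illustration. Storage is in memory; a real deployment would
append to durable, write-once storage.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event in the chain


def _digest(event: dict) -> str:
    """Hash every field except the event's own hash, using a canonical encoding."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[dict] = []

    def _append(self, principal: str, purpose: str, granted: bool,
                notice_version: str, ts: datetime | None) -> dict:
        when = ts or datetime.now(timezone.utc)
        event = {
            "principal": principal,            # e.g. the email address collected
            "purpose": purpose,                # one specific purpose per event
            "granted": granted,                # True = consent given, False = withdrawn
            "notice_version": notice_version,  # which itemized notice was shown
            "ts": when.isoformat(),
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = _digest(event)
        self.events.append(event)
        return event

    def grant(self, principal, purpose, notice_version, ts=None) -> dict:
        """Record a clear affirmative action for exactly one purpose."""
        return self._append(principal, purpose, True, notice_version, ts)

    def withdraw(self, principal, purpose, ts=None) -> dict:
        """Withdrawal is the same single call as a grant: no extra hoops (Section 6(4))."""
        grants = [e for e in self.evidence(principal, purpose) if e["granted"]]
        if not grants:
            raise ValueError(f"no consent on record for {principal!r} / {purpose!r}")
        return self._append(principal, purpose, False, grants[-1]["notice_version"], ts)

    def evidence(self, principal, purpose) -> list[dict]:
        """Chronological answer to 'how did you get consent for this address?'"""
        return [e for e in self.events
                if e["principal"] == principal and e["purpose"] == purpose]

    def active_purposes(self, principal) -> set[str]:
        """Purposes whose most recent event is a grant; process only for these."""
        latest: dict[str, bool] = {}
        for e in self.events:
            if e["principal"] == principal:
                latest[e["purpose"]] = e["granted"]
        return {p for p, g in latest.items() if g}

    def erasure_due(self, principal) -> bool:
        """True once the person has records but no live purpose: erase, and tell processors."""
        has_records = any(e["principal"] == principal for e in self.events)
        return has_records and not self.active_purposes(principal)

    def verify(self) -> bool:
        """Recompute every hash and link; an edited or dropped event breaks the chain."""
        prev = GENESIS
        for e in self.events:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample: separate yeses for fulfilment and marketing, then one 'no'."""
    t0 = datetime(2026, 6, 12, 9, 0, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.grant("alice@example.com", "order_fulfilment", "notice-v1", t0)
    led.grant("alice@example.com", "marketing", "notice-v1", t0)
    led.withdraw("alice@example.com", "marketing", t0.replace(hour=10))
    return led


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain intact:", ledger.verify())
    print("live purposes:", ledger.active_purposes("alice@example.com"))
    for ev in ledger.evidence("alice@example.com", "marketing"):
        print(ev["ts"], "granted" if ev["granted"] else "withdrawn", ev["notice_version"])
```

The design choice worth noting is that withdrawal is never modelled as deleting the grant. The grant stays, a later withdrawal event supersedes it, and the chain proves neither was altered afterwards. That is what lets you answer the Board with a record rather than "we had a banner", and it is why `erasure_due` is derived from the ledger instead of being a flag someone sets by hand.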
What happens if you ignore it
The Schedule to the Act lists the fines. Security failures top out at ₹250 crore. Missing a breach notification: ₹200 crore. Mishandling children's data: ₹200 crore. Failing the extra Significant Data Fiduciary obligations: ₹150 crore. Everything else: up to ₹50 crore per breach, and each instance is penalised separately, so the Board can stack them. The full breakdown is in our guide to DPDP penalties.
When it kicks in
The Rules set a phased schedule. The Data Protection Board provisions took effect on 14 November 2025. Consent Manager registration opens on 14 November 2026. The obligations that touch your website (consent, notice, and data rights) become enforceable on 13 May 2027. That sounds far away. It is one product cycle. The dates are mapped in our DPDP compliance timeline.
What to do this week
You do not need a war room. You need an inventory of what you collect, a consent banner that records purpose-wise permission, a privacy notice that matches reality, and a place to receive data rights requests. Our DPDP compliance checklist walks through each item. Most small sites can close the list in a day.
Not legal advice
This is a plain-language guide, not legal advice. If you handle health or financial data at scale, or move data across borders, talk to counsel.
Frequently asked questions
What does DPDP stand for?
Digital Personal Data Protection. The full name is the Digital Personal Data Protection Act, 2023, usually shortened to DPDP Act or DPDPA.
What does DPDPA compliance mean?
It means meeting the Act's obligations: purpose-wise consent before collecting personal data, an itemized privacy notice available in Indian languages, easy consent withdrawal, security safeguards, breach reporting, and working channels for access, correction, and erasure requests, with records to prove all of it.
Is the DPDP Act in force in 2026?
Partly. The Act became law in August 2023 and the DPDP Rules were notified on 14 November 2025. Board and administrative provisions are live now. Consent, notice, and data rights obligations become enforceable on 13 May 2027.
Does the DPDP Act apply to small businesses?
Yes. There is no general small-business exemption. The Central Government can, by notification, exempt named classes of Data Fiduciaries such as startups from some provisions (Section 17(3)), but that requires a notification, and the consent obligations still apply.
Is DPDP the same as GDPR?
No, though they overlap. Both laws cover personal data broadly, but DPDP has no separate sensitive-data category, offers no legitimate-interest basis for marketing, and requires that notices be available in English or any of the 22 Eighth Schedule languages. A GDPR-style cookie banner deals with cookies only and records nothing about the rest of what you collect, so on its own it does not make you DPDP compliant.
See where you stand in 60 seconds
Run the free Skope compliance checker on your site. It flags what the DPDP Act expects and what you are missing. No signup, no sales call.
Scan my website