India Digital Personal Data Protection Act (DPDPA 2025): Updated Guide

By Safna January 8, 2026

The Digital Personal Data Protection Act of 2023, commonly referred to as the DPDP Act, is India’s data privacy law. It balances the rights of individuals against the need for data processing. Ever since the landmark Puttaswamy judgment recognised the right to privacy as a fundamental right, digital privacy has been a prominent topic in the country. The DPDPA took effect partially on 13 November 2025 and will be fully in effect by 13 May 2027.

On 13 November 2025, the Ministry of Electronics and Information Technology officially notified the DPDP rules and established the Data Protection Board of India.

Effective date: 13 November 2025

Official texts: India DPDPA 2023 & DPDPA rules 2025

What is the India Digital Personal Data Protection Act (DPDP Act)?

India’s Digital Personal Data Protection Act was passed in early August of 2023. The law outlines the rights of data principals, obligations of data fiduciaries, and penalties for data breaches. It also introduces a special category called significant data fiduciaries.

Unlike the GDPR and the US state privacy laws, India’s DPDP Act does not expressly define sensitive data. The DPDPA mandates verifiable consent for children and persons with disabilities.

The law will take effect in three phases:

  • 13 November 2025: Establishment of the Data Protection Board and administrative provisions.
  • 13 November 2026: Registration of consent managers opens.
  • 13 May 2027: All other provisions, including the consent, privacy notice, and security requirements, become effective.

The Data Protection Board of India (DPB) is the enforcement authority under the DPDP Act. The act also designates the Telecom Disputes Settlement and Appellate Tribunal as the appellate authority.

Who are the important parties to the India DPDP Act?

The following are the key parties under the DPDP Act:

Data principal (data subject)

A data principal is a person to whom the personal data relates. For children, their parents or legal guardians are the data principals, and for persons with disability, it is the legal guardian.

Data fiduciary (data controller)

A data fiduciary is a person who controls the purpose and means of handling personal data. It can be a small business, a startup, or even a bank.

Data processor

A data processor is a person who handles/processes data for the data fiduciary.

Significant data fiduciary (SDF)

The Central Government may designate a data fiduciary as an SDF based on several factors, such as the volume and sensitivity of the data processed, or the risk to national security and electoral democracy.

An SDF has a few additional obligations, such as appointing a Data Protection Officer (DPO) and an independent data auditor, and conducting periodic data protection impact assessments and audits.

To whom does India DPDPA apply?

The law applies to any person who processes digital personal data, other than for a personal or domestic purpose, if:

  • The processing of personal data takes place within Indian territory
  • The processing takes place outside India in connection with offering goods or services to individuals in India

It applies to personal data collected in digital form, and to data collected in non-digital form and digitised thereafter. Data processed in a household or personal context is excluded.

A person under India’s Digital Personal Data Protection Act is not just an individual or a business. Here is the list of the entities that are included in this category.

  • Any individual
  • Hindu Joint Family
  • Company
  • Firm
  • An association of persons, regardless of whether they are registered or not
  • The state, as defined under Article 12 of the Indian Constitution
  • Other legal persons not specified above

What is personal data under the Indian privacy law?

Any data that can potentially identify an individual is called personal data.

The India DPDPA defines personal data as “any data about an individual who is identifiable by or in relation to such data”.

– Section 2(t) of the DPDP Act.

Public information is not considered personal data. Information published by the data principal herself, or by an authorised government agency, is termed public information. However, data published only to a specified audience does not count as public information.

What are the duties of data fiduciaries under India DPDP Act?

#1 Data minimisation

Collect only the data required for the specific purpose, and delete it when it is no longer necessary or when the data principal withdraws consent. Furthermore, take steps to ensure that the data processor deletes the personal data as well.

#2 Purpose limitation

Data fiduciaries should limit the use of personal data to the specific purpose for which the user consented. They can, however, process the personal data without express consent if the data principal voluntarily gave the personal data and did not indicate non-consent to its processing.

Additionally, the law allows data fiduciaries to use personal data for various purposes, including:

  • Complying with the law and court orders
  • Processing by the state or its agencies to provide benefits, subsidies, certificates, licences, or permits, with prior consent or if the data is already in the state’s database
  • Performing governmental functions, or protecting the sovereignty, integrity, and security of India
  • Maintaining public order, and responding to medical emergencies and providing treatment
  • Taking measures during epidemics, and safeguarding employers from losses

#3 Privacy notice

Privacy notices and consent requests should be provided in English or any language included in the Eighth Schedule of the Indian Constitution. They must be clear, accessible, specific, and easy to understand.

Under the DPDP Act, data fiduciaries must provide a privacy notice along with the request for consent. The notice and the request should include details of the:

  • Categories of personal data collected
  • Specific purposes for which personal data is collected
  • Process for exercising data principal rights
  • Procedure for withdrawing consent
  • Procedure for filing complaints with the Data Protection Board of India

Businesses must also display their contact information in an accessible manner, so that data principals can ask questions about data processing.

#4 Consent

Under Indian privacy law, personal data may be processed on two legal bases: for a lawful purpose with the data principal’s consent, or for a legitimate use.

Legitimate uses specified under the law are:

  • A specific purpose for which the data principal voluntarily provided her data, unless she has indicated that she does not consent
  • Provision of government services (subject to limitations)
  • Statutory functions of the state
  • Medical emergencies

Individuals can withdraw their consent at any time. Make the process of withdrawing consent easy and convenient.

Obtain verifiable consent from the parents or legal guardians of children, and from the legal guardians of persons with disabilities. A child is an individual under the age of 18 years. The consent requirements are discussed in more detail in a later section.

#5 Accuracy of data affecting individuals

The data fiduciary should ensure the accuracy, completeness, and consistency of the personal data it processes if that data is:

  • Likely to be used to make a decision affecting the data principal
  • Going to be shared with another data fiduciary

#6 Implement security measures

Organisations must implement the necessary technical and organisational security measures to prevent personal data breaches.

Some of the reasonable security measures under the DPDP Rules, 2025 include:

  • Encryption, obfuscation, masking, or the use of virtual tokens mapped to specific personal data
  • Access controls and access logs, with regular reviews of both
  • Data backups to ensure continuity of processing, even in scenarios such as loss of data or loss of access
  • Retention of data for at least one year to support breach detection and investigation and to prevent recurrence
  • Contractual provisions between data fiduciaries and processors to safeguard personal data

#7 Redressal mechanisms

Data fiduciaries must implement effective and convenient redressal mechanisms. Describe the procedures for exercising data principal rights in the privacy notice, and appoint a person to oversee grievances.

Always respond to data principal requests within a reasonable time. Publish the details of the Data Protection Officer, or of anyone else authorised to answer requests or concerns on the data fiduciary’s behalf.

#8 Prohibitions concerning children

The Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children without the Central Government’s permission.

The law also imposes a duty on data fiduciaries not to process children’s data in a way that is likely to cause any detrimental effect on a child’s well-being.

#9 Report of breaches

Data fiduciaries must promptly report every personal data breach to the Data Protection Board as well as to each affected data principal.

#10 Other obligations

  • If the Government of India has issued a notification restricting data transfer to any country, businesses must abide by it
  • Have a contractual relationship with your data processors and ensure their compliance with the DPDPA
  • Respond to data principal requests within a reasonable time

Consent managers under DPDP Act

A consent manager under the DPDP Act is a registered entity that acts as an intermediary between data principals and data fiduciaries, allowing data principals to give, manage, review, and withdraw consent.

It must be registered with the Board and is accountable to the data principals.

What are the rights of data principals under India DPDP Act?

Chapter III of the DPDP Act enumerates the rights of the data principals.

Right to access

A data principal can obtain a summary of the personal data processed, the processing activities of the data fiduciary, and other information on data processing. They can also request the identities of all data fiduciaries and data processors with whom their personal data has been shared.

Right to correction

A data principal can request that a data fiduciary do the following with the personal data it has collected about them:

  • Correct any inaccuracies
  • Update their personal data
  • Complete their personal data

A data fiduciary who gets such a request must fulfil the request within a reasonable time.

Right to erasure

A data principal can also request the deletion of their personal data. However, a business or data fiduciary may retain the data if it is necessary for the specified purpose or for legal compliance.

Right to grievance redressal

Data fiduciaries must provide individuals with an accessible grievance redressal mechanism to resolve issues related to the data fiduciary’s obligations or the exercise of data principal rights. An individual can approach the Data Protection Board only if their grievance remains unresolved through this mechanism.

Right to nominate

A data principal can nominate an individual to exercise their rights under the Act in the event of their death or incapacity (unsoundness of mind or infirmity of body).

Right to revoke consent

A data principal can withdraw consent at any time. However, the data principal bears any consequences arising from such withdrawal. On withdrawal of consent, the data fiduciary must stop processing the personal data of the data principal, and must also cause its data processors to stop.

Definition of consent

The definition of consent is broad and closely resembles the GDPR’s definition, with the addition of the word “unconditional”.

For consent to be valid, the following conditions should be satisfied:

  • Consent should be free, specific, informed, and unconditional.
  • There should be a clear affirmative action indicating consent.
  • The data principal agrees to the processing of personal data for the specified purposes.

Consent obligations

The Digital Personal Data Protection Act requires consent from users for processing their personal data, except for certain legitimate uses.

The consent request must be accompanied by a privacy notice that contains the:

  • categories of personal data processed and the purpose of processing
  • grievance redressal mechanism, and
  • method for exercising the rights of data principals.

If a user directly provides personal data and does not indicate that they do not consent, separate consent is not required.

For consent obtained before the Act came into force, notify the data principal of the data collected, its purpose, their rights under the Act, and the available grievance redressal mechanisms. Organisations can continue to process the personal data until the consent is withdrawn.

For children’s data, parents or guardians must give verifiable consent. The DPDP rules clarify that this verification can be done using information already held by the data fiduciary, details provided by the parent or guardian, or a virtual token issued by an authorised entity or verified by a Digital Locker service provider.


What is a personal data breach under Indian privacy law?

The DPDP Act defines a personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”.

All breaches need to be reported, whether or not any damage was caused. Notify the affected data principals and the Data Protection Board of the breach within 72 hours.

The breach notification must contain details such as the nature and extent of the breach, the time and location of its occurrence, its likely consequences, the mitigating measures taken, and similar information.

What is the penalty for violating India Digital Personal Data Protection Act?

The Indian privacy law determines the penalty based on various factors, such as the gravity and duration of the breach, the category of personal data affected, whether the violation is repetitive, and the impact of the monetary penalty on the violator. Penalties can reach INR 250 crore (~ $30 million).

Unlike many other data privacy laws worldwide, India’s privacy law does not provide a cure period. However, violators will be given an opportunity to be heard, in keeping with the principles of natural justice.

Nature of violation/breach and the corresponding penalty:

  • Failure to implement security safeguards: up to INR 250 crore (~ $30.213 million)
  • Failure to notify a breach to the Board: up to INR 200 crore (~ $24.17 million)
  • Non-compliance with the special provisions regarding children: up to INR 200 crore (~ $24.17 million)
  • Non-compliance with the obligations of an SDF: up to INR 150 crore (~ $18.127 million)
  • Non-compliance with obligations by data principals: up to INR 10,000 (~ $120)
  • Violation of a voluntary undertaking, if any: up to the extent applicable to that breach
  • Violation of any other provision: up to INR 50 crore (~ $6 million)

Checklist for DPDP Act compliance

  • Obtain valid consent before processing personal data
  • Provide a clear privacy notice along with the request for consent
  • Limit the collection of data to what is required for the specific purpose of processing
  • Implement security safeguards
  • Respond to data principals’ requests within a reasonable time
  • Avoid behavioural monitoring, targeted advertising, and tracking of children
  • Keep personal data complete, accurate, and consistent
  • Conduct audits and impact assessments if you are categorised as a Significant Data Fiduciary
  • Have a contractual relationship with your data processors
  • Inform the DPB of any breach, regardless of its severity

India DPDP Act vs EU GDPR [Infographic]

FAQ on DPDP Act

Does India have a data privacy law?

Yes. The Digital Personal Data Protection Act, 2023 is India’s data privacy law. It aims to balance the rights of users against the need for the processing of personal data.

What is the new DPDPA Act?

The India Digital Personal Data Protection Act was passed in early August 2023. It regulates the processing of personal data in the country. The law will become fully effective by 2027.

Should I report all breaches under India’s DPDP Act?

Yes. You must report all personal data breaches to the Data Protection Board, irrespective of their gravity or the damage caused.

What is the penalty under the DPDP Act?

DPDPA penalties can extend up to Rs 250 crore and depend upon several factors, such as the gravity of the violation and whether it is repetitive.

What are the DPDP rules 2025?

In 2025, the Indian Government published the DPDP rules, clarifying the operational provisions of the Digital Personal Data Protection Act. The rules outline how organisations must collect, use, store, and protect personal data, including the processes for consent, data breach reporting, data principal rights, and compliance obligations for businesses.

Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.
