Guide to India’s Digital Personal Data Protection Act (DPDP Act) 

By Safna, January 7, 2025

The Digital Personal Data Protection Act of 2023, commonly referred to as the DPDP Act, is India’s data privacy law. It balances recognition of the rights of individuals against the need to process personal data. On January 3, 2025, the Ministry of Electronics and Information Technology also published the DPDP rules detailing the operational framework for compliance.

Ever since the famous Puttaswamy judgment recognised the right to privacy as a fundamental right, digital privacy has been a hot topic in the country. Now that the DPDP Act has received the assent of the President, India is ready to enter its digital privacy era. 

Effective date: Subject to Government notification

Official text: Digital Personal Data Protection Act, 2023

What is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act was passed in early August of 2023. The law outlines the rights of data principals, obligations of data fiduciaries, penalties for data breaches, and introduces a special category called significant data fiduciaries. It also mandates verifiable consent for children and persons with disabilities.

Unlike the GDPR and the US state privacy laws, the DPDPA does not expressly define sensitive data. However, the central government may classify personal data into different categories in the future.

The Data Protection Board (DPB) is the enforcement authority under the DPDP Act. The act also designates the Telecom Disputes Settlement and Appellate Tribunal as the appellate authority.

Who are the important parties to DPDPA?

Data principal

A data principal is a person to whom the personal data relates. For children, their parents or legal guardians are the data principals and for persons with disability, it is the legal guardian. The act does not specifically define a person with a disability. However, it is assumed to be the same as the definition under the People with Disability Act of 1995.

Data fiduciary

A data fiduciary is a person who controls the purpose and means of handling personal data. It can be a small business, a startup, or even a bank.

Data processor

A data processor is a person who handles/processes data for the data fiduciary.

Significant data fiduciary

The Central government may designate a data fiduciary as a significant data fiduciary (SDF) based on several factors, such as the volume and sensitivity of the data processed, or the risk to national security and electoral democracy.

It has a few additional obligations like appointing a Data Protection Officer (DPO) and a data auditor, conducting regular impact assessments and data audits, etc.

Consent managers

A consent manager is a registered entity that acts as an intermediary or a connection between data principals and data fiduciaries allowing the data principals to grant, manage and withdraw consent.

Some of the requirements to register as a consent manager include:

  • Must be a company incorporated in India
  • Have a net worth of 2 crore rupees
  • Capable of fulfilling its obligations as a consent manager
  • Must have adequate business potential and sound financial health
  • Reputed directors, senior management and key managerial personnel
  • Implemented adequate security measures

To whom does the Digital Personal Data Protection Act apply?

The law applies to any person who processes digital personal data, other than for a personal or domestic purpose, if:

  • The processing of personal data takes place within Indian territory
  • The processing takes place outside India but is connected with offering goods or services to individuals in India

The law applies to personal data collected in digital form, and to data collected in non-digital form and digitised thereafter. It does not apply to data processed in a household or personal context.

A person under the Digital Personal Data Protection Act is not just an individual or a business. Here is the list of the entities that are included in this category.

  • Any individual
  • Hindu Joint Family
  • Company
  • Firm
  • An association of persons regardless of whether they are registered or not
  • The state as defined under Article 12 of the Indian constitution
  • Other legal persons not specified above

What is personal data under the DPDP Act?

Any data that can potentially identify an individual is personal data. Public information does not come under the category of personal data.

The act defines personal data as "any data about an individual who is identifiable by or in relation to such data" (Section 2, sub-clause (t)).

Information published by the data principal herself or authorised government agencies is termed public information. However, it is not personal data if it was published to a specified audience.

What are the duties of data fiduciaries under the DPDP Act?

Data minimisation

Only collect the necessary data required for the specific purpose and delete when no longer necessary or if the data principal withdraws consent. Furthermore, take steps to get the personal data deleted by the processor as well.

The DPDP rules also specify the time frames after which each class of data fiduciary must delete the data if it is no longer needed for the specified purpose. For example, an e-commerce entity with more than 2 crore users is required to delete the data within 3 years from the date the user last approached it.

Purpose limitation

Data fiduciaries should limit the use of personal data to the specific purpose to which the user consented. They can, however, process the personal data without express consent if the data principal voluntarily gave the personal data and did not indicate non-consent to its processing.

Additionally, the law allows data fiduciaries to use personal data for various purposes including:

  • Complying with the law and court orders
  • Processing by the state or its agencies to provide benefits, subsidies, certificates, licenses, or permits with prior consent or if the data is already in the database
  • Performance of governmental functions or to protect the sovereignty, integrity, and security of India
  • Maintaining public order, medical emergencies, and treatments
  • Taking measures for epidemics, and safeguarding employers from losses

Privacy notice

Privacy notices/privacy policy and requests for consent must be accessible in English as well as in all languages provided in the 8th schedule of the Indian Constitution. They should be given in a clear and accessible manner. The privacy notice should be specific and easy to understand.

Under the DPDP Act, data fiduciaries must provide a privacy notice along with the request for consent. The notice and the request should include details regarding the:

  • Categories of personal data collected
  • Specific purposes for which personal data is collected
  • The process of exercising consumer rights
  • The procedure to revoke consent
  • The procedure to file complaints with the Data Protection Board

Businesses must also display their contact information in an accessible manner enabling data principals to ask questions regarding data processing.

Consent 

Data fiduciaries cannot process personal data without the consent of the data principal unless it is for legitimate use or is exempted by the act. Data principals can withdraw their consent at any time. Make the process of revocation of consent easy and convenient.

Obtain verifiable consent from the parents or legal guardians of children, or from the legal guardians of persons with disability. A child is an individual under the age of 18 years. The consent requirements are discussed in more detail in a later section.

Data affecting data principals

The data fiduciary should ensure the accuracy, completeness, and consistency of any personal data it processes that is:

  • Likely to be used to make a decision affecting the data principal
  • Going to be shared with another data fiduciary

Implement security measures

Data fiduciaries must implement necessary safety measures at technical and organisational levels to prevent any data breaches.

Some of the reasonable security measures under the DPDP Rules, 2025 include:

  • Implement measures like encryption, obfuscation, masking, or the use of virtual tokens mapped to specific personal data
  • Maintain access controls and access logs
  • Review and monitor the access logs regularly to detect any unauthorised activity
  • Implement reasonable measures like data backups to ensure the continuity of processing even in scenarios like loss of data or loss of access
  • Retain logs and related data for at least one year to support breach detection and investigation and to prevent recurrence
  • Include provisions in contracts between data fiduciaries and processors to safeguard personal data

Redressal mechanisms

Data fiduciaries must implement effective and convenient redressal mechanisms. Provide the procedures for exercising consumer rights in the privacy notice and appoint a person to oversee grievances.

Always respond to consumer requests within a reasonable time. Publish details of the Data Protection Officer or anyone else authorised to answer requests or concerns on the data fiduciary’s behalf.

Prohibitions concerning children

The Act prohibits tracking, behavioural monitoring, and targeted advertising directed at children without the central government’s permission.

The law imposes a duty upon the data fiduciaries to not process children’s data if it is likely to cause any detrimental effects.

Report of breaches

Data fiduciaries must report all data breaches to the Data Protection Board as well as to the affected person promptly.

Other obligations

  • If the Government of India has issued any notification restricting data transfer to any country, businesses must abide by it
  • Have a contractual relationship with your data processors and ensure their compliance with DPDPA
  • Respond to data principals’ requests within a reasonable time

What are the rights of data principals under the DPDP Act?

Chapter III of the DPDP Act enumerates the rights of the data principals.

Right to access

A data principal can obtain a summary of the personal data processed, the processing activities of the data fiduciary, and other information on the processing. They can also request the details of all data fiduciaries and processors who have access to their personal data.

Right to correction

A data principal can request the data fiduciaries to do the following to their personal data collected by them:

  • Correct any inaccuracies
  • Update their personal data
  • Complete their personal data

A data fiduciary who gets such a request must fulfil the request within a reasonable time.

Right to erasure

Data principals can also request the deletion of their personal data. However, a business or data fiduciary may retain the data if necessary for a specific purpose or for legal compliance.

Right to grievance redressal

Data fiduciaries must provide individuals with an accessible grievance redressal mechanism to resolve issues related to data fiduciaries’ obligations or enforcement of data principal rights. An individual can approach the Data Protection Board only if their grievance remains unsolved through this mechanism. 

Right to nominate

A data principal can nominate an individual to exercise their rights under this act in the event of their death, unsoundness of mind, or infirmity of body.

Right to revoke consent

A data principal can revoke the consent at any time. However, the data principal should bear any consequences arising from such revocation. The data fiduciaries are bound to stop and also cause the data processors to stop processing the personal data of the data principal in the event of revocation of consent.

Definition of consent

The definition of consent is broad and almost similar to the GDPR’s definition except for the word unconditional.

For consent to be valid, the following conditions should be satisfied:

  • Consent should be free, specific, informed, and unconditional.
  • Consent should be given through a clear affirmative action.
  • The data principal agrees to the processing of personal data for the specified purposes.

Consent obligations

The DPDPA requires data fiduciaries to request consent from the data principals before processing their personal data. However, consent is not required for certain legitimate uses.

The consent request must be accompanied by a privacy notice that contains the categories and purpose of personal data processed, the grievance redressal mechanism, and the method to enforce the rights of data principals.

Data fiduciaries need not get consent if the data principal voluntarily gives any personal data without indicating non-consent. For example, imagine an online platform for recruitment. On the website, there is a form where users can add their resume along with relevant information. If they voluntarily fill out the form, the platform can use it to assist them with the job-hunting process.

If consent was given before the enforcement of the act, give notice to such data principal containing the details of the data collected, the purpose of collection, rights under the act, and the grievance redressal mechanism. Data fiduciaries can process the personal data until the consent is withdrawn.

Businesses must also obtain verifiable consent from parents or guardians before processing children’s personal data. The DPDP rules clarify that this requires verifying the parent’s identity through existing information, details provided by them or using virtual tokens issued by authorised entities or verified by Digital Locker service providers.

The act also obligates the data fiduciaries to recognise consent managers and thereby enable data principals to entrust such registered consent managers to act on their behalf. Consent managers provide a transparent mechanism to give, manage, review, or withdraw consent. It acts as a single point of contact for the data principals to manage their consent.

What is a personal data breach under the DPDP Act?

The DPDP Act defines a personal data breach as "any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data".

All breaches need to be reported whether or not damage was caused. Notify the data principals and the Data Protection Board of the breaches promptly.

The breach notification must contain details such as the nature and extent of the breach, the timing and location of its occurrence, consequences, mitigating measures, etc.

What is the penalty for violating the DPDP Act?

The Indian privacy law determines the penalty based on various factors like the gravity of the breach and its duration, the category of personal data impacted by the breach, its repetitive nature, the impact of monetary penalty on the violator, etc. The penalties can reach a heavy sum of INR 250 crore (~ $30 million).

Unlike many other data privacy laws worldwide, India’s privacy law does not mention a cure period. However, the violators will be allowed to be heard which is a principle of natural justice.

Nature of violation/breach and the corresponding penalty:

  • Failure to implement security safeguards: up to INR 250 crore (~$30.213 million)
  • Failure to notify a breach to the Board: up to INR 200 crore (~$24.17 million)
  • Non-compliance with the special provisions regarding children: up to INR 200 crore (~$24.17 million)
  • Non-compliance with the obligations of an SDF: up to INR 150 crore (~$18.127 million)
  • Non-compliance with obligations by data principals: up to INR 10,000 (~$120)
  • Violation of any voluntary undertaking: up to the extent applicable to that breach
  • Violation of any other provision not mentioned above: up to INR 50 crore (~$6 million)

Steps to Digital Personal Data Protection Act compliance

  • Obtain valid consent before processing personal data
  • Provide a clear privacy notice along with the request for consent
  • Make privacy notices and consent requests accessible in English and 22 other languages in the 8th schedule
  • Limit the collection of data to what is required for the specific purpose of processing
  • Implement security safeguards
  • Obtain verifiable consent to process data of children and people with disability
  • Delete data within a reasonable time if the data principal revokes consent or requests deletion, or when the specific purpose is exhausted
  • Respond to data principals’ requests within a reasonable time
  • Avoid behavioural monitoring, targeted advertising, and tracking of children
  • Keep the personal data complete, accurate, and consistent
  • Conduct audits and impact assessments if you are categorised as a Significant Data Fiduciary
  • Confirm that you do not sell personal data to countries in the negative list as notified by the government
  • Have a contractual relationship with the data processors
  • Inform the DPB in case of any breach, regardless of the level of risk

India DPDP Act vs EU GDPR [Infographic]

FAQ on the Digital Personal Data Protection Act

Should I report all breaches under the DPDP Act?

Yes. You must report all personal data breaches irrespective of their gravity or damage caused to the Data Protection Board.

Does India have a privacy law?

Yes. Digital Personal Data Protection Act, 2023 is the data privacy law of India. The law aims to bring a balance between the rights of the users and the need for the processing of personal data.

What is the penalty under the DPDP Act?

Penalties can extend up to Rs 250 crore, depending on several factors such as the gravity of the violation and its repetitive nature.

Has the DPDP Act been passed?

Yes. The DPDP Act was passed in early August 2023. The act will be enforced when the central government issues a notification for the same.

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
