The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law, and it is now in force on a phased schedule. It governs how organizations process the digital personal data of people in India. The law is built on notice and consent. The Data Protection Board of India enforces it, with penalties reaching up to INR 250 crore.
The Act reaches any business worldwide whose visitors include people in India. This guide covers what it requires, when each obligation starts through the 2027 rollout, and what it means for the cookie banner on your site.
What Is India's DPDP Act?
The DPDP Act, or DPDPA, is a 2023 Indian law that gives people in India rights over their digital personal data. It also imposes duties on the businesses that process it. It is India's first comprehensive data protection law, replacing the older rules under the Information Technology Act, 2000.
Parliament passed the Act in August 2023: the Lok Sabha on 7 August, the Rajya Sabha on 9 August. Presidential assent followed on 11 August 2023.
It stayed largely dormant for two years while the government drafted its operating rules. The Ministry of Electronics and Information Technology notified the final DPDP Rules 2025 on 13 November 2025. Those Rules now govern how the Act's provisions come into force.
The Act sits inside a broader shift toward comprehensive privacy legislation worldwide. It joins the growing map of global data privacy laws that already spans the EU and the US.
When Does the DPDP Act Take Effect? (Rules and Timeline)
The DPDP Act is enacted and now in force on a phased schedule. MeitY notified the final DPDP Rules 2025 on 13 November 2025, after releasing draft Rules on 3 January 2025 for consultation.
The notified Rules stagger the Act's provisions across three effective dates. The list below groups them by the Rules that switch on at each stage.
- August 2023: Parliament passes the Act, and it receives presidential assent on 11 August.
- 3 January 2025: MeitY releases the draft DPDP Rules for public consultation.
- 13 November 2025 (immediate): The final Rules are notified. Rules 1, 2, and 17 to 21 take effect at once, covering the Act's application, the defined terms, and the Data Protection Board's establishment, powers, investigations, adjudications, and appeals to the Appellate Tribunal.
- 13 November 2026: Rule 4 takes effect, covering Consent Manager registration and obligations.
- 13 May 2027 (the main compliance deadline): Rules 3, 5 to 16, 22, and 23 take effect together. They cover notice, consent, reasonable security safeguards, breach intimation and data retention, Data Protection Officer contact details, verifiable consent for children and persons with disabilities, Significant Data Fiduciary obligations, data principal rights management, and cross-border transfers.
That schedule gives most businesses a 12 to 18 month runway from the November 2025 notification to the May 2027 deadline. The Rules are final, not draft or proposed.
Who Does the DPDP Act Apply To?
The Act applies to "Data Fiduciaries," meaning any business or organization that decides why and how digital personal data is processed. That duty applies whenever the business handles the data of people in India.
Coverage extends to businesses based in India and to foreign businesses offering goods or services to people in India. It only reaches personal data collected or processed in digital form.
Coverage does not depend on company size. Three categories define who is in scope.
- Any business operating in India that processes digital personal data
- Any foreign business offering goods or services to people in India, regardless of where it is based
- Only digital personal data; the Act does not regulate non-personal or non-digital data
Even a 3-person startup is covered the moment it collects a name, email, or phone number from an Indian visitor. The same rule applies to a 300-person company. Purely non-digital records and non-personal data stay outside the Act's scope entirely. That gap is why the current privacy regime for those categories remains the older IT Act rules.
A Significant Data Fiduciary is a category the government designates based on the volume and sensitivity of data processed. It faces added duties on top of the baseline rules. Those include appointing an India-based Data Protection Officer, running independent audits, and completing annual Data Protection Impact Assessments.
Does the DPDP Act Apply to Businesses Outside India?
Yes, the Act is extraterritorial. It reaches any organization, wherever it is based, that processes the digital personal data of people in India. That coverage applies whenever the processing connects to offering those people goods or services.
One narrow exception applies. Under Section 17(1)(d), an Indian entity processing the personal data of individuals located outside India falls outside the Act's core obligations. That exemption applies only when the processing happens under a foreign party's contract.
That carve-out protects outsourcing and IT-services arrangements where the data subjects are never in India. It does not exempt a foreign company that markets to Indian users.
What Are the Key Terms in the DPDP Act? (Data Fiduciary, Data Principal, Consent Manager)
The DPDP Act uses its own vocabulary, and four terms matter most for a website owner.
| Term | What it means |
|---|---|
| Data Fiduciary | Any person who, alone or with others, decides the purpose and means of processing personal data, comparable to a "controller" under other privacy laws |
| Data Principal | The individual the data is about; for a child under 18 or a person with a disability, their parent or lawful guardian acts on their behalf |
| Data Processor | Anyone who processes personal data on behalf of a Data Fiduciary, typically under contract |
| Consent Manager | A person or entity registered with the Data Protection Board that runs a single, interoperable platform for a Data Principal to give, manage, review, and withdraw consent |
A Significant Data Fiduciary is a Data Fiduciary the government designates for extra scrutiny. The designation depends on how much data it processes and how sensitive that data is. It triggers a Data Protection Officer requirement, independent audits, and annual impact assessments that ordinary Data Fiduciaries do not face.
The Consent Manager is unique to the DPDP framework. It must be incorporated in India and meet minimum net worth and governance requirements. It also has to operate independently of the Data Fiduciaries whose consent it manages, avoiding conflicts of interest by design.
How Does the DPDP Act Handle Consent and Notice?
Consent is the DPDP Act's primary legal ground for processing personal data. Under Section 6, consent must be free, specific, informed, unambiguous, and given through a clear affirmative action, before a business processes anyone's data.
Before collecting data, a Data Fiduciary must give a clear, independent notice. That notice has to itemize the personal data being collected, state the specific purpose of processing, and describe the goods or services the processing enables.
It must also use plain, independent language. It needs a working link to withdraw consent, exercise rights, or complain to the Data Protection Board.
Consent cannot be bundled. It must stay limited to what a specific purpose actually needs, so a single blanket "accept everything" checkbox does not satisfy Section 6. Dark patterns like pre-ticked boxes are prohibited outright.
The Act does allow a narrow set of non-consent grounds under Section 7, called certain legitimate uses. These cover voluntarily provided data with no objection, plus legal obligations. Judicial duties, medical emergencies, public order breakdowns, and employment purposes count too.
Unlike other major privacy laws, the DPDP Act has no general "legitimate interests" or "contractual necessity" basis. Consent stays the default for nearly everything else.
Notices and terms should also be made available in all 22 languages listed in the Eighth Schedule of the Indian Constitution, reflecting India's linguistic diversity.
What Rights Does the DPDP Act Give People?
Under the DPDP Act, every Data Principal gets a set of rights they can exercise against any business holding their data.
- Right to access: request a summary of the personal data a Data Fiduciary holds, the purposes it is processed for, and who it has been shared with
- Right to correction and erasure: fix inaccurate or incomplete data, update outdated records, or request deletion once the purpose no longer applies
- Right to grievance redressal: complain first to the Data Fiduciary or its Consent Manager, then escalate an unresolved complaint to the Data Protection Board
- Right of nomination: name someone to exercise these rights on the Data Principal's behalf in the event of death or incapacity
- Right to withdraw consent: revoke consent at any time, with withdrawal made as easy as giving consent was in the first place
Withdrawing consent triggers deletion. Once a Data Principal withdraws consent, the Data Fiduciary must stop processing that data within a reasonable time and cause its processors to stop too. The only exception is when another law requires the data to be retained. Withdrawal does not undo the legality of processing that already happened before the withdrawal.
What Are the Penalties Under the DPDP Act?
The Data Protection Board can impose monetary penalties on a fixed statutory schedule, reaching up to INR 250 crore for the most serious failures. That top tier applies specifically to a Data Fiduciary that fails to take reasonable security safeguards to prevent a personal data breach.
Other violations carry lower ceilings on the same schedule:
- Up to INR 250 crore for failing to take reasonable security safeguards against a data breach
- Up to INR 200 crore for failing to notify the Board or affected individuals of a breach
- Up to INR 200 crore for breaching the Act's additional obligations around children's data
- Up to INR 150 crore for a Significant Data Fiduciary breaching its extra obligations
- Up to INR 50 crore for any other breach of the Act or its Rules
- Up to INR 10,000 for a Data Principal's own breach of their statutory duties
Penalties are cumulative: multiple simultaneous violations can produce multiple penalties on the same entity. Only Data Fiduciaries face penalties under this schedule; the small individual-duty penalty applies to Data Principals, not businesses. Data Fiduciaries must also notify the Board of a breach without delay, then follow up with a detailed report within 72 hours.
Who Enforces the DPDP Act? (The Data Protection Board of India)
The Data Protection Board of India enforces the Act. It is an independent, digital-first adjudicatory body: every complaint, hearing, and piece of evidence is submitted and processed online.
The Board investigates complaints from Data Principals whose rights have been violated. It examines the circumstances of reported data breaches and issues directives ordering remedial or corrective action for systemic non-compliance. It also imposes the penalties described above.
Its Chairperson and members are appointed by the central government through a search-cum-selection process. Any party dissatisfied with a Board ruling can appeal to the Telecom Disputes Settlement and Appellate Tribunal.
What Does the DPDP Act Mean for Cookie Consent on Your Website?
The DPDP Act never uses the word "cookies," but the personal data your cookies and trackers collect falls squarely under it. A covered website needs a real consent mechanism before those cookies load.
The consent and notice rules translate into five concrete actions for a website. Each one maps a Section 6 or Section 7 requirement onto the cookie banner.
- Show a clear cookie notice and banner before any non-essential cookie loads
- Ask for free, specific, informed consent separately for each purpose, never one bundled "accept all" toggle
- Give an equally easy reject option alongside accept, and a clear way to withdraw consent later
- Block tracking and advertising scripts until the visitor actually consents
- Keep records of what each visitor consented to and when
These actions apply the Section 6 consent rules and the Section 7 notice requirements described above to a website's cookie banner. The same discipline applies to what a compliant cookie banner must do under GDPR. Both laws converge on granular, revocable, pre-consent blocking, even though the legal grounds behind them differ.
How Is the DPDP Act Different from GDPR?
The DPDP Act is often called "India's GDPR," but the two differ in several material ways.
| Attribute | DPDP Act | GDPR |
|---|---|---|
| Scope | Digital personal data only | Digital and physical personal data |
| Legal bases | Consent, plus narrow Section 7 legitimate uses | Six bases, including consent, contract, and legitimate interests |
| Sensitive data | No separate tier; all personal data treated uniformly | Special categories get heightened protection |
| Terminology | Data Fiduciary, Data Principal, Data Processor | Controller, Data Subject, Processor |
| Consent infrastructure | Registered Consent Manager, an interoperable third-party platform | No equivalent third-party consent-broker construct |
| Cross-border transfers | Allowed except to government-restricted countries (a blocklist model) | Allowed to countries with an adequacy decision, or under safeguards |
The DPDP Act is narrower in scope but stricter on consent. It drops GDPR's "legitimate interests" and "contractual necessity" bases entirely, leaning almost fully on affirmative consent instead.
One industry estimate puts GDPR readiness at getting a business roughly 60 to 70 percent of the way to DPDP compliance. GDPR compliance still leaves India-specific consent mechanics, Consent Manager integration, and Significant Data Fiduciary obligations unaddressed.
How Consently Helps You Meet the DPDP Act's Cookie Consent Requirements
Consently gives your website the tools the DPDP Act's consent rules call for. A customizable cookie consent banner offers clear accept, reject, and manage options. A preference center lets visitors consent per purpose instead of through one bundled toggle.
Cookie and script auto-blocking holds non-essential trackers until a visitor actually agrees, matching the "block until consent" behavior the Act's notice-and-consent rules point toward. A floating revisit button lets visitors withdraw consent as easily as they gave it, mirroring the Act's own withdrawal standard.
Consent logs you can export give you a record of who consented and when, useful if you ever need to show your consent history. The cookie, privacy, and terms policy generators help you produce the itemized, purpose-specific notice the Act expects. Consently's banners also support 35 languages, a practical fit for the Act's multilingual notice expectation.
Consently is not a Board-registered Consent Manager under the DPDP Act, and using it does not make a site DPDP compliant on its own. Think of it as the operational layer for your consent banner, notice, withdrawal, and records. Legal compliance for your specific business stays your own responsibility, ideally with input from qualified counsel.
Consently's cookie consent banner and auto-blocking are free to try for 14 days, no credit card required. Try Consently free to see the banner and consent log in your own dashboard.
FAQs
What is the DPDP Act in simple terms?
The DPDP Act is India's first comprehensive data protection law. It gives people in India rights over their digital personal data and requires businesses to get clear consent before processing it.
When does the DPDP Act come into effect?
The Act is in force on a phased schedule after the DPDP Rules were notified on 13 November 2025. Consent Manager registration starts 13 November 2026, and the core obligations, including notice, consent, and security safeguards, apply from 13 May 2027.
Who has to comply with the DPDP Act?
Any business handling the digital personal data of people in India must comply, including foreign companies offering goods or services there. Even a 3-person startup is covered once it collects names, emails, or phone numbers from Indian visitors.
Does the DPDP Act apply to cookies?
The Act does not name cookies specifically, but the personal data cookies collect falls within its scope. A covered site needs a consent banner that asks before non-essential cookies load, with a separate choice per purpose.
What are the penalties under the DPDP Act?
The Data Protection Board can levy penalties up to INR 250 crore for the most serious failures, such as skipping reasonable security safeguards. Lower tiers on the same schedule apply to other violations.
Who enforces the DPDP Act?
The Data Protection Board of India, an independent and digital-first regulator, enforces the Act. It investigates breaches, resolves grievances, and its rulings can be appealed to the Telecom Disputes Settlement and Appellate Tribunal.
What is a Consent Manager under the DPDP Act?
A Consent Manager is a person or entity registered with the Board. It runs one interoperable platform for a Data Principal to give, manage, review, and withdraw consent. Registration obligations for Consent Managers take effect 13 November 2026.
Is the DPDP Act the same as GDPR?
No. The DPDP Act is digital-only and leans almost entirely on consent rather than GDPR's six legal bases. It also has no separate sensitive-data tier, and it uses its own terms, Data Fiduciary and Data Principal, in place of controller and data subject.

