Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
India भारत गणराज्य / Republic of India

WEB ANALYTICS · COOKIE COMPLIANCE · SOUTHERN ASIA · IN

India — analytics & cookie compliance reference

What you can run on an India-targeted website without a fine — DPDPA 2023, the new Data Protection Board, child-consent at 18, and the vendor stack behind them. Federal-only regulator · among the strictest child-data regimes globally.

Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting India. Notice/consent layer must consider English plus Hindi (and the 22 Eighth-Schedule scheduled languages for Significant Data Fiduciaries). Sectoral overlay (RBI, SEBI, IRDAI, CERT-In) is touched only where it intersects with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

DPDPA 2023 · Stricter
Digital Personal Data Protection Act, 2023
India's first horizontal data-protection statute. Standalone — no upstream EU-style framework. Applies to digital personal data processed (a) in India or (b) outside India in connection with offering goods/services to data principals in India. Notice + consent + data-fiduciary obligations + Significant Data Fiduciary (SDF) regime + cross-border transfer rules + Data Protection Board enforcement.
  • § 4–6 Lawful processing — consent or specified 'legitimate use' (employment, public interest, medical emergency, court order)
  • § 5 Notice in English plus any Eighth-Schedule language the data principal selects; § 5(7) — foreign data fiduciaries must designate an Indian representative
  • § 9 Children — verifiable parental consent for anyone under 18; ban on tracking, behavioural monitoring, and targeted advertising directed at children
  • § 10 Significant Data Fiduciary — Central Government designates by notification; mandatory DPO + independent audit + DPIA
  • § 16 Cross-border transfers — Central Government may notify a 'negative list' of restricted countries (blacklist model, not whitelist)
  • § 33 Penalties up to ₹250 crore (~€27.5M) per breach instance — imposed by the Data Protection Board
Act No. 22 of 2023, assented 11 August 2023, published in The Gazette of India Extraordinary Part II Section 1. Operational provisions phased through Draft DPDP Rules 2025 (MeitY public consultation Jan 2025).
SPDI Rules 2011 (superseded)
IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Pre-DPDPA SPDI regime: written consent for sensitive personal data (passwords, financial info, health, biometrics, sexual orientation), grievance officer, ISO 27001 as a 'reasonable security practice' safe harbour. Most pre-2024 enforcement (BigBasket, Domino's, MobiKwik, Juspay) sits under this framework.
  • Rule 3 Definition of Sensitive Personal Data or Information (SPDI)
  • Rule 5 Written consent for SPDI collection + privacy-policy disclosure
  • Rule 8 ISO 27001 as a reasonable-security-practices safe harbour
Notified 11 April 2011 under § 43A of the IT Act 2000. Subsumed by DPDPA 2023 — operative residue limited until DPDPA rules are fully notified.
IT Act § 43A + § 72A
Information Technology Act, 2000 — residual data-protection sections
Civil liability for negligent handling of sensitive data (§ 43A, no upper cap on compensation) plus criminal liability for breach-of-contract disclosure (§ 72A — up to 3 years' imprisonment + ₹5 lakh fine). CERT-In Directions 28 April 2022 (six-hour incident reporting + 180-day log retention) sit alongside.
  • § 43A Civil compensation for failure of reasonable security practices in handling SPDI
  • § 72A Criminal liability for unlawful disclosure of personal information obtained under contract
  • CERT-In 2022 Six-hour cyber-incident reporting + 180-day system-log retention for service providers
Act No. 21 of 2000, § 43A inserted by IT (Amendment) Act 2008. § 72A criminalises disclosure of information in breach of contract.
Telecom Act 2023 + TCCCPR
Telecommunications Act 2023 + TRAI Telecom Commercial Communications Customer Preference Regulations 2018
Direct marketing — SMS/voice opt-in via DLT-registered headers + DND registry compliance. Email marketing implicitly governed by DPDPA consent + IT Act spam provisions. Double-opt-in is the regulatory expectation for SMS and increasingly for email.
  • Telecom Act § 28 Unsolicited commercial communication — civil penalty up to ₹2 lakh per instance
  • TCCCPR 2018 DLT-header registration + content-template approval for SMS/voice; entity-level penalties
  • DND Registry Mandatory pre-send check against TRAI Do Not Disturb list
Telecommunications Act 2023 (Act No. 44 of 2023, assented 24 December 2023). TRAI TCCCPR 2018 + DLT (Distributed Ledger Technology) registration regime + DND (Do Not Disturb) registry.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
DPB · Data Protection Board of India
Sole DPDPA enforcement body — established under Chapter V of DPDPA 2023. Fully constituted January 2025 with Chairperson + members notified by Central Government. Adjudicates complaints, imposes penalties up to ₹250 crore per breach, issues compliance directions.

Coordination body

MeitY-DPB-CERT-In · Ministry of Electronics and Information Technology — Data Protection Board — CERT-In division of responsibilities
India operates a deliberately separated rule-making vs. enforcement architecture. MeitY (Ministry of Electronics and Information Technology) issues rules, notifications, and SDF designations under DPDPA. The DPB is a quasi-judicial enforcement body — it cannot make rules, only adjudicate. CERT-In runs in parallel under § 70B of the IT Act for cyber-incident reporting (six-hour rule, 180-day log retention). RBI/SEBI/IRDAI sectoral regulators retain financial-data primacy.
  • 2023-08-11 · DPDPA assent — President assents to Digital Personal Data Protection Act 2023 — India's first horizontal data-protection statute, replacing the proposed PDP Bill 2019 / DPDP Bill 2022 lineage.
  • 2025-01-03 · Draft DPDP Rules 2025 — MeitY publishes Draft Digital Personal Data Protection Rules 2025 for public consultation (closed 18 February 2025). Covers notice format, consent-manager registration, SDF designation criteria, child-consent verification, and the cross-border 'negative list' mechanism.
  • 2025-01-XX · DPB constitution — Data Protection Board of India fully constituted January 2025 — Chairperson and members notified. First operational year — enforcement ramping up; no DPDPA-era fines published as of May 2026.

Notable enforcement

India is in a transitional enforcement window. The Data Protection Board was only fully constituted in January 2025 and Draft DPDP Rules 2025 closed consultation in February 2025 — as of May 2026, no DPDPA-era fines have been published. All headline pre-2024 cases (BigBasket, Domino's, MobiKwik, Juspay, multiple Aadhaar leaks) are pre-DPDPA SPDI-era enforcement, typically pursued by CERT-In (incident reporting), RBI (financial-data overlay for fintech), or via § 43A civil claims rather than a unified data-protection regulator. DPDPA penalties are fixed-cap up to ₹250 crore (~€27.5M) per breach instance — there is no global-revenue-based ceiling like GDPR Art 83. Pre-DPDPA cases below are listed for context; expect the first DPB-issued fines to surface during the 2026-2027 review cycle.

GA4 status

GA4 is usable in India only with explicit consent or a documented 'legitimate use' justification under DPDPA § 4–6 (employment, public-interest, etc. — analytics rarely qualifies). Notice must be available in English plus any Eighth-Schedule language the data principal selects (§ 5). Cross-border transfer to Google's US servers is currently lawful under the § 16 negative-list model (no notified restriction on the US as of May 2026). SDFs face additional review.

DPA · Stance
  • DPB · Operational since Jan 2025 — no DPDPA-era GA4 enforcement issued; consent + multilingual notice baseline expected.
  • MeitY · Draft DPDP Rules 2025 contemplate consent-manager intermediaries — GA4 deployments may need to interoperate.
  • CERT-In · Incident-reporting overlay applies to GA4-related breaches if the controller is an in-scope service provider.
  • RBI / SEBI · Sectoral overlay for fintech/banking — payment-data localisation may force EU/US analytics gating.

Cross-border transfers + Schrems II

India operates a 'negative list' (blacklist) model under DPDPA § 16 — transfers are permitted by default, except to countries the Central Government explicitly notifies as restricted. As of last review (May 2026), no negative-list notification has been issued, so transfers to all jurisdictions remain lawful from a DPDPA standpoint. This is structurally inverse to the EU GDPR adequacy/whitelist approach. Significant Data Fiduciaries (SDFs) face additional transfer-review obligations and may be subject to sector-specific data-localisation rules (RBI 2018 Payment Data Localisation circular, MeitY Draft Health Data Rules).

DPDPA does not provide standardised contractual clauses. Controllers typically rely on contractual assurance + RBI/SEBI sectoral guidance + GDPR-style SCCs where the counterparty is in the EU. CERT-In Directions 2022 require Indian-residency for system logs of in-scope service providers regardless of overall transfer position.

Employee data

Key thresholds

  • Child consent age · 18 years
  • Article 27 representative · Required
  • Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
  • YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  • YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  • YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  • RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  • GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  • GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  • GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  • RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  • RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
  • RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
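The vendor rows above keep returning to one control: nothing analytics- or ad-related may fire before a consent record exists, ad pixels additionally wait for an IAB TCF string, session replay only passes with autocapture and recordings switched off, and under DPDPA § 9 an under-18 data principal gets no tracking at all. The GA4 status section adds the § 5 notice requirement (English plus the scheduled language the data principal selects). The gate below is an added example written for this page, not code from the page or from any CMP or tag vendor. The consent-record shape, the tag catalogue, the `config` flags and the sample TCF data are hypothetical and constructed; the four Consent Mode v2 keys are Google's real ones, and `__tcfapi('addEventListener', 2, cb)` is the real TCF v2 entry point that would supply `tcData` in a browser.

```javascript
// Added example (not from the page or any vendor SDK): consent gate for an
// India-targeted site. Runs offline in Node; in a browser the record would come
// from the CMP and tcData from __tcfapi('addEventListener', 2, cb).

// The 22 languages of the Eighth Schedule to the Constitution of India.
const EIGHTH_SCHEDULE = [
  'Assamese', 'Bengali', 'Bodo', 'Dogri', 'Gujarati', 'Hindi', 'Kannada',
  'Kashmiri', 'Konkani', 'Maithili', 'Malayalam', 'Manipuri', 'Marathi',
  'Nepali', 'Odia', 'Punjabi', 'Sanskrit', 'Santali', 'Sindhi', 'Tamil',
  'Telugu', 'Urdu',
];

// Hypothetical tag catalogue, one entry per vendor class in the table above.
const TAGS = {
  analytics:     { purpose: 'analytics',   needsTcf: false },
  sessionReplay: { purpose: 'analytics',   needsTcf: false, autocapture: true },
  adPixel:       { purpose: 'advertising', needsTcf: true },
  serverSideTag: { purpose: 'analytics',   needsTcf: false },
};

// DPDPA § 5 notice languages: English always, plus the scheduled language the
// data principal selected when the site ships it. An SDF is treated as shipping
// all 22 (the page's "on request" expectation). Returns the languages to render.
function noticeLanguages(selected, shipped, isSdf) {
  const available = isSdf ? EIGHTH_SCHEDULE : shipped;
  const langs = ['English'];
  if (selected && selected !== 'English' &&
      EIGHTH_SCHEDULE.includes(selected) && available.includes(selected)) {
    langs.push(selected);
  }
  return langs;
}

// Google Consent Mode v2 signals derived from the stored record. Everything
// defaults to 'denied'; a child record denies regardless of what was ticked.
// In a browser: gtag('consent', 'update', consentModeState(record)).
function consentModeState(record) {
  const analytics = Boolean(record && record.analytics === true && !record.isChild);
  const ads = Boolean(record && record.advertising === true && !record.isChild);
  return {
    analytics_storage:  analytics ? 'granted' : 'denied',
    ad_storage:         ads ? 'granted' : 'denied',
    ad_user_data:       ads ? 'granted' : 'denied',
    ad_personalization: ads ? 'granted' : 'denied',
  };
}

// True once the CMP has produced a usable TCF v2 string. 'cmpuishown' means
// the banner is still open, so it does not count.
function tcfReady(tcData) {
  return Boolean(tcData && typeof tcData.tcString === 'string' &&
    tcData.tcString.length > 0 &&
    (tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete'));
}

// Decide which tags may load. config.autocaptureDisabled / recordingsDisabled
// are hypothetical flags mirroring the table's "disable autocapture and
// recordings" caveat for session-replay tools.
function allowedTags(record, tcData, config = {}) {
  if (!record || record.isChild) return [];          // § 9: no tracking of under-18s
  const out = [];
  for (const [name, tag] of Object.entries(TAGS)) {
    if (tag.purpose === 'analytics' && record.analytics !== true) continue;
    if (tag.purpose === 'advertising' && record.advertising !== true) continue;
    if (tag.needsTcf && !tcfReady(tcData)) continue;  // ad pixels wait for the TCF string
    if (tag.autocapture && !(config.autocaptureDisabled && config.recordingsDisabled)) continue;
    out.push(name);
  }
  return out;
}

// Constructed sample inputs (not real consent records or TC strings).
const SAMPLE_TCDATA = { tcString: 'constructed-tc-string', gdprApplies: true, eventStatus: 'useractioncomplete' };
const SAMPLE_FULL_CONSENT = { analytics: true, advertising: true, isChild: false };
const SAMPLE_CHILD = { analytics: true, advertising: true, isChild: true };
```

Note that `serverSideTag` is gated exactly like the browser-side analytics tag: moving the container to an EU server changes where the first hop lands, not whether consent exists, which is the point the server-side rows make.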


Common questions

Is the DPDPA in force in India in 2026?
Partially. DPDPA 2023 was assented on 11 August 2023, but most operational provisions depend on rules notification. The Draft DPDP Rules 2025 closed public consultation on 18 February 2025 and the Data Protection Board was fully constituted in January 2025. As of May 2026 the Act is operational in framework but full enforcement is still ramping up — expect SDF designations and the first DPB fines during the 2026-2027 cycle.
When was the Data Protection Board of India constituted?
January 2025. The DPB is the sole DPDPA enforcement body — Chairperson and members were notified by the Central Government and the Board became operational in Q1 2025. It is a quasi-judicial body: it can adjudicate complaints and impose penalties up to ₹250 crore per breach, but it cannot make rules — that authority sits with MeitY.
What is the child-consent age in India?
18 — the highest globally. DPDPA § 9 requires verifiable parental consent for processing the personal data of anyone under 18. The Act also prohibits tracking, behavioural monitoring, and targeted advertising directed at children. This is significantly stricter than GDPR Art 8 (which sets the age between 13 and 16 depending on member state) and forces material redesign for any India-targeted product with under-18 audiences.
What is a Significant Data Fiduciary (SDF)?
A data fiduciary designated by the Central Government under DPDPA § 10 based on volume of data, sensitivity, sovereignty/state-security risk, electoral-democracy risk, etc. SDFs face additional obligations: appoint an India-based DPO, conduct independent annual audits, run DPIAs, and submit to enhanced cross-border transfer review. The general DPO threshold (employee count) does not apply — only SDFs are required to appoint a DPO under DPDPA. The first SDF list is expected after the Rules are notified.
How do cross-border transfers work under DPDPA?
DPDPA § 16 uses a 'negative list' (blacklist) model: transfers are lawful by default, except to jurisdictions the Central Government explicitly notifies as restricted. This is structurally inverse to the EU GDPR adequacy/whitelist approach. As of May 2026 no negative-list notification has been issued. SDFs may face additional transfer review, and sectoral data-localisation rules (RBI 2018 Payment Data circular, MeitY Health Data drafts) overlay independently.
Are DPDPA fines capped by global revenue like GDPR?
No. DPDPA penalties are fixed-cap up to ₹250 crore (~€27.5M) per breach instance under § 33. There is no global-revenue ceiling equivalent to GDPR Art 83's 4%. This makes large multinationals structurally less exposed in India than in the EU on a single-incident basis, but multiple breach instances (each user, each event) can stack up.
What language must my privacy notice be in?
DPDPA § 5 requires notices in English and in any of the 22 Eighth-Schedule scheduled languages the data principal selects. At minimum, India-targeted sites should ship English plus Hindi. SDFs are expected to support all 22 scheduled languages on request. English-only notices are non-compliant for India-targeted services even if the audience is overwhelmingly English-speaking.
Do I need an India representative for DPDPA?
Yes if you are a foreign data fiduciary processing personal data of data principals in India. DPDPA § 5(7) requires designation of an India-based representative who can be contacted by data principals and the Data Protection Board. The representative does not need to be a legal entity — a designated contracted individual or local subsidiary qualifies.
Does India have a Right to Be Forgotten?
Not as an explicit standalone right. DPDPA does not codify a GDPR-Art-17-style erasure right, but data principals can withdraw consent under § 6(4) — and once consent is withdrawn, the data fiduciary must cease processing and erase the data unless a § 7 'legitimate use' applies. Effectively this functions as a consent-withdrawal proxy for erasure. The Puttaswamy 2017 judgment recognised informational privacy as a fundamental right, which underpins emerging RTBF jurisprudence in Indian courts independently of DPDPA.
Is GA4 legal in India in 2026?
Yes, conditionally. GA4 is usable on India-targeted sites with explicit DPDPA § 4–6 consent (or a documented 'legitimate use' — which analytics rarely qualifies for) plus bilingual notice (English + Hindi minimum, more if SDF). Cross-border transfer to Google's US servers is currently lawful under the § 16 negative-list model (no notified restriction on the US as of May 2026). If your organisation is later designated an SDF, expect additional transfer review and audit obligations.

// EDITORIAL · NOT LEGAL ADVICE This page summarises India's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.