Last reviewed: 2026-05-05. Reviewer: M.K., CIPP/E
DPDPA Data Protection Board of India

REGULATION · NATIONAL · IN FORCE SINCE 2023

Digital Personal Data Protection Act


Scope and territorial reach

India’s Digital Personal Data Protection Act 2023 (DPDPA) is the country’s first comprehensive privacy law. It applies to any “Data Fiduciary” processing digital personal data of Indian residents — including non-Indian businesses targeting India. As of 2026, the Act is enacted but the implementing Rules are still being finalised by the Ministry of Electronics and Information Technology (MeitY).

DPDPA replaces the patchwork of IT Act §43A and the SPDI Rules 2011 — though sectoral regulations (RBI for finance, IRDAI for insurance) continue to operate alongside.

Consent (§6)

DPDPA §6 requires “free, specific, informed, unconditional, and unambiguous” consent. Each purpose must be itemised — the data subject must be able to opt in or out of each purpose separately. Pre-ticked boxes and bundled consent are invalid.

For cookies and analytics, the Data Fiduciary must provide notice and obtain consent before processing. The implementing Rules are expected to clarify whether ePrivacy-style rules on pre-loading trackers before the banner is answered apply — the current draft Rules suggest they will.

Carve-outs: “legitimate uses” (§7)

DPDPA introduces “legitimate uses” — limited categories where consent is not required:

  • The data subject voluntarily provided the data for a stated purpose
  • State functions, including subsidies and benefits
  • Compliance with court judgments or law
  • Medical emergencies, employment-context purposes

This is narrower than GDPR’s six-bases model but broader than CCPA’s opt-out model.

Data subject rights

  • Access to personal information being processed (§11)
  • Correction and erasure (§12)
  • Right of grievance redressal (§13)
  • Right of nomination — designate a representative for post-mortem privacy (§14, unique to DPDPA)

Response timeline is “reasonable” — the implementing Rules are expected to fix specific days (likely 30-60).

Significant Data Fiduciaries (SDFs)

DPDPA §10 lets the government designate large processors as SDFs based on volume, sensitivity, risk to rights, sovereignty, public order. SDFs face additional obligations: appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and undergo independent audits.

Cross-border transfers (§16)

The default position under DPDPA is permissive: cross-border transfers are allowed except to countries the government places on a “restricted list”. As of 2026 no list has been notified — meaning India is one of the few major markets with effectively unrestricted outbound data flows under the privacy law itself (sectoral regulations may still apply).

Children’s data (§9)

“Verifiable parental consent” is required for processing the data of anyone under 18. This is stricter than GDPR’s 16-year baseline.

Enforcement

The Data Protection Board of India enforces the Act. Maximum penalty per default: ₹250 crore (~€28M) — among the higher caps in APAC. Penalties are issued per default, so multi-default situations can compound.

As of 2026 the Board is being staffed and the implementing Rules are pending — meaning practical enforcement is still ramping up. Data Fiduciaries should treat 2025-2026 as the implementation grace period.

Key references

  • MeitY: meity.gov.in
  • Draft DPDP Rules — public consultation released 2025
  • IAPP DPDPA tracker — implementation timeline


Ten principles

The backbone of the Act — every processing activity must satisfy all ten simultaneously.

  1. Lawful purpose (Sec 4)

    Process personal data only for a lawful purpose for which the Data Principal has given consent or for a 'legitimate use' enumerated in Section 7.

  2. Fair and reasonable processing (Sec 5 / Sec 4)

    Processing must be undertaken in accordance with the Act and for a lawful purpose; deceptive or coercive consent flows are prohibited.

  3. Consent baseline (Sec 6)

    Consent must be free, specific, informed, unconditional, unambiguous and given by clear affirmative action — and may be withdrawn at any time with equivalent ease.

  4. Notice obligation (Sec 5)

    Before or at the time of seeking consent, the Data Fiduciary must provide an itemised notice of personal data, purpose, rights, complaint mechanism and DPB contact — in English or any of the 22 Eighth-Schedule languages.

  5. Purpose limitation (Sec 6(1) / Sec 8(7))

    Personal data may only be processed for the specified purpose for which consent was given; data must be erased once the purpose is no longer being served.

  6. Data minimisation (Sec 8(3))

    The Data Fiduciary must ensure completeness, accuracy and consistency of personal data — and only process what is necessary for the specified purpose.

  7. Storage limitation (Sec 8(7)–(8))

    Erase personal data when consent is withdrawn or the specified purpose is no longer being served — unless retention is required by law. Cause processors to do the same.

  8. Accuracy (Sec 8(3))

    Where personal data is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary, it must be complete, accurate and consistent.

  9. Reasonable security safeguards (Sec 8(5))

    Implement appropriate technical and organisational measures to prevent personal data breaches; the obligation extends to processors via contract.

  10. Children's protection (Sec 9)

    Verifiable parental consent is mandatory for processing personal data of any individual under 18. Behavioural monitoring and targeted advertising directed at children are prohibited.

Lawful bases (Sec 6 and Sec 7)

You must identify and document one before processing — and consent isn't always the right one.

Consent (Sec 6)

Free, specific, informed, unconditional, unambiguous, and given by clear affirmative action — preceded by a Sec 5 notice. Withdrawable at any time.

Common for: Marketing, analytics cookies, newsletters, profiling, any non-mandatory processing

Voluntary submission, a legitimate use (Sec 7(a))

The Data Principal voluntarily provides personal data for a specified purpose and has not indicated non-consent to its use.

Common for: Contact-form submissions, customer-service queries, reservation requests

State function / subsidy / benefit (Sec 7(b))

The State (or its instrumentality) processing for the provision of a subsidy, benefit, service, certificate, licence or permit — or where the State is required by law to process.

Common for: Aadhaar-linked subsidies, government welfare schemes, public-service registrations

Legal obligation / court order (Sec 7(c)–(d))

Compliance with any judgment, decree or order under Indian law, or with any obligation under law to disclose information.

Common for: Court-ordered disclosure, statutory record-keeping, regulator information requests

Medical emergency (Sec 7(e))

Responding to a medical emergency involving a threat to the life or immediate health of any individual.

Common for: Hospital admission of an unconscious patient, emergency-contact processing

Epidemic / public health / disaster (Sec 7(f)–(g))

Measures to provide medical treatment or health services during an epidemic or any threat to public health, or to ensure safety during a disaster or breakdown of public order.

Common for: Pandemic contact-tracing, disaster-relief logistics

Employment (Sec 7(i))

Purposes of employment — including safeguarding from loss or liability, prevention of corporate espionage, IP protection, confidentiality, and provision of services or benefits to employees.

Common for: Payroll, attendance, employee monitoring within statutory limits, on-boarding KYC

Data-subject rights (Sec 5 and Sec 11–14)

What individuals can demand from you, with the response window and scope.

  • Right to information (Sec 5). Response: at collection. Scope: itemised notice of personal data collected, purpose, rights, grievance mechanism and DPB contact, in any of the 22 Eighth-Schedule languages.
  • Right of access / summary of processing (Sec 11). Response: reasonable timeframe; the specific period is to be set by Rules. Scope: obtain a summary of personal data processed, processing activities, identities of other Data Fiduciaries with whom data was shared, and any other prescribed information.
  • Right to correction, completion, updation and erasure (Sec 12). Response: reasonable timeframe; Rules pending. Scope: correct inaccurate or misleading personal data; complete incomplete data; update outdated data; erase data no longer needed for the specified purpose.
  • Right of grievance redressal (Sec 13). Response: specific window to be prescribed by Rules. Scope: approach the Data Fiduciary or Consent Manager first using a published grievance mechanism; only after that may the Data Principal escalate to the DPB.
  • Right of nomination (Sec 14). Response: at collection. Scope: nominate another individual who, in the event of the Data Principal's death or incapacity, may exercise the Data Principal's rights under the Act. Unique to DPDPA; no GDPR equivalent.

National acts in the region

Columns: country, national act, stricter than or aligned with the GDPR baseline, note.

  • India (IN): Digital Personal Data Protection Act 2023. Stricter. Primary jurisdiction. Act enacted 11 Aug 2023; Draft Rules published 3 Jan 2025; full operationalisation awaiting final Rules notification under Sec 1(2). Until then, IT Act §43A and the SPDI Rules 2011 continue to govern sensitive personal data.
  • Bangladesh (BD): Personal Data Protection Act (draft, 2023). Aligned. No comprehensive privacy law in force. Draft PDPA tabled multiple times since 2022; latest version criticised by civil society for broad State exemptions. ICT Act 2006 and Digital Security Act 2018 cover narrow data offences.
  • Sri Lanka (LK): Personal Data Protection Act No. 9 of 2022. Aligned. PDPA enacted Mar 2022, South Asia's first comprehensive privacy law. Phased commencement; main controller obligations effective Mar 2025 under the Data Protection Authority of Sri Lanka.
  • Nepal (NP): Privacy Act 2018 / Right to Privacy. Aligned. Privacy Act 2018 covers personal information held by State entities; no comprehensive private-sector data-protection regime.
  • Pakistan (PK): Personal Data Protection Bill (draft, 2023). Aligned. PDPB still in draft as of 2026; PECA 2016 covers narrow cyber-offences. No general regulator.


Common questions

Does DPDPA apply to non-Indian businesses?
Yes — under Sec 3(b), the Act applies to processing of digital personal data outside India 'if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.' A US- or EU-based site that markets to Indian consumers, accepts INR payments, or otherwise targets the Indian market falls in scope. Unlike GDPR Art 3(2), DPDPA does not extend to mere monitoring of behaviour; the trigger is the offering of goods or services.
What's the maximum DPDPA fine?
Penalties are set in absolute INR per default — not as a percentage of turnover. The highest cap is ₹250 crore (≈ €28 million) for failure to take reasonable security safeguards under Sec 8(5). Other defaults: ₹200 crore for breach-notification failure (Sec 8(6)) or violation of children's-data rules (Sec 9); ₹150 crore for additional-obligation defaults by Significant Data Fiduciaries (Sec 10); ₹50 crore for breach of any other provision. The DPB may also impose a penalty of up to ₹10,000 on a Data Principal who files a false or frivolous complaint.
DPDPA vs GDPR — key differences?
Five major differences. (1) No general legitimate-interest basis — DPDPA Sec 7 enumerates a closed list of 'legitimate uses' (voluntary submission, State functions, court orders, medical emergency, employment, etc.). (2) Children's threshold is 18, not 16, and verifiable parental consent is mandatory — behavioural monitoring and targeted ads at children are flat-out prohibited (Sec 9). (3) Penalties are absolute INR amounts per Schedule 1, not turnover-based. (4) A unique 'right of nomination' allows post-mortem representation (Sec 14). (5) Cross-border transfer uses a negative-list approach (Sec 16) rather than adequacy/SCC architecture. Notice must also be available in any of the 22 Eighth-Schedule languages.
When does DPDPA take full effect?
The Act was enacted on 11 Aug 2023 but commences only on dates appointed by the Central Government under Sec 1(2). MeitY published Draft Rules on 3 Jan 2025 for public consultation. As of May 2026 the Rules are in advanced finalisation but have not yet been notified — meaning the DPB is not yet operational and Schedule 1 penalties cannot yet be levied. Different provisions may be notified on different dates. Most observers expect a phased commencement with a transition window for businesses to align.
What are 'Significant Data Fiduciaries'?
A Significant Data Fiduciary (SDF) is a Data Fiduciary or class of Data Fiduciaries that the Central Government may notify under Sec 10(1) based on factors including volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. SDFs must (a) appoint a Data Protection Officer based in India who reports to the Board, (b) appoint an independent data auditor, and (c) undertake periodic Data Protection Impact Assessments and audits. As of May 2026, no entities have been formally designated as SDFs — the criteria and process are expected to be finalised in the Rules.
Children's data — under 18 vs GDPR's 16?
DPDPA Sec 9 sets the children's threshold at under-18 — significantly higher than GDPR Art 8 (which leaves the digital-consent age between 13 and 16 to Member States). For any user under 18, a Data Fiduciary must obtain verifiable parental consent (the verification mechanism will be prescribed by Rules) and is prohibited from undertaking tracking, behavioural monitoring, or targeted advertising directed at the child. The Central Government may exempt classes of Data Fiduciaries from some of these obligations for specified processing.
Cross-border transfers — what's restricted?
DPDPA Sec 16 takes a 'negative list' approach. Personal data may be transferred outside India to any country except those that the Central Government may notify as restricted. This is the inverse of GDPR's adequacy/SCC model. Sectoral laws (RBI's data-localisation directive for payment-system data; SEBI; IRDAI) may impose stricter localisation in addition to Sec 16. The negative list itself has not been published as of May 2026; until it is, cross-border transfers should be governed by sectoral rules and the security-safeguards obligation under Sec 8(5).
Right of nomination — what is it?
Sec 14 lets a Data Principal nominate any other individual who, in the event of the Data Principal's death or incapacity, may exercise that Data Principal's rights under the Act. This is unique to DPDPA — there is no direct GDPR analogue (post-mortem rights under GDPR are left to Member-State law; for example, France's Loi Informatique et Libertés Art 85). Operationally, Data Fiduciaries must build a workflow that (a) records the nomination at consent time or later, (b) authenticates the nominee on request, and (c) lets the nominee exercise access, correction, erasure and grievance rights as if they were the Data Principal.
Implementation Rules — current status?
MeitY published the Draft Digital Personal Data Protection Rules, 2025 on 3 January 2025 (initial consultation closed in February 2025; subsequent stakeholder rounds extended into 2025). The Draft covers: Sec 5 notice format and content, Sec 6 consent-manager registration regime, Sec 9 verifiable parental consent mechanisms, Sec 10 SDF criteria and DPIA/audit cadence, Sec 16 cross-border transfers, Schedule 2 exemptions for research and start-ups, and DPB procedure. As of May 2026 the final Rules have not been notified in the Gazette of India. Until notification, the DPB is not constituted and penalties under Schedule 1 cannot be levied.
Sectoral laws — RBI/IRDAI interaction?
DPDPA is a horizontal, cross-sector statute that does not displace existing sectoral regulators. Sec 38 of the Act preserves any other law in force; where a sectoral law provides higher protection or stricter localisation, that sectoral law continues to apply. Key examples: the RBI Master Direction on Storage of Payment System Data (2018) requires payment-system data to be stored only in India; SEBI imposes record-keeping and localisation rules on intermediaries; IRDAI's Information and Cyber Security Guidelines impose 24-hour breach reporting on insurers; CERT-In's 2022 Directions impose 6-hour cyber-incident reporting. Compliance programmes must therefore be layered: DPDPA as the privacy baseline plus the relevant sectoral overlay.