India's Digital Personal Data Protection Act

India's Digital Personal Data Protection Act took effect in August 2023. It replaced earlier drafts that had been discussed since the landmark 2017 Supreme Court ruling that recognized privacy as a fundamental right.

With over 800 million internet users and one of the world’s fastest-growing digital economies, the law will have a significant effect on many people and organizations.

The act is expected to impact many sectors, including legal, IT, human resources, sales and marketing, finance, and information security because of the volume of personal data that is collected, stored, and processed in India.

What Is India's Digital Personal Data Protection Act?

India's Digital Personal Data Protection Act (DPDPA) is a data privacy law that regulates the collection and management of Indian residents' personal data and sets responsibilities for businesses and organizations. The DPDPA aims to strike a balance between individuals' right to privacy and the need for innovation, growth, and national security.

Effective date of the DPDPA: 11 August 2023.

The Act introduces the following aspects:

  • Defines personal data.
  • Establishes the roles and responsibilities of Data Fiduciaries (those who process data) and Data Principals (individuals whose data is being processed).
  • Creates the Data Protection Board of India, an independent body responsible for enforcement.
  • Appoints an independent data auditor.

In January 2025, India's Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules to facilitate the implementation of the Act. The rules complement the DPDPA and explain how to implement its provisions.

What Is Personal Data under the DPDPA?

DPDPA recognizes the right of Indian individuals, referred to as data principals, to protect their personal data.

The Act defines Personal data as "any data that relates to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier."

Personal data includes, but is not limited to:

  • Name, address, and contact information
  • Location data
  • Date of birth
  • Gender
  • Online browsing history and search queries
  • Social media posts and messages.

The definition of a person includes an individual, an undivided family, a company, a firm, an association, the state, and every "artificial juristic person."

The DPDPA protects:

  • Personal data that is processed in India, regardless of whether the data was originally collected in India or elsewhere.
  • Processing of personal data of Indian individuals, even if the data is processed outside of India.

The DPDPA does not apply to personal data that is:

  • Stored on paper, unless it is digitized.
  • Processed for law enforcement or national security purposes.
  • Processed for the purpose of journalism or artistic expression.
  • Processed for personal or family purposes.

Key Principles of the DPDPA

Data holders are called Data Fiduciaries, and they are responsible for the collection and management of personal data in a way that complies with the DPDPA.

The DPDPA sets the following six key principles for Data Fiduciaries:

  • Lawfulness: Personal data must be processed lawfully, fairly, and transparently.
  • Purpose limitation: Data Fiduciaries should collect personal data only for specified, explicit, and legitimate purposes and not further process personal data for purposes that are incompatible with those purposes.
  • Data minimization: Data Fiduciaries should limit the collection of personal data to what is directly relevant and necessary to accomplish a specified purpose.
  • Storage limitation: Data Fiduciaries should not keep personal data longer than is necessary for the purposes for which the personal data are processed.
  • Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  • Integrity and confidentiality: Data Fiduciaries should process personal data using appropriate security measures. They must also use appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Responsibilities of Significant Data Fiduciaries

The Indian government will identify Significant Data Fiduciaries based on the volume and sensitivity of personal data processed and the risk involved.

Significant Data Fiduciaries have the following responsibilities:

  • They must appoint a data protection officer (DPO) based in India.
  • They must appoint an independent data auditor.
  • They must conduct a data protection impact assessment (DPIA).

Consent Requirements

Data Fiduciaries must obtain clear and informed consent from individuals (data principals) before collecting or processing their personal data. The consent must be freely given, specific, and easy to withdraw.

Processing children's data (under 18) requires parental consent. Advertising targeted at children and tracking of children are not allowed.

Data processors are third-party businesses that process data on behalf of data fiduciaries. When obtaining user consent, data fiduciaries are required to inform individuals if their data will be processed by data processors.

Rights of Data Principals

The DPDPA grants individuals the following rights concerning their personal data:

  • The right to access their personal data
  • The right to rectify inaccurate personal data
  • The right to erase their personal data
  • The right to restrict the processing of their personal data
  • The right to data portability
  • The right to object to the processing of their personal data
  • The right to nominate someone in case of death or incapacity.

Enforcement of the DPDPA

The DPDPA is enforced by the Data Protection Authority of India (DPA), which is an independent body responsible for overseeing the implementation of the Act.

The DPA has the power to investigate complaints, issue fines, and order organizations to comply with the Act.

Penalties for Non-Compliance

Non-compliance with the DPDPA can lead to heavy fines of up to INR 250 crore (~USD 30 million) for data breaches.

Failure to protect personal data could lead to these fines:

  • Breach in observance of duty of data principal: up to INR 10,000 (~USD 120).
  • Failure to notify the Data Protection Board and affected data principals in the event of a personal data breach: up to INR 200 crore (~USD 24 million).
  • Breach in observance of additional obligations in relation to children: up to INR 200 crore (~USD 24 million).

Note that the maximum limit of INR 500 crore (~USD 60 million) for penalties has been removed.

DPDPA vs. GDPR

India's DPDPA and the EU's General Data Protection Regulation (GDPR) both protect individuals' personal data and set the responsibilities of data collectors and processors. The two laws are similar in many areas, but there are notable differences.

  • Definition: Under the DPDPA, companies that collect and process data are called data fiduciaries, while individuals who share the data are called data principals. Under the GDPR, they are called data controllers and data subjects, respectively.
  • Protection of data: The DPDPA sets a stricter rule on data protection, applying the law to all personal data, not just sensitive data. On the other hand, the GDPR protects more types of sensitive data, such as race, ethnicity, religion, and health information.
  • Protection of children: Both laws require parental consent for processing children's data. The DPDPA treats anyone under 18 as a child, while the GDPR requires parental consent for children under 16. The DPDPA also limits the tracking of children and advertising targeted at them.
  • Right to be forgotten: The DPDPA and GDPR allow individuals to request an erasure or amendment of their data. The DPDPA applies only to data collected by a business after obtaining user consent and no other data, while the GDPR allows an individual to request the erasure of all types of data managed by a company, including data from social media or search engines.
  • Data breaches: The DPDPA requires companies to notify individuals and India's Data Protection Board of all data breaches, while the GDPR only requires notification if the breach could pose a high risk to affected individuals.
  • Algorithmic decision-making: The GDPR provides the right to request human intervention for important decisions, while the DPDPA contains no specific requests related to algorithmic decision-making.
  • International processing: The DPDPA is less stringent about international processing than the GDPR, which sets strict rules for cross-border transfers.
  • Guidance: Unlike the GDPR, which guides companies by providing instructions on personal data management, the DPDPA lacks a summary of guiding principles.

How to Comply with India's Digital Personal Data Protection Act?

To comply with India's Digital Personal Data Protection Act, Data Fiduciaries must:

  • Obtain user consent before collecting or processing personal data. The consent must be informed, freely given, specific, and easy to withdraw.
  • Implement reasonable security safeguards.
  • Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.
  • Limit the storage of personal data and delete data that is no longer necessary.
  • Respect the purpose limitation principle: collect and process personal data only for specified, explicit, and legitimate purposes.
  • Notify and gain consent for international data transfers. However, detailed rules on cross-border data transfers are still to be set by the law.
  • Update privacy policies regularly.
  • Establish data protection officers.
  • Prepare for audits and breach responses.
  • Inform individuals and the Data Protection Authority of India in case of data breaches.

How Can CookieScript Help to Comply with the DPDPA?

CookieScript is a professional Consent Management Platform (CMP) that allows businesses to comply with the DPDPA and other privacy laws.

With CookieScript CMP businesses can:

In Spring 2025, CookieScript received the fourth badge in a row as the leader on G2, a peer review site, and became the best Consent Management Platform (CMP) on the market for a whole year! It also has a GOLD Tier in the New Google Tiering System.

Frequently Asked Questions

What Is India's Digital Personal Data Protection Act?

India's Digital Personal Data Protection Act (DPDPA) is a data privacy law that regulates the collection and management of Indian residents' personal data and sets responsibilities for businesses and organizations. The Act became effective on 11 August 2023. Use CookieScript CMP to comply with the DPDPA.

How to comply with India's Digital Personal Data Protection Act?

To comply with the DPDPA, Data Fiduciaries must obtain user consent, implement reasonable security safeguards, limit the collection and storage of personal data, gain consent for international data transfers, establish data protection officers, update privacy policies regularly, and inform individuals and the DPA in case of data breaches. CookieScript CMP can help you comply with the DPDPA.

What are the penalties for non-compliance with India’s DPDPA?

Non-compliance with the DPDPA can lead to fines from INR 10,000 (~USD 120) up to INR 250 crore (~USD 30 million) for data breaches. Use CookieScript CMP to comply with the DPDPA and avoid penalties.

What are the consent requirements under India’s DPDPA?

Data Fiduciaries must obtain clear and informed consent from individuals before collecting or processing their personal data. The consent must be freely given, specific, and easy to withdraw. Processing children’s data (under 18) requires parental consent. Use CookieScript CMP to create a cookie banner and obtain user consent to comply with the DPDPA.

What are the rights of Data Principals under India’s DPDPA?

The DPDPA grants individuals the following rights: the right to access their personal data, the right to rectify inaccurate personal data, the right to erase their personal data, the right to restrict the processing of their personal data, the right to data portability, the right to object to the processing of their personal data, and the right to nominate someone in case of death or incapacity. Use CookieScript CMP to comply with the DPDPA.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.