India's DPDP Act, section by section
Plain-English summaries of the key sections of the Digital Personal Data Protection Act, with what each one means for your consent and data practices.
Notice
Section 5 of the DPDP Act requires a data fiduciary to give the data principal an itemized notice, before or at the time consent is sought, that states the personal data to be collected and the purpose, how the person can exercise their rights and withdraw consent, and how to complain to the Data Protection Board. The notice must be in clear and plain language, with the option to access it in English or any language listed in the Eighth Schedule of the Constitution.
Consent & withdrawal
Section 6 of the DPDP Act says consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the stated purpose. The data principal can withdraw consent at any time, and withdrawing must be as easy as giving it; on withdrawal the fiduciary and its processors must stop the related processing within a reasonable time. Consent can also be given, managed and withdrawn through a registered Consent Manager.
Legitimate uses
Section 7 of the DPDP Act lists certain legitimate uses where a data fiduciary may process personal data without separate consent, including data the person voluntarily provided for a purpose, the State providing benefits or services, compliance with law or court orders, responding to medical emergencies and disasters, and certain employment purposes. These are narrow exceptions; most ordinary commercial and marketing processing still relies on consent under Section 6.
Fiduciary duties
Section 8 of the DPDP Act sets out the core duties of a data fiduciary: ensure data is accurate and complete where it may affect the data principal or a decision, take reasonable security safeguards to prevent breaches, notify the Data Protection Board and affected persons of a breach, erase personal data once the purpose is served or consent is withdrawn, publish the contact of a person who can answer questions, and have a grievance-redressal mechanism. The fiduciary remains accountable even when a processor handles the data.
Children's data
Section 9 of the DPDP Act requires a data fiduciary to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child (anyone under 18) or a person with a disability who has a lawful guardian. It also prohibits processing that is likely to cause a detrimental effect on a child's well-being, and bans tracking, behavioral monitoring and targeted advertising directed at children. In practice this means an age-gate and a verifiable parental-consent flow.
Significant Data Fiduciaries
Section 10 of the DPDP Act lets the Central Government classify certain data fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as the volume and sensitivity of data, risk to data principals, and impact on sovereignty, electoral democracy and public order. An SDF has additional duties: appoint a Data Protection Officer based in India and reporting to its board, appoint an independent data auditor, and carry out periodic Data Protection Impact Assessments and audits.
Data-principal rights
Sections 11 to 14 of the DPDP Act give data principals the right to access a summary of their personal data and the processing activities (Section 11), the right to correction, completion, updating and erasure (Section 12), the right to grievance redressal from the fiduciary or Consent Manager (Section 13), and the right to nominate another person to exercise their rights in case of death or incapacity (Section 14). You need a working request process with clear timelines to honour them.
Penalties
Under Section 33 of the DPDP Act, the Data Protection Board can impose monetary penalties after an inquiry, with the amounts set out in the Schedule. The largest is up to 250 crore rupees for failing to take reasonable security safeguards to prevent a breach, and up to 200 crore rupees for breaching obligations relating to children. The Board considers the nature, gravity and duration of the breach and any mitigation when deciding the amount.