The Digital Personal Data Protection Act, 2023 governs how organisations (Data Fiduciaries) handle the personal data of individuals in India (Data Principals). It requires an itemised notice and valid consent for each purpose, easy withdrawal, a verifiable age-gate and parental consent for children under 18 (Section 9), and the ability to honour access, correction, erasure and grievance requests.
The DPDP Rules were notified on 13 November 2025 with a phased runway of roughly 18 months, pointing to meaningful enforcement around mid-2027. Penalties can reach ₹250 crore per instance, decided by the Data Protection Board of India.
Related terms
Under India's DPDPA, a Data Fiduciary is the entity that decides why and how personal data is processed, equivalent to a 'controller' under the GDPR.
Under India's DPDPA, a Data Principal is the individual whose personal data is being processed, equivalent to a 'data subject' under the GDPR.
Under India's DPDPA, a Consent Manager is a registered, interoperable platform through which a Data Principal can give, manage, review and withdraw consent across Data Fiduciaries.
The Data Protection Board of India is the body that enforces the DPDPA, investigates breaches and consent complaints, and imposes penalties of up to ₹250 crore per instance.