India's DPDP Act explained: a plain-language guide
A plain-language guide to India's Digital Personal Data Protection Act (DPDP Act): who it covers, the consent and notice rules, Section 9 children's protections, data-principal rights, the Consent Manager model, penalties and the compliance timeline after the 2025 Rules.
What the DPDP Act is and why it matters
The Digital Personal Data Protection Act, 2023, usually shortened to the DPDP Act or DPDPA, is India's first standalone law dedicated to protecting personal data. It replaces a patchwork of sectoral rules with one framework for how organizations may collect and use the digital personal data of people in India.
It matters because its reach is broad and its penalties are real. If you run a website, an app or any service that processes the personal data of people in India, the law most likely applies to you, whether or not you are based in India. Getting consent and notice right is no longer a nice-to-have; it is the core of lawful processing.
Who it covers: data fiduciaries, principals and processors
The law uses three key roles. A data principal is the individual the data is about. A data fiduciary is the entity that decides why and how personal data is processed, similar to a controller under the GDPR. A data processor handles data on a fiduciary's behalf.
The DPDP Act has extraterritorial reach. It applies to processing of digital personal data within India, and to processing outside India where it relates to offering goods or services to people in India. A foreign SaaS company with Indian users is squarely in scope.
Some larger or higher-risk organizations may be classed as Significant Data Fiduciaries, with extra duties such as appointing a Data Protection Officer based in India, commissioning independent audits and carrying out data protection impact assessments.
Notice and consent: the heart of the law
Unlike the GDPR, which offers several lawful bases, the DPDP Act leans heavily on consent as the route for most commercial processing, alongside a narrow set of legitimate uses. That makes the consent flow the centre of your compliance.
Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action and limited to the data needed for the stated purpose. It must be preceded by an itemized notice that lists the personal data you collect, the specific purposes, how to withdraw and how to complain to the Data Protection Board, in clear and plain language and available in English and the scheduled Indian languages.
Critically, consent must be verifiable. You must be able to show later that a specific person consented to specific purposes after seeing the notice. A consent platform that records each event with the purposes shown, the policy version and a tamper-evident receipt turns that legal requirement into evidence you can produce on demand.
Section 9: protecting children
Section 9 is one of the strictest parts of the Act. For anyone under 18, a data fiduciary must obtain verifiable consent from a parent or lawful guardian before processing, and must not carry out tracking, behavioral monitoring or targeted advertising directed at children.
In practice this means an age-gate and a parental consent flow are mandatory if minors might use your service, and your advertising and analytics trackers must stay blocked for users identified as children. Designing this in from the start is far easier than retrofitting it after a complaint.
Rights, the Consent Manager and easy withdrawal
Data principals get rights to access a summary of their data and processing, to correction and erasure, to grievance redressal, and to nominate someone to exercise their rights. You need a working request intake with clear timelines, which overlaps with the DSAR processes you may already run for the GDPR or CCPA.
Withdrawing consent must be as easy as giving it. Once someone withdraws, you must stop the related processing within a reasonable time and ensure your processors do the same, so a persistent and obvious withdrawal control is essential.
The Act also introduces the Consent Manager, a registered intermediary through which people can give, manage, review and withdraw consent across services. Keeping your consent records interoperable rather than locked to a proprietary format helps you fit this model as it matures.
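The three requirements above that a consent platform has to turn into evidence, the verifiable record of who consented to which purposes after seeing which notice version (with a tamper-evident receipt), the Section 9 rules for children, and withdrawal stopping the related processing, are combined here in one added Python example. It is not ConsentX code and not part of this guide; the class and method names (ConsentLedger, record, processing_permitted, verify_chain, evidence), the event fields, the purpose strings and the demo data are all this example's own assumptions. Receipts are HMAC-SHA256 over a canonical JSON encoding of the event, chained through the previous receipt so that an edited, deleted or reordered event fails verification.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Purposes the guide says must not be directed at children (Section 9 as summarised above).
CHILD_BLOCKED_PURPOSES = {"tracking", "behavioral_monitoring", "targeted_advertising"}


@dataclass
class ConsentEvent:
    """One consent event. Field names are this example's own, not a standard schema."""
    principal_id: str
    action: str            # "grant" or "withdraw"
    purposes: list         # purposes shown in the itemized notice and acted on
    notice_version: str    # which version of the notice the person saw
    timestamp: int         # seconds since epoch; events are appended in time order
    consented_by: str      # "self", or "guardian" for a parent or lawful guardian
    is_child: bool         # principal identified as under 18 by the age-gate
    prev_hash: str = ""    # receipt of the previous event (hash chain)
    receipt: str = ""      # HMAC over the fields above; the tamper-evident receipt


class ConsentLedger:
    """Append-only consent log with hash-chained, HMAC-signed receipts (constructed example)."""

    def __init__(self, secret: bytes):
        self._secret = secret   # key held by the fiduciary; whoever holds it can verify receipts
        self.events: list = []

    def _sign(self, body: dict) -> str:
        # Canonical JSON so the same event always produces the same MAC.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def _body(self, ev: ConsentEvent) -> dict:
        body = asdict(ev)
        body.pop("receipt")
        return body

    def record(self, principal_id, action, purposes, notice_version, timestamp,
               consented_by="self", is_child=False) -> ConsentEvent:
        prev = self.events[-1].receipt if self.events else "genesis"
        ev = ConsentEvent(principal_id, action, sorted(purposes), notice_version,
                          timestamp, consented_by, is_child, prev_hash=prev)
        ev.receipt = self._sign(self._body(ev))
        self.events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """Detect edited, deleted or reordered events: every receipt must recompute
        and every prev_hash must equal the receipt of the event before it."""
        prev = "genesis"
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            if not hmac.compare_digest(self._sign(self._body(ev)), ev.receipt):
                return False
            prev = ev.receipt
        return True

    def processing_permitted(self, principal_id: str, purpose: str, at: int) -> bool:
        """Answer 'may we process this purpose for this person at this time?' from the
        log alone: the latest grant or withdrawal for the purpose wins, and a grant for a
        child only counts if a guardian gave it and the purpose is not a Section 9 one."""
        allowed = False
        for ev in self.events:
            if ev.principal_id != principal_id or ev.timestamp > at or purpose not in ev.purposes:
                continue
            if ev.action == "grant":
                if ev.is_child and (purpose in CHILD_BLOCKED_PURPOSES or ev.consented_by != "guardian"):
                    continue   # not a valid grant; does not change state
                allowed = True
            elif ev.action == "withdraw":
                allowed = False   # withdrawal stops the related processing
        return allowed

    def evidence(self, principal_id: str, purpose: str) -> list:
        """What you would hand over on request: the events for this person and purpose,
        each with the notice version shown and its receipt."""
        return [{**self._body(ev), "receipt": ev.receipt}
                for ev in self.events
                if ev.principal_id == principal_id and purpose in ev.purposes]


if __name__ == "__main__":
    # Constructed demo data.
    ledger = ConsentLedger(b"demo-key-do-not-use-in-production")
    ledger.record("alice", "grant", ["analytics", "newsletter"], "notice-v3", 1_700_000_000)
    ledger.record("alice", "withdraw", ["analytics"], "notice-v3", 1_700_000_600)
    print(ledger.processing_permitted("alice", "analytics", 1_700_001_000))   # False
    print(ledger.processing_permitted("alice", "newsletter", 1_700_001_000))  # True
    print(ledger.verify_chain())                                              # True
```

The point of the chain is that processing decisions and audit answers come from the same log: processing_permitted is what your trackers and processors should consult before acting, and evidence is what you produce for the Board or a Consent Manager. Because the events are plain dictionaries with a documented receipt scheme rather than a proprietary blob, they stay interoperable in the way the section above recommends; in a real deployment you would also publish the chain head to a store the fiduciary cannot silently rewrite, since an HMAC keyed by the fiduciary alone only proves that the key holder signed each event.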
Penalties and the compliance timeline
Penalties are significant. The Data Protection Board can impose fines of up to 250 crore rupees for a failure to take reasonable security safeguards that results in a personal data breach, with other heads of penalty for breaches of the children's provisions and other duties.
The DPDP Rules were notified in November 2025, starting a phased implementation that gives most businesses roughly until mid-2027 to come into full compliance. That window is the time to put consent, notice, children's protections and rights handling in place, not to wait. Start with the practical steps in the India DPDPA compliance checklist and map them to your site.
This guide is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified counsel.
Frequently asked questions
Does the DPDP Act apply to companies outside India?
Yes. The Act applies to processing of personal data outside India where it relates to offering goods or services to people in India, so a foreign website or SaaS with Indian users is in scope.
Is consent the main basis for processing under the DPDP Act?
For most commercial processing, yes. The law relies mainly on consent, with a limited set of legitimate uses, so a correct, verifiable consent flow is central to compliance.
What does the DPDP Act require for children?
Under Section 9 you must obtain verifiable parental consent for users under 18 and must not track, behaviorally monitor or target advertising at children, which in practice means an age-gate and a parental consent flow.
What are the penalties under the DPDP Act?
Penalties run up to 250 crore rupees, most notably for failing to take reasonable security safeguards that result in a personal data breach, with separate penalties for breaching children's and other obligations.
When do businesses need to comply with the DPDP Act?
The DPDP Rules were notified in November 2025 and set a phased runway giving most businesses until roughly mid-2027 to reach full compliance, so the time to implement consent and notice is now.
How does a consent platform help with DPDP compliance?
A DPDPA-native consent platform delivers the itemized notice, captures verifiable consent before processing, enforces Section 9 age-gating, makes withdrawal easy and stores tamper-evident receipts you can produce as evidence for the Data Protection Board.