On November 13, 2025, a law came into force that every Indian business collecting customer data must know about. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) — commonly called the DPDP Act — is India's first comprehensive data protection legislation. Miss it, and you face penalties up to ₹250 Crore.
The One-Line Summary
If you collect personal data from customers in India — name, phone, email, address, payment info — you now have legal obligations about how you collect it, use it, store it, and delete it.
That's it. It doesn't matter if you're a ₹10 crore company or a one-person Instagram seller. If you collect data, the law applies to you.
Where Did It Come From?
India has needed a data protection law for decades. The Supreme Court declared privacy a fundamental right in 2017 (Justice K.S. Puttaswamy case). After that, a series of draft bills — the Personal Data Protection Bill 2018, 2019, 2021 — went through committees and were withdrawn.
The DPDP Act 2023 was finally passed by Parliament in August 2023, received Presidential assent on August 11, 2023, and came into force on November 13, 2025 via notification G.S.R. 843(E).
The accompanying DPDP Rules 2025 were notified on November 13, 2025 (G.S.R. 846(E)), with most enforcement provisions taking effect on May 13, 2027.
Who Must Comply? (Section 3)
The Act applies to:
- Section 3(a)(i): Any business that collects personal data of individuals in India in digital form — websites, apps, WhatsApp, Instagram DMs, online checkouts.
- Section 3(a)(ii): Any business that collects data in non-digital form (paper forms, POS) and then digitises it — entering numbers into Excel, a phone, billing software, or any computer.
- Section 3(b): Businesses outside India that offer goods or services to individuals in India — a UK or US company with Indian customers must also comply.
The only businesses NOT covered are those that collect purely paper-based data that is never digitised. The moment you photograph a form, enter a number into a phone, or type anything into any software — you're covered.
Key Terms You Need to Know
- Data Principal: The individual whose data is being collected. Your customer.
- Data Fiduciary: The business that decides what data to collect and why. You.
- Data Processor: A third party that processes data on your behalf — Razorpay, Shiprocket, your email tool. You're still responsible for their compliance as the Data Fiduciary.
- Consent Manager: An entity registered with the government through which individuals can manage their consent across multiple fiduciaries.
- Data Protection Board (DPB): The government body that will hear complaints, investigate breaches, and impose penalties.
What Are Your Main Obligations?
As a Data Fiduciary, you must:
- Get consent before collecting data — free, informed, specific, and unconditional (Section 6). The customer must know exactly what you're collecting and why.
- Publish a privacy notice (Section 5) — in clear language, listing what data, what purpose, how long, and how they can exercise rights.
- Respond to Data Subject Requests (DSRs) — customers can ask to see, correct, or delete their data, and you are obliged to respond to each request.
- Notify breaches within 72 hours — to the Data Protection Board and affected individuals (Section 8(6)).
- Delete data when the purpose is fulfilled — you cannot keep customer data indefinitely (Section 8(7)).
When Do You Need to Be Compliant?
The Act is already in force (November 13, 2025). However, the enforcement rules (Rules 5–23) take effect on May 13, 2027. This gives businesses an 18-month window to build compliant systems.
Don't treat this as "I have 18 months to do nothing." Building consent management, DSR workflows, and breach notification systems takes time. The businesses that start now will be the ones that aren't scrambling in April 2027.
What Happens If You Don't Comply?
The Data Protection Board can impose penalties of up to:
- ₹250 Crore for failure to implement adequate security safeguards to prevent a data breach
- ₹200 Crore for failure to notify a data breach
- ₹200 Crore for violations involving children's data
- ₹50 Crore for other violations (consent, privacy notice, DSR)
These penalties are cumulative per violation, not a single cap. A business that both fails to get consent AND fails to notify a breach could theoretically face ₹450 Crore in total penalties.
Bottom Line
The DPDP Act is not a bureaucratic formality. It represents a fundamental shift in how Indian businesses must treat customer data — as something that belongs to the customer, not the company. The 2027 deadline is real. Start building compliant systems now.