DPDP Act India Data Protection — Hoston Tech

DPDP Act Explained: What India’s Data Protection Law Means for You

Every time you sign up for a food delivery app, upload your Aadhaar to a lending platform, or let a shopping site remember your card, you are handing over personal data that used to have no real legal protection in India. That changed with the DPDP Act India — the Digital Personal Data Protection Act, 2023 — the country’s first dedicated data privacy law. It sets out how companies can collect and use your information, what rights you have over it, and what happens when they get it wrong.

This guide breaks down the DPDP Act India in plain language: who it covers, what rights it gives you as an ordinary user, what companies now have to do differently, and where the rollout actually stands as of 2026.

What Is the DPDP Act India?

The Digital Personal Data Protection Act was passed by Parliament in August 2023, after several earlier drafts and years of debate following the Supreme Court’s 2017 ruling that privacy is a fundamental right. The DPDP Act India applies to any digital personal data processed within India, and also to processing done outside India if it involves offering goods or services to people here. In short, if an app or website deals with Indian users’ data, this law is meant to apply to it.

The law uses two core terms worth knowing. A Data Principal is you — the individual the data belongs to. A Data Fiduciary is the company or entity deciding how and why that data is processed, such as a bank, an e-commerce app, or a hospital chain. A third term, Consent Manager, refers to a registered platform that lets you view and manage consent given to multiple fiduciaries from one place, similar in spirit to how account aggregators work in banking.

Your Rights Under the DPDP Act India

The Act gives Data Principals a set of enforceable rights, though several depend on rules and grievance mechanisms that are still being operationalised. As a user, you are entitled to:

  • Right to information: a Data Fiduciary must tell you what data it collects and why, in clear language, before or at the time of collection.
  • Right to access: you can ask for a summary of the personal data a company holds about you and how it has been processed.
  • Right to correction and erasure: you can request that inaccurate data be corrected or that data no longer needed for its original purpose be deleted.
  • Right to grievance redressal: companies must provide an accessible way to raise complaints, and unresolved issues can escalate to the Data Protection Board of India.
  • Right to nominate: you can nominate another person to exercise these rights on your behalf in case of death or incapacity.

One structural change worth noting: consent under the DPDP Act India has to be specific, informed, and revocable. A company cannot bundle a dozen unrelated permissions into one tick box, and withdrawing consent should be roughly as easy as giving it. If you have ever tried to link government IDs online, you already know how much friction badly designed consent flows can cause; our guide on how to link Aadhaar with PAN online walks through one of the more common ones.

What Companies Must Do Differently

For Data Fiduciaries, this law is a genuine compliance shift, not a paperwork formality. Obligations include implementing reasonable security safeguards, reporting personal data breaches to both affected users and the Data Protection Board, and deleting data once its stated purpose is served or consent is withdrawn, subject to legal retention requirements.

Significant Data Fiduciaries

Large platforms handling high volumes of sensitive data can be classified as Significant Data Fiduciaries and face extra obligations: appointing a Data Protection Officer based in India, conducting periodic data protection impact assessments, and undergoing independent audits. The idea is to apply tighter scrutiny where a breach or misuse would affect the most people.

Children’s Data

The law treats anyone under 18 as a child for data protection purposes and requires verifiable parental consent before processing a minor’s data, along with a ban on tracking, behavioural monitoring, and targeted advertising directed at children. This is a notably stricter stance than several other jurisdictions and will force changes to how ed-tech and gaming apps popular with Indian teenagers operate.

The Data Protection Board of India

Enforcement runs through a new body called the Data Protection Board of India, which functions as a digital-first regulator. It investigates complaints, can direct a Data Fiduciary to take remedial action, and imposes financial penalties for violations. Unlike a traditional court, proceedings are meant to be conducted largely online, which should, in theory, make it easier for an ordinary user to file a complaint without hiring a lawyer or travelling to a tribunal.

Penalties for Violations

The DPDP Act India backs its rules with real financial teeth. Penalties can run up to ₹250 crore for failing to implement reasonable security safeguards that leads to a data breach, and up to ₹200 crore for failing in obligations around children’s data. Smaller but still meaningful penalties apply to lapses like not providing a proper grievance redressal mechanism. These are ceiling figures decided case by case by the Board, not automatic fines, but they signal that data protection is no longer treated as a minor compliance line item in India.

DPDP Act India vs GDPR: How Different Is It?

Comparisons to Europe’s GDPR are inevitable, and there is real overlap: both frameworks are built around consent, purpose limitation, and breach notification. But the DPDP Act India is noticeably shorter and less prescriptive. It does not include GDPR-style concepts like a full “right to be forgotten” in the same detail, does not set out as many lawful bases for processing, and leaves a lot of implementation detail to rules notified separately by the government rather than spelling everything out in the primary legislation. It also carves out broader exemptions for government agencies processing data for purposes like national security, which has drawn criticism from privacy advocates.

Where the Rollout Stands as of 2026

The Act received presidential assent in 2023, but most of its operative provisions only take effect once the government notifies the accompanying rules and gives companies a transition window. As of 2026, the framework has been moving from draft rules toward phased implementation, with the Data Protection Board being set up and larger platforms beginning to adjust consent flows, privacy notices, and breach-reporting processes. Expect this to keep evolving in stages rather than switching on overnight, so it is worth checking the official portal periodically for the current phase.

Because so much of this connects back to how apps handle your identity and accounts, a good companion habit is knowing what to do when something goes wrong. If your accounts are ever compromised, our guide on how to recover a hacked WhatsApp account covers the practical recovery steps, and our explainer on deepfake scams and how to protect yourself is a useful read given how much personal data now feeds these scams.

What This Means for You, Practically

You do not need to memorise every clause of the law to benefit from it. A few habits make it work harder for you:

  • Read consent prompts before tapping “Allow”, especially permissions asking for contacts, location, or storage access that seem unrelated to the app’s purpose.
  • Use the privacy settings most apps now offer to review and revoke old permissions periodically.
  • Keep an eye out for a formal grievance or “data rights” section appearing in apps and websites over the coming months — that is the compliance work becoming visible.
  • If a company ignores a legitimate data deletion or correction request, note the date and keep evidence; that record matters if you eventually escalate to the Data Protection Board.

FAQs

Does the DPDP Act India apply to foreign companies?

Yes. The law applies to any processing of digital personal data connected to offering goods or services to people in India, regardless of where the company processing the data is based.

Can I ask a company to delete my data right now?

You can request it, and companies are expected to comply once their processes are aligned with the Act, subject to legal retention requirements such as tax or KYC records. Formal enforcement mechanisms are still being rolled out in phases, so response times currently vary.

Does this law only cover apps and websites?

No. It covers digital personal data processing broadly, which includes banks, hospitals, government portals, and offline data that has been digitised, not just consumer apps.

What should I do if I suspect a data breach affecting me?

Contact the company’s grievance officer first and ask for details in writing. If the response is unsatisfactory once the Board is fully operational in your case category, you will be able to escalate the complaint to the Data Protection Board of India.

Final Thoughts

The DPDP Act India will not fix every privacy problem overnight, and enforcement is still catching up to the text of the law. But it marks a real shift from a country with almost no dedicated data protection statute to one with clear rights, a named regulator, and penalties large enough to matter to big platforms. Pay attention to consent screens, use the rights the law gives you, and treat privacy settings as something worth five minutes of your time rather than a formality to click past.

For more explainers that turn dense Indian tech policy into plain language, hoston tech publishes new guides every week.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *