

The Digital Personal Data Protection Act, 2023 (often written as DPDP Act or DPDPA) is India's first comprehensive data privacy law. Passed by Parliament on 9 August 2023 with Presidential assent on 11 August 2023, it grew out of the 2017 Supreme Court Puttaswamy ruling that made privacy a fundamental right.
The Act is compact by global standards: 9 chapters and 44 sections, plus a penalty schedule. Those 44 sections cover everything from definitions and consent rules to the duties of Data Fiduciaries, the rights of Data Principals, the Data Protection Board of India, and penalties of up to ₹250 crore per violation.
With the DPDP Rules 2025 notified on 14 November 2025, the DPDP Act 2023 is now fully operational. This page walks through the law's structure, principles, lawful bases, scope, and exemptions.
Every obligation in the Act flows from these seven principles. If your data practices follow them, you are most of the way to compliance.
Process personal data only on a valid legal basis and be open with people about what you're doing with their data.
Use data only for the specific purpose it was collected for, no quiet repurposing of customer lists later.
Collect only what you actually need. If a delivery needs a phone number, don't also ask for a date of birth.
Keep the personal data you hold correct and up to date, and fix it when the individual asks for a correction.
Delete data once its purpose is served or consent is withdrawn. "Keep everything forever" is no longer legal.
Protect data with encryption, access controls, and logging, and be able to prove it. Security failures carry the top ₹250 Cr penalty tier.
Unlike GDPR's six legal bases, the DPDP Act 2023 gives businesses exactly two grounds to process personal data.
Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. No pre-ticked boxes, no consent buried in terms and conditions, and withdrawing consent must be as easy as giving it.
Notably absent: GDPR-style "legitimate interest" and "contract necessity". If your processing doesn't fit a Section 7 legitimate use, you need valid consent, which is why consent systems sit at the heart of DPDP compliance.
| Covered by the DPDP Act 2023 | Excluded |
|---|---|
| Digital personal data processed in India | Purely personal or domestic use of data |
| Foreign entities offering goods or services to people in India | Most publicly available data |
| Offline data that is later digitized | There is NO small-business, startup, or turnover-based exemption |
| Businesses of every size and sector, from a solo shop to an enterprise |
Practically, if you collect even one customer's email digitally, the Act treats you as a Data Fiduciary. Also worth knowing: the Act applies only to digital personal data (paper records stay outside until digitized), and it treats all personal data uniformly, with no separate "sensitive data" category like GDPR.
Consent rules become mandatory on 13 November 2026, and full enforcement begins on 13 May 2027. Setup takes 2-6 months, so start now.
Book Your Free DPDP AuditSee deadlines, penalties, the compliance checklist, and our services in one place.
Learn Everything About DPDP ComplianceThe Act has 9 chapters and 44 sections plus a penalty schedule, covering definitions, consent and notice, fiduciary duties, Data Principal rights, the Data Protection Board of India, and penalties of up to ₹250 crore per violation.
Only two: valid consent (free, specific, informed, unconditional, unambiguous, given by clear affirmative action) and Section 7 legitimate uses like employment, medical emergencies, disasters, and legal obligations. There is no GDPR-style legitimate interest basis.
Very few cases: purely personal or domestic use of data and most publicly available data. There is no exemption for small businesses, startups, or MSMEs, every business handling digital personal data is covered.
Yes. With the DPDP Rules 2025 notified on 14 November 2025, the law is fully operational and the ₹250 Cr penalty framework is live. Consent rules become mandatory on 13 November 2026, and full enforcement starts on 13 May 2027.
One free audit tells you which of the Act's 44 sections actually create work for your business, and how to close the gaps.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.