DPDP Act Applicability

Who must comply with India's data protection law, and who is genuinely excluded
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Who Does the DPDP Act Apply To? Almost Certainly, You

"Who does DPDP apply to?" is the first question every business owner asks, and the answer is broader than most expect. The DPDP Act applicability rules cover any entity that processes digital personal data in India, plus foreign entities offering goods or services to people in India. There is no turnover threshold, no headcount limit, and no small-business carve-out.

The simplest test in the Act's logic: if you collect even one customer's email digitally, you are a Data Fiduciary and the law applies to you. That covers shops, clinics, schools, startups, agencies, and enterprises alike.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The Four Pillars of DPDP Act Applicability

Territorial Scope

All digital personal data processed within India is covered, regardless of who processes it or how big they are.

Extraterritorial Scope

Foreign entities offering goods or services to people in India must comply too, even with no office or server in India.

Digital Data Only

The Act covers digital personal data, but offline data that is later digitized (scanned forms, typed-up records) counts fully.

No Size Threshold

No turnover, revenue, or employee-count exemption exists. MSMEs and startups are covered exactly like large enterprises.

What the DPDP Act Does Not Apply To

The exclusions are narrow, and they rarely help a business.

  • Personal or domestic use: an individual keeping contacts on their own phone, or sharing family photos, is not regulated
  • Most publicly available data: personal data the individual made public themselves, or that is public under a legal obligation
  • Purely offline data: paper records that are never digitized, which in a modern business is almost nothing
  • Section 17 exemptions: specific carve-outs for government, national security, research, and legal purposes, explained in our DPDP Act exemptions guide

Note what is not on this list: small businesses, B2B companies, offline-first shops with a WhatsApp customer list, or businesses that "only" hold employee data. If your data touches a computer, the Act applies. If you run an MSME, see our dedicated DPDP for small business guide.

A 30-Second Applicability Self-Test

QuestionIf Yes...
Do you store customer names, emails, or phone numbers digitally?The DPDP Act applies to you
Do you have employees whose records sit in any software or spreadsheet?The DPDP Act applies to you
Do you scan or type paper forms into a computer?That digitized data is covered
Are you a foreign company selling to customers in India?The DPDP Act applies to that data
Is your only "data" your own family contacts on your personal phone?You are excluded (personal/domestic use)

If the Act Applies to You, So Do These Deadlines

  • 13 November 2026: consent rules become mandatory and soft enforcement ends
  • 13 May 2027: full enforcement of all obligations and penalties
  • Setup takes 2-6 months, so the safe window to start is now

Want the Complete DPDP Picture?

Now that you know the Act applies, see everything it requires: consent, security, breach reporting, penalties, and how to get compliant.

Learn Everything About DPDP Compliance

DPDP Act Applicability: Frequently Asked Questions

Who does the DPDP Act apply to?

Any entity processing digital personal data in India, plus foreign entities offering goods or services to people in India. There is no turnover or size threshold: collecting even one customer's email digitally makes you a Data Fiduciary.

The Act Applies to You. Do You Know Your Gaps?

Our free audit shows exactly which obligations apply to your business and where you fall short today.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.