DPDP Act Sections

A plain-language, section-wise summary of India's data protection law
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Act Sections, Explained Without the Legalese

The DPDP Act 2023 is organized into 9 chapters and 44 sections, plus a penalty schedule. Most business owners do not need to read all 44. They need a DPDP Act section wise summary of the dozen or so sections that actually change how they operate. That is exactly what this page gives you, in plain language.

With the DPDP Rules 2025 notified on 14 November 2025, every one of these sections is now backed by an active regulator and a live penalty framework, so understanding them is no longer optional homework.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Section-Wise Summary of the DPDP Act

Section(s)What It CoversWhat It Means for Your Business
3Where the Act appliesCovers digital personal data processed in India, and foreign processing connected to offering goods or services here. Personal or domestic use and data made publicly available by the person themselves are outside the Act.
4-5Grounds for processing and noticeYou may process personal data only with consent or under a listed legitimate use, and you must give a clear, itemized notice before or when asking for consent.
6ConsentConsent must be free, specific, informed, unconditional, unambiguous, and a clear affirmative action. No pre-ticked boxes, and withdrawal must be as easy as giving consent.
7Legitimate usesThe short list of consent-free grounds: voluntary provision, employment, government functions, medical emergencies, disasters, and legal obligations. Nothing like GDPR's "legitimate interest".
8Data Fiduciary dutiesSecurity safeguards, accuracy, breach reporting, data deletion when the purpose is served, grievance handling, and responsibility for your vendors.
9Children's dataVerifiable parental consent for under-18s; no tracking, behavioral monitoring, or targeted ads at minors. Misuse sits in the Rs 200 Cr penalty tier.
10Significant Data FiduciariesGovernment-designated high-volume or high-risk businesses get extra duties: India-based DPO, annual independent audits, and periodic DPIAs.
11-14Rights of Data PrincipalsYour customers can access, correct, and erase their data, raise grievances (the DPDP Rules 2025 set a 90-day resolution window), nominate a representative, and withdraw consent.
15Duties of Data PrincipalsIndividuals have duties too: no impersonation, no false information, and no false or frivolous complaints, which carry a Rs 10,000 penalty.
16Cross-border transfersA blacklist model: transfers are allowed except to government-restricted countries. Sector rules such as RBI payment data localisation still apply.
17ExemptionsEnforcing legal rights and claims, courts and tribunals, crime prevention and investigation, government and national security purposes, and research and statistics. (Personal use and publicly available data sit under Section 3.) See our full DPDP Act exemptions guide.
18 onwardData Protection Board of IndiaThe adjudicating body, active since November 2025: it takes complaints, investigates breaches, and imposes penalties. Appeals go to TDSAT.
33PenaltiesRead with the schedule: up to Rs 250 Cr for missing security safeguards, Rs 200 Cr for breach-reporting failures or children's data misuse, Rs 150 Cr for SDF failures, Rs 50 Cr for other violations.

How to Use This Section-Wise Summary

Think of Sections 4-8 as your day-to-day operating rules (notice, consent, duties), Section 9 as the special regime if you ever touch children's data, Sections 11-14 as the customer-facing processes you must build, and Sections 17 and 33 as the boundaries: what is exempt, and what non-compliance costs.

In practice, compliance means mapping each of these sections to a working system in your business: consent records for Section 6, a breach runbook for Section 8, a grievance workflow for Sections 11-14, and vendor contracts because Section 8 keeps you responsible for your processors. Not sure whether the Act covers you at all? Start with DPDP Act applicability or the quick 5-minute DPDP Act summary.

These Sections Are Enforceable, and the Clock Is Running

  • 13 November 2026: consent rules become mandatory and soft enforcement ends
  • 13 May 2027: full enforcement of all obligations and penalties
  • Setup takes 2-6 months, so the safe window to start is now

Want the Complete DPDP Picture?

See how all these sections come together into one practical compliance plan, deadlines, penalties, checklist, and services included.

Learn Everything About DPDP Compliance

DPDP Act Sections: Frequently Asked Questions

How many sections does the DPDP Act have?

The Act has 9 chapters and 44 sections, plus a penalty schedule. For most businesses, the sections that matter day to day are 4-6 (notice and consent), 7 (legitimate uses), 8 (duties), 9 (children), 10 (SDF), 11-14 (rights), 16-17 (transfers and exemptions), and 33 (penalties).

Turn Sections into a Checklist for Your Business

Our free audit maps every relevant section of the Act to your systems and shows you what to fix first.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.