

The DPDP Act timeline did not start in 2023. It started in 2017, when the Supreme Court's Puttaswamy ruling declared privacy a fundamental right of every Indian. That single judgment set the country on a path that ended with the Digital Personal Data Protection Act, 2023, India's first comprehensive data privacy law.
The Act was passed by Parliament on 9 August 2023 and received Presidential assent on 11 August 2023. But the law only became fully operational on 14 November 2025, when the DPDP Rules 2025 were notified. From that day, the Data Protection Board of India went live, and so did the penalty framework of up to ₹250 crore per violation.
No cost. No obligation. Get your compliance gap report.
Every milestone from origin to full enforcement, and where each one stands today.
| Milestone | Date | Status |
|---|---|---|
| Supreme Court Puttaswamy ruling: privacy declared a fundamental right | 2017 | Done |
| DPDP Act passed by Parliament (9 Aug) and Presidential assent (11 Aug) | August 2023 | Done |
| DPDP Rules 2025 notified, law fully operational | 14 November 2025 | Done |
| Data Protection Board of India active, ₹250 Cr penalty framework live | November 2025 | Live now |
| Last safe window to start compliance (setup takes 2-6 months) | July 2026 | Now |
| Consent Manager compliance mandatory, soft enforcement ends | 13 November 2026 | ~4 months away |
| Full compliance enforced, all obligations and penalties; IT Act Section 43A repealed | 13 May 2027 | ~10 months away |
The government did not switch the law on overnight. It rolled DPDP out in three phases so businesses could adjust, but each phase raises the stakes.
Rules notified on 14 November 2025, the Board goes live, and penalties become legally active. The law exists in full force, but enforcement is still soft while businesses transition.
From 13 November 2026, consent-related rules become mandatory and the soft-enforcement window ends. Consent Manager registration also becomes mandatory from this point.
From 13 May 2027, every obligation and every penalty is enforced, with no grace period. The old IT Act Section 43A regime is repealed on the same day.
Here is the part most businesses miss: the government has proposed shortening the 18-month transition to 12 months. If that happens, the comfortable gap between November 2026 and May 2027 disappears, and 13 November 2026 effectively becomes the final deadline for everything.
Even in the current timeline, there is no grace period after 13 May 2027, and old customer data needs valid consent too, so the backlog grows every month you wait. Compliance setup takes 2-6 months, which means the safe window to start is now, not next quarter. Read more about what each date means on our DPDP compliance deadline page, or check whether the law applies to you at all on the DPDP Act applicability page.
Consent rules mandatory 13 November 2026. Full enforcement 13 May 2027. Compliance setup takes 2-6 months, so counting backwards, your start date is today.
The timeline is just the map. Our main guide covers the full Act: obligations, roles, rights, penalties, and how to get compliant step by step.
Learn Everything About DPDP ComplianceParliament passed it on 9 August 2023 and Presidential assent came on 11 August 2023. The journey started with the 2017 Supreme Court Puttaswamy ruling, which made privacy a fundamental right.
On 14 November 2025, when the DPDP Rules 2025 were notified. The Data Protection Board of India went live at the same time, along with the ₹250 crore per violation penalty framework.
Two: 13 November 2026, when consent rules become mandatory and soft enforcement ends, and 13 May 2027, when full compliance is enforced and IT Act Section 43A is repealed.
Yes. The government has proposed cutting the 18-month transition to 12 months, which could make November 2026 effectively the final deadline. There is no grace period after 13 May 2027 either way.
One free audit maps your current gaps against every upcoming DPDP date, so you know exactly how much runway you really have.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.