DPDP Act Timeline

From the 2017 privacy ruling to full enforcement in May 2027: every date that matters, in one place
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

The DPDP Timeline: How India's Data Law Went From Idea to Enforcement

The DPDP Act timeline did not start in 2023. It started in 2017, when the Supreme Court's Puttaswamy ruling declared privacy a fundamental right of every Indian. That single judgment set the country on a path that ended with the Digital Personal Data Protection Act, 2023, India's first comprehensive data privacy law.

The Act was passed by Parliament on 9 August 2023 and received Presidential assent on 11 August 2023. But the law only became fully operational on 14 November 2025, when the DPDP Rules 2025 were notified. From that day, the Data Protection Board of India went live, and so did the penalty framework of up to ₹250 crore per violation.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The Complete DPDP Timeline, Date by Date

Every milestone from origin to full enforcement, and where each one stands today.

MilestoneDateStatus
Supreme Court Puttaswamy ruling: privacy declared a fundamental right2017Done
DPDP Act passed by Parliament (9 Aug) and Presidential assent (11 Aug)August 2023Done
DPDP Rules 2025 notified, law fully operational14 November 2025Done
Data Protection Board of India active, ₹250 Cr penalty framework liveNovember 2025Live now
Last safe window to start compliance (setup takes 2-6 months)July 2026Now
Consent Manager compliance mandatory, soft enforcement ends13 November 2026~4 months away
Full compliance enforced, all obligations and penalties; IT Act Section 43A repealed13 May 2027~10 months away

The 3-Phase Rollout, Explained Simply

The government did not switch the law on overnight. It rolled DPDP out in three phases so businesses could adjust, but each phase raises the stakes.

Phase 1: Foundation (Nov 2025)

Rules notified on 14 November 2025, the Board goes live, and penalties become legally active. The law exists in full force, but enforcement is still soft while businesses transition.

Phase 2: Consent Era (Nov 2026)

From 13 November 2026, consent-related rules become mandatory and the soft-enforcement window ends. Consent Manager registration also becomes mandatory from this point.

Phase 3: Full Enforcement (May 2027)

From 13 May 2027, every obligation and every penalty is enforced, with no grace period. The old IT Act Section 43A regime is repealed on the same day.

Why November 2026 May Effectively Become the Final Deadline

Here is the part most businesses miss: the government has proposed shortening the 18-month transition to 12 months. If that happens, the comfortable gap between November 2026 and May 2027 disappears, and 13 November 2026 effectively becomes the final deadline for everything.

Even in the current timeline, there is no grace period after 13 May 2027, and old customer data needs valid consent too, so the backlog grows every month you wait. Compliance setup takes 2-6 months, which means the safe window to start is now, not next quarter. Read more about what each date means on our DPDP compliance deadline page, or check whether the law applies to you at all on the DPDP Act applicability page.

The Timeline Is Not Waiting for Anyone

Consent rules mandatory 13 November 2026. Full enforcement 13 May 2027. Compliance setup takes 2-6 months, so counting backwards, your start date is today.

Want the Complete DPDP Picture?

The timeline is just the map. Our main guide covers the full Act: obligations, roles, rights, penalties, and how to get compliant step by step.

Learn Everything About DPDP Compliance

DPDP Timeline: Frequently Asked Questions

When was the DPDP Act passed?

Parliament passed it on 9 August 2023 and Presidential assent came on 11 August 2023. The journey started with the 2017 Supreme Court Puttaswamy ruling, which made privacy a fundamental right.

Where Does Your Business Stand on This Timeline?

One free audit maps your current gaps against every upcoming DPDP date, so you know exactly how much runway you really have.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.