Status & phased rollout
The DPDP Act received Presidential assent on 11 August 2023 and was published in the Gazette as Act No. 22 of 2023. It remained dormant for over two years. On 13 November 2025, the Ministry of Electronics and Information Technology issued notification G.S.R. 843(E), bringing the Act into force in three phases, and issued G.S.R. 846(E) notifying the Digital Personal Data Protection Rules, 2025.
The three phases are:
- Immediate effect (13 November 2025): foundational definitions and the provisions establishing the Data Protection Board of India under Sections 18 to 26, together with Rules 1, 2 and 17 to 21 governing the constitution, qualifications and digital-by-design functioning of the Board.
- One year from notification (13 November 2026): Section 6(9) and Section 27(1)(d), which together operationalise the Consent Manager framework set out in the First Schedule to the Rules.
- Eighteen months from notification (13 May 2027): the substantive compliance core, including Sections 3 to 5, the remainder of Section 6, and Sections 7 to 17. This covers the application of the Act, grounds for processing, notice, consent, additional obligations relating to children, the obligations of Data Fiduciaries, the rights and duties of Data Principals, the Significant Data Fiduciary regime and cross-border transfer.
Until 13 May 2027, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules") continue to govern the digital privacy framework. Most clients with India-facing operations should therefore work to a real-world deadline of mid-May 2027, while continuing to meet the obligations under the SPDI Rules and the sectoral overlays that already apply today, since nothing in the phased commencement suspends them.
The Data Protection Board is already constituted. Compliance under the substantive DPDP obligations is not enforceable until May 2027, but breach response, consent architecture, processor contracting and data mapping all take many months to design and roll out properly. The window between now and May 2027 is short, not long.
Scope & extraterritorial reach
Section 3 of the DPDP Act sets out the scope of the legislation. It regulates the processing of digital personal data, that is, personal data in digital form, whether originally collected digitally or digitised after collection. Section 3(a) brings within scope processing within the territory of India where the personal data is collected in digital form, or in non-digital form and digitised subsequently. Section 3(b) provides for extraterritorial reach, extending the Act to processing outside India that is in connection with any activity relating to the offering of goods or services to Data Principals within India.
The practical effect of Section 3(b) is that a SaaS company based in San Francisco that lets Indian users sign up is within scope, even with no Indian office, no Indian server and no Indian employee. So is a global ad-tech intermediary serving impressions to Indian devices.
Section 3(c) carves out two categories of processing from the Act: personal data processed by an individual for any personal or domestic purpose, and personal data that is made or caused to be made publicly available by the Data Principal to whom it relates, or by any other person under a legal obligation to make it public. Anonymised data falls outside the Act for a different reason: it is not personal data at all, because the individual is no longer identifiable from it.
Who is who: Fiduciary, Processor, Principal
The DPDP Act uses three core terms that determine where each compliance obligation lands.
- Data Principal, the individual to whom the personal data relates. Where that individual is a child, the term includes her parents or lawful guardian; where she is a person with disability, it includes her lawful guardian acting on her behalf.
- Data Fiduciary, any person who, alone or in conjunction with others, determines the purpose and means of processing. The closest analogue to a Controller under the GDPR.
- Data Processor, any person who processes personal data on behalf of a Data Fiduciary.
The Data Fiduciary carries the bulk of the statutory burden. A Processor that strays outside the documented instructions of the Fiduciary risks being treated as a Fiduciary in its own right for that excursion.
Consent & notice
The default lawful basis under the DPDP Act is consent, governed by Section 6. To be valid, consent must be free, specific, informed, unconditional and unambiguous, expressed through clear affirmative action, and limited to the personal data necessary for the specified purpose.
Before or at the time of seeking consent, the Data Fiduciary must give the Data Principal a notice under Section 5 setting out the personal data being collected and the purpose of processing, the manner of exercising rights under the Act, and the manner of complaining to the Data Protection Board. Rule 3 of the DPDP Rules, 2025 prescribes the content of the notice in more detail: it must be presented in clear and plain language, must stand on its own without cross-references to other documents, and must be made available in English or any language listed in the Eighth Schedule to the Constitution.
Bundled consents, pre-checked boxes, and consent buried in a thirty-page click-through are all on shaky ground. So is asking for consent to "all features" of a product when only one is being used. Consent must be capable of being withdrawn as easily as it was given. On withdrawal the Data Fiduciary must, within a reasonable time, cease processing and cause its Data Processors to cease processing the personal data, unless processing without consent is required or authorised under the Act, the Rules or another law. Withdrawal does not affect the legality of processing carried out before it, and the consequences of withdrawal are borne by the Data Principal.
Legitimate uses
Section 7 of the DPDP Act recognises a closed list of "certain legitimate uses" for which personal data may be processed without consent. These include:
- The specified purpose for which the Data Principal has voluntarily provided her personal data, where she has not indicated that she does not consent to its use for that purpose;
- Provision by the State or any of its instrumentalities of a subsidy, benefit, service, certificate, licence or permit, subject to the conditions in Section 7(b);
- Performance of a function by the State or its instrumentality under any law, or in the interest of sovereignty and integrity of India or security of the State;
- Compliance with any judgment, decree or order issued under any law for the time being in force;
- Responding to a medical emergency involving a threat to life or an immediate threat to the health of the Data Principal or any other individual;
- Providing medical treatment or health services during an epidemic, outbreak of disease or any other threat to public health;
- Ensuring safety of, or providing assistance or services to, any individual during a disaster or breakdown of public order;
- Purposes related to employment, or safeguarding the employer from loss or liability, such as preventing corporate espionage, maintaining the confidentiality of trade secrets or intellectual property, or providing a service or benefit sought by an employee.
This list is exhaustive. The DPDP Act does not include the broad "legitimate interests" basis familiar from the GDPR; reliance on a "soft legitimate interest" argument is therefore unsafe.
Significant Data Fiduciaries
The Central Government may, by notification under Section 10, classify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary. The criteria laid down in the statute are:
- volume and sensitivity of personal data processed;
- risk to the rights of Data Principals;
- potential impact on the sovereignty and integrity of India;
- risk to electoral democracy;
- security of the State;
- public order.
Section 10 and Rule 13 of the DPDP Rules, 2025 together impose four core additional obligations on a Significant Data Fiduciary. First, the SDF must appoint a Data Protection Officer based in India who is an individual responsible to the Board of Directors or equivalent governing body, and who is the point of contact for grievance redressal. Second, the SDF must appoint an independent data auditor to carry out periodic audits to evaluate compliance with the Act and Rules. Third, the SDF must conduct a Data Protection Impact Assessment and a data audit at least once every twelve months, and the person conducting them must submit a report of significant observations to the Data Protection Board. Fourth, the SDF must verify that algorithmic software used for the hosting, display, uploading, modification, transmission, storage or sharing of personal data is not likely to pose a risk to the rights of Data Principals.
Rule 13(4) additionally empowers the Central Government, on the recommendations of a designated committee, to specify categories of personal data that an SDF must process subject to the restriction that the data and the traffic data pertaining to its flow are not transferred outside India. This is a targeted localisation power that sits within the otherwise permissive cross-border transfer framework.
Banks, large consumer-internet platforms, healthcare aggregators, credit information companies and certain telecom and e-commerce players are obvious candidates for designation, though no class has yet been formally notified.
Rights of Data Principals
Sections 11 to 14 of the DPDP Act give Data Principals four substantive rights:
- Right to information (Section 11), a summary of the personal data being processed and the processing activities, the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared together with a description of the data shared, and any other prescribed information.
- Right to correction and erasure (Section 12), correction of inaccurate or misleading data, completion of incomplete data, updating of out-of-date data, and erasure of data no longer required for the purpose for which it was processed.
- Right of grievance redressal (Section 13), exercisable first against the Data Fiduciary (or the Consent Manager), and only thereafter against the Data Protection Board. Rule 14 of the DPDP Rules, 2025 requires the Data Fiduciary or Consent Manager to address the grievance within ninety days.
- Right to nominate (Section 14), any individual to exercise the Data Principal's rights in the event of death or incapacity.
The DPDP Act does not include a right to data portability, which is one of the more visible departures from the GDPR.
The Third Schedule to the Rules also sets default retention periods for specific large user-facing sectors. E-commerce entities with two crore or more registered users, online gaming entities with fifty lakh or more registered users, and social media intermediaries with two crore or more registered users must, in general, erase a Data Principal's personal data three years after her last interaction with the service (or after the commencement of the Rules, if that is later), having informed her at least forty-eight hours before the erasure is carried out.
Consent Managers
The Consent Manager is one of the more genuinely novel features of the DPDP Act. Under Section 6(7), a Consent Manager is a person registered with the Data Protection Board that gives Data Principals an accessible, transparent and interoperable platform to give, manage, review and withdraw consent across multiple Data Fiduciaries. The First Schedule to the DPDP Rules, 2025 sets out the registration conditions in Part A and the operating obligations in Part B, including a fiduciary duty owed to the Data Principal, conflict-of-interest constraints in dealings with Data Fiduciaries, technical interoperability standards and a seven-year record-retention requirement for consent activity.
The Consent Manager provisions take effect from 13 November 2026, one year after the Rules were notified. The design draws on the Reserve Bank of India's Account Aggregator framework, which solved an analogous problem in the financial services sector.
I have written about this in detail for the International Bar Association, see Consent Managers: An Indian Solution for Managing Consent.
Breach notification
Section 8(6) of the DPDP Act requires a Data Fiduciary to give intimation of a personal data breach to the Data Protection Board and to each affected Data Principal in the prescribed form and manner. Rule 7 of the DPDP Rules, 2025 prescribes a two-stage notification process.
On becoming aware of any personal data breach, the Data Fiduciary must intimate each affected Data Principal without delay, through her user account or registered mode of communication, in a concise, clear and plain manner. The notice must describe the breach (its nature, extent and timing), the likely consequences for the Data Principal, the mitigation measures being taken, the safety measures she may take, and a business contact who can respond to her queries.
The Board must be intimated in two stages. The Data Fiduciary must give the Board an initial intimation without delay, describing the nature, extent, timing, location and likely impact of the breach. Then, within seventy-two hours of becoming aware of the breach (or within such longer period as the Board may allow on a written request), the Data Fiduciary must submit a detailed report containing updated information on the breach, the broad facts, circumstances and reasons leading to the breach, mitigation measures implemented or proposed, findings on the person who caused the breach, remedial measures to prevent recurrence, and a report on the intimations sent to affected Data Principals.
The CERT-In Directions of April 2022 continue to apply alongside the DPDP framework. A notifiable cyber incident triggers a six-hour reporting deadline to CERT-In under Section 70B of the Information Technology Act, 2000. A personal data breach that is also a notifiable cyber incident therefore engages two parallel clocks: six hours to CERT-In, and the two-stage filing to the Data Protection Board, an initial intimation without delay followed by the detailed report within seventy-two hours. The two triggers are not the same. A "personal data breach" under Section 2(u) of the Act is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of the data; a misdirected e-mail or a lost laptop can be a breach that must be notified to the Board without being a cyber incident, and a CERT-In incident involving no personal data is not a DPDP breach at all. The substantive obligations under Section 8 and Rule 7 take effect from 13 May 2027, but the CERT-In Directions are already in force, and incident response plans should be built to satisfy both.
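As an added illustration, not drawn from the article, here is a small Python deadline tracker of the kind an incident-response runbook can be built around. It encodes only the windows stated above (six hours to CERT-In, seventy-two hours to the Board for the detailed report, extendable on written request). The twenty-four-hour target it uses for the "without delay" filings is an internal service-level assumption, not a figure from the Rules, and whether an event is also a CERT-In notifiable incident is an input supplied by the responder, not something the code decides. The incident timestamps are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as the article states them: six hours to CERT-In under the April 2022
# Directions, and a detailed report to the Data Protection Board within
# seventy-two hours under Rule 7 of the DPDP Rules, 2025.
CERT_IN_WINDOW = timedelta(hours=6)
DPDP_DETAILED_REPORT_WINDOW = timedelta(hours=72)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp from a ticket or SIEM alert; naive values are taken as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


@dataclass
class BreachClock:
    """Every filing deadline that starts running when the Data Fiduciary becomes aware of a breach."""
    aware_at: datetime                            # time of awareness (tz-aware)
    cert_in_notifiable: bool                      # also a CERT-In cyber incident? The IR team decides, not the code
    board_extension_hours: Optional[int] = None   # longer period allowed by the Board on written request, if granted
    without_delay_target_hours: int = 24          # ASSUMPTION: internal target for "without delay" filings, not a rule
    filed: dict[str, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        if (self.board_extension_hours is not None
                and timedelta(hours=self.board_extension_hours) < DPDP_DETAILED_REPORT_WINDOW):
            raise ValueError("a Board extension can only lengthen the seventy-two-hour window")

    def deadlines(self) -> dict[str, datetime]:
        report_window = (timedelta(hours=self.board_extension_hours)
                         if self.board_extension_hours is not None else DPDP_DETAILED_REPORT_WINDOW)
        # Rule 7 gives no numeric window for "without delay"; the internal target makes
        # those filings show up as overdue if the team sits on them.
        soon = self.aware_at + timedelta(hours=self.without_delay_target_hours)
        due = {
            "dpdp_principal_notice": soon,
            "dpdp_initial_intimation": soon,
            "dpdp_detailed_report": self.aware_at + report_window,
        }
        if self.cert_in_notifiable:
            due["cert_in_report"] = self.aware_at + CERT_IN_WINDOW
        return due

    def record_filing(self, name: str, at: datetime) -> None:
        if name not in self.deadlines():
            raise KeyError(f"unknown filing: {name}")
        self.filed[name] = at

    def status(self, now: datetime) -> dict[str, str]:
        """One of 'filed', 'filed_late', 'open' or 'overdue' per filing, as at `now`."""
        out: dict[str, str] = {}
        for name, due in self.deadlines().items():
            if name in self.filed:
                out[name] = "filed" if self.filed[name] <= due else "filed_late"
            else:
                out[name] = "overdue" if now > due else "open"
        return out

    def next_due(self, now: datetime) -> Optional[tuple[str, timedelta]]:
        """Earliest unfiled deadline and the time left on it (negative once it has passed)."""
        pending = [(due, name) for name, due in self.deadlines().items() if name not in self.filed]
        if not pending:
            return None
        due, name = min(pending)
        return name, due - now


if __name__ == "__main__":
    # Constructed incident: awareness at 09:00 UTC, confirmed as a CERT-In notifiable incident.
    clock = BreachClock(aware_at=parse_ts("2026-05-04T09:00:00+00:00"), cert_in_notifiable=True)
    clock.record_filing("cert_in_report", parse_ts("2026-05-04T13:30:00+00:00"))
    for name, state in clock.status(parse_ts("2026-05-08T09:00:00+00:00")).items():
        print(f"{name:26s} {state}")
    print("next due:", clock.next_due(parse_ts("2026-05-04T10:00:00+00:00")))
```

The point of keeping `cert_in_notifiable` as an input is that the classification is a judgement the responder makes against the CERT-In list of incident types; the tracker only makes sure that, once that call is made, the six-hour clock is visible next to the DPDP ones rather than in a separate playbook.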
Cross-border transfer
Section 16 of the DPDP Act adopts a "negative list" approach. Personal data may be transferred outside India to any country except those that the Central Government specifically restricts by notification. This is a meaningful departure from the GDPR's "adequacy plus safeguards" architecture: by default, cross-border transfer is permitted, and a restriction must be affirmatively imposed. No country has yet been notified as restricted.
Rule 15 of the DPDP Rules, 2025 adds a separate layer. Any transfer of personal data outside India is subject to such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State. This is a foreign-state-access overlay that applies regardless of the country list under Section 16. As of May 2026, no such order has been issued.
Rule 13(4) imposes a further targeted localisation power on Significant Data Fiduciaries: the Government may specify categories of personal data and traffic data pertaining to its flow that an SDF must process subject to a restriction on transfer outside India.
Sectoral regulators may, in addition, prescribe stricter localisation requirements, and several already do, including the Reserve Bank of India for payment system data and the Securities and Exchange Board of India for certain regulated entities. These sectoral overlays are not displaced by the DPDP Act.
Children's data
Section 2(f) of the DPDP Act defines a child as any individual under the age of 18. Section 9 imposes three core obligations on Data Fiduciaries processing the personal data of children: verifiable consent from the parent or lawful guardian must be obtained before processing, processing that is likely to cause any detrimental effect on the well-being of a child is prohibited, and tracking, behavioural monitoring and targeted advertising directed at children is prohibited.
Rule 10 of the DPDP Rules, 2025 specifies the approved methods for obtaining verifiable parental consent, including reliance on identity verification linked to DigiLocker or any other electronic mechanism designated by the Central Government. Rule 12 provides for limited, conditional exemptions from Section 9(1) and 9(3) where the processing is undertaken by specified classes of Data Fiduciary (Fourth Schedule, Part A) or for specified purposes (Fourth Schedule, Part B), principally for healthcare, educational and certain child-safety contexts. The Central Government may also exempt classes of Data Fiduciary from one or more obligations in respect of children of specified ages.
Penalties & the Data Protection Board
The DPDP Act creates the Data Protection Board of India under Sections 18 to 26 as a body to inquire into breaches and impose penalties. The Board is now constituted and operational. The Schedule to the Act sets out the maximum monetary penalty for each category of breach:
- Up to INR 250 crore for failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under Section 8(5);
- Up to INR 200 crore for failure to give intimation to the Board or affected Data Principals under Section 8(6);
- Up to INR 200 crore for breach of any of the additional obligations relating to children under Section 9;
- Up to INR 150 crore for breach of any of the additional obligations of a Significant Data Fiduciary under Section 10;
- Up to INR 10,000 for breach of the duties of a Data Principal under Section 15;
- Up to INR 50 crore for breach of any other provision of the Act or the Rules.
Section 33(2) requires the Board, in determining the amount of a penalty, to have regard to the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, whether the person concerned realised a gain or avoided a loss as a result of it, the mitigation steps taken and their timeliness, whether the penalty is proportionate and effective, and its likely impact on the person. Section 32 provides for voluntary undertakings: a person may offer terms to address a concern, acceptance by the Board bars further proceedings on the same matter, and failure to adhere to an accepted undertaking is deemed a breach of the Act and can be penalised as such. Appeals from the Board lie to the Telecom Disputes Settlement and Appellate Tribunal under Section 29.
A compliance starting point
With the substantive compliance core taking effect on 13 May 2027, the runway is eighteen months from the November 2025 notification, and a good part of it has already run. A sensible early sequence looks like this:
- Map the personal data your organisation collects, where it sits, who processes it, and on what basis.
- Identify which processing activities you can defensibly anchor in a recognised legitimate use under Section 7, and which need standalone consent under Section 6.
- Re-engineer the consent journey to meet Rule 3: standalone notice, plain language, available in English or any Eighth Schedule language, granular toggles, accessible withdrawal, demonstrable audit trail.
- Tighten your processor contracts. Section 8(1) keeps the obligation on the Fiduciary, and Rule 6(f) requires the Data Fiduciary to ensure processors implement reasonable security safeguards.
- Stand up a breach detection and response process that meets the Rule 7 two-stage timeline and the CERT-In six-hour parallel obligation.
- Map sectoral data-localisation overlays that already apply to your business, including RBI, SEBI and IRDAI requirements.
- If you might be classified as a Significant Data Fiduciary, plan the DPO, independent auditor and annual DPIA architecture before you are notified.
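As an added illustration of the consent-journey step above (example code, not from the article), here is a minimal per-purpose consent ledger in Python with the properties Section 6 and Rule 3 point to: one specified purpose per consent event, withdrawal as a single call with no more friction than the grant, point-in-time lookup so processing code can refuse once consent has been withdrawn, and a hash-chained record that can be verified afterwards as the audit trail. The purpose names and notice versions are hypothetical, the timestamps are constructed, and nothing in it is a prescribed format.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # previous-hash value for the first event in the chain


def parse_ts(value: str) -> datetime:
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def _digest(prev_hash: str, fields: dict) -> str:
    """SHA-256 over the previous hash and a canonical encoding of this event's fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # exactly one specified purpose per event: no "all features" grants
    action: str           # "grant" or "withdraw"
    at: str               # ISO 8601 timestamp
    notice_version: str   # the Rule 3 notice the Principal was shown ("" on withdrawal)
    prev_hash: str        # hash of the preceding event, chaining the trail
    hash: str             # _digest(prev_hash, fields())

    def fields(self) -> dict:
        return {"principal_id": self.principal_id, "purpose": self.purpose, "action": self.action,
                "at": self.at, "notice_version": self.notice_version}


class ConsentLedger:
    """Append-only consent record. `purposes` are the specified purposes named in the notice."""

    def __init__(self, purposes: set[str]) -> None:
        self.purposes = purposes
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                at: Optional[str], notice_version: str) -> ConsentEvent:
        if purpose not in self.purposes:
            raise ValueError(f"purpose {purpose!r} is not a specified purpose in the notice")
        stamp = (parse_ts(at) if at else datetime.now(timezone.utc)).isoformat()
        fields = {"principal_id": principal_id, "purpose": purpose, "action": action,
                  "at": stamp, "notice_version": notice_version}
        prev = self._events[-1].hash if self._events else GENESIS
        event = ConsentEvent(**fields, prev_hash=prev, hash=_digest(prev, fields))
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: Optional[str] = None) -> ConsentEvent:
        return self._append(principal_id, purpose, "grant", at, notice_version)

    def withdraw(self, principal_id: str, purpose: str, at: Optional[str] = None) -> ConsentEvent:
        # A single call with no extra inputs: withdrawing is never harder than granting.
        return self._append(principal_id, purpose, "withdraw", at, "")

    def is_consented(self, principal_id: str, purpose: str, at: Optional[str] = None) -> bool:
        """Whether consent for `purpose` stood at time `at` (default: current state).
        Processing code should gate on this so that processing stops after withdrawal."""
        cutoff = parse_ts(at) if at else None
        state = False
        for ev in self._events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if cutoff is not None and parse_ts(ev.at) > cutoff:
                continue
            state = ev.action == "grant"
        return state

    def history(self, principal_id: str) -> list[ConsentEvent]:
        return [ev for ev in self._events if ev.principal_id == principal_id]

    def verify(self) -> bool:
        """Recompute the chain; False if any event was altered, removed or reordered."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or _digest(prev, ev.fields()) != ev.hash:
                return False
            prev = ev.hash
        return True
```

In production the chain head would be anchored somewhere the application cannot rewrite (a write-once store or a signed daily digest); the hash chain on its own only proves that the record is internally consistent, not that nobody with write access replaced it wholesale.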
Sectors with large user bases, particularly e-commerce, online gaming and social media intermediaries above the thresholds in the Third Schedule, should also build the retention and deletion workflows the Schedule contemplates.
I advise Indian and global businesses on DPDP compliance programmes, privacy notices and consent flows, processor contracting, breach response, Significant Data Fiduciary readiness, and the privacy chapters of M&A diligence. Get in touch if you need help thinking through a specific issue.