What is the Digital Personal Data Protection Act (DPDPA)?
The Digital Personal Data Protection Act (DPDPA), enacted in August 2023, is India’s comprehensive privacy law governing the processing of digital personal data. It aims to safeguard individual privacy while enabling responsible data use for lawful purposes such as governance, innovation, and service delivery. It applies to personal data collected online, or collected offline and subsequently digitised, and covers entities both within and outside India if they offer goods or services to, or monitor the behaviour of, individuals in India.
When did the DPDPA come into force?
The Act was passed in August 2023. Its key provisions were implemented in 2024, followed by the introduction of detailed rules by MeitY in January 2025. These rules became operational through phased enforcement in 2025, bringing full legal effect to its obligations, penalties, and rights enforcement mechanisms.
Who does the DPDPA apply to?
The DPDPA has a broad scope and applies to a wide range of entities:
The Act excludes personal or household activities and data that has been fully anonymised or lawfully made public.
What qualifies as personal data under the DPDPA?
Personal data is any digital information that can directly or indirectly identify an individual. This includes:
What are the key principles of the DPDPA?
The Act outlines foundational principles to guide data processing:
What rights do individuals (Data Principals) have?
The DPDPA grants individuals several rights to help them control their data:
What is consent under the DPDPA?
Consent must be:
Notices must be in plain language and accessible formats.
Who are Data Fiduciaries and Data Processors?
Fiduciaries bear primary responsibility for compliance.
What are Significant Data Fiduciaries (SDFs)?
SDFs are high-impact entities that process large volumes of data or sensitive information. They have additional obligations:
What changed under the DPDPA Rules, 2025?
The 2025 rules provide further clarity and enforcement mechanisms:
How is children’s data treated?
Children receive special protection under the Act:
What are the security obligations?
All Data Fiduciaries must:
What are the rules on data retention and deletion?
Data must be deleted when:
High-volume entities such as e-commerce or social media platforms must delete unused data after 3 years of inactivity, giving the individual 48 hours’ prior notice.
Are there exemptions?
Yes, specific exemptions apply:
What about cross-border data transfers?
What is the grievance redressal process?
What are the penalties for non-compliance?
Fines consist of:
Do SMEs and startups need to comply?
Yes, however:
What are Consent Managers?
These are government-registered platforms that help individuals manage their consents across different services. They ensure:
Where can I find official DPDPA resources?