India's first comprehensive data privacy legislation — empowering citizens, governing data fiduciaries, and building a trusted digital economy.
Enforcement Timeline
The DPDP Act rolls out in 3 phases.
Rules 1, 2 & 17–21 are live. The Data Protection Board of India (DPBI) has been formally constituted in the NCR with 4 members. Administrative and procedural provisions are now operative.
Rule 4 activates — Consent Managers can register with the DPBI. Organizations must prepare their consent architecture and Consent Manager integrations ahead of this deadline.
Rules 3, 5–16, 22 & 23 come into force — covering consent notices, security safeguards, breach reporting, data erasure, children's data, cross-border transfers, and penalties up to ₹250 Crore.
About the Act
The Digital Personal Data Protection Act, 2023 was passed by India's Parliament and received Presidential assent on 11 August 2023. It establishes a legal framework for the processing of digital personal data, balancing the right to privacy of individuals with the need to process data for lawful purposes.
It applies to the processing of digital personal data within India as well as outside India if it involves offering goods or services to individuals in India.
Core Pillars
Personal data must be processed only for a lawful purpose, with free, specific, informed, unconditional, and unambiguous consent of the Data Principal.
Data can only be collected for a specific, clear, and lawful purpose and cannot be used for any other purpose without re-consent.
Only the data that is necessary for the specified purpose should be collected — no excess or superfluous data collection is allowed.
Personal data may be transferred to notified countries/territories. The government may restrict transfers to certain jurisdictions as needed.
Entities processing large volumes of data will be designated as "Significant Data Fiduciaries" and face heightened obligations including DPO appointments and audits.
Processing of children's (under 18) personal data requires verifiable parental consent. Tracking or behavioural monitoring of children is prohibited.
Data Principal Rights
Every Indian citizen whose data is processed has the following statutory rights guaranteed under the DPDP Act 2023.
Right to obtain a summary of personal data being processed and activities undertaken with it by the Data Fiduciary.
Right to correct inaccurate or misleading personal data, complete incomplete data, update outdated data, or request erasure.
The Data Principal may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing done prior to withdrawal.
Right to readily available means of grievance redressal before the Data Fiduciary or Consent Manager within a defined timeframe.
Right to nominate another individual who shall, in the event of death or incapacity, exercise the rights of the Data Principal.
If a grievance is not resolved by the Data Fiduciary, the Data Principal may file a complaint with the Data Protection Board of India.
Right to request a copy of personal data held by the Data Fiduciary in a structured, readable format as per the rules specified.
Compliance
Organisations that collect and process personal data must meet these mandatory obligations.
Implement appropriate technical and organisational measures to ensure security of personal data and prevent data breaches.
In the event of a personal data breach, promptly notify the Data Protection Board and each affected Data Principal.
Erase personal data when the purpose for which it was collected is no longer being served or when consent is withdrawn.
Ensure the personal data processed is complete, accurate, and consistent — especially for data used to make decisions affecting the Data Principal.
Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) based in India, responsible for compliance and grievance redressal.
Significant Data Fiduciaries must conduct periodic Data Protection Impact Assessments (DPIA) and independent data audits.
Before collecting data, provide a clear and plain-language notice describing what data is collected, the purpose, and the rights available.
Data Fiduciaries remain responsible for data processed by Data Processors on their behalf and must ensure contractual compliance.
Enforcement
The Act prescribes significant financial penalties to ensure compliance and deter violations.
Failure to protect children's personal data, or tracking/monitoring of children's online behaviour without consent.
Non-notification of a personal data breach to the Data Protection Board and affected individuals in a timely manner.
Violations of obligations by Significant Data Fiduciaries, including inadequate security safeguards or improper data processing.
Penalties for Data Principals who impersonate others, suppress information, or file frivolous complaints with the Board.
Regulator
The DPDP Act establishes the Data Protection Board of India (DPB) as the independent adjudicatory body to enforce the law.
Data Protection Board
An independent statutory authority under the Ministry of Electronics & Information Technology (MeitY), tasked with enforcement and adjudication under the DPDP Act 2023.
Legislative Journey
The Supreme Court of India unanimously ruled that privacy is a fundamental right under the Indian Constitution — setting the stage for data protection legislation.
Justice B.N. Srikrishna's committee released a white paper followed by a draft Personal Data Protection Bill outlining a framework for India.
The Personal Data Protection Bill 2019 was introduced in Parliament and referred to a Joint Parliamentary Committee. After extensive deliberations, the original bill was withdrawn in 2022.
A revised, leaner Digital Personal Data Protection Bill 2023 was introduced in the Lok Sabha. It passed both houses of Parliament swiftly.
The Digital Personal Data Protection Act 2023 received Presidential assent and was published in the Official Gazette — becoming the law of the land.
MeitY officially notified the DPDP Rules, 2025 and the Data Protection Board of India (DPBI) was constituted. Rules 1, 2 & 17–21 came into immediate effect.
Rule 4 activates — Consent Managers can register with the DPBI. Organizations must have consent architectures ready.
All substantive provisions come into force — consent notices, security safeguards, breach reporting, data erasure, children's data protections, and cross-border transfer rules. Full penalties (up to ₹250 Cr) apply.
Scope
Certain entities and purposes are exempt from all or some provisions of the Act.