This is an essential move in an age where every click, swipe, or service request leaves behind a trail of personal data. For years, individuals have been handing over personal details – sometimes knowingly, often unknowingly – to access everything from telecom connections to hospital care. Organisations, meanwhile, have collected vast amounts of data. The DPDP Act aims to bring order, accountability and guardrails to this sprawling digital ecosystem. While stiff penalties form the backbone of enforcement, the government has opted for a staggered rollout, giving businesses time to adapt, with full implementation expected by July 2027.
At its core, the act lays down broad principles covering rules for consent, rights and duties of data principals, obligations of data fiduciaries and processors, redress mechanisms, exemptions and penalties. Some parts such as definitions and the creation of a Data Protection Board are already in force. Others, including the processes for taking consent and classifying companies, will come into effect over the next few years.
What the Law Covers
The DPDP Act applies to any digital personal data processed in India and even to data processed abroad if it relates to goods or services offered within the country. Personal data casts a wide net – everything from phone numbers and email IDs to biometrics, financial information, health records, cookies, caste details and more. In short, if it can identify a person, it’s protected. The law applies equally to start-ups, multinational giants, professionals and government departments. There are no exemptions based on size or turnover, meaning a neighbourhood clinic and a global tech platform are held to the same basic standard. By applying uniformly to all entities, the law establishes a consistent and non-discriminatory standard of data protection.
A major shift is the heightened bar for consent. No more vague terms and pre-ticked boxes. Consent must now be clear, informed, specific and unambiguous. Companies must present a notice in English and every Eighth Schedule language and clearly list what data they want, why they want it, and how people can withdraw consent or raise a grievance.
Where the Act Steps Back
The law excludes personal or domestic data processing by individuals, publicly available data, or data processed under legal obligations. It also offers exemptions for research and statistical work, provided approved standards are followed. The most powerful carve-outs, however, lie with the government, which can exempt certain state instrumentalities on grounds such as national security, public order, or foreign relations. The rules do specify processing standards for such cases. These provisions are likely to be tested against the Supreme Court’s privacy judgment in the years ahead.
Responsibilities and Risks
Companies (now formally known as Data Fiduciaries) must adopt reasonable security measures such as encryption, obfuscation, masking, or tokenisation to prevent personal data breaches. Some will be classified as Significant Data Fiduciaries based on the scale and sensitivity of the data they handle, facing stricter compliance requirements.
Children and persons with disabilities receive added protections. Their data can be processed only with verifiable parental or guardian consent, and companies are barred from targeted advertising or behaviour-tracking aimed at children. Non-compliance carries severe financial consequences, with penalties for violations of up to Rs 250 crore.
The other challenge is that the universal application will have different consequences depending on scale and size. Smaller businesses may struggle more with compliance, especially the three-year data retention requirement, which could add operational strain.
The DPDP Act marks a major shift in India’s digital landscape. But awareness, not just legislation, will determine its success. The coming years will test not just organisational readiness, but also how the law balances protection, innovation and constitutional rights in a country of over a billion digital citizens.
