Is the DPDP Act in force yet?

The Act was enacted in 2023 and its implementing Rules were notified in November 2025, but most substantive compliance obligations apply in phases, so organizations should prepare during the transition.

Who enforces the DPDP Act?

The Data Protection Board of India investigates breaches, hears complaints and imposes penalties, while individuals can file and track complaints through a dedicated portal.

Does the DPDP Act apply to companies outside India?

Yes. It applies to processing of digital personal data outside India when that processing is connected to offering goods or services to individuals within India.

🇮🇳 India · Data privacy

DPDP Act

Digital Personal Data Protection Act, 2023

The DPDP Act is India's first comprehensive law governing the processing of digital personal data, enacted on 11 August 2023. The implementing rules were notified in November 2025, with substantive obligations rolling out in phases. It establishes consent as the primary basis for processing and creates the Data Protection Board of India as enforcer.

Jurisdiction:🇮🇳 India

Type:Data privacy

In effect:2023

Authority:Data Protection Board of India

Who it applies to

Data Fiduciaries handling digital personal data within India, and processing outside India that is connected to offering goods or services to individuals in India.

Identity requirements

Obtain free, specific, informed and unambiguous consent before processing personal data, supported by a clear itemized notice
Provide consent withdrawal that is as easy as giving consent, and honor rights to access, correction and erasure
Use Consent Managers (a registered intermediary role under the Rules) to record and manage consent where applicable
Verify parental consent before processing the personal data of children under 18, and avoid targeted advertising directed at children
Apply enhanced obligations for Significant Data Fiduciaries, including a Data Protection Officer and periodic Data Protection Impact Assessments
Implement reasonable security safeguards and notify the Board and affected individuals of breaches

How it impacts identity systems

Identity area	Impact
Customer identity & consent (CIAM)	Consent is the core lawful basis, requiring granular notice, easy withdrawal and Consent Manager integration in user-facing identity flows.
Identity verification (KYC/proofing)	Verifiable parental consent for users under 18 forces age assurance and identity proofing in onboarding.
Breach notification	Data Fiduciaries must notify the Data Protection Board and affected data principals of personal data breaches.
Data residency & cross-border transfer	Cross-border transfers are permitted except to countries the central government may restrict, so transfer destinations must be governed.
Audit, logging & accountability	Significant Data Fiduciaries must appoint a DPO, run impact assessments and maintain accountability records.

Penalties

Financial penalties of up to 2.5 billion rupees per instance for failure to take reasonable security safeguards, imposed by the Data Protection Board after inquiry.

Official source

https://egazette.gov.in/WriteReadData/2023/248045.pdf

DPDP Act: frequently asked questions

Is the DPDP Act in force yet?: The Act was enacted in 2023 and its implementing Rules were notified in November 2025, but most substantive compliance obligations apply in phases, so organizations should prepare during the transition.
Who enforces the DPDP Act?: The Data Protection Board of India investigates breaches, hears complaints and imposes penalties, while individuals can file and track complaints through a dedicated portal.
Does the DPDP Act apply to companies outside India?: Yes. It applies to processing of digital personal data outside India when that processing is connected to offering goods or services to individuals within India.

Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel. See all India regulations or the full country index.