Digital Personal Data Protection Act 2023

Applies to

Any 'Data Fiduciary' processing 'digital personal data' of individuals in India, plus extra-territorial reach where processing relates to offering goods/services to data principals in India. Significant Data Fiduciaries (notified separately) face heightened obligations including DPIA, audit and a Data Protection Officer.

Key points

• Consent must be free, specific, informed and unambiguous; consent-manager intermediaries permitted.
• Breach notification: 72 hours to the Board; 'without delay' to affected data principals.
• Children: under-18 default; verifiable parental consent required; behavioural-tracking + targeted-advertising restrictions.
• Penalties up to ₹250 cr per breach (graded); appeals to TDSAT.
• Significant Data Fiduciary obligations: DPIA, periodic audit, DPO based in India.

Applicability triggers

• Processing of digital personal data of natural persons in India
• Offering goods or services to individuals in India from outside India
• Notified Significant Data Fiduciary (volume + sensitivity criteria)

Practitioner questions

• Is our online lead-capture form compliant with DPDP consent + notice rules?
• Are we likely to be classified as a Significant Data Fiduciary based on the May 2025 thresholds?
• What is the breach-notification workflow under the DPDP Rules 2025 — and does it overlap with the CERT-In 6-hour direction?

Sources

• DPDP Act 2023
• DPDP Rules 2025 (Gazette)
• Data Protection Board of India