The DPDP Act Explained: What Every Indian Company Must Know

The DPDP Act Explained: What Every Indian Company Must Know

India’s new data privacy law changes how businesses collect and handle customer information. Get the DPDP Act explained, from consent rules to penalties.

Priyanka Choudhury

Written by

Priyanka Choudhury

Date

Read time

8 min

The DPDP Act Explained: What Every Indian Company Must Know

For years, collecting customer data in India was a reflex.

Apps asked for phone numbers just to show you a menu. Websites hoarded emails. Businesses stockpiled IDs, addresses, and location data simply because storage was cheap and rules were optional.

Most companies had privacy policies. Almost nobody read them. There was no single, comprehensive law governing how personal data should actually be handled.

That era ended with the Digital Personal Data Protection Act (DPDP Act), 2023.

For many organizations, the first question is usually a hopeful one: Does this law actually apply to us? In most cases, the answer is yes. If your company collects or uses the personal data of people in India, the DPDP Act directly affects you.

Why India Introduced the DPDP Act

Why India Introduced the DPDP Act

India’s digital economy didn’t just grow over the past decade, it became infrastructure.

People now use digital services for almost everything: ordering food, making payments, booking healthcare appointments, shopping online, or accessing government services. Every single one of these interactions collects personal data.

Until now, there was no unified framework defining how companies should collect, use, and protect that data. India’s data privacy landscape was fragmented.

The DPDP Act aims to change that by giving individuals actual control over their personal information and by setting clear, legally binding responsibilities for companies.

In simple terms, the law forces organizations to answer two questions:

  • What can companies do with personal data?
  • What rights do individuals have over their data?

What Counts as Personal Data

Under the Act, personal data means any information that can identify a person.

Some obvious examples include:

  • Name
  • Phone number
  • Email address
  • Aadhaar or PAN details
  • Home address

But the net is cast much wider. It also includes things like:

  • Device IDs
  • Location data
  • Purchase history tied to a user
  • Account activity

For example, if a food delivery app stores your phone number and order history, that is personal data. If an HR system stores employee records, that is personal data too.

Even something as simple as storing customer emails for newsletters falls within the scope of the law. You cannot protect what you do not recognize.

Who the Law Applies To

The DPDP Act applies to any organization that processes the digital personal data of individuals in India.

That includes startups collecting customer information, e-commerce companies storing order details, banks and fintech apps managing financial data, SaaS companies with Indian users, and global companies offering services to Indian users.

Who the Law Applies To

The law introduces two important roles:

A Data Fiduciary is the organization that decides why and how personal data is processed. For example, an online shopping platform collecting customer details.

A Data Processor is an entity that processes data on behalf of another organization. For example, a cloud provider storing that platform’s customer database.

Most companies interacting with customer or employee data will fall under the Data Fiduciary category. The responsibility stops with you.

Key Roles in Detail: Data Fiduciary and Data Processor

The DPDP Act defines a Data Fiduciary in Section 2(i) as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. In other words, it is the entity that decides why personal data is collected, how it will be used, and how it will be processed or stored. The organization making these decisions owns the compliance.

A Data Processor, defined in Section 2(l), is an entity that processes personal data on behalf of a Data Fiduciary. Consider an e-commerce company that stores its customer database on a cloud platform such as AWS or Azure: the e-commerce company is the Data Fiduciary, and the cloud provider is the Data Processor. This distinction matters because most legal obligations under the DPDP Act fall primarily on the Data Fiduciary.

The term “person” in the Act is a wide net. It includes companies, firms, government bodies, and individuals. Some common examples of who qualifies as a Data Fiduciary:

  • A startup collecting email addresses for a product waitlist
  • A hospital storing patient records digitally
  • A bank or fintech app managing customer financial information
  • A SaaS company storing account details of its users

Even a small website collecting phone numbers for customer enquiries can become a Data Fiduciary. The size of the organization does not change the role.

Responsibilities of a Data Fiduciary

Once an organization is identified as a Data Fiduciary, the Act assigns several non-negotiable responsibilities:

  • Section 5: Give notice to the Data Principal about what personal data is collected, the purpose of processing, and how rights may be exercised.
  • Section 6: Obtain valid consent before processing, provide an easy mechanism for withdrawing it, and cease processing upon withdrawal, ensuring Data Processors also cease, unless another lawful basis applies.
  • Section 8: Implement reasonable security safeguards to protect personal data and notify affected Data Principals and the Data Protection Board in the event of a breach.
  • Section 11: Be prepared to respond to Data Principals’ requests to access their personal data.

While processing activities may be outsourced to Data Processors, primary compliance responsibility remains with the Data Fiduciary.

Significant Data Fiduciaries

For organizations operating at massive scale, Section 10 introduces a heavier weight class: the Significant Data Fiduciary designation. The Central Government may designate certain organizations based on factors such as:

  • Volume of personal data processed
  • Sensitivity of data
  • Risk to the rights of individuals

These organizations face additional obligations, such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and implementing stronger compliance mechanisms.

A Practical Starting Point

If your organization is beginning its DPDP compliance journey, a useful starting point is a simple internal question: Where do we decide why personal data is collected and how it is used?

Wherever that decision exists, the organization is acting as a Data Fiduciary and that means the responsibilities set out in the Act now apply.

One of the biggest operational shifts introduced by the DPDP Act is the requirement for clear consent. Consent requirements are primarily addressed in Section 6 of the Act.

Consent must be:

  • Free
  • Specific
  • Informed
  • Unconditional
  • Unambiguous
  • Given through a clear affirmative action

This means silence is not agreement. A pre-ticked box is not a choice. Vague statements buried in a 40-page privacy policy do not qualify as valid consent.

Before asking for consent, companies must first give clear notice under Section 5, telling the user what personal data is being collected, the purpose of collecting it, and how it will be processed. For example, a food delivery app asking for location access must explain the operational reason clearly. A vague legacy statement like “We may collect data to improve services” no longer meets the spirit of the law.

The user must actively pull the lever. Examples of valid consent actions include:

  • Clicking a clearly labeled “I agree” button after reading the notice
  • Selecting specific options in a privacy preference panel
  • Providing explicit confirmation during account registration

Consent obtained through passive acceptance or pre-checked boxes is a compliance failure. The Act expects companies to make the decision explicit. You cannot trick a user into compliance.

The DPDP Act also recognizes a fundamental truth: consent is not permanent.

Under Section 6, individuals have the right to withdraw their consent at any time. Crucially, withdrawing consent must be as easy as giving it.

If a user signs up for marketing emails through an app, the company must provide a simple, frictionless way to opt out. Once that consent is withdrawn, the organization must stop processing personal data for that purpose unless another lawful basis applies. If it takes one click to subscribe, it cannot take a phone call and three business days to leave.

Fundamental truth of DPDP Act

Consider a fitness app that collects health information and activity data. A compliant approach looks like this:

  • Before collecting a single metric, the app displays a notice explaining that activity and health data will be used specifically to track workouts and provide personalized insights.
  • The user is asked to actively agree before the data is collected.
  • The app provides accessible privacy settings where users can later revoke permission to collect certain data.

In this scenario, the user understands the purpose, gives explicit consent, and retains control. That is the exact model the DPDP Act aims to enforce.

For companies, this means privacy cannot remain hidden in legal fine print. It must become a core component of product design, user experience, and data governance. A checkbox that tricks a user isn’t consent, it’s just a well-written lie.

Rights Given to Individuals

The DPDP Act places individuals referred to as Data Principals at the center of the data ecosystem. Consent is the mechanism through which they exercise control over their personal information.

People can ask companies:

  • What data do you have about me?
  • Is it correct?
  • Can you delete it?

For example, if a customer closes an account with an online platform, they may request the deletion of their personal data.

Having a policy that says you will delete data is easy. Having the internal systems and processes to actually find and purge that data across all your databases is hard. Companies will need those systems in place to respond to these requests.

What Happens If Companies Ignore the Law

The DPDP Act introduces significant financial penalties designed to make ignoring the law more expensive than complying with it.

If a company fails to protect personal data and a breach occurs, regulators can impose heavy fines. Penalties can reach up to ₹250 crore, depending on the severity of the violation.

That means data protection is no longer just an IT responsibility. It becomes a business and leadership responsibility.

What Companies Should Be Doing Now

Many organizations are still trying to understand what this data privacy law means in practice. But preparation usually starts with a few basic steps.

  1. Identify what personal data the company collects.
  2. Understand where that data is stored and who has access to it.
  3. Review how consent is obtained and documented.

For example, if a company collects phone numbers through a website form, it should clearly explain right there why the number is needed and how it will be used.

These small steps help organizations move toward compliance while also building actual trust with customers.

A Bigger Shift in How Companies Think About Data

The DPDP Act signals a broader change in India’s digital ecosystem.

Data is no longer something companies can collect freely and figure out later. It now carries clear, legally binding responsibilities toward the individuals it belongs to.

Organizations that treat privacy seriously will likely build stronger trust with customers and regulators. Those that ignore it may face financial penalties and reputational damage.

But this is just the beginning.

The DPDP Act introduces several concepts that deserve deeper discussion. Consent managers, significant data fiduciaries, cross-border transfers, breach reporting, and operational compliance all bring their own challenges.

Compliance starts with one step. Regodit can help you take it.

Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.

Keep reading

All blogs →