The Digital Personal Data Protection Act, 2023 is India's first comprehensive law on digital personal data protection. It aims to strengthen individual privacy while enabling responsible use of data for innovation and economic growth.
The DPDP Act replaces limited privacy provisions under the older IT Act and establishes a clear legal framework for how personal data must be processed in the digital age. It brings India closer to global privacy standards — while balancing privacy rights with business needs.
Who Is Covered
The Act applies to any digital personal data processing within India, as well as to data processed outside India where it involves offering goods or services to individuals located in India.
The legislation covers three principal categories of actors: individuals, referred to as data principals; organisations that determine how data is used, referred to as data fiduciaries; and service partners engaged to process data on behalf of fiduciaries, referred to as data processors.
This broad territorial and structural scope ensures that no entity handling the personal data of individuals in India can avoid its obligations under the Act — regardless of where they are headquartered.
Consent Is Central
Under the DPDP Act, personal data may only be collected when informed, specific, and unambiguous consent has been obtained from the individual concerned. Consent must be freely given and clearly recorded.
Individuals retain the right to withdraw consent at any time, and organisations are legally obligated to honour such withdrawals promptly. This places the individual firmly in control of their personal data from the outset of any data relationship.
New Rights for Individuals
The Act confers a set of statutory rights upon every individual whose personal data is processed. These include the right to access their digital personal data, the right to correct inaccurate information, and the right to request erasure of data that is no longer necessary or lawfully held.
Individuals may also revoke consent previously granted and nominate another person to exercise their data rights on their behalf — providing continuity of protection even in cases of incapacity.
These rights represent a significant shift in the legal relationship between individuals and the organisations that hold their data, bringing India into alignment with international frameworks such as the GDPR.
Children's Data Gets Extra Protection
The DPDP Act introduces heightened safeguards for the personal data of minors. Organisations are restricted from engaging in profiling, targeted advertising, or behavioural monitoring of children.
In many circumstances involving children's data, verifiable parental or guardian consent is required before any processing may take place. These provisions reflect a considered approach to protecting younger individuals in an increasingly digital environment.
Organisations Get Clear Obligations
Businesses and digital platforms subject to the Act must meet a defined set of obligations. These include storing and processing data securely, being transparent about the purpose and use of data collected, reporting breaches promptly to the Data Protection Board and affected individuals, and collecting only the minimum data necessary for the stated purpose.
Adherence to these obligations is expected to improve trust and accountability in data handling across industries, creating a more reliable environment for both consumers and enterprises.
Data Protection Board of India
The Act establishes the Data Protection Board of India as the primary statutory body responsible for overseeing compliance with the legislation. The Board has authority to adjudicate disputes between data principals and fiduciaries, and to impose financial penalties for breaches or violations.
The creation of a dedicated enforcement body provides clarity for organisations on where accountability sits, and gives individuals a formal mechanism through which to pursue redress when their data rights have been infringed.
Phased Implementation & Balancing Innovation with Privacy
The Act was enacted on 11 August 2023, with key provisions being rolled out progressively between 2025 and 2027. This phased approach provides organisations with the time needed to adapt systems, processes, and governance structures to meet their new obligations.
Critically, the DPDP Act is designed not to inhibit India's digital economy but to enable it on a sound and trusted footing. It supports the responsible use of data across sectors including artificial intelligence, analytics, fintech, health technology, and digital services — ensuring that innovation proceeds in a manner that respects and upholds individual privacy rights.
In Summary: The DPDP Act protects people's digital privacy while giving companies a clear and fair framework for using data to drive digital growth. Organisations that prepare early — by auditing data flows, updating consent mechanisms, strengthening security practices, and training teams — will be best positioned to turn compliance into competitive advantage. It is a legislative milestone that serves both citizens and enterprise: privacy empowerment and responsible innovation, in equal measure.