India DPDP Act

Digital Personal Data Protection Act

India Act No. 22 of 2023Active — Rules notified November 2025

India’s comprehensive data protection law with extraterritorial reach affecting foreign companies processing data of Indian individuals. Consent-based regime requiring 72-hour breach notification, mandatory encryption and masking, verifiable parental consent for children’s data, and a registered Consent Manager framework. Penalties up to INR 250 crore (~EUR 28M).

₹250Cr

Max Penalty

72h

Breach Notice

Age of Consent

Extra-

Territorial Reach

Implementation Timeline

11 August 2023

DPDP Act receives Presidential assent

November 2025

DPDP Rules notified; Data Protection Board instituted

November 2026

Consent Manager registration deadline

May 2027

All provisions fully in force

Who's In Scope

Data Fiduciaries

Indian companies processing personal data
Foreign companies processing data of Indian individuals
Significant Data Fiduciaries (designated by government)

Data Principals

Indian individuals whose data is processed
Children under 18 (enhanced protections)
Persons with disabilities (guardian consent required)

Intermediaries

Consent Managers (must be registered, INR 20 crore net worth)
Data processors acting on behalf of fiduciaries

Key Requirements

Sec. 6

Consent-Based Processing

Lawful processing requires free, specific, informed, and unambiguous consent. Consent must be as easy to withdraw as to give. A limited ‘legitimate uses’ basis is available for certain processing activities.

Sec. 8

Breach Notification

Mandatory notification to the Data Protection Board and affected data principals within 72 hours of becoming aware of a personal data breach.

Sec. 8(3)

Encryption & Security

Mandatory encryption, masking, and de-identification of personal data. Reasonable security safeguards proportionate to data sensitivity must be implemented.

Sec. 9

Children’s Data Protection

Verifiable parental consent required for processing children’s data (under 18). Prohibition on behavioural monitoring and targeted advertising directed at children.

Sec. 10

Data Principal Rights

Right to access, correction, erasure, and nomination of a representative. Right to grievance redressal within 7 days of filing a complaint.

Sec. 18

Consent Manager Framework

Registered Consent Managers must have INR 20 crore (~EUR 2.2M) net worth. They act as intermediaries for managing consent on behalf of data principals.

Penalties & Enforcement

Security breach / failure to notify

INR 250 crore (~EUR 28M)

Maximum penalty for failure to implement adequate safeguards to protect personal data or failure to notify breaches within the required timeframe.

Children’s data violations

INR 200 crore (~EUR 22M)

Enhanced penalties for violations involving processing of children’s personal data without proper consent or safeguards.

Other non-compliance

INR 150 crore (~EUR 17M)

General penalties for failure to comply with other provisions of the Act, including data principal rights and processing obligations.

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for India DPDP Act.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your India DPDP Act compliance posture and build a practical roadmap.

Get Started