A plain-English summary of every clause that matters to a product team — who is in scope, what consent looks like, what rights a Data Principal can exercise, and how the Data Protection Board enforces it.
Applies to digital personal data processed inside India, and to any Data Fiduciary outside India that offers goods or services to Indian Data Principals.
Must be free, specific, informed, unconditional, unambiguous, and revocable with the same ease as it was given.
Itemised, in English plus any of the 22 scheduled languages, served before or at the time consent is requested.
Access, Correction, Erasure, Grievance redressal and Nomination. The right to withdraw consent sits separately in §6(4). Grievance redressal carries a statutory response SLA under the DPDP Rules 2025.
Notify the Data Protection Board and affected Data Principals; under Rule 7(2) of the DPDP Rules 2025, a detailed report must reach the Board within 72 hours of becoming aware.
Verifiable parental consent for users under 18; no behavioural tracking, no targeted ads.
'Implied' or 'bundled' consent no longer satisfies §6. Every purpose needs its own toggle, every toggle a receipt.
Ignoring a Data Principal request is no longer a customer-support failure — it's a regulatory breach.
Designated SDFs must appoint a DPO based in India, conduct DPIAs, and undergo independent audits.
Cross-border transfers are allowed except to countries notified by the Central Government.
Our compliance engineers will benchmark your current consent and DSR posture against the Act in one call.