DPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalisedDPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalised
[01]Resource · 01

The DPDP Act 2023, in 7 minutes.

A plain-English summary of every clause that matters to a product team — who is in scope, what consent looks like, what rights a Data Principal can exercise, and how the Data Protection Board enforces it.

Act enacted
Aug 2023
Sections
44
Max penalty
₹250 Cr
Applies to
All Indian residents' data
[02]What it is

One Act, two principles: lawful processing and meaningful rights.

[01]
Scope (§3)

Applies to digital personal data processed inside India, and to any Data Fiduciary outside India that offers goods or services to Indian Data Principals.

[02]
Consent (§6)

Must be free, specific, informed, unconditional, unambiguous, and revocable with the same ease as it was given.

[03]
Notice (§5)

Itemised, in English plus any of the 22 scheduled languages, served before or at the time consent is requested.

[04]
Rights (§11–§14)

Access, Correction, Erasure, Grievance redressal and Nomination. The right to withdraw consent sits separately in §6(4). Grievance redressal carries a statutory response SLA under the DPDP Rules 2025.

[05]
Breach (§8(6) + Rule 7)

Notify the Data Protection Board and affected Data Principals; under Rule 7(2) of the DPDP Rules 2025, a detailed report must reach the Board within 72 hours of becoming aware.

[06]
Children (§9)

Verifiable parental consent for users under 18; no behavioural tracking, no targeted ads.

Failure to safeguard data
₹250 Cr
§8(5), Schedule
Failure to notify breach
₹200 Cr
§8(6), Schedule
Children's data violation
₹200 Cr
§9, Schedule
SDF obligations breach
₹150 Cr
§10, Schedule
[03]Why it matters

DPDP changes how India ships product.

[01]
Consent is now the default

'Implied' or 'bundled' consent no longer satisfies §6. Every purpose needs its own toggle, every toggle a receipt.

[02]
Rights have an SLA

Ignoring a Data Principal request is no longer a customer-support failure — it's a regulatory breach.

[03]
Significant Data Fiduciaries get extra duties

Designated SDFs must appoint a DPO based in India, conduct DPIAs, and undergo independent audits.

[04]
Localisation is conditional

Cross-border transfers are allowed except to countries notified by the Central Government.

Skip the 88-page Act. Get a 30-minute walkthrough mapped to your product.

Our compliance engineers will benchmark your current consent and DSR posture against the Act in one call.