The Digital Personal Data Protection Act 2023 is 31 pages and 44 sections. The 2025 Rules add operational detail in roughly 50 more pages. For most founders and product leaders, reading the Act cover-to-cover is the wrong use of time — the obligations that drive compliance work are concentrated in about a dozen sections, and the remainder is institutional machinery (Data Protection Board composition, appellate procedure, rule-making authority) that rarely affects day-to-day decisions.
This is a practitioner’s walkthrough of the sections that matter, in the order they apply in a product lifecycle. It is not legal advice. For specific compliance decisions in your organization, consult qualified data-protection counsel.
§1–§3 — Scope and applicability
The Act applies to digital personal data processed inside India, and to personal data processed outside India if the processing is “in connection with offering goods or services to Data Principals within India.” The extraterritorial reach is narrower than GDPR’s, which also captures monitoring of behaviour. DPDP’s “offering goods or services” test is the operative phrase — if an Indian user can access and transact on your product, you are in scope.
Explicit exclusions from the Act’s application:
- Personal data processed for personal or domestic purposes
- Personal data made publicly available by the Data Principal or by someone under a legal obligation (with nuance — not every public disclosure removes protection)
- (Often listed alongside these, but strictly an exemption under §17(2) rather than a §3 exclusion: processing by government instrumentalities notified for national-security, public-order and similar purposes)
Notably, the Act has no automatic small-business exemption. A five-person startup is subject to the same core obligations as a 50,000-employee enterprise unless the Central Government notifies its class under §17(3), which allows startups and similar classes of Data Fiduciaries to be relieved of a limited set of provisions (the §5 notice, the accuracy and erasure duties in §8, the SDF obligations in §10 and the right of access in §11). Until such a notification covers you, the obligations are uniform; enforcement proportionality will depend on the Data Protection Board's practice.
§4 — Lawful bases for processing
Two lawful bases: consent (§6) or certain legitimate uses (§7). Every act of processing personal data must rest on one of these. You cannot invent a third basis.
For commercial operations, consent is the default. The legitimate-uses list (§7) is narrow and largely covers situations where consent is impractical or inappropriate — voluntary disclosure by the Data Principal, regulatory compliance, employment relationships, emergencies, legal proceedings, specified public-interest uses. Using §7 as a workaround for consent is non-compliant and likely to draw early enforcement attention.
§5 — Notice
The notice requirement has specific content. At or before the time of collecting personal data, the Data Fiduciary must inform the Data Principal of:
- The personal data being processed
- The purpose of processing
- The manner in which the Data Principal may exercise their rights
- How to withdraw consent
- How to complain to the Data Protection Board
The notice must be made available in English or any of the 22 languages specified in the Eighth Schedule, at the Principal’s choice. This means a production-grade Indian privacy notice needs to be translated and maintained in 22 languages — or needs a clear mechanism for the Principal to request a language version.
The notice must be presented separately from other terms. A bundled “By clicking Sign Up you agree to our Terms, Privacy Policy, and Marketing Communications” does not satisfy §5. Consent is specific; notice is specific; bundling fails both requirements.
§6 — Consent
Consent must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. The last phrase is the test for UX patterns:
- Pre-ticked checkboxes — non-compliant (not affirmative)
- Continued use of service as implied consent — non-compliant
- Cookie banners with an “Accept All” button only — non-compliant (no equivalent reject option)
- Opt-out rather than opt-in for non-essential processing — non-compliant
Consent can be given through a Consent Manager — a registered intermediary that lets Data Principals manage consents across multiple Data Fiduciaries. The Consent Manager framework is a distinguishing feature of DPDP relative to GDPR and is the direction Indian identity-tech firms are building toward. For most Data Fiduciaries in 2026, direct-to-Principal consent collection is the default and Consent Managers are opt-in infrastructure.
Withdrawal of consent must be as easy as giving it. If the Principal gave consent by clicking a checkbox at signup, withdrawal cannot require sending a physical letter. Withdrawal triggers obligations downstream — you must cease processing the affected data (with narrow exceptions for legally required retention) and propagate the withdrawal to data processors you have shared the data with.
§8 — Obligations of Data Fiduciaries
Section 8 is where most operational DPDP compliance lives. Its sub-sections cover:
- §8(1) — comply with the Act and Rules for all processing done by the Fiduciary or on its behalf by a Data Processor, irrespective of any contrary agreement or a Data Principal's failure to perform their own duties
- §8(2) — engage a Data Processor only under a valid contract
- §8(3) — ensure completeness, accuracy and consistency of personal data that is likely to be used for a decision affecting the Principal or disclosed to another Data Fiduciary
- §8(4) — implement appropriate technical and organisational measures to ensure the Act and Rules are actually observed
- §8(5) — protect personal data, including data handled by Processors on the Fiduciary's behalf, with reasonable security safeguards against breach
- §8(6) — intimate the Board and each affected Data Principal of a personal-data breach, in the form and manner the Rules prescribe
- §8(7) — erase personal data when consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, and cause Processors to erase what was shared with them, unless retention is required by law
- §8(8) — publish the business contact information of the Data Protection Officer (where one is required) or of a person able to answer Data Principals' questions about processing
- §8(9) — establish an effective grievance redressal mechanism
- §8(10) — the specified purpose is deemed no longer served once the Principal has neither approached the Fiduciary for that purpose nor exercised any right for a period the Rules prescribe; this inactivity rule is what starts the §8(7) erasure clock for dormant accounts
The prohibition on profiling and targeted advertising aimed at children is in §9, not §8 (see below).
The practical compliance artefacts: processor contracts with cease-and-erase clauses, data-retention and inactivity-erasure policy, breach-response playbook, security-testing cadence, DPO or responsible person published on the website, documented grievance process, children's-data handling documentation.
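As an added illustration (example code written for this walkthrough, not from the Act, the Rules or any vendor's product), the §6 consent rules and the §8(7) erase-and-propagate duty can be encoded as a gate in front of every processing call: consent is recorded per specified purpose, anything that did not arrive through a clear affirmative action is rejected, withdrawal is a single call that returns the cease-and-erase instructions for each Data Processor, and the same ledger yields the §11-style summary of purposes and recipients. The purposes, processor names and the ConsentLedger class are constructed, assumed names, not terms from the Act.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str        # "given" or "withdrawn"
    at: datetime


class ConsentError(ValueError):
    """Raised when an action would violate the consent rules encoded below."""


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    """Append-only record of consents keyed by (Data Principal, purpose).

    processors_by_purpose maps each specified purpose to the Data Processors
    the data is shared with for that purpose (a constructed sample mapping;
    in a real system this would come from the processor contract register).
    """

    def __init__(self, processors_by_purpose):
        self._events = []
        self._processors = dict(processors_by_purpose)

    def record_consent(self, principal_id, purpose, affirmative_action, at=None):
        # §6(1): consent is specific to a purpose and given by a clear affirmative
        # action. A pre-ticked box, "continued use" or a bundled Sign Up click must
        # reach this method as affirmative_action=False and is refused.
        if not affirmative_action:
            raise ConsentError("consent requires a clear affirmative action")
        if purpose not in self._processors:
            raise ConsentError(f"unknown purpose {purpose!r}; consent must name a specified purpose")
        self._events.append(ConsentEvent(principal_id, purpose, "given", at or _now()))

    def withdraw(self, principal_id, purpose, at=None):
        """§6(4): withdrawal is one call with no extra hurdles. Returns the
        cease-and-erase instructions owed to each processor (§6(6), §8(7)(b))."""
        if not self.has_consent(principal_id, purpose):
            raise ConsentError(f"no active consent for {purpose!r}")
        self._events.append(ConsentEvent(principal_id, purpose, "withdrawn", at or _now()))
        return [
            {"processor": p, "principal_id": principal_id,
             "purpose": purpose, "action": "cease_and_erase"}
            for p in self._processors[purpose]
        ]

    def has_consent(self, principal_id, purpose):
        state = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                state = e.action           # the latest event for the pair wins
        return state == "given"

    def authorize(self, principal_id, purpose, required_by_law=False):
        """Gate placed in front of every processing call. §8(7) allows continued
        retention only where a law requires it; otherwise live consent is needed
        for this exact purpose (consent for one purpose never covers another)."""
        if required_by_law:
            return True
        if purpose not in self._processors:
            raise ConsentError(f"unknown purpose {purpose!r}")
        return self.has_consent(principal_id, purpose)

    def access_summary(self, principal_id):
        """§11-style summary: purposes with live consent and the processors
        the Principal's data has been shared with for those purposes."""
        live = sorted({e.purpose for e in self._events
                       if e.principal_id == principal_id
                       and self.has_consent(principal_id, e.purpose)})
        shared = sorted({p for purpose in live for p in self._processors[purpose]})
        return {"purposes": live, "shared_with": shared}


if __name__ == "__main__":
    # Constructed sample: two purposes, each shared with different processors.
    ledger = ConsentLedger({"order_fulfilment": ["warehouse-3pl", "courier-api"],
                            "marketing_email": ["esp-vendor"]})
    ledger.record_consent("user-42", "order_fulfilment", affirmative_action=True)
    try:
        ledger.record_consent("user-42", "marketing_email", affirmative_action=False)  # pre-ticked box
    except ConsentError as err:
        print("rejected:", err)
    print(ledger.authorize("user-42", "marketing_email"))   # False: consent is purpose-specific
    print(ledger.access_summary("user-42"))
    print(ledger.withdraw("user-42", "order_fulfilment"))    # one instruction per processor
    print(ledger.authorize("user-42", "order_fulfilment"))   # False after withdrawal
```

The design point is that the ledger is the only place consent state lives and every data path calls `authorize` with the purpose it is acting under, so a marketing job cannot ride on fulfilment consent and a withdrawal cannot be silently lost. The list returned by `withdraw` is what you hand to the job that notifies processors; persisting it before acknowledging the withdrawal to the user is what makes the §8(7) propagation auditable.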
§9 — Children’s data
Processing personal data of children (defined as individuals under 18) requires verifiable parental consent. “Verifiable” is the operative word — self-declaration of age is not sufficient; the Data Fiduciary must have a mechanism to confirm the parent/guardian has in fact consented.
Mechanisms seen in current practice:
- OTP verification to a parent-provided phone number, with parent identity verified via a separate path
- Aadhaar-verified parent flow (for Data Fiduciaries integrated with UIDAI frameworks)
- Payment-based verification (small-value transaction from a parent’s account)
- Government-issued-ID verification of the parent
The Act also prohibits tracking, behavioural monitoring, and targeted advertising directed at children, with limited exceptions for services where such processing is necessary and appropriate.
§10 — Significant Data Fiduciary obligations
SDFs — designated by the government based on volume, sensitivity, risk of harm, and other factors — have additional obligations:
- Appoint a Data Protection Officer based in India, reporting to the Board of Directors or equivalent governing body
- Appoint an independent data auditor to assess compliance
- Conduct periodic Data Protection Impact Assessments and audits
- Implement other measures the government may prescribe in rules
The SDF designation is not automatic — it is notified by the government. Organizations likely to be designated (large social platforms, major fintechs, significant healthcare data platforms, major aggregators) should plan for SDF readiness rather than wait for the notification.
§11–§14 — Data Principal rights
Four substantive rights:
- §11 — Right to access. A summary of personal data being processed, the processing activities, identities of Fiduciaries and Processors with whom the data has been shared.
- §12 — Right to correction and erasure. Correct inaccurate or misleading data, complete incomplete data, update outdated data, erase when no longer needed.
- §13 — Right to grievance redressal. Raise grievances through the Fiduciary’s mechanism; if unresolved, escalate to the Data Protection Board.
- §14 — Right to nominate. Nominate another individual to exercise rights in the event of death or incapacity.
Conspicuously absent compared to GDPR: no general right to data portability, and no general right to object to processing (beyond consent withdrawal). Profiling and automated decision-making are not separately regulated.
Time limits for response are set in the Rules — broadly, 90 days for access requests, shorter timelines for grievance redressal (the exact periods are in the 2025 Rules and depend on request type).
§15 — Duties of Data Principals
A DPDP novelty: Data Principals also have duties. They must not: impersonate another person, suppress material information, file false complaints, or furnish false particulars. Non-compliance by the Principal can result in penalties of up to ₹10,000.
This section is rarely cited in compliance programmes because it affects the Principal more than the Fiduciary, but it is worth knowing: a Fiduciary dealing with a frivolous or malicious DSAR flood has some recourse.
§16 — Cross-border transfer
Cross-border transfer of personal data is permitted to any country except those notified as restricted by the Central Government. The list of restricted countries is published by MeitY and updated periodically.
Sectoral regulators (RBI, IRDAI, SEBI, ABDM-related frameworks) can impose stricter requirements on transfers of specific categories of data. DPDP does not override these.
§17 — Exemptions
Certain processing activities are exempted from specified obligations under §17(1):
- Enforcing a legal right or claim
- Functions of courts, tribunals and other judicial or quasi-judicial bodies
- Prevention, detection, investigation or prosecution of offences
- Processing personal data of Data Principals outside India under a contract with a person outside India (the carve-out that matters to Indian service providers processing foreign clients' data)
- Mergers, amalgamations and similar restructuring approved by a court or tribunal
- Ascertaining the financial information and assets of a person who has defaulted on a loan from a financial institution
§17(2) separately exempts notified State instrumentalities for sovereignty, security and public-order purposes, and processing for research, archiving or statistical purposes that takes no decision about a specific Data Principal and follows prescribed standards. §17(3) lets the Central Government notify classes of Data Fiduciaries, including startups, as exempt from a limited set of provisions.
Exemptions are purpose-limited; you cannot rely on an exemption for processing beyond its specified scope.
§27–§36 — Data Protection Board
Institutional machinery. The Data Protection Board of India is the enforcement body — appointed by the Central Government, with powers to inquire into complaints, issue notices, impose penalties, and make orders. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
For compliance purposes, the key operational points: the Board opens inquiries not only on a Data Principal's complaint but also on a breach intimation and on a reference from the Central or a State Government, and it has civil-court powers to summon persons and compel production of documents. Organizations should plan for Board interactions as they would for any regulatory inquiry, with a response playbook, designated spokesperson and legal counsel engaged.
§33 — Penalties (Schedule)
Detailed in the Schedule to the Act. Headline caps:
- Failure to take reasonable security safeguards (§8(5)) — up to ₹250 crore
- Failure to notify the Board or affected Data Principals of a breach (§8(6)) — up to ₹200 crore
- Non-fulfilment of obligations relating to children (§9) — up to ₹200 crore
- Non-fulfilment of SDF obligations (§10) — up to ₹150 crore
- Breach of Data Principal duties (§15) — up to ₹10,000
- Breach of a voluntary undertaking accepted by the Board (§32) — up to the cap applicable to the contravention the undertaking settled
- Any other provision of the Act or the Rules — up to ₹50 crore
Penalties are to be determined based on the nature, gravity, and duration of contravention; the type and nature of personal data affected; repetitive nature of default; impact on Data Principals; effect of mitigating action taken; and other specified factors.