Global Privacy Laws: India DPDPA

Overview

India’s Digital Personal Data Protection Act (DPDPA) is the country’s first comprehensive privacy law, designed to regulate the collection, processing, and sharing of digital personal data and safeguard citizens’ rights. Although enacted on August 11, 2023, its key provisions only started coming into effect on November 13, 2025. Different sections of the Act will come into force at different times over the coming months and years, with the last set of provisions scheduled to become effective on May 13, 2027. The Act defines the roles of data fiduciaries (controllers), data processors, and data principals (individuals) and applies to both digital data and digitized offline data connected to India.

Key Dates

  • Signed into law: August 11, 2023
  • Effective date: November 13, 2025

Thresholds

The DPDPA pertains to the processing of digital personal data within India, encompassing situations where the personal data is either (i) collected in a digital form or (ii) collected in a non-digitized form and subsequently converted into digital form. Consequently, the DPDPA does not apply to the processing of personal data in its non-digitized state. The DPDPA defines ‘personal data’ broadly to include any data that can be used to identify an individual, whether directly or indirectly, in relation to such data. It also defines ‘digital personal data’ as personal data in digital form.

While the DPDPA applies to Indian entities that engage in the processing of personal data, it also has extraterritorial applicability, applying to foreign entities that offer goods and services to Data Principals (as defined below) located within India's territory and process personal data in connection with such activities. The DPDPA does not apply to (i) personal data utilized by an individual for personal or domestic purposes or (ii) personal data deliberately made publicly accessible by either the Data Principal to whom the personal data relates or any other individual or entity mandated by law to disclose personal data to the public.

Consumer Rights

  • Right to be Informed – Individuals have the right to be informed about how their data is being processed, the purpose of the processing, and the entities with whom their data is shared.
  • Right of Access – Individuals can request access to their personal data being processed by a data fiduciary (an entity processing data).
  • Right to Rectification – Individuals can request to have inaccurate or incomplete personal data corrected.
  • Right to Erasure – Individuals can request the erasure of their personal data.
  • Right to Object to and Restrict Processing – Individuals can object to the processing of their data and request that it be restricted.
  • Right to Withdraw Consent – Individuals have the right to withdraw their consent for data processing, if consent is the basis for processing.
  • Right to Grievance Redressal – Individuals have the right to lodge a complaint with the data fiduciary about data processing practices.
  • Right to Nominate – Individuals can nominate someone to exercise their rights on their behalf in case of death or incapacity.
  • Right to Lodge a Complaint with the Regulator – Individuals can lodge a complaint with the Data Protection Board of India after exhausting the grievance redressal process with the data fiduciary.

Sensitive Data

The DPDPA does not define or use the term “sensitive data”, but it requires a higher level of protection for certain categories of personal data, such as health records, financial information, biometric data, and religious beliefs. Any personal data that can be used to identify an individual requires protection, and while not officially classified as “sensitive”, data like names, addresses, and contact details are included in the broad definition of personal data covered by the Act.

Penalties

  • The DPDPA imposes penalties for violations, including fines of up to INR 2.5 billion (approximately $31 million).

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like DPDPA in India vs. CCPA in California). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like CCPA in California).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Express
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Off
  • Enable Do Not Sell Consent: Off
  • Enable Global Privacy Control: Off

Current DPDPA requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since regulations like CCPA/CPRA do require Do Not Sell and Global Privacy Control.
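
The region matching and the recommended India settings described above, as an added sketch that is not Concord's code or configuration format. The rule table, key names and functions are hypothetical, the non-India rows are constructed samples, and it assumes Express/Strict means nothing loads before a valid, unexpired opt-in.

```javascript
// Hypothetical rule table, keyed by ISO country or country-subdivision code.
// "IN" carries the settings recommended on this page; other rows are constructed.
const RULES = {
  GLOBAL:  { consentMode: "express", blockingMode: "strict", durationMonths: 12, gpc: true,  doNotSell: true  },
  IN:      { consentMode: "express", blockingMode: "strict", durationMonths: 12, gpc: false, doNotSell: false },
  US:      { consentMode: "express", blockingMode: "strict", durationMonths: 12, gpc: false, doNotSell: false },
  "US-CA": { consentMode: "express", blockingMode: "strict", durationMonths: 12, gpc: true,  doNotSell: true  },
};

// Pick the most granular rule: subdivision first, then country, then GLOBAL.
// Own-property lookup keeps odd geolocation strings ("constructor") from matching.
function resolveRule(rules, country, subdivision) {
  const cc = String(country || "").toUpperCase();
  const sub = String(subdivision || "").toUpperCase();
  const candidates = [cc && sub ? `${cc}-${sub}` : "", cc, "GLOBAL"];
  const key = candidates.find(
    (k) => k && Object.prototype.hasOwnProperty.call(rules, k)
  );
  return { key, ...rules[key] };
}

// Consent counts only if it was granted and is younger than the rule's duration.
function consentValid(rule, consent, now) {
  if (!consent || consent.granted !== true) return false;
  const expiry = new Date(consent.at);
  expiry.setUTCMonth(expiry.getUTCMonth() + rule.durationMonths);
  return now < expiry;
}

// visitor.secGpc is the value of the Sec-GPC request header ("1" when set).
function mayLoadTracker(rule, visitor, now) {
  if (rule.gpc && visitor.secGpc === "1") return false; // honoured opt-out signal
  return consentValid(rule, visitor.consent, now);      // express: opt-in required
}

// Constructed visitor: consent given in India on 2025-12-01.
const indiaRule = resolveRule(RULES, "in", "KA"); // no IN-KA rule, falls back to IN
const visitor = { secGpc: undefined, consent: { granted: true, at: "2025-12-01T00:00:00Z" } };
console.log(indiaRule.key, mayLoadTracker(indiaRule, visitor, new Date("2026-06-01T00:00:00Z")));
```

With Global Privacy Control left Off for India, a `Sec-GPC: 1` header does not override a valid opt-in there, while the same visitor matched to a region with it enabled is blocked.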

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.