
India's digital economy is growing fast. With over 900 million internet users and a thriving startup ecosystem, the country has become a global hub for tech innovation. But with that growth comes responsibility and now, regulation.
On November 13, 2025, India's Ministry of Electronics and Information Technology (MeitY) formally notified the Digital Personal Data Protection Rules, 2025, bringing the Digital Personal Data Protection Act, 2023 (DPDPA) into force. This marks a watershed moment for every entrepreneur, developer, and business leader operating in India's tech space.
If your business collects, processes, or stores personal data, and almost every tech business does — this law applies to you. Here's what you need to understand.
The DPDPA is India's first comprehensive, standalone data protection law. It replaces the fragmented framework under the Information Technology Act, 2000, and establishes a modern, consent-driven data protection regime. Think of it as India's answer to Europe's GDPR — though with some important differences.
The law introduces a new regulatory body, the Data Protection Board of India (DPBI), which has the authority to investigate violations and impose penalties. It grants individuals (called Data Principals) meaningful rights over their data. And it holds organizations (called Data Fiduciaries) accountable for how that data is collected and used.
The implementation is phased:
That gives businesses roughly 18 months to prepare. The clock is ticking.
India's AI sector is projected to grow at a rapid pace, but the DPDPA will reshape how AI companies collect and use data. Here's the core tension: training AI models typically requires large volumes of personal data, and the DPDPA is strongly consent-centric.
Under the DPDPA, processing personal data requires free, specific, informed, and unambiguous consent from users. For AI companies, this means datasets not explicitly consented to for model training — such as scraped proprietary user data — may be off-limits. If you're building a consumer AI product that trains on user behavior, you'll need to redesign your data collection pipelines so consent is gathered at the point of data generation.
There is a silver lining. The DPDPA exempts personal data that has been made publicly available by individuals or by entities legally required to publish it. This means raw web content, public social media profiles, or open directories can generally be harvested for AI training without DPDPA consent obligations. This could significantly benefit open-data AI research in India. That said, AI companies should still remain cautious about copyright laws and platform terms of service when scraping public data.
The DPDPA also provides exemptions for data processing done for research, archiving, or statistical purposes, provided appropriate safeguards are in place. If implemented broadly, this could allow universities and private research institutions to process sensitive data for model training without individual consent — similar to the research exemption in GDPR. However, detailed guidance from the government is still pending, so businesses should not rely on this exemption without legal review.
Large AI platforms that process high volumes of personal data — think cloud AI providers, social networks, or major consumer apps — risk being designated as Significant Data Fiduciaries (SDFs). This classification triggers enhanced obligations, including:
For AI companies, that last point is particularly consequential. Data localization could mean you are unable to process certain Indian user data on offshore servers — a significant operational challenge for businesses relying on global cloud infrastructure.
If you're building a consumer-facing app in India, the DPDPA fundamentally changes how you approach privacy from the ground up. Privacy by design is no longer a best practice — it's a legal requirement.
The DPDPA requires Data Fiduciaries to provide clear, independent privacy notices to users. Crucially, these notices cannot be bundled into your Terms & Conditions or End User License Agreements. Your privacy notice must:
For most apps currently in market, this means a meaningful update to your onboarding flows and consent mechanisms.
Apps targeting minors (users under 18) face some of the strictest requirements. Before processing any personal data of a child, you must obtain verifiable parental consent and confirm that the consenting individual is actually an adult. The Rules outline three acceptable pathways for this verification — using existing user records, self-declaration by the parent, or a government-issued credential.
This has major implications for social media platforms, gaming apps, and edtech products. If you haven't built age-verification flows into your product, you need to start now.
Users now have a clear right to withdraw consent and request deletion of their data. Once consent is withdrawn, you must delete the user's personal data unless you have a legal obligation to retain it. For large platforms (e-commerce, social media, and gaming), data retention is capped at three years from the last user interaction. All other data fiduciaries must retain personal data and associated logs for at least one year before erasure.
Practically, this means your app needs a working data deletion pipeline — not just a deletion request button, but a backend system that actually purges user data.
Even early-stage startups are not exempt from the DPDPA. The law applies to any entity that processes digital personal data in India, or that processes such data in connection with offering goods or services to individuals in India.
There is a notable exemption relevant to India's IT services and BPO sectors. If an Indian company processes the personal data of non-Indian residents under a contract with a foreign entity, the DPDPA's core obligations do not apply to that processing. This is designed to prevent duplicative compliance burdens for Indian companies serving global clients — and it's a significant operational advantage over GDPR-aligned regimes.
The DPDPA does not offer a startup-friendly exemption based on company size or revenue. The same penalties that apply to large corporations apply to a five-person startup. For a seed-stage company, even a reduced penalty could be existential. The takeaway: building DPDPA compliance into your product architecture early is far cheaper than retrofitting it after a breach or investigation.
If your company already complies with GDPR, you have a head start — but gaps remain. The DPDPA does not recognize legitimate interest as a lawful basis for processing, which GDPR allows. This means many processes that GDPR-compliant companies handle without explicit consent will require rethinking under the DPDPA.
Here is a practical compliance checklist for India's tech business leaders:
1. Conduct a Data Audit Map every data flow in your organization. Know what data you collect, where it's stored, who has access, and how long you retain it.
2. Update Your Privacy Notices Ensure your privacy notices are standalone documents — not buried in your Terms & Conditions. Write them in plain language, covering all legally required disclosures.
3. Build a Consent Management System Implement a mechanism that allows users to give, manage, and withdraw consent as easily as they gave it. This is a core requirement, not an optional feature.
4. Prepare a 72-Hour Breach Response Plan Under the DPDPA, you must notify the Data Protection Board without delay upon discovering a breach, and submit a detailed report within 72 hours. Every business should have an incident response plan in place before enforcement begins.
5. Implement Data Retention and Deletion Workflows Review your data retention policies. For large platforms, apply the three-year cap. For all others, ensure a minimum one-year log retention and have a clear deletion process ready for user requests.
6. Build Age-Verification for Children If your product is accessible to minors, implement robust age-verification and parental consent mechanisms before May 2027.
7. Assess Your SDF Risk If you process large volumes of personal data, evaluate whether you're likely to be designated as a Significant Data Fiduciary. If so, begin planning for DPO appointment, DPIAs, and algorithmic audits.
8. Update Vendor Contracts Your contracts with data processors must reflect the DPDPA's requirements. Fiduciaries are responsible for ensuring their processors also comply.
The DPDPA's penalty structure is designed to be a deterrent — and it is. Fines range from ₹50 crore to ₹250 crore (approximately USD $6M to $30M), depending on the nature and severity of the violation.
| Violation | Penalty Range |
|---|---|
| Failure to obtain consent before processing | Up to ₹50 Crore |
| Processing data without lawful basis | ₹50–100 Crore |
| Unauthorized disclosure to third parties | ₹75–150 Crore |
| Failure to implement security safeguards | ₹100–200 Crore |
| Non-compliance with DPB directives | ₹150–250 Crore |
Penalties are not applied uniformly. The Data Protection Board will consider factors such as the number of affected individuals, the duration of the violation, whether the breach was self-reported, and whether the company had robust data protection governance in place. A startup that proactively self-reports, notifies users, and remedies the violation swiftly can expect significantly reduced penalties compared to an organization that is discovered during a regulatory audit with no compliance documentation.
Enforcement is expected to begin in May 2027, which is when the full weight of the Act's provisions becomes effective.
The DPDPA is not just another compliance checkbox. It represents a fundamental shift in how Indian businesses must think about personal data — as something belonging to users, not organizations. For entrepreneurs building AI products, consumer apps, or digital platforms, this shift creates both constraints and opportunities. Businesses that embed data protection into their products early will build stronger user trust, avoid regulatory exposure, and be better positioned for global market expansion.
The compliance deadline of May 2027 sounds distant, but building robust data governance takes time — especially for startups managing lean engineering teams alongside product development. Starting now is not just prudent. It's strategic.
At Xorblin, we work with tech businesses across India to navigate complex regulatory landscapes and build compliant, scalable technology products. If you're unsure where your business stands on DPDPA readiness, reach out to our team for a compliance consultation. Let's build something that's not only innovative, but built to last.