The Digital Personal Data Protection Act expands user rights and imposes new compliance obligations on companies that handle personal data.
India has begun enforcing key provisions of its Digital Personal Data Protection Act, a framework that regulates how organisations collect and process personal information. The move marks a shift from advisory guidance to mandatory compliance for companies operating in the country’s fast-growing digital economy.
The Act covers all digital personal data and applies to organisations processing information within India as well as businesses abroad that offer services to Indian users. Companies must now obtain consent for data collection, disclose how information will be used, and offer mechanisms for correcting or deleting data.
A dedicated Data Protection Board has also been set up to monitor violations, address complaints, and impose penalties for non-compliance. Unlike previous rules, the Act places greater responsibility on companies designated as data fiduciaries to justify their need for data and to ensure that data is processed securely.
Impact On Businesses
Technology firms, online platforms, financial institutions, retailers, and any enterprise holding user information will need to reassess data flows, storage systems, and consent processes. Cross-border transfers remain permitted but are expected to face tighter scrutiny in light of future government notifications.
The law applies to global businesses as well. Any international company processing Indian consumer data for sales, marketing, or analytics must comply with Indian standards, regardless of where the data is stored.
Impact On Users
Individuals gain the right to request access, correction, and deletion of their personal information. Children’s data is given special protection, and platforms must obtain parental consent before processing their information.
The Act recognises gig and digital platform users as data principals, giving them the same protections as traditional consumers. It also promises faster dispute resolution, with penalties targeted more at corporates than at individuals.
Compliance Ahead
While implementation has begun, several detailed rules and sector-specific guidelines are expected over the next few months. Legal experts note that companies will need to prepare for audits, data minimisation practices, and transparent consent systems. Questions remain about how the law will apply to anonymised data, data used for artificial intelligence training, and emerging business models built on large datasets.
The government has signalled that the law is intended to create a predictable digital environment that protects users and supports innovation, positioning India closer to global data protection regimes such as the European Union’s GDPR.
