India DPDPA

Digital Personal Data Protection Act, 2023

India | Opt-in | National

Key Facts

Effective Date: November 13, 2025
Enacted: August 11, 2023
Enforcing Authority: Data Protection Board of India (DPBI), established November 13, 2025
Consent Model: Opt-in
Applies To: Any person processing digital personal data within India or outside India relating to offering goods/services or profiling in India

Overview

India's DPDPA is the country's first comprehensive data protection law, governing all digital personal data processing. Consent must be freely given, unconditional, informed, and unambiguous — requiring affirmative action. A distinctive feature is consent managers: certified entities that help individuals manage consent across platforms. Full compliance is required by May 2027 with no grace period.

What This Means for Your Website

  • Explicit opt-in consent is required before processing digital personal data of Indian visitors
  • A clear, itemized privacy notice must be provided at or before data collection
  • Consent cannot be tied to service access (unconditional requirement)
  • Special protections apply for children's data — verifiable parental consent required
  • Consent managers will be registered from November 2026
  • The law does NOT include data portability or right to object (unlike GDPR)
  • Full compliance required by May 13, 2027 with no grace period

Key Requirements

The DPBI enforces the DPDPA with penalties up to INR 250 crore (~USD 30 million) per violation. There are no criminal penalties. Implementation is phased: the DPBI was established in November 2025, consent manager registration begins in November 2026, and all other provisions apply from May 2027. Significant Data Fiduciaries face additional obligations.

How ConsentStack Handles This

ConsentStack applies explicit, unconditional consent for Indian visitors with clear itemized privacy notices, meeting DPDPA requirements ahead of the May 2027 full compliance deadline.

Penalties

Up to INR 250 crore (~USD 30 million) per violation for the most serious offenses. No criminal penalties.

Maximum Fine: INR 2,500,000,000 per violation

Key Requirements

  • Explicit opt-in consent before processing digital personal data
  • Clear itemized privacy notice at or before collection
  • Consent must be freely given, unconditional, informed, and unambiguous
  • Consent managers registered with DPBI from November 2026
  • Right to erasure, correction, and grievance redressal
  • Special protections for children — verifiable parental consent required

Notable Provisions

  • Phased enforcement through May 2027 with no grace period after
  • No right to data portability or right to object (unlike GDPR)
  • Consent managers are a distinctive feature
  • Applies to government entities — unlike some jurisdictions
  • INR 250 crore (~USD 30M) maximum penalty

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

When must websites comply with India's DPDPA?

Full compliance is required by May 13, 2027, with no grace period. The DPBI was established November 13, 2025, and consent manager registration opens November 2026.

What are India's DPDPA penalties?

Up to INR 250 crore (~USD 30 million) per violation for the most serious offenses. No criminal penalties apply.

What are consent managers?

A distinctive DPDPA feature — certified entities that help individuals manage consent preferences across multiple platforms. Registration begins November 2026.

Does India's law include data portability?

No. Unlike the GDPR, the DPDPA does not include a right to data portability or a right to object to processing.
