India’s Digital Personal Data Protection Act 2023 (DPDP Act) is the most significant privacy legislation in the world’s most populous country — and in 2026, it is actively being enforced. The Data Protection Board of India (DPBI) became operational this year. The first enforcement actions are expected before mid-2026. For SaaS founders, product teams, and any organisation with Indian users, this is not a future compliance consideration — it is a current operational requirement with penalties of up to ₹250 crore (~$30 million) per instance for the most serious violation in the Act’s schedule, failure to take reasonable security safeguards.
⚠️ Legal Disclaimer: This article is for informational and educational purposes only. It does not constitute legal advice and should not be relied upon as such. Laws and regulations change over time. For compliance specific to your situation, consult a qualified legal professional familiar with Indian data protection law.
Direct Answer: What is the India DPDP Act and who must comply?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India’s comprehensive data privacy law, now in active enforcement. Any organisation that processes the personal data of people in India must comply — regardless of where the organisation is based. This includes US SaaS companies with Indian users, EU businesses with Indian customers, and Indian startups of any size. There is no revenue or employee threshold. Core requirements include: consent given by a clear affirmative action (or one of the Act’s narrowly listed “legitimate uses”) before processing, a clear privacy notice at or before collection, rights of access, correction and erasure, breach intimation to the Board and to affected users (the DPDP Rules require an initial intimation without delay and a detailed report within 72 hours), and a Data Protection Officer based in India for organisations notified as Significant Data Fiduciaries. Penalties run from ₹50 crore (~$6M) per instance for breaching most provisions up to ₹250 crore (~$30M) per instance for failing to take reasonable security safeguards. There is no higher tier; repetition is an aggravating factor the Board weighs when fixing the amount, not a separate penalty band.
Who the DPDP Act Applies To
The DPDP Act has broad jurisdictional reach — a deliberate design choice to prevent foreign companies from processing Indian user data without accountability.
The scope rule: The Act applies to processing of “digital personal data” where:
- The data is collected within India (any person providing data while located in India), OR
- The data is processed outside India in connection with offering goods or services to persons in India
This means a US SaaS company that has Indian users — even if it has zero employees or physical presence in India — is subject to the DPDP Act. A UK e-commerce company selling to Indian customers must comply. An Indian startup is obviously covered.
Who is exempt:
- Personal or domestic use (individual users processing their own data)
- Personal data made publicly available by the data principal themselves, or made public under a legal obligation
- Data processed for research, archiving, and statistical purposes (with safeguards)
- Government entities processing data for certain national security functions
What counts as “personal data”: The Act defines personal data broadly: any data about an identifiable individual. Name, email, phone number, IP address, device ID, location data, purchase history, browsing behaviour — all of it counts. Anonymised data that cannot be re-linked to an individual is excluded.
The Five Core Obligations
1. Consent — The Foundation
The DPDP Act is consent-first. You must obtain “free, specific, informed, unconditional, and unambiguous” consent before collecting and processing personal data.
What valid consent looks like:
- The consent request explains: what data is being collected, the purpose of collection, who it will be shared with, and the user’s rights
- Consent is given through a “clear affirmative action” — a pre-checked box does not count
- The consent request is in a language the user understands (the Act requires notices to be available in languages scheduled in the Indian Constitution)
- Consent is separate from terms of service acceptance — you cannot bury data consent in a ToS
Lawful processing without consent: Unlike GDPR, the DPDP Act has no “legitimate interests” basis. The only alternatives to consent are the “certain legitimate uses” the Act lists in Section 7:
- Personal data the data principal voluntarily provided for a specified purpose, where they have not indicated that they object to its use for that purpose (the closest analogue to GDPR’s contractual necessity, and narrower than it)
- State functions: subsidies, benefits, services, certificates, licences and permits (government bodies)
- Compliance with a law, or with a court judgment or order
- Medical emergencies, epidemics and other threats to public health, and disasters or breakdowns of public order
- Employment purposes, including safeguarding the employer against loss or liability
For most SaaS processing, consent is the only available basis. The voluntary-provision use covers data a user hands over to get the thing they asked for (an email address to create an account); you cannot rely on anything like legitimate interests to send marketing emails, run analytics, or build user profiles without consent.
Consent for children: Processing the data of children (anyone under 18) requires verifiable consent from a parent or lawful guardian. The Act also prohibits tracking, behavioural monitoring and targeted advertising directed at children, although the government may exempt specified classes of Data Fiduciaries or purposes by notification. This has significant product implications for any app or service used by minors.
2. Notice — Transparency Before Collection
Before or at the time of collecting personal data, you must provide a notice in “clear and plain language” that includes:
- The personal data being collected
- The purpose for which it will be used
- The manner in which the data principal can exercise their rights
- How to contact the Data Fiduciary (your company) and the Data Protection Officer
The data principal must be able to access the notice in English or in any of the 22 languages listed in the Eighth Schedule to the Indian Constitution (Hindi, Tamil, Bengali, Telugu, Marathi and others).
Practical implication: Your privacy policy may need to be translated and localised. Your in-app consent flows need to explain specifically what you collect, not just reference a privacy policy document.
3. Data Principal Rights — What Users Can Demand
The DPDP Act gives Indian users the following rights, and organisations have specific timeframes to respond:
Right of access: Data principals can ask for a summary of the personal data you hold about them and of the processing you carry out, and for the identities of all other Data Fiduciaries and Data Processors it has been shared with. The Act itself does not fix a number of days for the response; the timeframe is set by the rules rather than the Act.
Right to correction and erasure: Users can demand correction, completion and updating of their data, and erasure once the purpose of collection is served or when they withdraw consent, unless retention is required by law. The Act does not fix a number of days for erasure either; the timeframe is set by the rules, and the response period you commit to publicly is what you will be held to.
Right to grievance redressal: Users must be able to lodge a complaint with your organisation. You must have a process for receiving and responding to complaints.
Right to nominate: Users can nominate another person to exercise their rights in case of death or incapacity. (Unique to Indian law — unusual globally.)
Right to approach the DPBI: If you fail to address a user’s grievance, they can escalate to the Data Protection Board of India.
Erasure is the hardest right to honour in practice. Most enterprise software systems have data scattered across production databases, backups, analytics systems, data warehouses, and third-party integrations. Deleting every instance of a specific user’s data within whatever response period you commit to requires a documented data map and a tested deletion process. Most organisations do not have this in place and building it takes time.
4. Breach Notification — 72 Hours
If a personal data breach occurs, the Act (Section 8(6)) requires you to intimate both the Data Protection Board of India and each affected data principal, in the form and manner set by the rules. The DPDP Rules 2025 require an initial intimation without delay once you become aware of the breach, followed by a detailed report to the Board within 72 hours (or a longer period the Board allows on written request).
The notification must include:
- Nature of the breach
- Personal data affected
- Likely consequences
- Measures taken or proposed to address the breach
“Without delay” for the first intimation and 72 hours for the detailed report is tighter than GDPR (72 hours to the regulator, with individuals notified only where the risk is high) and far shorter than most US state breach notification laws (which often allow 30–90 days). You need an incident response process that can detect, classify, and escalate a breach within hours — not days.
5. Data Protection Officer (DPO)
Organisations the Central Government notifies as “Significant Data Fiduciaries” must appoint a Data Protection Officer. The Act sets no numeric threshold: the government designates fiduciaries based on the volume and sensitivity of the data they process, the risk to data principals’ rights, and the potential impact on sovereignty, electoral democracy, security of the State and public order. The DPO:
- Must be based in India
- Is the point of contact for data principals exercising their rights
- Is the point of contact for the DPBI in regulatory matters
- Is responsible for ensuring compliance with the Act
For SaaS companies that are not notified as Significant Data Fiduciaries, a DPO is not required — but the Act still requires every Data Fiduciary to publish the business contact details of a DPO or of another person able to answer data principals’ questions about their data, and you still need a process for responding to rights requests.
Key Differences From GDPR
If your organisation already complies with GDPR, you are partially prepared for DPDP — but there are meaningful differences.
| Dimension | GDPR | DPDP Act |
|---|---|---|
| Lawful bases | 6 bases including legitimate interests | Consent + limited state/contractual exceptions — no legitimate interests |
| Consent withdrawal | Must be as easy as giving consent | Same |
| Children’s age | 16 (can be lowered to 13 by member state) | 18; government may exempt specified classes of fiduciaries or purposes |
| Data localisation | No general requirement | Government may notify sectors requiring local storage |
| Cross-border transfers | Adequacy decisions or SCCs | Permitted by default; government may restrict transfers to notified countries (a restriction list, not an allow list) |
| Penalties | Up to €20M or 4% global turnover | Up to ₹250 crore per instance; repetition is an aggravating factor, not a separate tier |
| Right to portability | Yes | Not explicitly included |
| DPO requirement threshold | Specific criteria (large-scale, sensitive data) | Government to notify “significant data fiduciary” threshold |
The most operationally significant difference: No legitimate interests basis. If your GDPR compliance relied on legitimate interests to run analytics, send product emails, or process user behaviour data, you need to rebuild your consent flows for Indian users. Consent is the only general-purpose lawful basis under DPDP.
The Compliance Action Plan for SaaS Companies
Prioritised by urgency:
Immediate (Do Now)
Data mapping. List every category of personal data you collect from Indian users, where it is stored, what it is used for, and who has access. You cannot comply with erasure requests or breach notifications without knowing where data lives.
Consent audit. Review your current onboarding flows, marketing opt-ins, and tracking implementations. Identify any data processing that lacks valid consent under DPDP’s stricter standard (no pre-checked boxes, no bundled ToS consent).
Privacy notice update. Your privacy policy must specifically address DPDP rights. Add the Indian regulatory contact, describe how users can exercise their rights, and list the languages it is available in.
Breach response procedure. Document who is notified when a breach is detected, what information is collected, and who is responsible for DPBI notification. Test this with a tabletop exercise.
Near-Term (Within 90 Days)
Consent management platform. Implement a CMP that tracks consent per user, per purpose, and per data category. You need to be able to prove that a specific user gave valid consent for a specific processing activity on a specific date — and that you stopped processing when they withdrew it.
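The record a CMP has to be able to produce is the interesting part of that requirement: for a given user, purpose and data category, what was granted, under which notice text, when, and when it was withdrawn, in a form nobody can quietly edit afterwards. The block below is an added example written for this article (it is not code from any CMP vendor, and the DPDP Act prescribes no record format); the event schema, the purpose and category names, and the SHA-256 hash chain linking each event to the previous one are this example’s own design. It refuses to record a grant that was not a clear affirmative action, answers point-in-time “was this permitted?” queries, and detects a tampered row.

```python
"""Append-only, tamper-evident consent ledger (added example, own design)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the very first event


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    action: str                  # "grant" or "withdraw"
    purpose: str                 # one specific purpose, e.g. "product_analytics"
    categories: tuple[str, ...]  # data categories the grant covers (empty on withdraw)
    at: datetime                 # timezone-aware time of the user's action
    notice_version: str          # notice text shown at grant time (empty on withdraw)
    prev_hash: str               # hash of the previous event in the ledger
    hash: str                    # SHA-256 over this event's fields plus prev_hash


def _digest(principal_id, action, purpose, categories, at, notice_version, prev_hash) -> str:
    body = {"principal_id": principal_id, "action": action, "purpose": purpose,
            "categories": list(categories), "at": at.isoformat(),
            "notice_version": notice_version, "prev_hash": prev_hash}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, principal_id, action, purpose, categories, at, notice_version) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if self._events and at < self._events[-1].at:
            raise ValueError("events must be appended in chronological order")
        prev = self._events[-1].hash if self._events else GENESIS
        digest = _digest(principal_id, action, purpose, categories, at, notice_version, prev)
        event = ConsentEvent(principal_id, action, purpose, tuple(categories), at, notice_version, prev, digest)
        self._events.append(event)
        return event

    def grant(self, principal_id, purpose, categories, at, notice_version, *, affirmative_action):
        # DPDP s.6: consent needs a clear affirmative action. A pre-checked box or
        # silence is not consent, so the caller must assert the action explicitly.
        if not affirmative_action:
            raise ValueError("no clear affirmative action: consent not recorded")
        if not categories:
            raise ValueError("a grant must name the data categories it covers")
        return self._append(principal_id, "grant", purpose, categories, at, notice_version)

    def withdraw(self, principal_id, purpose, at):
        return self._append(principal_id, "withdraw", purpose, (), at, "")

    def permitted(self, principal_id, purpose, category, at=None) -> bool:
        """Was processing `category` for `purpose` covered by live consent at time `at`?"""
        at = at or datetime.now(timezone.utc)
        latest = None
        for ev in self._events:  # chronological, so the last matching event wins
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                latest = ev
        return latest is not None and latest.action == "grant" and category in latest.categories

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or deleted event breaks the chain."""
        prev = GENESIS
        for ev in self._events:
            expected = _digest(ev.principal_id, ev.action, ev.purpose, ev.categories,
                               ev.at, ev.notice_version, prev)
            if ev.prev_hash != prev or ev.hash != expected:
                return False
            prev = ev.hash
        return True

    def evidence(self, principal_id, purpose) -> list[dict]:
        """Records to hand to the DPBI or the user: what was consented, under which notice, when."""
        return [{"action": e.action, "at": e.at.isoformat(), "categories": list(e.categories),
                 "notice_version": e.notice_version, "hash": e.hash}
                for e in self._events if e.principal_id == principal_id and e.purpose == purpose]


def demo() -> dict:
    """Constructed scenario: grant on 10 Jan 2026, withdrawal 30 days later, plus two negative checks."""
    t0, day = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger()
    ledger.grant("user-42", "product_analytics", ("usage_events", "device_id"), t0,
                 "notice-v3", affirmative_action=True)
    ledger.withdraw("user-42", "product_analytics", t0 + 30 * day)
    try:  # a pre-checked marketing box must not produce a record
        ledger.grant("user-42", "marketing_email", ("email",), t0 + day, "notice-v3", affirmative_action=False)
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    results = {
        "during_grant": ledger.permitted("user-42", "product_analytics", "device_id", t0 + day),
        "after_withdrawal": ledger.permitted("user-42", "product_analytics", "device_id", t0 + 31 * day),
        "category_not_granted": ledger.permitted("user-42", "product_analytics", "location", t0 + day),
        "purpose_not_granted": ledger.permitted("user-42", "marketing_email", "email", t0 + day),
        "prechecked_rejected": prechecked_rejected,
        "evidence_count": len(ledger.evidence("user-42", "product_analytics")),
        "chain_ok_before_tamper": ledger.verify_chain(),
    }
    # Simulate someone widening a stored grant after the fact: verification must fail.
    object.__setattr__(ledger._events[0], "categories", ("usage_events", "device_id", "location"))
    results["chain_ok_after_tamper"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain is what turns a consent table into evidence: a later edit to any row (widening a grant, backdating a withdrawal) changes that row’s digest and breaks every link after it. In production you would persist the events in an append-only table and periodically anchor the latest hash somewhere the application cannot write to, but the query shape (latest grant or withdrawal for this user and purpose on or before time T) stays the same.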
Erasure workflow. Build or configure a user data deletion process that can complete within your published response period across all your data stores, including backups. Verify each deletion by reading the store back rather than trusting the delete call, treat immutable backups as data that expires on a known date rather than data you have erased, and keep per-store evidence. Document the process.
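What that process looks like as code, as an added example for this article rather than code from any DSR product: a data map is a list of store adapters, the runner deletes from each online store and then reads back to confirm nothing referencing the user remains, and immutable backups are reported with the date their last copy expires instead of being marked erased. The stores here are in-memory dicts constructed for the example (a production entry would wrap a database or vendor API call), and the store names, the vendor that only soft-deletes, and the 7-day response period are this example’s own assumptions; the DPDP Act fixes no number of days for erasure.

```python
"""Data-map-driven erasure runner with read-back verification (added example, own design)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass
class StoreEntry:
    name: str
    delete: Callable[[str], None]    # remove every record for the principal
    remaining: Callable[[str], int]  # read back: records still referencing the principal
    backup_retention: timedelta | None = None  # set for immutable snapshots that expire, not edit


def dict_store(records: dict[str, dict]):
    """Adapter for a constructed in-memory table keyed by record id."""
    def delete(pid: str) -> None:
        for rid in [r for r, row in records.items() if row.get("principal_id") == pid]:
            del records[rid]

    def remaining(pid: str) -> int:
        return sum(1 for row in records.values() if row.get("principal_id") == pid)
    return delete, remaining


def soft_delete_only(records: dict[str, dict]):
    """Adapter for a vendor that only flags rows as deleted: the data is still there, and
    only the read-back catches it."""
    def delete(pid: str) -> None:
        for row in records.values():
            if row.get("principal_id") == pid:
                row["deleted"] = True
    _, remaining = dict_store(records)
    return delete, remaining


class ErasureRunner:
    def __init__(self, data_map: list[StoreEntry], response_period: timedelta) -> None:
        self.data_map = data_map
        self.response_period = response_period

    def run(self, principal_id: str, requested_at: datetime) -> dict:
        deadline = requested_at + self.response_period
        report = {"principal_id": principal_id, "deadline": deadline.isoformat(),
                  "stores": {}, "complete": True}
        for store in self.data_map:
            if store.backup_retention is None:
                store.delete(principal_id)
                left = store.remaining(principal_id)  # never trust the delete call
                status = "erased" if left == 0 else f"FAILED: {left} record(s) still present"
                report["complete"] &= left == 0
            else:
                expires = requested_at + store.backup_retention
                status = f"expires_from_backups {expires.date().isoformat()}"
                if expires > deadline:  # must be documented as retention, not reported as erased
                    status += " (after deadline: needs documented retention justification)"
                    report["complete"] = False
            report["stores"][store.name] = status
        return report


def demo() -> dict:
    """Constructed scenario: three online stores plus nightly backups kept for 30 days."""
    users = {"1": {"principal_id": "user-42", "email": "u42@example.com"},
             "2": {"principal_id": "user-7", "email": "u7@example.com"}}
    events = {"e1": {"principal_id": "user-42", "event": "login"},
              "e2": {"principal_id": "user-42", "event": "click"}}
    crm = {"c1": {"principal_id": "user-42", "phone": "+91 00000 00000"}}
    data_map = [
        StoreEntry("postgres.users", *dict_store(users)),
        StoreEntry("warehouse.events", *dict_store(events)),
        StoreEntry("vendor.crm", *soft_delete_only(crm)),
        StoreEntry("s3.nightly-backups", lambda pid: None, lambda pid: 0,
                   backup_retention=timedelta(days=30)),
    ]
    runner = ErasureRunner(data_map, response_period=timedelta(days=7))  # hypothetical published period
    report = runner.run("user-42", datetime(2026, 3, 1, tzinfo=timezone.utc))
    report["other_users_untouched"] = any(r["principal_id"] == "user-7" for r in users.values())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The report is the artefact you keep: an auditor or the Board asking “show me this user was erased” gets a per-store outcome, and the two ways a deletion silently fails (a vendor that soft-deletes, a backup whose retention outlives your deadline) surface as explicit statuses instead of disappearing behind a successful API response.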
DPO appointment (if required). Assess whether your scale of processing requires a DPO. If in doubt, appoint one or designate an existing role with equivalent responsibilities. Ensure the DPO has India-accessible contact details.
Vendor review. Audit your third-party processors (analytics, CRM, email, customer support, data warehouse). Do your contracts with these vendors include data processing agreements that cover DPDP obligations? If not, update them.
Ongoing
Training. Teams that handle personal data — engineering, customer support, sales, marketing — need to understand DPDP obligations specifically: what constitutes valid consent, how to handle an erasure request, when to escalate a potential breach.
Annual review. The DPDP Rules 2025 bring obligations into force in phases and may be amended, and the government issues notifications under the Act (Significant Data Fiduciary designations, restricted transfer countries, exemptions). Review your compliance programme whenever a new rule or notification lands, not just once a year.
Tools That Help With DPDP Compliance
Consent Management:
- CookieYes, Cookiebot (Usercentrics), OneTrust — cookie and consent management platforms that support DPDP consent tracking alongside GDPR. Pricing: $10–$500/month depending on traffic and features.
- Osano — privacy management platform with consent management, data mapping, and vendor risk. Enterprise pricing.
Privacy-First Analytics:
- Plausible, Fathom, Matomo — cookie-free analytics that avoid the cookie-consent banner. Cookie-free is not the same as consent-free under DPDP: the Act has no cookie-specific rule, and if the tool still processes an IP address, device identifier or other data tied to an identifiable person, that is personal data and needs a lawful basis. Check what each tool retains and how it pseudonymises before treating it as out of scope. See our complete analytics comparison guide.
Data Subject Request Management:
- Transcend, Mine — automated data mapping and data subject request handling. Helps manage erasure requests across all data systems.
- Osano, OneTrust — enterprise platforms with DSR workflow management.
Privacy Policy and Notice:
- Termageddon, Iubenda — auto-generating privacy policies that include DPDP-specific provisions. Lower-cost option for smaller companies.
The Penalty Structure
The DPDP Act’s penalty framework (the Schedule to the Act) is tiered by the provision breached:
| Violation | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | ₹250 crore (~$30M) |
| Failure to notify the Board and affected data principals of a breach | ₹200 crore (~$24M) |
| Non-compliance with the children’s data provisions | ₹200 crore (~$24M) |
| Non-compliance with Significant Data Fiduciary obligations (DPO, independent auditor, impact assessments) | ₹150 crore (~$18M) |
| Breach of any other provision of the Act or rules (including data principal rights and notice) | ₹50 crore (~$6M) |
| Breach of a voluntary undertaking accepted by the Board | Up to the penalty for the underlying breach |
| Breach of a data principal’s own duties (false complaints, impersonation, suppressing material facts) | ₹10,000 (ten thousand rupees) |
There is no ₹10,000 crore tier: the highest amount in the Schedule is ₹250 crore, and the figure sometimes quoted as ₹10,000 crore is the ten-thousand-rupee penalty on data principals. When fixing the amount within a tier, the Board must consider the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the mitigation the organisation took.
Penalties are not per-user — they are per instance of breach. A single breach affecting millions of users results in one penalty at the applicable tier, with the factors above deciding where in the range it lands.
FAQ
Does the DPDP Act apply to my company if I’m based outside India? Yes, if you process personal data of people located in India in connection with offering goods or services to them. A US SaaS with Indian users, a UK e-commerce site selling to Indian customers, or any global app with Indian downloads — all are covered.
What is the difference between the DPDP Act and GDPR? Both are comprehensive privacy laws. Key DPDP differences: no legitimate interests basis for processing (consent is required for most processing), stricter children’s data rules (18 not 16), potential data localisation requirements pending government notification, and a different rights framework. India is not yet deemed GDPR-adequate by the EU.
When did the DPDP Act come into force? The Digital Personal Data Protection Act 2023 received Presidential assent in August 2023. Implementation has been phased — the Data Protection Board of India became operational in 2025/2026. Enforcement against non-compliant organisations is actively beginning in 2026.
What is a “significant data fiduciary”? The DPDP Act creates a higher-obligation category for organisations the Central Government notifies based on the volume and sensitivity of data they process, the risk to data principals’ rights, and the potential impact on sovereignty, electoral democracy, security of the State and public order. Significant data fiduciaries face additional obligations including a Data Protection Officer based in India, an independent data auditor, periodic Data Protection Impact Assessments and audits, and verification that the algorithmic software they deploy does not pose risks to data principals’ rights.
Do I need to store Indian user data in India? Currently, no blanket data localisation requirement is in force under the DPDP Act. The government has power to notify specific categories of data that must be stored locally — this list has not yet been published as of April 2026. Monitor government notifications for updates on this provision.