Growth Marketing Glossary

DPDPA (Digital Personal Data Protection Act)

D·P·D·P·Anoun (law)

A billion-user consent regime — India's privacy law, enacted 2023, armed with rules in 2025, and phasing into enforcement.

India's lawconsent - free, specific, informednotice in 22 scheduled languagesData Protection Board enforcesAct 2023 - rules notified Nov 2025, phaseda billion-user consent regime, now operational
Schematic — India's consent-first regime
Term
DPDPA (Digital Personal Data Protection Act)
Is
India's Digital Personal Data Protection Act
Enacted
August 11, 2023
Rules notified
November 2025, phased application

Forms & parts of speech

DPDPA · noun
India's privacy law.
"The DPDPA made the India list a consent question - free, specific, informed, and withdrawable."

Definition in plain terms

The DPDPA — India's Digital Personal Data Protection Act — is the national privacy law governing digital personal data, enacted on August 11, 2023 and operationalized when the DPDP Rules were notified in November 2025, with obligations phasing in over the following 18 months. Its center of gravity is consent: processing personal data generally requires consent that is free, specific, informed, unconditional, and given by clear affirmative action — withdrawable at any time, as easily as it was given.

The mechanics

The regime's architecture will feel familiar to GDPR-literate teams with Indian characteristics. Data fiduciaries (controllers, in GDPR speak) owe notice and consent in plain language — with notice available in English and India's 22 scheduled languages; consent managers, a registered intermediary class the rules create, let users manage permissions across services; data principals hold rights to access, correction, erasure, and grievance redressal; significant data fiduciaries (designated by scale and risk) carry extra duties including impact assessments and audits; and children's data carries verifiable-parental-consent and no-tracking-or-targeted-advertising rules for under-18s — a stricter line than COPPA's under-13. Enforcement runs through the new Data Protection Board, with penalties scaling to ₹250 crore (about $30 million) per breach class. For marketers the operational surface is the familiar checklist with new specifics: consent provenance for every Indian address on the list (the CASL discipline, subcontinental edition), notice-and-language coverage, working withdrawal wired to actual processing stops, children's-data rails for any under-18 audience, and vendor diligence as the processor chain inherits obligations. The phasing matters tactically — consent-manager and remaining provisions stagger over 12-18 months from the rules' notification — so compliance programs are racing dated deadlines, not hypotheticals.

When it matters

The DPDPA matters to anyone with Indian users, customers, or lists — one of the world's largest digital populations now sits under a consent-first regime with real penalties. It matters most for global programs built on GDPR rails: the architecture transfers, but the language requirements, consent-manager ecosystem, under-18 rules, and Board procedures are India-specific work. The discipline is the standing one — privacy as engineered data flow — plus a dated phasing calendar, because the rules' staggered deadlines are now the project plan. (General information, not legal advice.)

Worked example. A global SaaS company with a large Indian user base treats the DPDPA as 'GDPR, basically' until the rules' notification turns phases into deadlines. The gap analysis says otherwise: consent records exist but withdrawal doesn't actually stop downstream processing for days (the law says comparable ease - that means wiring, not policy); notices exist in English only, against a 22-language requirement for Indian users; the under-18 product tier runs engagement features that look like tracking the children's rules prohibit; and nobody has assessed whether the company's scale triggers significant-fiduciary duties. The program rebuilds against the phased calendar: withdrawal wired end-to-end first, notice localization next, the minors' tier reworked to a no-targeting architecture, and Board-procedure readiness documented before the enforcement phase lands. The CASL-and-GDPR muscle memory helped - but the company stopped saying 'basically' once the language files and the ₹250-crore penalty schedule were in the same spreadsheet.
Failure modes to watch. Treating the DPDPA as GDPR re-badged while language, consent-manager, and minors' rules differ; consent withdrawal as policy text instead of wired processing stops; under-18 audiences running tracking the law prohibits outright; phased deadlines unmapped until they arrive; and India lists with no consent provenance in a regime built on it.

Synonyms & antonyms

Synonyms

DPDPADPDP ActIndia data protection law

Antonyms

GDPR (EU regime)unregulated processing

Origin & history

India's DPDPA passed Parliament on August 11, 2023 after a half-decade of drafts, and became operational when MeitY notified the DPDP Rules in November 2025 — phasing consent managers and remaining provisions over 12-18 months, and adding the world's most populous digital market to the consent-first map.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is the DPDPA?
India's Digital Personal Data Protection Act — enacted August 11, 2023, operationalized by rules notified in November 2025 — a consent-first privacy regime enforced by a new Data Protection Board.
What does the DPDPA require for consent?
Consent that is free, specific, informed, unconditional, and given by clear affirmative action — withdrawable as easily as given, with plain-language notice available across India's scheduled languages.
How does the DPDPA treat children's data?
Strictly — verifiable parental consent for under-18s, with tracking and targeted advertising to children prohibited; a higher age line than COPPA's under-13.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where dpdpa is a core concern:

Sources

  1. trendsGoogle Trends — "dpdp act"