DPDPA (Digital Personal Data Protection Act)
A billion-user consent regime — India's privacy law, enacted 2023, armed with rules in 2025, and phasing into enforcement.
- Term
- DPDPA (Digital Personal Data Protection Act)
- Is
- India's Digital Personal Data Protection Act
- Enacted
- August 11, 2023
- Rules notified
- November 2025, phased application
Forms & parts of speech
Definition in plain terms
The DPDPA — India's Digital Personal Data Protection Act — is the national privacy law governing digital personal data, enacted on August 11, 2023 and operationalized when the DPDP Rules were notified in November 2025, with obligations phasing in over the following 18 months. Its center of gravity is consent: processing personal data generally requires consent that is free, specific, informed, unconditional, and given by clear affirmative action — withdrawable at any time, as easily as it was given.
The mechanics
The regime's architecture will feel familiar to GDPR-literate teams with Indian characteristics. Data fiduciaries (controllers, in GDPR speak) owe notice and consent in plain language — with notice available in English and India's 22 scheduled languages; consent managers, a registered intermediary class the rules create, let users manage permissions across services; data principals hold rights to access, correction, erasure, and grievance redressal; significant data fiduciaries (designated by scale and risk) carry extra duties including impact assessments and audits; and children's data carries verifiable-parental-consent and no-tracking-or-targeted-advertising rules for under-18s — a stricter line than COPPA's under-13. Enforcement runs through the new Data Protection Board, with penalties scaling to ₹250 crore (about $30 million) per breach class. For marketers the operational surface is the familiar checklist with new specifics: consent provenance for every Indian address on the list (the CASL discipline, subcontinental edition), notice-and-language coverage, working withdrawal wired to actual processing stops, children's-data rails for any under-18 audience, and vendor diligence as the processor chain inherits obligations. The phasing matters tactically — consent-manager and remaining provisions stagger over 12-18 months from the rules' notification — so compliance programs are racing dated deadlines, not hypotheticals.
When it matters
The DPDPA matters to anyone with Indian users, customers, or lists — one of the world's largest digital populations now sits under a consent-first regime with real penalties. It matters most for global programs built on GDPR rails: the architecture transfers, but the language requirements, consent-manager ecosystem, under-18 rules, and Board procedures are India-specific work. The discipline is the standing one — privacy as engineered data flow — plus a dated phasing calendar, because the rules' staggered deadlines are now the project plan. (General information, not legal advice.)
Synonyms & antonyms
Synonyms
Antonyms
Origin & history
India's DPDPA passed Parliament on August 11, 2023 after a half-decade of drafts, and became operational when MeitY notified the DPDP Rules in November 2025 — phasing consent managers and remaining provisions over 12-18 months, and adding the world's most populous digital market to the consent-first map.
Etymology: source.
Usage trends
Search interest for this term over the last five years:
Common questions
- What is the DPDPA?
- India's Digital Personal Data Protection Act — enacted August 11, 2023, operationalized by rules notified in November 2025 — a consent-first privacy regime enforced by a new Data Protection Board.
- What does the DPDPA require for consent?
- Consent that is free, specific, informed, unconditional, and given by clear affirmative action — withdrawable as easily as given, with plain-language notice available across India's scheduled languages.
- How does the DPDPA treat children's data?
- Strictly — verifiable parental consent for under-18s, with tracking and targeted advertising to children prohibited; a higher age line than COPPA's under-13.
Related tools & calculators
- toolCAC calculator
- toolLTV:CAC calculator
Resources & people to follow
- referenceGovernment of India — DPDP Rules 2025 notified
- referenceIAPP — India's DPDPA takes force
- referenceRGM analysis — the phased deadlines are the project plan; withdrawal is wiring, not policy text
Curated, non-competitor resources verified per term.
Related training
- modulePerformance marketing
Disciplines
Areas of marketing where dpdpa is a core concern: