The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Legal Comparison

DPDPA 2023 vs CCPA/CPRA

A detailed comparative analysis of India's Digital Personal Data Protection Act and California's Consumer Privacy Act for organisations operating across US-India markets.

Executive Summary

DPDPA and CCPA represent fundamentally different privacy philosophies. DPDPA follows the opt-in consent model prevalent in European-style legislation, requiring affirmative consent before data processing. CCPA adopts the American notice-and-choice model, permitting processing by default with consumer opt-out rights.

The most significant operational difference lies in the "sale of data" concept. CCPA creates specific obligations around data sale with its "Do Not Sell" mechanism, while DPDPA requires consent for all commercial use of personal data, rendering the sale distinction less relevant. Organisations must implement distinct compliance architectures for each jurisdiction.

DPDPA: Opt-In Model

Processing requires affirmative consent before collection. No processing without explicit permission. "Legitimate Uses" provide limited exceptions for employment, legal obligations, and public interest.

CCPA: Opt-Out Model

Processing permitted by default with notice. Consumers must actively opt-out of sale/sharing. Businesses bear burden of providing opt-out mechanisms and honouring preferences.

Legislative Framework

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Full Name	Digital Personal Data Protection Act, 2023	California Consumer Privacy Act (as amended by CPRA)
Jurisdiction	India (Federal law applicable nationwide)	California, USA (State law with extraterritorial effect)
Effective Date	Full enforcement: 13th May 2027	CCPA: 1st January 2020; CPRA amendments: 1st January 2023
Regulatory Authority	Data Protection Board of India	California Privacy Protection Agency (CPPA)
Legal Model	Consent-centric (opt-in model)	Notice and opt-out model

Scope & Applicability

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Covered Entities	All Data Fiduciaries processing digital personal data	Businesses meeting revenue/data volume thresholds
Revenue Threshold	None; applies to all entities processing personal data	Annual gross revenue exceeding $25 million
Data Volume Threshold	None specified	Buy/sell/share data of 100,000+ consumers/households
Covered Data	Digital personal data (excludes non-digital)	Personal information (broader; includes inferences)
Employee Data	Covered under employment Legitimate Use	Covered; specific provisions for B2B and employee data

Consumer/Principal Rights

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Right to Know/Access	Section 11: Summary of personal data and processing activities	Right to know categories and specific pieces of PI collected
Right to Delete	Section 13: Erasure upon consent withdrawal or purpose completion	Right to delete PI with specified exceptions
Right to Correct	Section 12: Correction of inaccurate or incomplete data	Right to correct inaccurate PI (added by CPRA)
Right to Portability	Not explicitly provided	Right to receive PI in portable, machine-readable format
Right to Opt-Out of Sale	Not applicable (consent required for all processing)	Core right: "Do Not Sell or Share My Personal Information"
Right to Limit Sensitive Data Use	Stricter consent requirements for sensitive data	Right to limit use/disclosure of sensitive PI
Non-Discrimination	Not explicitly stated	Cannot discriminate against consumers exercising rights

Consent & Legal Basis

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Default Model	Opt-in: Affirmative consent required before processing	Opt-out: Processing permitted unless consumer objects
Sale of Data	Requires explicit consent; no concept of "sale" exemption	Permitted with opt-out right; "sale" broadly defined
Sharing for Advertising	Requires specific consent for targeted advertising	Cross-context behavioural advertising requires opt-out
Sensitive Data	Explicit consent with additional safeguards	Opt-in consent or right to limit use
Children's Data	Verifiable parental consent for all under 18	Opt-in for under 16; parental consent for under 13

Business Obligations

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Privacy Notice	Itemised notice with 8 mandatory elements before collection	Notice at collection; privacy policy with 10+ disclosures
Data Processing Agreements	Required with Data Processors under Section 8(2)	Service provider/contractor agreements required
Data Protection Impact Assessment	Required for Significant Data Fiduciaries	Risk assessments required under CPRA for high-risk processing
Opt-Out Mechanisms	Not applicable (opt-in model)	"Do Not Sell/Share" link required on homepage
Global Privacy Control	Not addressed	Must honour browser-based opt-out signals

Penalties & Enforcement

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Maximum Administrative Penalty	₹250 crore (~$30 million) per contravention	$7,500 per intentional violation
Per-Violation Penalty	Fixed maximum amounts in Schedule	$2,500 (unintentional) to $7,500 (intentional) per violation
Penalty Scaling	Aggregate caps regardless of organisation size	Per-violation model can accumulate to massive amounts
Private Right of Action	No private right of action	Limited to data breaches; statutory damages $100-$750 per consumer
Cure Period	Board may provide opportunity to remedy	No cure period under CPRA (removed from original CCPA)

Cross-Border Transfers

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Default Position	Permitted except to blacklisted countries	No specific cross-border transfer restrictions
Transfer Mechanism	Government notification of restricted countries	Contractual provisions; standard requirements for service providers
Data Localisation	May be prescribed for certain categories	No data localisation requirements

Data Brokers & Sale

Aspect	DPDPA 2023 (India)	CCPA/CPRA (California)
Data Broker Definition	No specific data broker provisions	Business that collects PI of consumers with whom it has no direct relationship
Registration Requirement	Consent Manager registration for intermediaries	Data brokers must register with California AG
Sale Definition	No "sale" concept; all sharing requires consent	Sale = disclosure for monetary or valuable consideration
Delete Signals	Not applicable	Data brokers must honour delete signals (proposed)

Compliance Implications for US-India Operations

1. Consent Architecture: Organisations processing Indian residents' data must implement opt-in consent mechanisms regardless of their CCPA opt-out infrastructure. A unified consent management platform should support both models.

2. Website Requirements: The CCPA "Do Not Sell/Share" link is not required under DPDPA, but the DPDPA itemised privacy notice must be provided before or at the point of data collection.

3. Children's Data: DPDPA applies parental consent requirements to all individuals under 18, significantly broader than CCPA's under-16 threshold. Age verification mechanisms must account for this difference.

4. Data Subject Requests: Response procedures differ; organisations should establish jurisdiction-specific workflows while maintaining unified request intake systems.

DPDPA vs GDPR →

Compare with EU privacy law

DPDPA vs IT Act →

Evolution from IT Act 2000

Resource

Implementation Playbook →

12-step DPDPA compliance roadmap

Legal Disclaimer: This comparison is provided for educational purposes and does not constitute legal advice. CCPA analysis incorporates CPRA amendments effective 1st January 2023. DPDPA analysis reflects DPDP Rules, 2025 notified 13th November 2025. Organisations should obtain jurisdiction-specific legal counsel.