The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Implementing DPDPA Compliant Consent Management

A technical and procedural framework for Data Fiduciaries to implement consent collection, management, and withdrawal mechanisms compliant with Section 6 of DPDPA 2023.

Statutory Foundation

Section 6 of DPDPA 2023 establishes consent as a primary ground for lawful processing. Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.

Rule 4 of DPDP Rules 2025 prescribes the technical standards and operational requirements for consent collection, storage, and withdrawal mechanisms.

Elements of Valid Consent

Free

Consent must not be obtained through coercion, undue influence, or as a condition for provision of goods or services unless processing is necessary for performance.

Invalid: Bundled consent, take it or leave it approaches

Specific

Consent must relate to specific, clearly defined purposes. Blanket or general consent covering unspecified future processing is invalid.

Invalid: Generic consent for "all purposes"

Informed

The Data Principal must receive clear notice of processing purposes, categories of data, and rights before giving consent.

Invalid: Consent without prior notice

Unconditional

Consent must not be subject to conditions beyond what is necessary for the specified purpose.

Invalid: Hidden conditions or qualifications

Unambiguous

Consent must be clearly signified through an affirmative action. Silence, inactivity, or pre ticked boxes do not constitute valid consent.

Invalid: Pre checked boxes, implied consent

Clear Affirmative Action

The Data Principal must actively indicate agreement through a positive action such as ticking an unchecked box, clicking an "I agree" button, or signing a consent form.

Invalid: Opt out mechanisms as primary consent

Implementation Procedure

Processing Activity Inventory

Document all processing activities requiring consent. For each activity, identify the specific purpose, categories of data, retention period, and third party disclosures.

Notice Design

Draft privacy notices meeting Section 5 requirements. Ensure notices are in clear, plain language and available in relevant languages. Link consent requests to specific notice provisions.

Consent Form Design

Design consent collection interfaces with unchecked boxes for each purpose. Ensure granularity allowing separate consent for distinct purposes. Include clear description of each processing activity.

Technical Implementation

Implement consent collection mechanism across all data collection points including websites, mobile applications, physical forms, and call centres. Ensure consistent user experience.

Consent Record System

Implement system to capture and store consent records including timestamp, version of notice shown, specific purposes consented, method of consent, and identity verification.

Withdrawal Mechanism

Implement withdrawal mechanism that is as easy as giving consent. Ensure withdrawal is effective without undue delay. Process withdrawal across all systems and third parties.

Integration with Processing

Integrate consent system with processing operations to ensure data is only processed for purposes with valid consent. Implement automated checks before processing.

Testing and Validation

Test consent flows for usability and compliance. Verify that consent records accurately capture all required information. Test withdrawal process end to end.

Training and Documentation

Train staff on consent collection procedures. Document standard operating procedures. Establish quality assurance process for consent collection.

Consent Record Requirements

Each consent record must capture:

Unique identifier of the Data Principal

Date and time of consent

Version of privacy notice presented

Specific purposes consented to

Method of obtaining consent

Evidence of affirmative action

Duration or validity period

History of modifications or withdrawals

Consent for Children

Verifiable Parental Consent

Processing personal data of children (persons below 18 years) requires verifiable consent from the parent or lawful guardian. The consent mechanism must:

• Implement age verification at point of data collection
• Obtain consent from parent or guardian where child is identified
• Implement reasonable verification of parental relationship
• Not permit processing for behavioural monitoring or targeted advertising
• Ensure processing is not detrimental to well being of the child

Consent Withdrawal Requirements

Ease of Withdrawal

Withdrawal must be as easy as giving consent. If consent was given through a single click, withdrawal must not require multiple steps.

Clear Mechanism

The withdrawal mechanism must be clearly communicated to the Data Principal and easily accessible.

Prompt Effect

Withdrawal must take effect without undue delay. Processing must cease once withdrawal is received.

No Penalty

The Data Principal must not be penalised for withdrawing consent, except that services requiring the processing may no longer be available.

Third Party Notification

Where data has been shared with third parties, they must be notified of the withdrawal.

Compliance Timeline

Implementation Deadline

All consent mechanisms must be compliant with DPDPA requirements by 13th May 2027. This includes updating existing consent collection processes and obtaining fresh consent where existing consent does not meet the statutory standard.

Processing based on consent obtained prior to the compliance deadline must be reviewed to ensure it meets the DPDPA standard. Where it does not, fresh consent must be obtained or processing must cease.

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Technical implementation should be reviewed by qualified legal and technical professionals. The statutory provisions prevail in case of any inconsistency with this guidance.