What is India's DPDP Act 2023? Complete Guide for Businesses

Vineeth Nair · May 8, 2024 · 6 min read

India's Digital Personal Data Protection Act 2023 is the country's first comprehensive privacy law. It governs how businesses collect, use, and store personal information of Indians in digital format. Think of it as a rulebook that gives individuals control over their personal data while ensuring businesses can operate legitimately.

The Act received Presidential approval on August 11, 2023. Unlike previous scattered regulations, this single law creates a unified framework for data protection across all digital platforms in India.

What Does the DPDP Act Actually Cover?

The DPDP Act applies to any "digital personal data" — any information about a person that exists in electronic form or has been converted from physical documents to digital format. This includes everything from email addresses and phone numbers to shopping preferences and location data.

The law covers two main scenarios: data collected within India (whether originally digital or later digitised) and data processed outside India if the processing relates to offering goods or services to people in India. Global companies serving Indian customers must comply.

Personal data under the Act means "any data about an individual who is identifiable by or in relation to such data." This definition is deliberately broad to ensure comprehensive protection without creating complex subcategories.

Key Players in the DPDP Framework

Data Principals are the individuals whose personal information is being processed — any Indian citizen or resident whose data is collected. Data Principals have specific rights, including access to their data, correction of inaccuracies, and erasure when consent is withdrawn.

Data Fiduciaries are any person or organisation that decides why and how personal data will be processed. Most businesses that collect customer information will be classified as Data Fiduciaries, carrying the primary responsibility for compliance.

Data Processors are entities that process personal data on behalf of Data Fiduciaries under a valid contract. For example, if a business hires a cloud storage company to store customer data, the cloud provider becomes a Data Processor, while the business remains the Data Fiduciary that carries responsibility for compliance.

Consent Managers are a unique feature of the DPDP Act — registered entities that act as single points of contact for individuals to give, manage, and withdraw consent across multiple platforms.

Core Requirements Explained Simply

Consent Must Be Clear and Specific

The Act requires consent to be "free, specific, informed, unconditional, and unambiguous with a clear affirmative action." In practice this means no pre-checked boxes, explanations in plain language, the specific purposes stated up front, easy withdrawal mechanisms, and separate consent for each distinct purpose.

Purpose Limitation

Businesses can only use personal data for the specific purpose they mentioned when collecting it. If a company collects your email for order updates, they cannot use it for marketing without separate consent.

Data Minimisation

Organisations must collect only the minimum personal data necessary for their specified purpose. The principle of "collect only what you need" becomes legally mandatory.

Storage Limitation

Personal data must be deleted once the purpose is fulfilled or consent is withdrawn, unless retention is required by law. Companies cannot indefinitely store customer information "just in case."

Special Protections for Children

The DPDP Act sets the age of consent at 18 years, requiring verifiable parental consent for processing any child's data. Businesses cannot engage in behavioural tracking or targeted advertising directed at children. This creates stricter child protection standards compared to many global frameworks.

The Data Protection Board

The Act establishes the Data Protection Board of India as the enforcement authority. It has the power to impose penalties up to Rs. 250 crore. The Board will function as a "digital office" where complaints can be filed and resolved online without requiring physical presence.

What This Means for Marketing Teams

The most immediate impact areas for marketing are:

  • Lead forms. Every form collecting personal data needs a clear, standalone consent checkbox — not buried in terms and conditions.
  • Email marketing. Purchased or scraped email lists are non-compliant. You need a clear opt-in trail for every contact in your database.
  • Retargeting. Pixel-based tracking and retargeting campaigns require explicit user consent.
  • CRM data. Customer databases need to be audited for data collected without explicit consent and cleaned accordingly.
  • Third-party tools. Any marketing tool processing Indian user data — Google Analytics, HubSpot, Meta Pixel — needs to be reviewed for compliance.

What to Do Now

The rules are still being finalised, but the direction is clear. Start with these steps:

  • Audit all your lead capture forms and remove any implicit or bundled consent
  • Review your email database for consent provenance
  • Add a consent management layer to your website
  • Create a process for handling data deletion requests
  • Brief your marketing team on what types of data use require explicit consent

The DPDP Act is not a one-time compliance exercise. It is a shift in how Indian businesses must think about customer data — from an asset they own to a responsibility they hold in trust. The brands that build trust-first data practices now will be better positioned as enforcement ramps up.

Vineeth Nair

Growth Marketing Consultant

15 years in digital marketing. VP-level operator across telco, FMCG, fintech, and e-commerce. I write about what is actually working in performance marketing, SEO, and AI-driven growth.