India · DPDP Act 2023

India's data protection law has arrived. Here's what it asks of you.

The Digital Personal Data Protection Act, 2023 is India's first comprehensive personal-data law. This page explains, in plain terms, what the Act is, the dates that bind businesses, the penalty regime, and who must comply — so you can plan rather than panic.

Educational overview only — not legal advice. Refer to the official Act and the notified Rules, and consult qualified counsel for your specific obligations.

What it is

The Digital Personal Data Protection Act, 2023.

The DPDP Act, 2023 governs how organisations handle the digital personal data of individuals in India. It introduces a consent-first model: in most cases you may process someone's personal data only for a clearly stated, lawful purpose to which they have given free, specific, informed and unambiguous consent — with the right to withdraw it just as easily as it was given.

The Act uses its own vocabulary. The individual whose data is processed is the Data Principal. The organisation that decides why and how the data is processed is the Data Fiduciary. Anyone processing data on a fiduciary's behalf is a Data Processor. Oversight and enforcement sit with the Data Protection Board of India.

Data Principal

The individual the personal data is about — the person whose consent and rights the Act protects.

Data Fiduciary

The organisation that determines the purpose and means of processing — and carries the obligations.

Data Protection Board

The adjudicating body that handles complaints and imposes penalties for non-compliance.

The deadlines

Two dates that turn the Act into your timeline.

The Act is being brought into force in stages through notified Rules. Two milestones in particular shape what businesses need to do, and when. These are statutory dates, not promotions — and the work of mapping data, capturing consent with proof, and honouring rights takes lead time.

Consent Manager integration

13 November 2026

All substantive obligations

13 May 2027

Dates reflect the staged commencement timeline under the notified DPDP Rules. Always confirm against the latest official notifications.

August 2023 — The Act is passed

Parliament enacts the Digital Personal Data Protection Act, 2023, establishing the consent-first framework and the Data Protection Board.

Rules notified — the machinery

The DPDP Rules set out operational detail — including the role of Consent Managers — and trigger the staged commencement of obligations.

13 November 2026 — Consent Manager integration

Integration with the Consent Manager framework becomes mandatory, shaping how consent is collected, recorded and managed.

13 May 2027 — Full obligations land

The substantive obligations apply in full: lawful consent, data-principal rights, breach handling and security safeguards.

The penalty regime

Non-compliance carries significant financial penalties.

The Act empowers the Data Protection Board of India to inquire into breaches and impose significant monetary penalties on data fiduciaries that fail to meet their obligations. Penalties are set against categories of failure — for example, not taking reasonable security safeguards to prevent a personal-data breach, or failing to notify the Board and affected principals of a breach.

The Act's schedule provides for substantial maximum penalties per category of breach, with the most serious categories — such as a failure to take reasonable security safeguards — attracting the highest amounts. The Board determines the actual penalty in each case based on the nature, gravity and duration of the breach. Beyond the financial exposure, non-compliance carries real reputational cost with customers who increasingly expect their data to be handled lawfully.

The exact penalty amounts and categories are set out in the Schedule to the Act. Because amounts and triggers can be refined through Rules and Board practice, confirm the current figures against the official text rather than relying on a single quoted number.

Who must comply

If you handle personal data of people in India, this is for you.

The Act applies broadly to the processing of digital personal data within India, and also to processing outside India where it relates to offering goods or services to data principals in India. In practice, that sweeps in a very large share of online businesses — including small and mid-sized operators running their storefront, bookings, forms and marketing on a website.

  • Businesses that collect customer details through contact forms, signups, orders or bookings.
  • Sites that run analytics or advertising trackers that process visitor data.
  • Operators that send marketing email or run loyalty and review programmes.
  • Anyone serving customers in India, even from outside the country.

Larger or higher-risk fiduciaries may be designated as Significant Data Fiduciaries with additional duties, but the core consent, rights and security obligations reach ordinary businesses too.

How DPDPA.support helps

Turn the obligations into one install on your Wix site.

DPDPA.support is built to carry the day-to-day weight of these obligations for a Wix site. It captures per-purpose consent with proof, gates cookies and trackers until consent is given, gives data principals a self-service My Data surface, produces access and portability reports, handles erasure as a lawful processing freeze under retention, and gives your DPO a working console. It is a consent management and compliance platform for the fiduciary — not a Board-registered Consent Manager.

Consent with proof

A per-purpose consent ledger written to an append-only audit store, ready for accountability.

Rights, self-served

My Data lets principals manage consent and download their data; access, erasure and grievances are handled in-platform.

Evidence for the Board

Tenant-isolated, secrets in OpenBao, with an audit trail you can show rather than describe.