India's Digital Personal Data Protection Act is now enforceable. Penalties go up to ₹250 crore. If your website collects names, emails, or phone numbers — and it does — this applies to you.
This is not a theoretical compliance exercise. The Data Protection Board of India is operational, and the rules are clear. Every business with a website, app, or digital form that touches personal data of Indian residents must comply.
Here is exactly what you need to do.
What the DPDP Act Actually Means for Your Business
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy law. Think of it as India's answer to GDPR — but built for Indian business realities.
The core principle is straightforward: if you collect someone's personal data, you need their explicit consent, you must use it only for the stated purpose, and you must protect it.
Personal data under the DPDP Act means any data that identifies or can identify a living person. Names, email addresses, phone numbers, IP addresses, location data, payment details — all of it.
Three terms you need to know:
- Data Principal — The person whose data you collect (your customer, user, visitor)
- Data Fiduciary — You, the business collecting and processing that data
- Data Processor — Any third party processing data on your behalf (your hosting provider, analytics tool, payment gateway)
As a Data Fiduciary, the compliance burden falls squarely on you.
Who Must Comply
Short answer: almost every business with a digital presence.
You must comply if you:
- Have a website with a contact form
- Collect email addresses for newsletters
- Run an e-commerce store
- Use analytics tools (Google Analytics, Mixpanel, etc.)
- Have a mobile app that accesses contacts, location, or camera
- Store customer data in a CRM
- Process payments online
- Use cookies for tracking or personalization
The DPDP Act applies to processing of digital personal data within India, and also to processing outside India if it involves offering goods or services to people in India.
If your business has Indian customers, you are covered. No exemptions based on company size.
Key Requirements: What You Must Implement
1. Consent Mechanisms
Consent under the DPDP Act must be:
- Free — No pre-ticked boxes, no bundled consent
- Specific — Each purpose needs separate consent
- Informed — Users must know exactly what data you collect and why
- Unconditional — Cannot deny service for refusing optional data collection
- Withdrawable — Users must be able to revoke consent as easily as they gave it
Every form on your website needs a clear consent statement. Not buried in terms and conditions — visible, readable, and specific.
Example of compliant consent:
"We will use your email address to send you project updates and our monthly newsletter. You can unsubscribe at any time from your account settings."
Example of non-compliant consent:
"By submitting this form, you agree to our terms and conditions."
2. Data Fiduciary Obligations
As a Data Fiduciary, you must:
- Collect only data that is necessary for the stated purpose
- Use data only for the purpose for which consent was obtained
- Ensure data accuracy and keep it updated
- Delete data once the purpose is fulfilled (or consent is withdrawn)
- Implement reasonable security safeguards
- Notify the Data Protection Board and affected users in case of a data breach
- Appoint a Data Protection Officer if classified as a Significant Data Fiduciary
3. Data Principal Rights
Your users have the right to:
- Access a summary of their personal data and processing activities
- Correct and update their data
- Erase their data (right to be forgotten)
- Nominate someone to exercise their rights (in case of death or incapacity)
- File complaints with the Data Protection Board
You must build mechanisms to handle these requests. A simple "Contact us" email is not sufficient — you need a documented process with defined response timelines.
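One way to give those requests a documented process with defined timelines, as an added example that is not code from the original article: a small request register that records each rights request, computes a response deadline, refuses to fulfil anything until the requester's identity is verified, and reports overdue items. The request types, SLA day counts, state names and verification-method labels are placeholders assumed for illustration; the Act and its rules set the timelines you actually have to meet.

```javascript
// Added example (not from the original article): a Data Principal rights request
// register with per-type response deadlines and identity verification gating.
// SLA_DAYS, the request types and the state names are assumed placeholders.

const SLA_DAYS = { access: 30, correction: 30, erasure: 30, nomination: 30 }; // assumed
const DAY_MS = 24 * 60 * 60 * 1000;

function createRequestRegister(now = () => Date.now()) {
  const requests = new Map();
  let seq = 0;

  // Open a request: the type is validated, a deadline is computed from the SLA,
  // and the request starts unverified so no data is disclosed or erased yet.
  function open(type, principalId) {
    if (!(type in SLA_DAYS)) throw new Error(`unknown request type: ${type}`);
    const id = `req-${++seq}`;
    const receivedAt = now();
    const req = {
      id, type, principalId, receivedAt,
      deadline: receivedAt + SLA_DAYS[type] * DAY_MS,
      state: "received", verified: false,
      history: [{ at: receivedAt, state: "received" }],   // audit trail of every state change
    };
    requests.set(id, req);
    return req;
  }
  function transition(req, state) {
    req.state = state;
    req.history.push({ at: now(), state });
  }
  // Verification is tracked separately from the state so an unverified request
  // can never reach "fulfilled".
  function markVerified(id, method) {
    const req = requests.get(id);
    req.verified = true;
    req.verificationMethod = method;   // e.g. "login-session", "email-link" (assumed labels)
    transition(req, "verified");
    return req;
  }
  function fulfil(id) {
    const req = requests.get(id);
    if (!req.verified) throw new Error(`${id}: identity not verified`);
    transition(req, "fulfilled");
    return req;
  }
  // Anything not fulfilled by its deadline is overdue; this feeds a daily report.
  function overdue() {
    const t = now();
    return [...requests.values()]
      .filter((r) => r.state !== "fulfilled" && t > r.deadline)
      .map((r) => r.id);
  }
  return { open, markVerified, fulfil, overdue, get: (id) => requests.get(id) };
}

// Constructed walk-through with a controllable clock (sample data, not real requests).
function demo() {
  let t = Date.parse("2025-06-01T00:00:00Z");
  const reg = createRequestRegister(() => t);
  const access = reg.open("access", "user-42");
  reg.open("erasure", "user-42");
  let blocked = null;
  try { reg.fulfil(access.id); } catch (err) { blocked = err.message; }   // refused: not verified
  reg.markVerified(access.id, "login-session");
  reg.fulfil(access.id);
  t += 31 * DAY_MS;                                                       // 31 days pass
  return { blocked, accessState: reg.get(access.id).state, overdue: reg.overdue() };
}
```

The point of the design is that the deadline and the verification step are both recorded at intake, so the history of each request is evidence you can show the Board, and the erasure request left open in the walk-through surfaces in `overdue()` instead of being forgotten.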
Privacy Policy Requirements
Your privacy policy is not optional boilerplate. Under the DPDP Act, it must clearly state:
- What personal data you collect
- The specific purpose for each type of data collected
- How you process and store the data
- Who you share it with (third-party processors, analytics providers, payment gateways)
- How long you retain the data
- How users can exercise their rights (access, correction, erasure)
- How users can withdraw consent
- Your grievance redressal mechanism
- Details of your Data Protection Officer (if applicable)
- Cross-border data transfer details
Write it in plain language. The Act explicitly requires that consent notices be "clear and plain" — legalese-heavy privacy policies are a compliance risk.
Cookie Consent Implementation
If your website uses cookies — and every modern website does — you need a cookie consent mechanism.
What is required:
- A cookie banner that appears on first visit
- Clear categorization of cookies (essential, analytics, marketing, functional)
- Granular consent — users must be able to accept/reject each category
- No non-essential cookies loaded before consent is given
- Easy access to change cookie preferences after initial choice
- Cookie policy that lists all cookies, their purpose, and retention period
Pre-checked "Accept All" buttons without a visible "Reject" option will not pass muster.
Technical implementation:
- Block all third-party scripts (Google Analytics, Facebook Pixel, HubSpot, etc.) until consent is recorded
- Store consent records with timestamps
- Re-prompt consent if your cookie usage changes
- Ensure consent works across subdomains
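The four technical points above, as an added example that is not code from the original article: a minimal consent manager that stores a timestamped, versioned consent record, loads a third-party tag only when its category has been accepted, forces a re-prompt whenever the policy version changes, and (in the browser) writes the record as a first-party cookie on the parent domain so it applies across subdomains. `POLICY_VERSION`, `COOKIE_DOMAIN` and the tag registry are placeholders assumed here; the storage is injected so the same logic runs under Node for the check below and in a browser with the `document.cookie` store.

```javascript
// Added example (not from the original article): consent gating for third-party tags.
// Assumptions: POLICY_VERSION is bumped by the site whenever cookie usage changes;
// COOKIE_DOMAIN is a placeholder for the site's registrable domain.

const POLICY_VERSION = "2025-01-v1";   // assumed: bump on any change to cookie usage
const COOKIE_DOMAIN = ".example.com";  // placeholder; leading dot shares the cookie across subdomains
const CATEGORIES = ["essential", "analytics", "marketing", "functional"];
const CONSENT_KEY = "dpdp_consent";

function createConsentManager(store, { version = POLICY_VERSION, now = () => Date.now() } = {}) {
  // Parse the stored record; anything unreadable counts as "no consent".
  function load() {
    const raw = store.get(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }
  // Show the banner on first visit, on a corrupt record, or when the policy version changed.
  function needsPrompt() {
    const rec = load();
    return rec === null || rec.version !== version;
  }
  // Record an explicit choice. Essential is always on; every other category is
  // denied unless the user explicitly accepted it (no pre-ticked defaults).
  function record(choices) {
    const rec = { version, timestamp: new Date(now()).toISOString(), choices: { essential: true } };
    for (const c of CATEGORIES) {
      if (c !== "essential") rec.choices[c] = choices[c] === true;
    }
    store.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
  // A category is allowed only if a record for the *current* policy version grants it.
  function allowed(category) {
    if (category === "essential") return true;
    const rec = load();
    return rec !== null && rec.version === version && rec.choices[category] === true;
  }
  // Withdrawal is as easy as giving consent: one call resets every optional category.
  function withdraw() { return record({}); }
  return { load, needsPrompt, record, allowed, withdraw };
}

// Each third-party tag declares a category; it is injected only once consent covers it.
// `inject` is the page's script loader (e.g. appending a <script> element), passed in
// so the gating logic can be exercised without a DOM.
function loadConsentedScripts(manager, registry, inject) {
  const loaded = [];
  for (const tag of registry) {
    if (manager.allowed(tag.category)) { inject(tag.src); loaded.push(tag.src); }
  }
  return loaded;
}

// In-memory store used under Node.
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => { m.set(k, v); } };
}

// Browser store: a first-party cookie on the parent domain so the choice applies across subdomains.
function cookieStore(domain = COOKIE_DOMAIN) {
  return {
    get(k) {
      const hit = document.cookie.split("; ").find((c) => c.startsWith(k + "="));
      return hit ? decodeURIComponent(hit.slice(k.length + 1)) : null;
    },
    set(k, v) {
      document.cookie = `${k}=${encodeURIComponent(v)}; Domain=${domain}; Path=/; ` +
        "Max-Age=15552000; SameSite=Lax; Secure";
    },
  };
}

// Example flow with a constructed tag registry (placeholder URLs, not real tags).
function demo() {
  const store = memoryStore();
  const registry = [
    { src: "https://analytics.example/tag.js", category: "analytics" },
    { src: "https://ads.example/pixel.js", category: "marketing" },
  ];
  const v1 = createConsentManager(store, { version: "v1" });
  const before = loadConsentedScripts(v1, registry, () => {});   // nothing loads before consent
  v1.record({ analytics: true });                                // user accepts analytics only
  const after = loadConsentedScripts(v1, registry, () => {});    // only the analytics tag
  const v2 = createConsentManager(store, { version: "v2" });     // cookie usage changed: new version
  return { before, after, reprompt: v2.needsPrompt(), afterChange: loadConsentedScripts(v2, registry, () => {}) };
}
```

Two details matter for an audit: the record carries the policy version it was given against, so a later change in cookie usage invalidates old consent instead of silently inheriting it, and every optional category defaults to `false`, so a tag can never load because a flag was merely absent.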
Data Storage and Security Requirements
The DPDP Act mandates "reasonable security safeguards." While it does not prescribe specific technologies, the expectation is clear:
- Encryption — Data at rest and in transit (TLS/SSL is mandatory, database encryption recommended)
- Access controls — Role-based access, principle of least privilege
- Regular backups — With tested recovery procedures
- Audit logging — Track who accessed what data and when
- Vulnerability management — Regular security patches, penetration testing
- Breach detection — Systems to identify unauthorized access
- Data minimization — Do not store data you do not need
- Retention policies — Automated deletion of data past its retention period
If you are using shared hosting with no SSL certificate and storing passwords in plain text, you have a serious problem.
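The retention-policy and audit-logging items above, as an added example that is not code from the original article: a sweep that deletes a record once consent is withdrawn or once its purpose is fulfilled and the retention period for its data type has elapsed, flags data types with no defined period for review instead of guessing, and writes an audit entry for every decision. The data types, retention periods, record shape and sample records are constructed assumptions; real periods come from your own data map.

```javascript
// Added example (not from the original article): a retention sweep with per-type
// periods and an audit log. RETENTION_DAYS and the sample records are assumed.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed policy: days to keep a record after its purpose is fulfilled.
const RETENTION_DAYS = {
  newsletter_subscription: 0,   // delete as soon as the subscription ends
  support_ticket: 90,           // keep closed tickets for 90 days
  order: 365,                   // keep fulfilled orders for a year
};

// Decide what to do with one record at time `now` (ms since epoch).
// Delete when consent was withdrawn, or when the purpose is fulfilled and the
// retention period for the type has elapsed since then. Unknown types are
// flagged for review rather than silently kept or deleted.
function evaluateRecord(rec, now) {
  if (rec.consentWithdrawn) return { action: "delete", reason: "consent withdrawn" };
  if (!(rec.dataType in RETENTION_DAYS)) return { action: "review", reason: "no retention period defined" };
  if (!rec.purposeFulfilledAt) return { action: "keep", reason: "purpose still active" };
  const expiresAt = Date.parse(rec.purposeFulfilledAt) + RETENTION_DAYS[rec.dataType] * DAY_MS;
  if (now >= expiresAt) return { action: "delete", reason: "retention period elapsed" };
  return { action: "keep", reason: `retained until ${new Date(expiresAt).toISOString()}` };
}

// Sweep a set of records. `deleter(rec)` is the caller's routine that removes the
// record from every system holding it (database, CRM, mail tool); it is injected so
// the decision logic runs without side effects. Returns the audit log.
function sweep(records, now, deleter) {
  const audit = [];
  for (const rec of records) {
    const decision = evaluateRecord(rec, now);
    if (decision.action === "delete") deleter(rec);
    audit.push({ at: new Date(now).toISOString(), id: rec.id, dataType: rec.dataType, ...decision });
  }
  return audit;
}

// Constructed sample records; the clock is fixed so the result is reproducible.
const SAMPLE_NOW = Date.parse("2025-06-01T00:00:00Z");
const SAMPLE_RECORDS = [
  { id: "r1", dataType: "newsletter_subscription", purposeFulfilledAt: "2025-05-31T00:00:00Z", consentWithdrawn: false },
  { id: "r2", dataType: "support_ticket", purposeFulfilledAt: "2025-04-01T00:00:00Z", consentWithdrawn: false },
  { id: "r3", dataType: "order", purposeFulfilledAt: "2024-01-15T00:00:00Z", consentWithdrawn: false },
  { id: "r4", dataType: "order", purposeFulfilledAt: null, consentWithdrawn: true },
  { id: "r5", dataType: "session_replay", purposeFulfilledAt: "2025-01-01T00:00:00Z", consentWithdrawn: false },
];

function runSampleSweep() {
  const deleted = [];
  const audit = sweep(SAMPLE_RECORDS, SAMPLE_NOW, (rec) => deleted.push(rec.id));
  return { deleted, audit };
}
```

Run on a schedule, the audit log this produces is the evidence that deletion actually happens on the timelines your privacy policy promises; the "review" outcome is deliberate, because a new data type that nobody assigned a retention period to should block the sweep's silence, not slip through.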
Cross-Border Data Transfer Rules
The DPDP Act takes a "blacklist" approach to cross-border transfers. Data can flow to any country except those specifically restricted by the Central Government.
As of now, no countries have been blacklisted. But you still need to:
- Document where your data is stored and processed
- Ensure your processors (AWS, Google Cloud, Shopify, etc.) maintain adequate security
- Include cross-border transfer details in your privacy policy
- Be prepared to relocate data if a country gets restricted
If you use international SaaS tools — Mailchimp, HubSpot, Stripe — your data is already crossing borders. Document it.
Children's Data Protection
The DPDP Act has strict rules for processing children's data (under 18):
- Verifiable parental consent is required before processing any child's data
- No behavioral tracking or targeted advertising directed at children
- No data processing that could be detrimental to a child's well-being
If your product or service could be used by minors, you need age verification and parental consent mechanisms. E-commerce stores selling children's products, educational platforms, and gaming apps — pay attention.
DPDP Act vs GDPR: Key Differences
If you already comply with GDPR, you are ahead — but not fully compliant with DPDP. Here are the critical differences:
| Aspect | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital and physical) |
| Legal basis for processing | Consent or "legitimate uses" (limited) | Six legal bases including legitimate interest |
| Consent standard | Must be free, specific, informed, clear | Must be freely given, specific, informed, unambiguous |
| Data Protection Officer | Required only for Significant Data Fiduciaries | Required for large-scale processing, public bodies |
| Breach notification | To Data Protection Board and affected persons | To supervisory authority within 72 hours |
| Cross-border transfers | Allowed except to blacklisted countries | Allowed only to adequate countries or with safeguards |
| Right to portability | Not explicitly included | Yes, in structured machine-readable format |
| Children's age threshold | Under 18 | Under 16 (member states can lower to 13) |
| Maximum penalty | ₹250 crore (~$30M) | €20M or 4% of global turnover |
| Legitimate interest | Not a standalone legal basis | Recognized legal basis for processing |
Key takeaway: DPDP is narrower in scope but stricter on consent and children's data. If you serve both Indian and EU users, you need to comply with both.
Implementation Checklist for Indian Websites
Use this checklist to audit your current state and plan your compliance work:
Data Mapping and Inventory
- List every form, input, and data collection point on your website
- Document what data each collects and why
- Map all third-party services that receive user data
- Identify where data is stored (databases, CRMs, email tools, spreadsheets)
- Document data retention periods for each data type
- Identify if you process children's data
Consent Infrastructure
- Implement cookie consent banner with granular controls
- Add consent checkboxes to all forms (contact, signup, checkout)
- Ensure no non-essential cookies fire before consent
- Build consent withdrawal mechanism (preference center or account settings)
- Store consent records with timestamps and version tracking
- Implement double opt-in for email marketing
Privacy Policy and Legal Pages
- Write or update privacy policy covering all DPDP requirements
- Create or update cookie policy with full cookie inventory
- Add terms of service referencing data processing
- Ensure all policies are accessible from every page (footer links)
- Translate policies into relevant languages
User Rights Mechanisms
- Build or configure data access request workflow
- Enable data correction/update functionality
- Implement data deletion (right to erasure) process
- Set up request tracking with response time SLAs
- Create a nominated person mechanism for exercising rights
Security Measures
- Enable HTTPS across all pages (no mixed content)
- Encrypt sensitive data at rest
- Implement role-based access controls for admin panels
- Set up audit logging for data access
- Configure automated backups with encryption
- Schedule regular security audits or penetration testing
- Implement breach detection and notification procedures
Organizational Measures
- Appoint a Data Protection Officer (if applicable)
- Train team members on data handling procedures
- Document your data processing activities
- Review and update third-party processor agreements
- Establish a data breach response plan
Implementation Timeline
Here is a realistic timeline for a typical Indian business website:
| Phase | Tasks | Duration |
|---|---|---|
| Week 1-2: Audit | Data mapping, gap analysis, third-party inventory | 2 weeks |
| Week 3-4: Legal | Privacy policy drafting, cookie policy, consent language | 2 weeks |
| Week 5-7: Technical | Cookie consent implementation, form updates, consent storage | 3 weeks |
| Week 8-9: User Rights | Data access/deletion workflows, preference center | 2 weeks |
| Week 10: Security | Encryption audit, access controls, logging | 1 week |
| Week 11-12: Testing | End-to-end testing, team training, documentation | 2 weeks |
Total: 10-12 weeks for a standard business website. Complex e-commerce or SaaS platforms may need 16-20 weeks.
Common Compliance Mistakes
These are the errors we see most frequently:
1. Treating consent as a one-time checkbox. Consent must be purpose-specific. A single "I agree" covering your privacy policy, marketing emails, analytics, and third-party sharing is not valid consent.
2. Ignoring third-party scripts. Google Analytics, Facebook Pixel, Hotjar, live chat widgets — they all process personal data. If you have not accounted for them in your consent mechanism, you are not compliant.
3. No data deletion process. Users have the right to erasure. "We will look into it" is not a process. You need automated or semi-automated deletion across all systems where user data exists.
4. Privacy policy copy-pasted from another website. Your privacy policy must reflect your actual data practices. A generic template that mentions services you do not use is worse than having no policy — it demonstrates negligence.
5. No breach notification plan. When (not if) a breach occurs, you need to notify the Data Protection Board. Having no plan means delayed notification, which compounds penalties.
6. Assuming compliance is a one-time project. Every new form, feature, integration, or marketing campaign needs a compliance check. Build it into your development workflow.
7. Not covering employee and vendor data. DPDP applies to all personal data you process — not just customer data. Employee records, vendor contacts, and freelancer details are covered too.
Cost of Implementation
Realistic cost ranges for Indian businesses:
| Component | Small Business Website | Mid-size E-commerce | Enterprise SaaS |
|---|---|---|---|
| Privacy policy and legal docs | ₹15,000 – ₹50,000 | ₹50,000 – ₹1,50,000 | ₹2,00,000 – ₹5,00,000 |
| Cookie consent platform | ₹0 – ₹5,000/year | ₹5,000 – ₹25,000/year | ₹25,000 – ₹1,00,000/year |
| Technical implementation | ₹25,000 – ₹75,000 | ₹1,00,000 – ₹3,00,000 | ₹5,00,000 – ₹15,00,000 |
| Data mapping and audit | ₹10,000 – ₹30,000 | ₹50,000 – ₹1,50,000 | ₹2,00,000 – ₹5,00,000 |
| Ongoing maintenance | ₹5,000 – ₹15,000/year | ₹25,000 – ₹75,000/year | ₹1,00,000 – ₹3,00,000/year |
| Total first year | ₹55,000 – ₹1,75,000 | ₹2,30,000 – ₹7,00,000 | ₹10,00,000 – ₹29,00,000 |
Compare that to the maximum penalty of ₹250 crore. Compliance is not expensive — non-compliance is.
Tools and Plugins for Compliance
WordPress Sites
- CookieYes — Cookie consent banner with auto-scanning (free tier available)
- Complianz — GDPR/DPDP cookie consent with geo-targeting
- WP GDPR Compliance — Data access and deletion request handling
- Really Simple SSL — Force HTTPS across your site
- UpdraftPlus — Encrypted backups
Shopify Stores
- Consentmo — GDPR and DPDP compliant cookie bar
- Pandectes — Cookie consent with full compliance dashboard
- GDPR/CCPA Cookie Banner — Free Shopify app for basic consent
- Shopify's built-in Customer Privacy API for managing consent signals
Custom-Built Sites (React, Next.js, etc.)
- Osano — Consent management platform with JavaScript SDK
- Cookiebot — Auto-scanning and consent management API
- OneTrust — Enterprise-grade privacy management (API-driven)
- Custom implementation — Build consent storage with your database, integrate script blocking via Google Tag Manager consent mode
Cross-Platform Tools
- OneTrust or TrustArc — End-to-end privacy management for larger organizations
- DataGrail — Automated data subject request fulfillment
- Vanta or Sprinto — Compliance automation with evidence collection
Penalties for Non-Compliance
The DPDP Act prescribes penalties in a schedule. These are not theoretical maximums — they are the amounts the Data Protection Board can impose:
- Failure to take security safeguards leading to a breach — up to ₹250 crore
- Failure to notify the Board and affected persons of a breach — up to ₹200 crore
- Non-compliance with obligations regarding children's data — up to ₹200 crore
- Non-compliance with Data Fiduciary obligations — up to ₹150 crore
- Failure to comply with Board directions — up to ₹50 crore
These penalties apply per instance. Multiple violations compound.
Beyond penalties, non-compliance carries business risk: loss of customer trust, negative press, and potential lawsuits. For businesses serving international clients, non-compliance with Indian law also raises red flags for GDPR and other international frameworks.
Frequently Asked Questions
Q: Does the DPDP Act apply to small businesses and startups? Yes. There is no exemption based on company size or revenue. If you process digital personal data of individuals in India, you must comply. The scope of your obligations scales with the volume and sensitivity of data you handle, but the core requirements apply universally.
Q: I already comply with GDPR. Am I automatically DPDP compliant? Not automatically, but you are in a strong position. The DPDP Act has different requirements around children's data (under 18 vs under 16), does not recognize legitimate interest as a standalone legal basis, and has India-specific notification obligations. You will need to close these gaps.
Q: Do I need a Data Protection Officer? Only if the government classifies you as a "Significant Data Fiduciary" — typically large-scale processors handling sensitive data. However, having a designated person responsible for data protection is good practice regardless of the mandate.
Q: What counts as "verifiable parental consent" for children's data? The Act does not prescribe a specific method, but the consent must be verifiable. Options include parent email verification, credit card micro-transactions, government ID verification, or video call confirmation. The key is that you can demonstrate the consent came from a parent or guardian.
Q: Can I still use Google Analytics? Yes, but you must obtain consent before loading the tracking script, disclose its use in your privacy policy, and offer users the ability to opt out. Google Analytics 4 has a consent mode that supports this — use it.
Q: What happens if I have a data breach? You must notify the Data Protection Board of India and every affected Data Principal (user) "as soon as possible" after becoming aware. There is no explicit 72-hour window like GDPR, but delays will be viewed unfavorably. Have a breach response plan ready before you need it.
Q: How long can I retain user data? Only as long as necessary for the purpose it was collected. Once the purpose is fulfilled or consent is withdrawn, you must delete the data. Define retention periods for each data type and automate deletion where possible.
Q: Does this apply to data collected before the Act came into effect? Yes. The Act applies to personal data collected before its enactment if it is still being processed in digital form. You must obtain fresh consent for continued processing or delete the data.
Data privacy compliance is not a checkbox — it is an ongoing operational commitment. The businesses that treat it seriously will earn customer trust and avoid regulatory trouble. The ones that ignore it are betting against a ₹250 crore penalty.
Start with the checklist above. Map your data, fix your consent flows, update your privacy policy, and lock down your security.
Need help making your website DPDP Act compliant? We provide compliance audits and implementation for Indian businesses — from consent mechanisms to security hardening. Talk to us.