Big Tech2 min read

India's Digital Personal Data Protection Act Takes Effect: Companies Face ₹250 Crore Fines for Violations

India's DPDP Act 2023 comes into full effect with strict enforcement starting July 2026. Companies face fines up to ₹250 crore per violation for data breaches and consent violations.

AR

Aditya Raj

July 17, 2026

Fact CheckedUpdated
India's Digital Personal Data Protection Act Takes Effect: Companies Face ₹250 Crore Fines for Violations
AI Summary

India's DPDP Act takes full effect July 2026 with fines up to ₹250 crore per violation. Data Protection Board of India established. Explicit consent required for data collection. 72-hour breach reporting. 50 companies issued compliance notices. First major penalty: ₹100 crore on fintech company for 20M user breach.

India's Digital Personal Data Protection (DPDP) Act has taken full effect, with the government announcing strict enforcement beginning July 2026. Companies found violating data protection rules face penalties of up to ₹250 crore per incident.
Data privacy lock symbol over a digital India flag
India's DPDP Act enforces strict data protection with fines up to ₹250 crore
The Data Protection Board of India (DPBI) has been established with the authority to investigate complaints, impose penalties, and block platforms that repeatedly violate the Act. The first 50 companies have already been issued compliance notices. The DPDP Act differs significantly from GDPR in that it applies to all digital personal data processed within India, regardless of company size. Even startups must comply. The Act also introduces the concept of 'Consent Managers' — licensed intermediaries that manage user consent across platforms.

"The DPDP Act is India's digital constitution for data rights. It balances citizen privacy with innovation, and the enforcement framework ensures that data fiduciaries take their obligations seriously."

— Rajeev Chandrasekhar, Former Minister of State for Electronics & IT
Major tech companies including Meta, Google, and Amazon have established dedicated India data protection teams and appointed Data Protection Officers. Indian startups have been given a 12-month transition period for compliance. The Act has significant implications for India's digital advertising industry, which is valued at ₹50,000 crore. Companies can no longer process personal data for targeted advertising without explicit user consent. The DPBI has published detailed consent notice guidelines that must be followed. Non-compliance penalties have already begun with the DPBI issuing a ₹100 crore penalty to a major fintech company for a data breach affecting 20 million users — the first major enforcement action under the Act.

Advertisement

Key Takeaways

  1. 1DPDP Act full enforcement begins July 2026 — fines up to ₹250 crore per violation
  2. 2Data Protection Board of India (DPBI) established with investigation and penalty powers
  3. 3Mandatory requirements: explicit consent, 72-hour breach reporting, Data Protection Officer
  4. 4Cross-border data transfer restricted to notified countries only
  5. 5First enforcement action: ₹100 crore fine on fintech company for 20M user data breach

Frequently Asked Questions

What are the penalties under the DPDP Act?

Companies can be fined up to ₹250 crore per violation for data breaches and consent violations.

What is the Data Protection Board of India?

The DPBI is the regulatory authority that investigates complaints, imposes penalties, and can block non-compliant platforms.

How is the DPDP Act different from GDPR?

The DPDP Act applies to all digital personal data processed in India regardless of company size, and introduces 'Consent Managers' — licensed intermediaries for user consent.

Topics

Loading comments...