India's Digital Personal Data Protection Act Takes Effect: Companies Face ₹250 Crore Fines for Violations
India's DPDP Act 2023 comes into full effect with strict enforcement starting July 2026. Companies face fines up to ₹250 crore per violation for data breaches and consent violations.
Aditya Raj
July 17, 2026

India's DPDP Act takes full effect July 2026 with fines up to ₹250 crore per violation. Data Protection Board of India established. Explicit consent required for data collection. 72-hour breach reporting. 50 companies issued compliance notices. First major penalty: ₹100 crore on fintech company for 20M user breach.

Major tech companies including Meta, Google, and Amazon have established dedicated India data protection teams and appointed Data Protection Officers. Indian startups have been given a 12-month transition period for compliance. The Act has significant implications for India's digital advertising industry, which is valued at ₹50,000 crore. Companies can no longer process personal data for targeted advertising without explicit user consent. The DPBI has published detailed consent notice guidelines that must be followed. Non-compliance penalties have already begun with the DPBI issuing a ₹100 crore penalty to a major fintech company for a data breach affecting 20 million users — the first major enforcement action under the Act."The DPDP Act is India's digital constitution for data rights. It balances citizen privacy with innovation, and the enforcement framework ensures that data fiduciaries take their obligations seriously."
— Rajeev Chandrasekhar, Former Minister of State for Electronics & IT
Advertisement
Key Takeaways
- 1DPDP Act full enforcement begins July 2026 — fines up to ₹250 crore per violation
- 2Data Protection Board of India (DPBI) established with investigation and penalty powers
- 3Mandatory requirements: explicit consent, 72-hour breach reporting, Data Protection Officer
- 4Cross-border data transfer restricted to notified countries only
- 5First enforcement action: ₹100 crore fine on fintech company for 20M user data breach
Frequently Asked Questions
What are the penalties under the DPDP Act?
Companies can be fined up to ₹250 crore per violation for data breaches and consent violations.
What is the Data Protection Board of India?
The DPBI is the regulatory authority that investigates complaints, imposes penalties, and can block non-compliant platforms.
How is the DPDP Act different from GDPR?
The DPDP Act applies to all digital personal data processed in India regardless of company size, and introduces 'Consent Managers' — licensed intermediaries for user consent.
Loading comments...