What Is DPDPA? India’s Data Protection Law Explained

On May 13, 2027, India’s Digital Personal Data Protection Act (DPDPA) enters full enforcement – with no grace period and penalties up to USD 30 million per violation. Yet just 6% of India’s top 50 websites currently have any form of consent banner in place.
For publishers and ad-tech companies serving India’s 950 million internet users, the DPDPA changes the game. It is the country’s first comprehensive data protection law, enacted in August 2023 with implementing rules notified in November 2025. Unlike the GDPR, it offers no legitimate interests basis – meaning all advertising data processing requires explicit consent. No exceptions.
This guide covers everything publishers need to know: what the DPDPA requires, how consent works (and why it is the only option for advertising), the enforcement timeline, how the law differs from GDPR in practice, and what you should be doing right now.
What Is the DPDPA?
The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), commonly referred to as DPDPA or DPDP Act, is India’s comprehensive data protection statute. It regulates the processing of all digital personal data – data collected in digital form, or collected in non-digital form and subsequently digitized.
The DPDPA introduces several key roles:
- Data Principal – the individual whose data is processed (equivalent to a “data subject” under GDPR)
- Data Fiduciary – the entity that determines the purpose and means of processing (equivalent to a “data controller”). For publishers, this is typically the site or app operator.
- Significant Data Fiduciary (SDF) – designated by the government based on the volume and sensitivity of data processed. SDFs face enhanced obligations including appointing an India-based Data Protection Officer, conducting annual impact assessments, and independent audits. No entities have been designated as SDFs yet – designations are expected before full enforcement in May 2027.
- Data Processor – an entity that processes personal data on behalf of a Data Fiduciary (equivalent to a “data processor” under GDPR). Ad-tech vendors, analytics providers, and hosting services typically fall into this category.
- Consent Manager – a registered intermediary acting on behalf of Data Principals. This is a unique DPDPA concept with no GDPR equivalent – and it is not the same as a Consent Management Platform (CMP). More on this critical distinction below.
The DPDPA has extraterritorial reach. It applies to any organization processing personal data in connection with offering goods or services to individuals in India – regardless of where the company is headquartered. If your website or app serves Indian traffic, you are within scope.
Enforcement Timeline
The DPDPA is being rolled out in three phases:
| Phase | Date | What Takes Effect |
|---|---|---|
| Phase 1 | November 13, 2025 | Data Protection Board of India (DPBI) established, complaint handling operational |
| Phase 2 | November 13, 2026 | Consent Manager registration and oversight framework opens |
| Phase 3 | May 13, 2027 | All substantive obligations enforceable – consent, notice, security, penalties |
Phase 1 is already in effect – the Data Protection Board can receive complaints today. But the critical date is May 13, 2027, when all consent requirements, notice obligations, and security safeguards become enforceable with full penalties from day one. There is no soft enforcement period, no transitional grace window. Publishers who are not compliant on that date face immediate liability.
Legal Bases: Why Consent Is the Only Option for Ad-Tech
This is the single most important difference between the DPDPA and the GDPR for publishers and ad-tech companies.
The DPDPA provides only two lawful bases for processing personal data:
- Consent – the primary basis for virtually all processing
- Certain legitimate uses (Section 7) – a narrow set of statutory exceptions
Section 7 enumerates nine specific grounds that qualify as “certain legitimate uses,” including:
- Data voluntarily provided by the individual without objection (e.g., giving a business card)
- State functions, including delivery of benefits and services, sovereignty, and security
- Legal or judicial obligations
- Medical emergencies and public health threats (epidemics, disease outbreaks)
- Disaster management and breakdown of public order
- Employment-related processing
Notice what is absent: there is no “legitimate interests” basis. Under the GDPR, legitimate interests (Article 6(1)(f)) is the primary legal basis used across the ad-tech ecosystem for programmatic advertising, retargeting, behavioral analytics, and audience profiling. The entire infrastructure of real-time bidding and interest-based advertising relies on it.
Under the DPDPA, none of these activities qualify as “certain legitimate uses.” That means all advertising-related data processing – setting tracking cookies, passing bid requests, building audience segments, serving personalized ads – requires explicit opt-in consent from every Indian user. There is no fallback, no alternative basis, no way around it.
Consent Requirements
The DPDPA sets a high bar for valid consent. Under Section 6, consent must be:
- Free – consent cannot be a precondition for accessing a service unless the processing is strictly necessary for that service
- Specific – each distinct processing purpose requires its own consent
- Informed – the Data Principal must understand what they are consenting to
- Unconditional – consent cannot be bundled with unrelated terms or conditions
- Unambiguous – indicated through a clear affirmative action
For publishers, this means:
- Pre-ticked boxes do not constitute valid consent
- “By continuing to browse” banners are not valid – an active, affirmative action is required
- Purpose-level consent is required – analytics, personalized advertising, and cross-site tracking are separate purposes that each need their own consent. However, per-cookie granularity (as under GDPR/TCF) is not required.
- Withdrawal must be as easy as giving consent – a persistent privacy settings icon or similar mechanism must be accessible
- The burden of proof falls on the Data Fiduciary to demonstrate valid consent was obtained
Consent Notice Requirements
The DPDPA’s consent notice requirements (Section 5 + Rule 3 of the 2025 Rules) are more demanding than many publishers expect. The notice must be provided before or at the time of data collection, and it must be a standalone document – visually and contextually separate from any privacy policy, terms of service, or other agreements.
Rule 3 specifies the following mandatory elements:
| Element | Requirement |
|---|---|
| Personal data categories | Itemized description of the personal data to be processed (e.g., contact info, device identifiers, behavioral data) |
| Processing purposes | Specified purpose(s) with a description of the goods or services to be provided. Simply stating “advertising purposes” is insufficient – the notice must explain what the user concretely receives. |
| Communication link | A link to the Data Fiduciary’s website or app |
| Consent withdrawal | Description of how to withdraw consent, with ease comparable to giving consent |
| Data Principal rights | How to exercise rights under the Act (access, correction, erasure, grievance redressal, nomination) – with actionable links, not just a list |
| Complaint mechanism | How to file complaints with the Data Protection Board of India |
The “standalone document” requirement means the consent notice cannot be a paragraph buried within your terms and conditions. For web-based implementations, a dedicated overlay or modal containing all required elements would likely satisfy this requirement. The Data Protection Board may issue further implementation guidance before the May 2027 enforcement date.
Language Requirements
Section 5(3) requires that consent notices be accessible “in English or any language specified in the Eighth Schedule” of the Indian Constitution – a list of 22 official languages including Hindi, Bengali, Tamil, Telugu, Marathi, and others.
No official guidance has been issued on exactly how this applies in practice. Legal commentators are split between a strict interpretation (all 22 must be available simultaneously) and a pragmatic reading (the notice should be available in languages relevant to the user base). For most publishers, the practical approach is straightforward: if your consent dialog matches the language of your website, and that language is English or one of the 22 Eighth Schedule languages, you satisfy the requirement. Publishers with multilingual sites should ensure their CMP serves consent notices in the same language as the page content.
How DPDPA Differs from GDPR
If you already comply with the GDPR, many DPDPA concepts will be familiar. But the practical differences matter – especially for how you configure consent management.
| Aspect | DPDPA (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital and non-digital) |
| Legal bases | 2 (consent + certain legitimate uses) | 6 (including legitimate interests) |
| Legitimate interests | Not available – all ad-tech processing requires consent | Available and widely used in programmatic advertising |
| Cookie consent model | Purpose-level consent (not per-cookie or per-vendor) | Per-cookie/per-vendor via TCF |
| Consent notice language | English or any of 22 Indian languages | Language of the member state |
| Children’s age threshold | 18 years | 13-16 years (varies by member state) |
| Breach notification | All breaches – no materiality threshold | Risk-based – notification is the default, but a breach unlikely to result in a risk to rights and freedoms need not be reported |
| Cross-border transfers | Allowed unless country is specifically restricted (none currently) | Adequacy decisions, SCCs, or BCRs required |
| Right to data portability | Not included | Included |
| Penalties | Fixed amounts (up to ~USD 30M per violation) | Up to 4% of global annual turnover |
| Enforcement body | Single centralized Board (DPBI) | Network of national DPAs |
The most impactful differences for publishers are the absence of legitimate interests (which changes the entire consent architecture for Indian traffic), the stricter children’s data rules, and the simpler cross-border transfer framework.
Consent Manager vs CMP – A Critical Distinction
The DPDPA introduces a concept that does not exist in any other data protection regime: the Consent Manager. This is a source of significant confusion, and getting it wrong could lead to costly misunderstandings.
A DPDPA Consent Manager is not a Consent Management Platform (CMP). They serve fundamentally different roles:
| | DPDPA Consent Manager | CMP (e.g., Clickio Consent) |
|---|---|---|
| What it is | A registered intermediary acting on behalf of individuals (Data Principals) | A technology tool operated by businesses for cookie and tracking consent |
| Who it serves | The individual | The publisher (Data Fiduciary) |
| Registration | Must register with the Data Protection Board (opens November 2026) | No registration required |
| Requirements | Must be incorporated in India, minimum net worth of INR 2 crore (~USD 240K), 7-year record retention | None – operates as a software vendor |
| Data access | Must be “data-blind” – never accesses the personal data flowing through it | Processes consent signals and may handle cookie data on behalf of the publisher |
| Interoperability | Must work across multiple Data Fiduciaries – gives individuals a single dashboard | Operates on a single website or app |
| Foreign entities | Cannot register – must be an Indian company | Can operate freely as a technology vendor in India |
The DPDPA Consent Manager is inspired by India’s Account Aggregator framework in the financial sector. It provides individuals with a centralized platform to manage their consent across multiple organizations – acting as a go-between for Data Principals and Data Fiduciaries.
The key takeaway for publishers: you do not need to register as a Consent Manager. Publishers deploying a CMP to collect cookie consent on their own websites are using a technology tool, not acting as a statutory Consent Manager. CMPs like Clickio Consent continue to operate exactly as they do for GDPR compliance – no registration, no Indian incorporation, no minimum net worth requirement.
Children’s Data
The DPDPA sets the strictest children’s data protections of any major data protection law in the world.
- Age threshold: 18 years – compared to 13-16 under GDPR and 13 under CCPA/COPPA. This means all teenagers aged 13-17 are classified as children under Indian law.
- Verifiable parental consent is mandatory before processing any child’s data
- Tracking, behavioural monitoring, and targeted advertising directed at children are expressly prohibited – even with parental consent, you cannot serve targeted ads or run behavioural monitoring on anyone under 18. The Fourth Schedule provides narrow exemptions for healthcare (clinical establishments, mental health services) and education (schools, day care centres) where processing is limited to health services or child safety, but these do not extend to advertising or publishing.
- Penalty: up to INR 200 crore (~USD 24M) specifically for violations of children’s data provisions
The combination of the 18-year threshold and the tracking prohibition makes India’s children’s data regime one of the strictest in the world. Publishers should be aware that the Fourth Schedule exemptions are narrow and do not cover advertising or content publishing.
The Compliance Gap
The gap between what the DPDPA requires and the current state of Indian websites is enormous.
In January 2025, the Advertising Standards Council of India (ASCI) published a study of the top 50 Indian websites by traffic – representing 30 billion visits in December 2024. The findings were stark:
- Only 3 out of 50 websites (6%) had any form of cookie consent banner
- Among those three, the banners did not meet best practices – most offered only an “Accept All” button without meaningful choice
- 94% of India’s top websites have no consent mechanism at all
Independent audits paint an even more detailed picture. When major Indian websites are accessed from an Indian IP address, the situation is markedly different from the European experience:
- Sites that show GDPR consent banners to European visitors often show nothing to Indian visitors – their CMP configurations are geo-fenced to EU/US traffic
- Approximately 75% of major Indian websites load tracking scripts (Google Analytics, Google Ads, Facebook Pixel) immediately on page load without any consent mechanism
- Zero websites reference the DPDPA in their consent flows, privacy notices, or homepage links
- No website provides a Data Principal rights page or a link to the Data Protection Board’s complaint mechanism
The CMP infrastructure often already exists on these sites – it is simply not activated for Indian visitors. This means the technical lift to achieve compliance is smaller than it appears. What is missing is the configuration, not the capability.
Penalties
The DPDPA uses a fixed-amount penalty structure rather than the GDPR’s percentage-of-revenue model. Penalties are per violation:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a data breach | INR 250 crore (~USD 30M) |
| Failure to notify the Board or affected individuals of a data breach | INR 200 crore (~USD 24M) |
| Breach of children’s data obligations | INR 200 crore (~USD 24M) |
| Breach of Significant Data Fiduciary obligations | INR 150 crore (~USD 18M) |
| Data Principal filing false complaints or impersonating others | INR 10,000 (~USD 120) |
| Breach of a voluntary undertaking accepted by the Board | Up to the penalty applicable for the underlying breach |
| Breach of any other provision of the Act or Rules | INR 50 crore (~USD 6M) |
While individual penalties may be lower than the GDPR’s 4% of global turnover for the largest companies, the fixed-amount structure means they hit mid-sized publishers proportionally harder. And unlike the GDPR’s risk-based approach to breach notification, the DPDPA requires reporting all data breaches to the Board – there is no materiality threshold.
What Publishers Should Do Now
May 2027 may seem distant, but the compliance work needs to start now. Here is what publishers serving Indian traffic should prioritize:
- Extend your CMP to Indian visitors. If you already run a consent management platform for EU traffic, the technical foundation is in place. Configure geo-detection to serve consent flows to Indian visitors – not just European ones. Disable legitimate interest toggles for DPDPA, since consent is the only available basis for advertising.
- Switch to consent-only mode for Indian traffic. Remove any reliance on legitimate interests for ad-tech processing. All tracking cookies, analytics, and advertising scripts must be gated behind explicit opt-in consent.
- Audit your consent notice. Ensure it meets Rule 3 requirements: standalone presentation, itemized data categories, specific processing purposes, Data Principal rights with actionable links, and a link to the DPBI complaint mechanism.
- Review children’s data handling. If your audience includes anyone under 18, ensure behavioral tracking and targeted advertising are suppressed for minors. The DPDPA prohibits tracking children for advertising purposes, with only narrow exemptions for healthcare and education.
- Establish a breach notification process. The DPDPA requires all breaches to be reported – there is no materiality threshold. The Board receives a two-stage notification: an initial alert “without delay” followed by a detailed report within 72 hours (extendable with Board permission). Affected Data Principals must also be notified “without delay” as a separate obligation. Have a process ready before you need it.
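As an added example (not code from the article or from Clickio), the consent-only gating the steps above describe, in JavaScript: purpose-level opt-in, no legitimate-interest fallback, suppression of tracking for visitors under 18, one-call withdrawal, and a per-purpose record the Data Fiduciary can produce to meet its burden of proof. The placeholder tag URLs, the `visitor.country` geo signal and the `visitor.isMinor` age signal are assumptions.

```javascript
// Added example, not the article's or Clickio's code: a consent-only gate
// for third-party tags served to Indian visitors. No legitimate-interest
// branch exists anywhere below: a tag loads only on an explicit true.

// The article treats these as separate purposes, each needing its own consent.
const PURPOSES = ["analytics", "personalized_ads", "cross_site_tracking"];

// Constructed tag inventory (placeholder URLs), each tag mapped to one purpose.
const SCRIPTS = [
  { id: "analytics_tag", src: "https://tags.example/analytics.js", purpose: "analytics" },
  { id: "ads_tag", src: "https://tags.example/ads.js", purpose: "personalized_ads" },
  { id: "pixel_tag", src: "https://tags.example/pixel.js", purpose: "cross_site_tracking" },
];

// The DPDPA flow applies to Indian traffic. `visitor.country` is assumed to
// come from the CMP's existing geo-detection (the same one used for EU visitors).
function needsDpdpaFlow(visitor) {
  return visitor.country === "IN";
}

// Build a consent record from a banner interaction. Only an explicit affirmative
// action counts: a pre-ticked default or "continued browsing" yields false for
// every purpose. The notice version is stored so valid consent can be shown later.
function recordConsent({ action, granted = [], noticeVersion, timestamp }) {
  if (!noticeVersion) throw new Error("record must reference the notice shown");
  const purposes = {};
  for (const p of PURPOSES) {
    purposes[p] = action === "affirmative" && granted.includes(p);
  }
  return { legalBasis: "consent", purposes, action, noticeVersion, timestamp };
}

// Withdrawal must be as easy as giving consent: one call clears all purposes.
function withdrawConsent(record, timestamp) {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { ...record, purposes, action: "withdrawn", timestamp };
}

// Decide which tags may load for an Indian visitor. `visitor.isMinor` (assumed
// to come from the site's own age signal) blocks every tracking purpose, since
// under the DPDPA consent cannot authorise tracking or targeted ads for under-18s.
function gateScripts(scripts, visitor, record) {
  const result = { allowed: [], blocked: [] };
  for (const s of scripts) {
    const granted = !!record && record.purposes[s.purpose] === true;
    const ok = !visitor.isMinor && granted;
    (ok ? result.allowed : result.blocked).push(s.id);
  }
  return result;
}

// Demo with a constructed interaction: an adult Indian visitor opts in to
// analytics only, then withdraws.
const demoVisitor = { country: "IN", isMinor: false };
if (needsDpdpaFlow(demoVisitor)) {
  const demoRec = recordConsent({
    action: "affirmative", granted: ["analytics"],
    noticeVersion: "notice-2027-05-v1", timestamp: "2027-05-13T09:00:00+05:30",
  });
  console.log(gateScripts(SCRIPTS, demoVisitor, demoRec));       // allowed: ["analytics_tag"]
  const demoWithdrawn = withdrawConsent(demoRec, "2027-05-13T09:05:00+05:30");
  console.log(gateScripts(SCRIPTS, demoVisitor, demoWithdrawn)); // allowed: []
}
```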
Clickio Consent supports the key requirements for DPDPA compliance: purpose-specific consent collection, geo-detection for Indian visitors, easy consent withdrawal via a persistent privacy settings icon, consent-only mode with no legitimate interests, and multi-language support.
Data Principal Rights
The DPDPA grants Data Principals four core rights:
- Right to Information (Section 11) – the right to obtain a summary of personal data being processed and the processing activities
- Right to Correction and Erasure (Section 12) – the right to correct inaccurate data and erase data that is no longer necessary
- Right to Grievance Redressal (Section 13) – the right to an accessible complaint mechanism, with escalation to the DPBI if unresolved
- Right to Nominate (Section 14) – the right to nominate another individual to exercise these rights in case of death or incapacity. This is unique to the DPDPA and has no equivalent in GDPR.
Notable by its absence: the DPDPA does not include a right to data portability, unlike the GDPR. Publishers who already handle data subject access requests (DSARs) for GDPR will find the DPDPA process similar, though the specific rights and the nomination concept are different.
Cross-Border Data Transfers
The DPDPA takes a simpler approach to cross-border transfers than the GDPR. Under Section 16, personal data may be transferred to any country unless the government specifically restricts it. As of now, no countries are on the restricted list.
This “negative list” model means publishers do not need to worry about adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules for data flowing out of India – at least for now. Significant Data Fiduciaries face additional data localization requirements for government-specified categories, but these do not yet affect most publishers.
This is a significant practical advantage compared to the GDPR’s complex transfer framework, and it simplifies compliance for publishers with global ad-tech infrastructure.
Looking Ahead
The DPDPA represents a fundamental shift for India’s digital ecosystem. With 950 million internet users and a rapidly growing digital ad market, the stakes are enormous – both the compliance risks and the opportunities.
Several developments to watch between now and May 2027:
- DPBI guidance – the Board has not yet issued implementation guidance on consent notices, cookie requirements, or the language provision. Expect clarifications as the enforcement date approaches.
- Consent Manager registration (November 2026) – this new intermediary framework will shape how individuals interact with consent across services, but it does not change what publishers need to do with their CMPs.
- Google requirements for India – Google has not yet mandated India-specific consent requirements for ad serving (unlike the EU’s TCF mandate). When this happens – and it likely will after May 2027 – publishers with consent infrastructure already in place will be ahead of the curve.
- IAB GPP India section – the IAB has formed a working group under its Cross-Jurisdiction Privacy Project to develop an India section for the Global Privacy Platform. No technical specification has been released yet, but this will eventually provide a standardized consent signal for programmatic advertising in India.
The May 2027 deadline is firm, the penalties are real, and the compliance gap across Indian websites is vast. But for publishers who already operate consent infrastructure for GDPR or other regulations, extending coverage to Indian traffic is an achievable step – not a ground-up rebuild. The time to start is now.