COMPLIANCE | 10 MIN READ

The DPDP Act Is Live. Is Your Business Ready?

India's Digital Personal Data Protection Act, 2023 is being brought into force under the DPDP Rules, 2025. Here's what every Indian startup and SME needs to know about its obligations, penalties of up to ₹250 Crore, and how to get ready before the deadlines land.

By Social Stardom Research Team April 2026

What the DPDP Act Actually Is

Let's cut through the jargon. The Digital Personal Data Protection Act, 2023 is India's new data privacy law. It received Presidential assent on 11 August 2023, but its sections only take effect when notified, and the DPDP Rules, 2025 bring them into force in phases: the Data Protection Board and the machinery around it first, the substantive obligations on businesses on a later, deferred date. The Act is live in the sense that the deadlines are now fixed; check the notified commencement dates before assuming a particular obligation is already enforceable against you, and don't plan on the deferral being extended.

Think of it like GDPR's India cousin, but leaner. You may process personal data only with the person's consent or under one of the "legitimate uses" the Act lists (such as data they voluntarily gave you for a specified purpose, employment-related processing, or a medical emergency). Consent has to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. You must tell people, in a notice, what data you take, why, and how to exercise their rights. You must protect it with reasonable security safeguards, report breaches to the Board and to the affected people, and erase data once its purpose is served or consent is withdrawn. And if you mess up, the Data Protection Board can fine you.

The penalties are steep. Up to ₹250 Crore for failing to take reasonable security safeguards against a personal data breach. Up to ₹200 Crore for failing to notify the Data Protection Board and the affected individuals of a breach, and the same ceiling for mishandling children's data. Even an "any other provision" violation, which is where consent, notice and erasure failures land, carries up to ₹50 Crore. Enforcement sits with the Data Protection Board of India: it is the body that will issue notices, run inquiries and impose penalties.

BOTTOM LINE

If your business collects email addresses, phone numbers, location data, or any other personal information from people in India in digital form, the DPDP Act applies to you, whatever your size. Penalties are monetary and are imposed on the Data Fiduciary (the business, or you personally if you trade as a sole proprietor) by the Data Protection Board after an inquiry; there is no imprisonment under this Act. But a fiduciary penalised on two or more occasions can, on the Board's advice, have public access to its service blocked by the Central Government, which is as close to a shutdown as the Act gets.

Who Does It Apply To?

The DPDP Act applies to:

  • Processing of digital personal data within India: data collected in digital form, or collected on paper and then digitised. It covers any individual in India, citizen or not, and there is no size threshold. The Central Government may notify startups and other classes of fiduciary as exempt from a few specific provisions (the notice requirement, for instance), but never from security safeguards or breach notification; unless you have been so notified, assume the full set applies.
  • Processing outside India, if it is connected with offering goods or services to individuals in India. A foreign SaaS vendor selling to Indian users is in scope.
  • Processors. A vendor, contractor or cloud service handling data on your behalf is a Data Processor; you, the Data Fiduciary, remain responsible for compliance whatever your contract with them says.
  • AI systems that process personal data. Chatbots, recommendation engines and lead-scoring models get no separate rulebook, but every general obligation (consent or legitimate use, purpose limitation, minimisation, erasure, security) applies to the data they train on and act on.

Exemptions are narrow: an individual's personal or domestic use, data the person has made public themselves or that is public under law, certain State and law-enforcement functions, and processing in India of data about people outside India under a contract with a foreign party (the outsourcing case). If you handle data about people in India for any commercial purpose, you comply.

// The 5 Things You Must Do Right Now

1. Implement Valid Consent Mechanisms

Stop collecting data with pre-checked boxes, and stop assuming consent from a website visit. The Act recognises two lawful bases: consent, or one of the "legitimate uses" it lists (for example, data a person voluntarily gave you for a specified purpose, employment-related processing, or a medical emergency). For everything else, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the purpose you stated.

What this means:

  • Checkboxes that are unchecked by default, and no bundling: signing up must not be conditional on agreeing to marketing
  • A notice, given with or before the consent request, in clear and plain language, available in English or any language of the Eighth Schedule, explaining what data you collect and why
  • Separate consent for different purposes (marketing vs. operations), recorded per purpose
  • Withdrawal that is as easy as giving consent, after which you stop processing (and have your processors stop) unless a law requires you to keep the data
  • A record of every consent and withdrawal, because if consent is ever disputed the burden of proving it is on you, not the user
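To make the last four points concrete, here is an added illustration in Python (not code from the article or from any vendor): a minimal append-only consent ledger that records consent per purpose, refuses to record a "consent" that did not come from an affirmative action, makes withdrawal a single call of the same shape as granting, answers the question every pipeline should ask before touching a record (may I process this person's data for this purpose?), lists the purposes whose data is now due for erasure, and hash-chains its events so the record you would hand the Board cannot be quietly edited. The purpose names, user id, notice version and timestamps are constructed for the example.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Purposes are declared up front so "marketing" and "operations" can never share
# one checkbox. The purpose names and user ids below are assumptions for this example.
PURPOSES = {"account_operations", "email_marketing", "product_analytics"}
GENESIS = "0" * 64


class ConsentError(ValueError):
    """Raised when a record would not count as valid consent under the Act."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "granted" or "withdrawn"
    at: str              # ISO-8601 UTC timestamp
    notice_version: str  # which privacy notice the person was shown
    prev_hash: str       # digest of the previous event (tamper-evident chain)
    digest: str          # SHA-256 over prev_hash + this event's own fields


def _digest(prev: str, fields: dict) -> str:
    return hashlib.sha256((prev + json.dumps(fields, sort_keys=True)).encode()).hexdigest()


class ConsentLedger:
    """Append-only consent log for one Data Fiduciary (in-memory for the demo).
    The event list itself is the documented proof of consent you must be able
    to produce, which is why it is hash-chained rather than a mutable flag."""

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                notice_version: str, at: datetime | None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ConsentError(f"undeclared purpose: {purpose}")
        fields = {"principal_id": principal_id, "purpose": purpose, "action": action,
                  "at": (at or datetime.now(timezone.utc)).isoformat(),
                  "notice_version": notice_version}
        prev = self.events[-1].digest if self.events else GENESIS
        event = ConsentEvent(**fields, prev_hash=prev, digest=_digest(prev, fields))
        self.events.append(event)
        return event

    def grant(self, principal_id: str, purpose: str, *, affirmative_action: bool,
              notice_version: str, at: datetime | None = None) -> ConsentEvent:
        # A pre-ticked box or "continued use of the site" is not consent: the
        # caller must attest that the person actively opted in.
        if not affirmative_action:
            raise ConsentError("consent requires a clear affirmative action")
        return self._append(principal_id, purpose, "granted", notice_version, at)

    def withdraw(self, principal_id: str, purpose: str,
                 at: datetime | None = None) -> ConsentEvent:
        # Withdrawal is one call with the same shape as granting: no extra friction.
        return self._append(principal_id, purpose, "withdrawn", "n/a", at)

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """The latest event for this person and purpose decides; the default is no."""
        state = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                state = ev.action
        return state == "granted"

    def withdrawn_purposes(self, principal_id: str) -> set[str]:
        """Purposes currently withdrawn: data held only for these is due for
        erasure, and your Data Processors must erase their copies too."""
        return {p for p in PURPOSES
                if any(ev.principal_id == principal_id and ev.purpose == p for ev in self.events)
                and not self.may_process(principal_id, p)}

    def verify_chain(self) -> bool:
        """Recompute every digest; an edited or deleted event breaks the chain."""
        prev = GENESIS
        for ev in self.events:
            fields = {k: v for k, v in asdict(ev).items() if k not in ("prev_hash", "digest")}
            if ev.prev_hash != prev or ev.digest != _digest(prev, fields):
                return False
            prev = ev.digest
        return True


def demo() -> dict:
    """Walk a constructed user through grant, withdrawal and a tamper check."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("user-42", "account_operations", affirmative_action=True,
                 notice_version="privacy-notice-v3", at=t0)
    ledger.grant("user-42", "email_marketing", affirmative_action=True,
                 notice_version="privacy-notice-v3", at=t0)
    try:  # a pre-checked analytics box must be rejected, not silently recorded
        ledger.grant("user-42", "product_analytics", affirmative_action=False,
                     notice_version="privacy-notice-v3", at=t0)
        prechecked_rejected = False
    except ConsentError:
        prechecked_rejected = True
    ledger.withdraw("user-42", "email_marketing")
    # Someone quietly drops the marketing grant from history: the chain must break.
    tampered = ConsentLedger()
    tampered.events = [ledger.events[0], ledger.events[2]]
    return {
        "prechecked_rejected": prechecked_rejected,
        "ops_ok": ledger.may_process("user-42", "account_operations"),
        "marketing_ok": ledger.may_process("user-42", "email_marketing"),
        "analytics_ok": ledger.may_process("user-42", "product_analytics"),
        "erase": ledger.withdrawn_purposes("user-42"),
        "chain_intact": ledger.verify_chain(),
        "tampered_detected": not tampered.verify_chain(),
    }
```

In production the event list would live in a database with the same append-only discipline, `notice_version` would point at the exact notice text the person saw, and `may_process` would be called by your marketing and analytics jobs directly rather than trusted to a flag copied into a CRM.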

2. Minimize Data Collection

The law limits processing to what is necessary for the purpose the person consented to. Collecting phone numbers for email marketing, or full addresses when you only need PIN codes, is processing beyond that purpose. It also limits retention: once the purpose is served or consent is withdrawn, you must erase the data, and make your processors erase it, unless a law requires you to keep it.

Audit your databases today. Delete what you don't need, set a retention period for what you keep, and document what you keep and why.

3. Update Your Privacy Notice and Terms

The Act works through a notice given with, or before, each request for consent, not just a policy page buried in the footer. Your existing privacy policy is likely short of it. The notice (and your policy) must explicitly state:

  • What personal data you collect and the purpose for which it is processed
  • How the person can exercise their rights: access to information about the processing, correction and updating, erasure, grievance redressal, and nominating someone to exercise their rights if they die or are incapacitated
  • How to complain to you, and how to complain to the Data Protection Board of India if you don't resolve it
  • Contact details of your DPO or of the person who can answer questions about how you process personal data
  • How long you store it and who has access to it (third parties, vendors); the Act does not list these as notice items, but stating them keeps you honest about the erasure obligation

The Act does not give a data portability right, so don't promise one as a statutory right. If you collected data before the Act on the basis of consent, you must send this notice to those people too, as soon as practicable.

4. Appoint a Data Protection Officer (If Applicable)

The Act requires a Data Protection Officer (DPO) only if the Central Government notifies you as a Significant Data Fiduciary (SDF), based on factors such as the volume and sensitivity of the data you process and the risk to data principals, electoral democracy, security of the State and public order. An SDF must:

  • Appoint a DPO based in India who is responsible to the board of directors and is the point of contact for grievances
  • Appoint an independent data auditor and run periodic audits
  • Carry out periodic Data Protection Impact Assessments
  • Under the Rules, exercise due diligence that its algorithmic software does not pose a risk to data principals' rights

There is no user-count threshold in the Act, and it does not define "sensitive" data categories. Most early-stage startups won't be notified as SDFs, but every Data Fiduciary must publish the contact details of a DPO or of a person who can answer questions about how personal data is processed, and must run a grievance process. Designate a founder or early team member, put the contact details in your notice, and document it.

5. Audit Your Data Flows and Vendor Agreements

Map every place personal data flows in your business:

  • CRM systems (HubSpot, Salesforce, Pipedrive)
  • Email platforms (Mailchimp, Sendgrid)
  • Analytics tools (Google Analytics, Mixpanel)
  • Cloud storage (AWS, Google Drive)
  • Payment processors
  • Contractors and service providers

Under the Act you may hand personal data to a Data Processor only under a valid contract, and you stay responsible for compliance regardless of what the processor does or what the contract says. So every vendor processing data on your behalf needs a data processing agreement (DPA) that, at minimum, should bind them to security safeguards, to telling you promptly about any breach so you can notify the Board and the affected people, to erasing data on your instruction (the Act requires you to make your processors erase data when you do), and to not passing data to sub-processors without your say-so. If a vendor won't sign one, stop using them.

Penalties That Will Make You Pay Attention

The enforcement mechanism is real. The Act creates the Data Protection Board of India (DPBI), appointed by the Central Government, which inquires into complaints and breach reports, can direct remedial measures, and imposes the penalties below after giving you a hearing. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

PENALTY STRUCTURE

Breach of obligation (Schedule to the Act) | Maximum penalty
Failing to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 Crore
Failing to notify the Board and the affected individuals of a personal data breach | Up to ₹200 Crore
Breaching the additional obligations for children's data (verifiable parental consent; no tracking or targeted ads) | Up to ₹200 Crore
Breaching the additional obligations of a Significant Data Fiduciary (DPO, auditor, impact assessments) | Up to ₹150 Crore
Breaching any other provision of the Act or the Rules (consent, notice, purpose limitation, erasure, data principal rights) | Up to ₹50 Crore
A data principal breaching their own duties (for example, a false or frivolous complaint) | Up to ₹10,000

All figures are ceilings, not fixed fines; the Board sets the amount case by case.

And here's what is often misreported: there are no criminal penalties or imprisonment under the DPDP Act. The remedies are monetary penalties imposed by the Board after an inquiry in which you get a chance to be heard. In fixing the amount the Board weighs the nature, gravity and duration of the breach, the type of data affected, whether it was repeated, any gain made or loss caused, and what you did to mitigate it. It can also accept a voluntary undertaking from you instead of proceeding. Separately, once the Board has penalised a fiduciary on two or more occasions, it can advise the Central Government to block public access to the service, which is the closest thing in the Act to a shutdown.

The one category the Act singles out is children's data. Processing a child's personal data needs verifiable consent from a parent or lawful guardian, and tracking, behavioural monitoring and targeted advertising directed at children are barred outright. An ed-tech or gaming startup collecting student data without that consent, or selling it on to marketers, sits squarely in the ₹200 Crore tier, and that ceiling does not shrink because you are a mid-stage startup rather than a unicorn.

What AI Systems Need to Do Differently

If you're building with AI (chatbots, recommendation engines, lead scoring, personalisation), the Act gives you no separate rulebook. Unlike GDPR, it has no article on automated decision-making, no statutory right to an explanation, and no right to contest a decision. What it does do is apply every general obligation to the data your models ingest and act on, and that bites harder in an AI pipeline than in a CRM:

  • Purpose limitation. Data collected for account operations cannot be reused to train a lead-scoring or personalisation model without consent for that purpose or a listed legitimate use.
  • Withdrawal and erasure. When consent is withdrawn, the person's data must go from training sets and feature stores too, not just the production table, and your AI vendor (a Data Processor) must erase its copy.
  • Children. Behavioural monitoring and targeted advertising directed at children are prohibited outright, so a recommendation engine has to know which users are children and switch those features off for them.
  • Significant Data Fiduciaries. If you are notified as one, you must run Data Protection Impact Assessments and audits, and the Rules require due diligence that your algorithmic software does not pose a risk to data principals' rights.

Human review of significant decisions and human-readable explanations remain good engineering, and a sector regulator may demand them, but they are not DPDP obligations, so don't mistake having them for being compliant.

"The time to get compliant is before the first notice, not after. Penalties compound with every day of non-compliance, and once you're in the system, recovery is expensive."

// How to Get DPDP-Ready in 30 Days

30-DAY COMPLIANCE CHECKLIST

  • Week 1: Inventory all personal data your business collects (databases, spreadsheets, CRM, analytics and marketing tools), with the purpose and lawful basis for each
  • Week 1: Document where this data is stored, who has access, and which vendors (Data Processors) receive it
  • Week 2: Rewrite your privacy notice and consent requests in DPDP language (data, purposes, rights, how to complain to you and to the Board)
  • Week 2: Put data processing agreements in place with every vendor
  • Week 3: Implement per-purpose consent on your website/app (unchecked boxes, one-click withdrawal, a consent record), and verifiable parental consent if you serve under-18s
  • Week 3: Delete data you hold with no current purpose, and set retention periods for the rest
  • Week 3: Write a breach response procedure: who notifies the Data Protection Board and the affected users, and how
  • Week 4: Test the data principal request process end to end (can users get information about, correct and delete their data, and do withdrawals propagate to vendors?)
  • Week 4: Publish the contact details of the person accountable for compliance and for grievances
  • Post-Week 4: Run monthly compliance checks

The Plain Truth

The DPDP Act is here. Enforcement is ramping up. The penalties are severe enough to bankrupt small businesses.

But compliance doesn't require hiring a full legal team. It requires clarity: know what data you have, have a lawful basis (valid consent or a listed legitimate use) for each purpose, protect it, tell the Board and the people affected if it's breached, and respect people's rights to access, correct and erase it.

The businesses that get this done first gain competitive advantage—trust is currency in the data economy. Start today.

Need Expert Help?

Get a professional DPDP compliance audit for your Indian business. We'll identify gaps, map your data flows, and create an actionable 30-day compliance plan.

Get Your DPDP Audit →