DPDPA Penalties Up to ₹250 Crore: The Real Cost of Waiting
July 2, 2026
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection law. Enacted on August 11, 2023, it governs how organizations collect, store, use, and share the digital personal data of individuals in India — and it gives those individuals, called Data Principals, enforceable rights over their own data.
For two years the Act sat on the statute book waiting for its operating manual. That changed on November 13, 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025. The law is now live, the Data Protection Board of India is operational, and every business that touches the personal data of people in India is on a compliance countdown.
If you decide why and how the digital personal data of anyone in India is processed (customers, employees, users, or vendors), you are a Data Fiduciary under the Act, with binding obligations. A vendor that processes that data only on your instructions is a Data Processor, and the Act still holds you responsible for what it does with the data. This is true whether you are a two-person startup or a listed enterprise, and it applies to foreign companies offering goods or services to people in India as well.
The Act deliberately avoids the sector-by-sector approach of older Indian regulations. There is no revenue threshold and no exemption for small businesses processing customer data in digital form. If you run a website with a signup form, an app with user accounts, a CRM full of leads, or an HRMS with employee records, the DPDPA applies to you.
Some organizations will additionally be designated Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process. SDFs carry extra obligations: appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing independent audits.
The DPDPA gives every Data Principal four core rights:
Each of these rights implies operational machinery on your side: identity verification, request tracking, SLA timers, and an audit trail proving you responded correctly and on time.
Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Pre-ticked boxes, bundled consents, and dark patterns do not qualify. Every request for consent must be accompanied by a notice — available in English or any of the 22 languages in the Eighth Schedule of the Constitution — explaining what data is collected, for what purpose, and how to withdraw consent or complain.
Critically, withdrawing consent must be as easy as giving it. If your product has a one-tap signup and a five-screen deletion flow, that asymmetry is now a legal problem, not just a UX one.
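The consent and rights machinery described above (affirmative action, purpose-specific consent, notice version and language, symmetrical withdrawal, and an audit trail the Board could inspect) is easier to reason about as code. The ledger below is an added illustration written for this article; it is not code from Data Adhikaar or from the Act. The field names, the purpose strings, and the sample language set are assumptions.

```python
"""Consent ledger for DPDPA-style consent capture (illustrative; not Data Adhikaar code).

Records one event per (principal, purpose) with the evidence a Data Protection
Board inquiry would ask for: which notice version the person saw and in which
language, what affirmative act they performed, and when. Pre-ticked or bundled
consent is refused at the API boundary, withdrawal is a single call, and the
log is hash-chained so that later tampering with evidence is detectable.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

# Constructed subset of the languages a notice might be offered in. "en" is English;
# the others stand in for Eighth Schedule languages. Assumption for the example.
OFFERED_NOTICE_LANGUAGES = {"en", "hi", "ta", "bn"}


class ConsentError(ValueError):
    """Raised when a consent request does not meet the Act's conditions."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str            # exactly one specific purpose, never a bundle
    action: str             # "granted" or "withdrawn"
    notice_version: str     # identifies the notice text the principal was shown
    notice_language: str
    affirmative_act: str    # evidence of the clear affirmative action ("" on withdrawal)
    recorded_at: str        # ISO-8601 UTC timestamp
    prev_hash: str          # digest of the previous event: tamper-evident chain

    def digest(self) -> str:
        body = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64  # prev_hash of the first event

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, **fields) -> ConsentEvent:
        prev = self._events[-1].digest() if self._events else self.GENESIS
        event = ConsentEvent(recorded_at=datetime.now(timezone.utc).isoformat(),
                             prev_hash=prev, **fields)
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purposes, notice_version: str,
              notice_language: str, affirmative_act: str,
              preselected: bool = False) -> ConsentEvent:
        """Record consent for one purpose; reject anything that would not qualify."""
        if preselected:
            raise ConsentError("a pre-ticked box is not a clear affirmative action")
        if len(purposes) != 1:
            raise ConsentError("consent must be specific: one purpose per request")
        if not affirmative_act:
            raise ConsentError("no evidence of an affirmative act was recorded")
        if notice_language not in OFFERED_NOTICE_LANGUAGES:
            raise ConsentError(f"notice language {notice_language!r} was not offered")
        return self._append(principal_id=principal_id, purpose=purposes[0],
                            action="granted", notice_version=notice_version,
                            notice_language=notice_language,
                            affirmative_act=affirmative_act)

    def withdraw(self, principal_id: str, purpose: str) -> ConsentEvent:
        """Withdrawal is one call with no extra conditions: as easy as granting."""
        return self._append(principal_id=principal_id, purpose=purpose,
                            action="withdrawn", notice_version="",
                            notice_language="", affirmative_act="")

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Gate for processing: the latest event decides; nothing on file means no."""
        for event in reversed(self._events):
            if event.principal_id == principal_id and event.purpose == purpose:
                return event.action == "granted"
        return False

    def evidence(self, principal_id: str) -> list:
        """Everything recorded for one Data Principal, for an access or audit request."""
        return [asdict(e) for e in self._events if e.principal_id == principal_id]

    def verify_chain(self) -> bool:
        """True if no stored event has been altered or removed since it was appended."""
        prev = self.GENESIS
        for event in self._events:
            if event.prev_hash != prev:
                return False
            prev = event.digest()
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("principal-42", ["marketing_email"], "notice-v3", "hi", "clicked_unchecked_box")
    print("may send marketing:", ledger.is_permitted("principal-42", "marketing_email"))
    ledger.withdraw("principal-42", "marketing_email")
    print("may send marketing:", ledger.is_permitted("principal-42", "marketing_email"))
    print("evidence intact:", ledger.verify_chain())
```

Every call that gates processing goes through `is_permitted`, so a withdrawal takes effect on the next request without any batch job. The chain is only tamper-evident, not tamper-proof: anchor the latest digest somewhere the application cannot rewrite (a WORM store or an external timestamping service) if you need to prove the log to a third party.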
The Schedule to the Act sets out financial penalties that are among the highest in Indian regulatory history. Failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to ₹250 crore per instance. Failure to notify a breach, and violations involving children's data, each carry penalties up to ₹200 crore.
The Data Protection Board — operational since November 2025 — is the adjudicating body. It can inquire into complaints, direct remediation, and impose penalties. Compliance that cannot be proven is not compliance: the Board will expect evidence, not assurances.
The DPDP Rules, 2025 phase in over 18 months:
Phase 1 (November 13, 2025): the Rules are notified and the Data Protection Board of India is constituted and operational.
Phase 2 (November 13, 2026): the Consent Manager provisions take effect.
Phase 3 (May 13, 2027): the full substantive regime applies, including notices, consent, breach reporting, and security safeguards.
May 2027 sounds distant, but the technical lifting — consent architecture, rights workflows, vendor contracts, evidence systems — takes most organizations several quarters. Starting after Phase 2 is a credible way to miss Phase 3.
A practical first month looks like this: map where personal data lives across your systems; identify your lawful basis (consent or legitimate use) for each processing purpose; stand up a consent notice and withdrawal flow; designate a grievance contact; and start keeping evidence of all of it.
This is where Data Adhikaar comes in. Built by Qodequay Technologies, Data Adhikaar is an agentic DPDPA compliance fabric — ten specialist AI agents that automate consent capture, data principal rights, breach response, DPIAs, vendor management, and audit evidence, with a human in the loop where the law demands one. Connect once via SDK, API, or MCP, and be compliant in days, not quarters.
Start with a free DPDPA readiness assessment — it takes minutes and shows you exactly where your gaps are.
The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It governs how organizations collect, store, use, and share the digital personal data of individuals in India, and gives individuals enforceable rights over their data.
Any organization that processes the digital personal data of people in India — customers, employees, users, or vendors — is a Data Fiduciary with binding obligations, regardless of size. It also applies to foreign companies offering goods or services to people in India.
The DPDP Rules were notified on November 13, 2025. The Data Protection Board is already operational; Consent Manager provisions take effect November 13, 2026; and the full substantive regime, including notices, consent, breach reporting, and security safeguards, applies from May 13, 2027.
Penalties are set per instance in the Act's Schedule: up to ₹250 crore for failing to take reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for violations involving children's data, and up to ₹150 crore for breach of Significant Data Fiduciary obligations.
This article is general guidance on the DPDP Act, 2023 and not legal advice. Consult a qualified professional for your specific compliance needs.
Free 30-minute consultation with our team — or see our products in action.