
Your data, their rules: what India's new data protection framework actually means for you
The Digital Personal Data Protection Act is now being enforced with operational rules. Here's what changes for citizens, startups, and the apps you use every day — explained without jargon.
Key takeaways
- The DPDP Act requires explicit, informed consent before any company collects your personal data — pre-ticked boxes are now illegal.
- Data breaches must be reported to CERT-In and affected users within 72 hours.
- Citizens can request complete deletion of their data from any platform — the 'right to erasure.'
- Startups face compliance costs estimated at ₹5-15 lakh annually, with penalties up to ₹250 crore for violations.
- Children's data requires verifiable parental consent — a requirement that could reshape how EdTech operates in India.
Here is a question that most Indians have never been asked: do you know which companies have your Aadhaar number, your phone number, your location history, and your spending patterns — and what they are doing with that information?
Until 2023, the answer was: nobody knew, and nobody was legally required to tell you. India had no comprehensive data protection law. Your personal data — from the food delivery apps tracking your location to the EdTech platforms recording your child's learning patterns — existed in a regulatory void. Companies collected what they wanted, stored it where they pleased, and shared it with whoever paid.
That era is ending. But the new era is complicated.
What the DPDP Act Actually Says
The Digital Personal Data Protection Act, passed in August 2023, creates India's first comprehensive framework for how personal data can be collected, stored, processed, and deleted. The operational rules — which specify how companies must actually comply — began enforcement in phases starting late 2025.
Here is what matters for ordinary citizens:
Your Consent Now Means Something
Every app, website, or service that collects your personal data must obtain your explicit, informed consent before doing so. This means:
- No more pre-ticked consent boxes buried in 40-page terms of service
- Companies must explain, in plain language, exactly what data they are collecting and why
- You can withdraw consent at any time — and the company must stop processing your data within a reasonable period
The Right to Be Forgotten
For the first time, Indian citizens have a legal right to erasure. You can ask any company to permanently delete all personal data it holds on you. The company must comply — or face penalties. This is modelled on the European Union's GDPR, but adapted for India's digital ecosystem.
Breach Notification — 72 Hours
If a company suffers a data breach that affects your personal information, they must notify CERT-In (India's cybersecurity agency) and you within 72 hours. No more quietly covering up breaches and hoping nobody notices — as multiple Indian companies have done in the past.
What This Means for Startups
For India's startup ecosystem, the DPDP Act introduces real compliance costs. NASSCOM estimates that early-stage startups will spend ₹5-15 lakh annually on data protection compliance — covering consent management systems, breach detection tools, data mapping, and legal counsel.
"For a 10-person startup burning ₹20 lakh a month, adding ₹10 lakh in annual compliance costs is not trivial," said Rama Vedashree, former NASSCOM Data Protection Council chair. "But the alternative — a ₹250 crore penalty — is existential."
The maximum penalty for significant violations is ₹250 crore per incident. For repeated violations, it can go higher.
The Children's Data Problem
Perhaps the most consequential provision for India's EdTech industry: processing children's data (under 18) requires verifiable parental consent. This means platforms like BYJU'S, Unacademy, and Vedantu cannot simply collect a child's data through a school signup form. They need documented, verifiable consent from a parent or guardian.
For an industry that has built its user acquisition model on school partnerships and bulk student onboarding, this is a fundamental operational challenge.
The Enforcement Question
The law exists. The rules are being implemented. But enforcement — the part that actually matters — remains India's historical weakness in regulation. The Data Protection Board of India, which will adjudicate complaints and levy penalties, has been constituted but has not yet heard a major case.
"Laws are only as good as their enforcement," said Apar Gupta, executive director of the Internet Freedom Foundation. "India has strong consumer protection laws too. Ask any consumer how easy it is to get redress."
The next twelve months will reveal whether the DPDP Act becomes India's GDPR — a framework that genuinely changes corporate behaviour — or another well-intentioned law that companies learn to navigate around. For now, the rules are on paper. The test is whether they reach your phone.