In our previous guide to India’s Digital Personal Data Protection Act (DPDPA), we explored the high-level architecture of India’s first comprehensive privacy law. Since the act’s 2023 enactment, the landscape has shifted from legislative theory to operational reality.
While the 2023 act provided only the high-level framework, the rules now in force spell out what compliance must look like in practice. The most critical update in the rules is the compliance timeline, summarized below:
| Timeline | DPDPA Provisions | DPDP Rules | Affected Parties | Explanation |
|---|---|---|---|---|
| November 13, 2025 | Sections 2, 18 to 26, 35, 38-44(1)(3) | Rules 1, 2 and 17 to 21 | Indian government | Administrative features of the law become effective (e.g., Data Protection Board functions and rules). |
| November 13, 2026 | Sections 6(9), 27(1)(d) | Rule 4 | Indian government and consent manager SaaS companies | The process to register as a consent manager begins. |
| May 13, 2027 | Sections 3-5, 6(1)-(8), 6(10), 10-17, 27 (except 27(1)(d)), 28-34, 36-37, 44(2) | Rules 3, 5 to 16, 22 and 23 | Everyone | DPDPA compliance obligations come into effect. |
Key Terms to Know
While India’s DPDPA uses some terms common to other data privacy laws, it also includes several unique terms. Here’s what you need to be familiar with:
- Registered consent manager: A licensed legal entity that acts as a single dashboard for a data principal to manage consent to data processing across many companies (we cover this in more detail later in the article).
- Data fiduciary: Any person who, alone or together with others, determines the purpose and means of processing personal data.
- Data principal: The individual whose data is being processed, also referred to as a data subject in other data privacy laws.
- Significant data fiduciary (SDF): A data fiduciary designation made by the central government based on factors such as the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of the country, the risk to electoral democracy, security of the state, and public order.
Who Must Comply with the DPDPA and What Are its Exemptions?
The DPDPA applies to your organization if you:
- Process digital personal data within India, or
- Process digital personal information related to offering goods and services to data principals in India.
However, one of the more controversial aspects of the DPDPA is its broad set of exemptions. Many government agencies are exempt, and the central government has the power to regulate certain categories of organizations (such as startups) in the future. Other exempted activities include processing publicly available personal data, processing personal data for research purposes, and, under certain circumstances, processing non-Indian citizens’ data, which may make it easier to carry out targeted advertising.
How to Stay DPDPA Compliant
Privacy Notices
By May 2027, notices must:
- Be accessible via a conspicuous link (e.g., “privacy policy”) on website homepages
- Be reasonably accessible and clear
- Include an itemized description of the specific types of data being collected (e.g., name, phone number, device ID)
- List the identities of all other data fiduciaries and data processors with whom the personal data has been shared along with a description of the shared personal data
- Provide a clear explanation of why the data is being collected and the specific goods/services it enables
- Explain the individuals’ data subject rights and how they can be exercised
- Provide a means of exercising data subject rights (e.g., a data subject rights portal)
- Explain how authorized agents can exercise data subject rights on a data principal’s behalf
- Provide the contact details for the organization’s data protection officer (DPO) or an authorized person who can answer questions or resolve complaints
- Provide information on how to file a complaint with the Data Protection Board of India
If you’re familiar with privacy notice requirements in other privacy laws, you’ll recognize that this is a lot more prescriptive and granular. For example, regulations like the GDPR only require you to list the categories of data types and the third parties that receive personal information; the DPDPA requires an itemized list of both.
This presents two challenges for businesses:
- How to identify relevant details (like types of data or third parties receiving data)
- Disclosing potentially sensitive business relationships
Businesses with a limited understanding of their website and data processing activities will struggle with listing out those details in the privacy policy. Meanwhile, many businesses will feel reluctant to disclose who they specifically transfer data to, especially if those vendors have a poor reputation or if the relationship is sensitive in some way.
Consent Management
The DPDPA’s definition of consent tracks with other privacy laws for the most part. However, its purpose limitation and right to withdraw consent at any time stand out.
The DPDPA prohibits businesses from processing data for purposes other than those the data principal consented to. Most data privacy laws also permit the use of data under other legal bases, but the DPDPA only permits processing for purposes the data principal explicitly consented to, plus a narrow list of legitimate uses (e.g., fulfilling a legal obligation or responding to a medical emergency).
Additionally, the moment a data principal withdraws consent, the data fiduciary is legally obligated to not only stop processing but also delete the data, unless retention is specifically mandated by another Indian law.
Consent Manager vs. Consent Management Platforms: What’s the Difference?
The DPDPA features a few terms that may be confusing for businesses seeking to comply with the law. The act uses the specific term “consent manager” to describe a new type of regulated legal entity, whereas most businesses just need a technical tool (a consent management platform, or CMP) to manage their own users.
| Feature | Standard CMP | Registered Consent Manager (Rule 4) |
|---|---|---|
| What It Is | A software tool (like Osano) used by a company to manage its consumers’ consent preferences | A licensed legal entity that acts as a single dashboard for a user across many companies |
| Legal Status | An extension of the data fiduciary (the company) | An independent fiduciary registered with India’s Data Protection Board |
| Scope of Service | Handles consent specifically for your website/app only | Allows users to manage, review, and withdraw consent for multiple different websites/apps in one place |
| Obligations | You are responsible for all records and compliance | They take a more active role in compliance by holding a master record of consent and facilitating data portability |
| Record Keeping | You must maintain your own auditable logs | They are legally mandated to keep immutable consent records for 7 years |
Do I Need a "Registered Consent Manager" for India?
No. You do not need to register as a consent manager, nor are you forced to use one that is registered with the Indian government. Most companies will simply use their existing CMP to support the law’s notice and consent requirements.
Data Subject Rights
The rights afforded to data subjects (or data principals), aside from the ability to consent to data collection and withdraw that consent, mirror the standard set of rights found in other data privacy laws. The right to consent is set aside from the normal set of rights to emphasize India’s adherence to an opt-in model of consent, rather than the opt-out model seen regularly in US state privacy laws.
Notably, however, the right to portability is absent.
The DPDPA’s data privacy rights are as follows:
- Right to know/confirm
- Right to access
- Right to correct/rectification
- Right to delete
- Right to obtain a list of third parties to whom the business sold or shared the requester’s data
- Right to consent to data collection: Data fiduciaries must obtain clear and informed consent, ensuring individuals are aware of and agree to data collection and processing.
- Right to use an authorized agent to submit requests
- Right to appeal denials of rights requests
Unlike under certain data privacy laws such as the CCPA, verification of requesters is allowed for all rights requests. Businesses only need to consider requests made in writing by a person who can be authenticated. Additionally, businesses must honor requests submitted by authorized agents on behalf of requesters who have a disability or are children.
You have a maximum of 90 days to complete a request, and this window includes any appeals. Based on industry standards, it may make the most sense to set the default fulfillment timeline to 30 days; this should give you enough time to action the request and handle any appeals that may result.
Assessments
Completing privacy assessments is an implicit necessity for meeting compliance obligations under the DPDPA. The only explicit requirement to conduct assessments is reserved for significant data fiduciaries, who must perform a data protection impact assessment (DPIA) when directed by the data protection authority (DPA). However, the precise definition and criteria for what constitutes a "significant data fiduciary" remain largely undefined beyond the general characteristics outlined in the legislation.
Vendor Management
Unlike some laws where a vendor shares direct statutory liability for a breach, the DPDPA places the responsibility squarely with the fiduciary. The law doesn’t prescribe formal obligations for processors, which makes it even more important for fiduciaries to conduct their due diligence on vendors to ensure they are handling data responsibly and securely. Most businesses will likely align their India third-party risk management (TPRM) process with EU TPRM program processes.
Data Mapping
As noted, the DPDPA is a consent-first framework with a strict purpose limitation. This requires rigorous data mapping to ensure that personal data is only processed for the purpose described to data principals. Under Rule 8, data must be deleted the moment that purpose is deemed no longer served, which makes automated retention schedules a necessity.
Price of Noncompliance
The DPDP Board is a digital-first enforcement body with significant teeth. Penalties are tiered based on the violation.
| Violation | Fine Amount |
|---|---|
| Breach of data fiduciary’s obligations | Up to ₹250 crore (significant data fiduciaries, or SDFs; ~$27M) / ₹200 crore (non-SDF; ~$22M) |
| Failure to comply with Board directions | Up to ₹250 crore (SDF; ~$27M) / ₹200 crore (non-SDF; ~$22M) |
| Failure to protect data | Up to ₹250 crore (~$27M) |
| Failure to notify of a breach | Up to ₹250 crore (~$27M) |
| Failure to protect children’s data | Up to ₹200 crore (~$22M) |
| Failure to publish contact information | ₹10,000 per day (~$110 per day), up to ₹10 lakh per default (~$11K) |
Looking Ahead
The on-ramp to DPDPA compliance in 2027 may feel long, but the operational requirements demand immediate planning. Now is the time to transition from high-level policy to technical implementation.
Compliance with any data privacy law can be complicated, but given the unique provisions of the DPDPA and the sheer number of individuals it protects, businesses may struggle to get compliant quickly.
Fortunately, Osano can help with a number of DPDPA requirements. Businesses using the Osano platform will be able to:
- Secure, manage, and record data principals’ consent
- Automate subject rights requests
- Map their data to avoid unnecessary data sprawl (and therefore, unnecessary risk)
- Score and identify trustworthy vendors to partner with
- And holistically manage their end-to-end privacy program
Schedule a demo of Osano today to take your first steps toward DPDPA compliance.
Derek Glausser, CIPM/FIP (IAPP)
Derek Glausser is the Privacy Program Manager at Osano. He has extensive experience conducting privacy assessments, gap analyses, and audits to help companies comply with state, federal, and global regulations and standards.