Authored By: Sh. Khurshid Alam, Law Centre 2, Faculty of Law, Delhi University, India, Research Writer at Law Audience®,
Edited By: Mr. Varun Kumar, Advocate, Himachal, Punjab & Haryana and Founder at Law Audience.
Abstract:
This article examines India’s new Digital Personal Data Protection Act, 2023 (DPDP Act) in the context of global privacy laws, specifically the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We first outline why India needed a data protection law, noting the rise of digital services and that, until 2023, India relied only on the IT Act and 2011 “Privacy Rules” for data privacy[1]. We then summarize the DPDP Act’s key features (definitions, scope, consent regime, data subject rights, obligations, enforcement).
The core of the article compares DPDP with GDPR and CCPA across six dimensions:
- Definitions and Scope;
- Data Subject Rights;
- Legal Basis for Processing;
- Regulatory Authority and Enforcement;
- Penalties;
- Consent and Transparency.
We highlight how DPDP is narrower in scope (covers only digital personal data and excludes certain data), how its rights and legal bases differ, and how its enforcement structure differs from GDPR’s DPAs and CCPA’s regulators. We analyze strengths (e.g. clear consent requirement, no strict localization mandate) and weaknesses (e.g. broad state exemptions, limited rights, a non-independent regulator) of DPDP relative to GDPR/CCPA. We conclude with practical compliance challenges for Indian companies (such as implementing consent and data security measures, setting up grievance redressal, preparing for cross-border rules) and offer recommendations (like expanding data subject rights, strengthening the regulator, and aligning exemptions with global norms). Throughout, we cite statutory text and official analyses to ensure the discussion is evidence-backed.
Keywords
- Digital Personal Data Protection Act 2023,
- DPDP Act, GDPR, CCPA,
- India Data Protection Law,
- Privacy,
- Data Subject Rights,
- Regulatory Authority,
- Data Breaches,
- Consent,
- Enforcement,
- Data Fiduciary.
Introduction:
India’s enactment of a dedicated data protection law reflects both domestic needs and global trends. With over 690 million internet users and frequent data breaches reported, the absence of a comprehensive privacy law left India relying on the Information Technology Act 2000 and its 2011 Privacy Rules, which offered limited protection.
In 2017, India’s Supreme Court affirmed that informational privacy is a fundamental right (Puttaswamy v. Union of India), prompting the government to draft a full data protection framework. On the global stage, the EU had implemented the GDPR in 2018 to unify data protection across Europe, and U.S. states like California passed the CCPA in 2018 as one of the first strong consumer privacy laws in the U.S. Reflecting this momentum, India passed the Digital Personal Data Protection Act, 2023 (DPDP Act) on August 11, 2023[2].
This new Act aims to regulate the collection, use, and transfer of “digital personal data” by public and private entities in a manner that recognizes individuals’ rights and lays down duties for organizations.
Unlike earlier drafts, the DPDP Act 2023 is more modest in obligations, but introduces key concepts like “data fiduciaries,” a Data Protection Board, and definitions of data rights. In the sections below, we outline the DPDP Act’s main provisions and then compare its approach to data privacy with the GDPR (EU law) and CCPA (California law) across multiple dimensions, in order to highlight similarities, differences, and implications for Indian businesses and consumers.
Key Provisions and Features of the DPDP Act, 2023
The DPDP Act, 2023 is a new Indian statute governing the processing of personal data in digital form. Its key features include the following:
- Definitions and Scope:
The Act defines “personal data” broadly as “any data about an individual who is identifiable by or in relation to such data” [3]. It specifically covers “digital personal data” (personal data in digital form). Offline or analog data are not covered unless digitized. Section 3 states the Act “applies to the processing of digital personal data within the territory of India” and also to processing of personal data outside India if it is in connection with offering goods or services to persons in India[4]. Notably, the Act excludes certain data from its ambit: for example, data processed for purely personal/domestic purposes, or data that has been made publicly available by the individual themselves (or by someone legally obliged to publish it).
- Consent and Legal Bases:
The DPDP Act is primarily consent-based. Section 4 provides that a data fiduciary may lawfully process personal data only with the consent of the data principal or for certain specified “legitimate uses” [5]. These legitimate uses include cases like data volunteered by the individual for a purpose (if she doesn’t object), processing to comply with a legal requirement or court order, processing for medical emergencies or public health purposes, and providing services (subsidies, licenses) by the government when the individual has already consented to other services. Unlike the GDPR, the DPDP Act does not recognize contractual necessity or the organization’s legitimate interest as independent lawful bases; consent (or the narrow exceptions) is the main basis[5].
The Act’s consent standard is strict: consent must be “free, specific, informed, unconditional and unambiguous, with a clear affirmative action” for a specific purpose[6]. The Act also provides for “deemed consent” in certain situations (for example, emergencies or government benefits) under Section 7.
- Data Fiduciaries and Data Processors:
The Act distinguishes between Data Fiduciaries (entities that collect or determine the purpose of processing personal data) and Data Processors (entities processing data on behalf of fiduciaries). It imposes duties mainly on fiduciaries, including: providing notice of data collection (Section 5), implementing reasonable security safeguards (Section 16), limiting data use to specified purpose, ensuring data accuracy, and notifying breaches (Section 28). The highest penalty under the Act (up to INR 250 crore) is for failure by a fiduciary to take reasonable security safeguards to prevent a data breach[7].
- Data Principal Rights:
The Act grants specific rights to individuals (called “Data Principals”). Key rights include the right to correction, completion, updating, and erasure of personal data they have consented to share[8]. A data principal can request a fiduciary to correct or delete any inaccurate or outdated personal data that she has previously consented to provide. There is also a right to data erasure (subject to exceptions, e.g. if retention is required by law).
The Act establishes the right to grievance redressal:
- every fiduciary must maintain a mechanism to address complaints, and
- individuals have a right to approach the Data Protection Board if needed[9].
Uniquely, data principals have a right of nomination: they may designate a person to exercise their data rights on their behalf in case of death or incapacity[10]. (Noticeably, unlike earlier drafts or GDPR, the Act does not explicitly grant a general data access or portability right.)
- Special Provisions for Children:
The Act defines a “child” as an individual under 18. It mandates that fiduciaries must obtain verifiable parental consent before processing a child’s data[11], and prohibits behavioral tracking, profiling, or targeted advertising of children[12]. The government may specify additional conditions or exemptions, and can also set an age threshold above which safe-processing measures suffice[13] [14].
- Significant Data Fiduciaries:
Section 10 empowers the government to designate certain large or sensitive entities as “Significant Data Fiduciaries” (SDFs) based on factors like volume of data, sensitivity, risk to sovereignty or public order, or handling of children’s data[15]. SDFs have extra obligations. For example, an SDF must appoint a Data Protection Officer (DPO) based in India, establish a grievance redressal mechanism, and conduct periodic Data Protection Impact Assessments (DPIAs) and audits. (Earlier bills would have required SDFs to register with the government, but the final Act dropped that registration requirement.)
- Cross-Border Data Transfers:
The DPDP Act allows personal data to be transferred outside India. It does not impose an absolute data-localization requirement. However, the government retains power to restrict transfers to specified countries if needed (e.g., on grounds of security or sovereignty)[16]. In practice, sectoral regulators (like the RBI or SEBI) have separate localization rules for banking or finance data, which remain in effect.
- Regulatory Authority – Data Protection Board:
The Act establishes a Data Protection Board of India (Section 18) as the statutory body for enforcement and grievance redressal. The Board is not an independent regulatory authority like the EU’s Data Protection Authorities; instead, it is primarily an adjudicatory body.
The Board can inquire into breaches and compliance, summon parties, and impose penalties for violations of the Act[17]. (It has the powers of a civil court when conducting proceedings.) Appeals from the Board’s orders go to the existing Telecom Disputes Settlement and Appellate Tribunal (TDSAT)[18]. The members of the Board are appointed by the government. The Act also allows data fiduciaries to settle complaints by submitting voluntary undertakings to the Board.
- Penalties:
The Act prescribes fines and penalties for various violations (Schedule). Major breaches by Significant Data Fiduciaries – such as failing to implement security safeguards – carry the maximum fine of INR 250 crore (about €28 million)[19]. Other contraventions carry lower fines (for example, up to INR 200 crore or 150 crore for some offenses). Lower-level violations (like procedural lapses by small fiduciaries) may incur smaller penalties (e.g. ₹10,000). The DPDP Act also provides a private right of compensation to data principals for certain harms (similar to GDPR’s liability provisions).
- Exemptions:
The Act contains broad exemptions. For instance, processing in the interest of national security, public order, sovereignty, or friendly relations with foreign states is generally exempt[20]. Courts and law enforcement processing, or processing for prevention/detection of crime, are exempt.
Certain processing for research or archiving is exempt if the data is not used to make decisions about an individual. Notably, the government has the power to exempt any class of data fiduciaries or specific provisions of the Act for up to five years at a time. These clauses have raised concerns among privacy advocates about potential over-breadth.
Overall, the DPDP Act establishes a comprehensive framework of rules for how “data fiduciaries” handle individuals’ digital personal data, incorporating concepts of notice, consent, purpose limitation, security, and accountability. Compared to earlier proposals, it is somewhat more limited in scope and gives the government considerable discretion in exemptions. In practice, businesses and individuals must await the Act’s rules (expected to be drafted by early 2025) and phased implementation timelines.
Comparative Analysis: DPDP Act vs GDPR and CCPA
India’s DPDP Act emerges in a world where the GDPR (EU) and CCPA (California, USA) already set global benchmarks for data privacy. Below we compare the three laws across key dimensions:
Definitions and Scope
- DPDP Act (India) – Covers “digital personal data”, i.e. personal data (any information about an identifiable individual) in digital form[3]. Offline (paper) data and non-digital personal information fall outside the Act. It excludes personal data voluntarily made public by the individual or legally required to be public[3]. The DPDP Act applies to data collected in India (digitally) and extraterritorially applies to data processing outside India if it relates to offering goods or services to Indian residents[4].
- GDPR (EU) – Covers “personal data” (any information relating to an identified or identifiable person)[21]. There is no digital/analog distinction: any form of personal data is covered. Territorial scope is broad: GDPR applies to any processing by an entity established in the EU, regardless of where processing occurs, and also to entities outside the EU if they target EU residents (offering goods/services or monitoring behavior within the EU)[22]. It covers both private and public-sector processing of personal data, with few exceptions.
- CCPA (California) – Defines “personal information” as specific categories of data about California residents. These include identifiers (name, address, SSN, email, IP address, etc.), commercial information (purchase history), internet activity, geolocation, inferences, and sensitive categories (health, biometric, etc.)[23]. The definition explicitly excludes publicly available government information[24]. CCPA’s scope is limited by business applicability: it applies to for-profit businesses doing business in California that meet one of several thresholds (annual revenue over $25M, or buying/selling data of 50,000+ consumers, or over 50% revenue from selling personal information)[25]. Nonprofits and most small businesses are exempt. CCPA applies only to processing of data about California consumers (residents).
Data Subject Rights
- DPDP Act (India) – Grants a limited set of rights to the data principal. These include the right to correct, complete, update or erase their personal data (that they have provided via consent), and a right to an effective grievance redressal mechanism if obligations are violated. There is also a right to nominate someone to exercise one’s rights after death or incapacity. Notably, the Act does not explicitly provide rights such as general data access or portability. The right to erasure is subject to exceptions (e.g. if retention is required by law). Overall, DPDP’s rights are narrower; for example, it lacks an explicit right to data portability or to restrict processing.
- GDPR (EU) – Provides an extensive menu of rights. Data subjects have the right of access (to know what data is held), rectification (correction) and erasure (the “right to be forgotten”) of their data. They can request restriction of processing and object to certain processing (e.g. marketing). A key right is data portability (to receive personal data in a structured format to transfer to another controller). Data subjects can withdraw consent at any time, and have the right to be informed about automated decision-making and profiling[26]. They also have the right to lodge complaints with Data Protection Authorities. In summary, GDPR empowers individuals with robust control and transparency rights over their data. For example, it explicitly includes a right to a copy of data (“obtain from the controller confirmation and a copy of personal data”)[27].
- CCPA (California) – Grants rights framed around consumer transparency and choice. California residents have the right to know what personal information businesses have collected about them, including categories of data collected, sources, purposes, and third parties with whom it is shared[28].
They have the right to delete personal information collected (with limited exceptions). They have the right to opt-out of sale or sharing of their information (CCPA introduced an “opt-out of sale” requirement; consumers can use a “Do Not Sell My Info” link). The CPRA amendment added the right to correct inaccurate personal information and right to limit the use/disclosure of sensitive personal information for purposes other than the original collection. There is also a right to non-discrimination (businesses cannot deny service or charge more for exercising these rights)[29]. Unlike GDPR, CCPA does not grant a general right to data portability (though it covers some data transfers), nor a blanket right to restrict all processing; it is more narrowly focused on notice, access to information, and sale/sharing opt-out.
Notably, under CCPA consumers cannot sue businesses for most violations – enforcement is by the California AG (see below) – except that consumers have a limited private right of action for certain data breaches.
Legal Basis for Processing
- DPDP Act (India) – Essentially requires consent or specified exceptions. Section 4 states that processing is lawful only if the data principal’s consent has been obtained, or it falls under a narrow list of “legitimate uses”. These legitimate uses are largely situations like voluntary data sharing by the individual (absent objection), legal compliance, employment contexts, medical emergencies, or government services.
The Act’s consent requirement is stringent (“free, specific, informed and unambiguous”). Importantly, the Act does not provide for processing based on contractual necessity or the controller’s legitimate interests (as GDPR does). This means Indian businesses cannot rely on a broad “legitimate interest” exception; outside of consent, only the enumerated cases permit processing.
- GDPR (EU) – Lists six lawful bases for processing personal data (Article 6). These are:
  - (a) consent;
  - (b) performance of a contract with the individual;
  - (c) compliance with a legal obligation;
  - (d) protection of vital interests;
  - (e) tasks carried out in the public interest or official authority; and
  - (f) the legitimate interests pursued by the controller (except where overridden by the data subject’s interests).
Thus, under GDPR, organizations have multiple bases besides consent. For example, a business can process data if necessary to fulfill a contract, even without fresh consent. The DPDP Act is narrower: it aligns only with consent and government-specified purposes, whereas GDPR broadly allows many bases.
- CCPA (California) – Does not use the “legal basis” framework like GDPR or DPDP. It is essentially an opt-out regime: businesses may collect, use, and share personal information so long as they comply with notice and consumer rights provisions. Consent is only required in the sense of an affirmative opt-in for the sale of data of minors under age 16 (otherwise consumers must opt out of sale).
Unlike GDPR, CCPA does not require businesses to identify a lawful ground for each processing activity; it assumes processing is permitted unless it involves selling data (which requires an opt-out) or unless the consumer exercises their rights. In summary, DPDP’s consent-centric model is more similar to GDPR than to CCPA; the CCPA treats data more like a consumer commodity with opt-out of sale rules rather than requiring consent for every use.
Regulatory Authority and Enforcement
- DPDP Act (India) – Enforcement is through the Data Protection Board of India, a new statutory body created by the Act. The Board can investigate complaints and breaches, conduct inquiries, and issue directions. It has quasi-judicial powers (can summon entities, examine witnesses, etc.), but limited statutory authority.
Unlike the EU’s model, the DPDP Act does not give the Board broad supervisory powers or regulatory rulemaking authority. (For example, it cannot issue binding regulations on businesses except those made under the Act’s rules, and it cannot proactively audit companies without cause.) Appeals from the Board’s orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). In practice, this means compliance enforcement will be handled by the Board under government oversight, which critics note is not as independent as EU authorities.
- GDPR (EU) – Each EU Member State has an independent Data Protection Authority (DPA) responsible for monitoring and enforcing GDPR in that jurisdiction. Together they form the European Data Protection Board (EDPB) to ensure consistency across the EU. DPAs have powers to investigate complaints, conduct audits, and impose penalties. They also issue binding guidance (or codes of conduct) for businesses. Data subjects can lodge complaints with their national DPA. Appeals from DPAs typically go to national courts. Thus, GDPR enforcement is decentralized but structured, with strong independence.
- CCPA (California) – Enforcement primarily lies with the California Attorney General (AG). The AG’s office can investigate and bring civil actions against businesses for CCPA violations, seeking the statutory penalties. (Starting in 2023, a new California Privacy Protection Agency (CPPA) has been created by the CPRA amendment with broader enforcement powers, but as of early 2025 the AG remains active.) CCPA also grants a limited private right of action to consumers in the event of certain data breaches; affected individuals may sue for statutory damages ($100–$750 per consumer per incident) if sensitive data was exposed and the business failed to implement reasonable security[30] [31].
For other CCPA violations, only the AG/CPPA may enforce (after the consumer complains and gives the business 30 days to cure). In contrast to GDPR’s multi-jurisdictional setup, CCPA enforcement is handled at the state level, and its private right is quite narrow (breach-specific).
Penalties
- DPDP Act (India) – Violations can attract heavy fines. The highest penalties target serious lapses: for example, failure by a Significant Data Fiduciary to employ reasonable security safeguards (leading to a data breach) can incur up to INR 250 crore (about €28 million).
Lesser breaches (e.g. not designating a DPO when required, or not notifying breaches) carry lower fines (ranging in the hundreds of millions of rupees, see the Act’s Schedule). A modest fine (₹10,000) can apply for minor infractions by non-significant fiduciaries. In addition to fines, the Board can impose directions, and data principals can seek compensation for harm caused. Thus, DPDP’s penalty structure is significant, though still generally lower in absolute terms than GDPR’s (below).
- GDPR (EU) – Imposes tiered fines. For “less serious” infringements (e.g. failing to keep records, not obtaining consent properly), penalties can reach up to €10 million or 2% of global annual turnover[32].
For the most serious violations (breach of core principles like consent, data security, transfer rules), fines can be up to €20 million or 4% of global turnover, whichever is higher. Many high-profile GDPR fines have reached the €50–100 million range, illustrating its strong enforcement. There are also remedies for data subjects (compensation for damage) and possible criminal charges under Member State laws, but the key deterrent is the high administrative fines.
- CCPA (California) – Penalties are comparatively lower. Civil fines for violations are up to $2,500 per violation for a non-intentional violation, and up to $7,500 per violation for intentional violations[33]. (The CPRA successor may allow higher fines for certain breaches of consumer rights.)
In addition, data breaches of unencrypted personal information trigger statutory damages of $100–$750 per consumer per incident (there is no aggregate cap, though awards remain subject to due-process limits). The CCPA has no analog of percentage-of-revenue fines; instead, most enforcement comes via injunctions or modest fines. Businesses also risk class-action suits for breaches outside the statutory remedy, where other state law is violated.
Consent and Transparency
- DPDP Act (India) – Central to DPDP is obtaining valid consent and giving clear notice. Section 6 requires that consent be voluntary, specific and informed; the Act explicitly forbids pre-ticked boxes or implied consent.
When collecting data, fiduciaries must provide a notice (Section 5) that includes the purpose of collection, types of data, rights of the principal, and grievance redress details[34]. The consent notice must be in clear language and cover only the data needed for that purpose.
Thus, DPDP places strong emphasis on transparency at the point of collection. Consent can later be withdrawn by the individual, requiring erasure of data if no other legal basis applies. These rules mirror GDPR’s high standard for consent (free, specific, informed).
- GDPR (EU) – Also emphasizes transparency. GDPR Articles 12–14 require controllers to inform data subjects about processing – including the controller’s identity, processing purposes, legal basis, data recipients, retention period, and the data subject’s rights – at the time of data collection[35].
If data is not obtained from the subject, additional notice rules apply. Consent under GDPR must likewise be clear and affirmative (Article 4). GDPR’s transparency obligations are extensive; for example, Article 13 lists dozens of pieces of information that must be provided to individuals when collecting their data. Controllers must also provide privacy notices about users’ rights (access, erasure, portability, complaint) and data transfers. In practice, GDPR pushes organizations to be highly transparent about data use.
- CCPA (California) – Requires notice and transparency but not in the same granular way as GDPR. Businesses must publish privacy policies or notices disclosing the categories of personal information collected, purposes of use, and categories of third parties with whom data is shared or sold.
The CCPA specifically requires an easy-to-find “Do Not Sell My Info” notice if the business sells data. If a consumer exercises their rights, the business must respond with required information.
Unlike GDPR or DPDP, CCPA does not require businesses to obtain opt-in consent for most uses; it instead focuses on giving consumers the choice to opt-out of sales. For example, a California privacy notice typically outlines categories of personal info collected and how it is used or sold. Thus, DPDP and GDPR are more consent-centric and require upfront transparency, whereas CCPA grants consumers opt-out rights but generally allows businesses to process data unless consumers object or the data is sold.
Strengths and Weaknesses of the DPDP Act (vs. GDPR/CCPA)
The DPDP Act represents India’s balancing act between individual privacy and economic/sovereign interests.
Strengths:
- Consent-centric protection: By requiring free, informed consent for most processing, the Act firmly places user choice at the core. This high standard (no bundled or blanket consent) and the duty to provide clear notice (purpose, rights, Board contact) are positive steps that align with GDPR principles. In this respect, India’s law can empower individuals over their data similarly to EU law.
- Focused scope and practical flexibility: The Act applies only to digital data, which simplifies compliance for many organizations and reflects India’s goal of a digital economy. It also refrains from mandatory data localization: notably, it does not itself impose residency requirements. (Government powers to restrict transfers are balanced by the recognition that sector regulators may already have their own rules.) This could facilitate cross-border business with fewer constraints than an absolute localization rule.
- Exemptions for small entities: The Act allows the government to exempt classes of fiduciaries (e.g. startups) from certain obligations (notice, accuracy, erasure, etc.)[36]. This built-in flexibility can ease the burden on small companies and encourage compliance rather than imposing one-size-fits-all rules.
- New institutional framework: Creating a specialized Board is a step toward dedicated oversight. The Board’s powers to impose substantial fines (up to INR 250Cr)[19] mean that organizations now face real consequences for breaches. The concept of “significant fiduciaries” with extra duties (DPOs, DPIAs) also acknowledges that larger firms need stricter controls.
Weaknesses/Concerns:
- Limited data subject rights: Compared to GDPR, DPDP grants fewer rights. For example, there is no explicit right to data portability and only a limited concept of erasure. One critique is that the Act omits the “right to be forgotten” (as a standalone, unconditioned right) and data portability[37]. Without access or portability rights, users have less control than under GDPR. CCPA also offers broader access rights than DPDP (e.g. the right to know the categories of data collected), which DPDP does not fully match.
- Broad state exemptions: A major weakness is the Act’s sweeping carve-outs for government and security purposes. For instance, processing for “sovereignty and integrity of India, security of the state, public order” etc., is explicitly exempt.
Moreover, the government can suspend any provision of the law for up to five years at a time. Critics point out that these clauses are much broader than in GDPR and risk undermining privacy: as one analysis notes, national security exemptions “may lead to data collection, processing and retention beyond what is necessary”. Such open-ended exemptions could conflict with the fundamental privacy right unless carefully circumscribed.
- No “legitimate interest” basis: While GDPR’s legitimate-interest provision provides flexibility for businesses, DPDP lacks this basis. This means that Indian companies may have to seek fresh consent for data uses that GDPR would cover under legitimate interest. In practice, this makes compliance more cumbersome for companies (having to re-notify or obtain consent) and is seen as a drawback compared to GDPR’s flexible approach.
- Regulator limitations: The Data Protection Board, while a new enforcement body, has a narrow mandate. Unlike EU DPAs, it cannot issue binding rules or proactively supervise businesses – it only enforces the Act’s provisions as written. Its members are government-appointed, and terms are short (2 years, reappointment possible)[38]. Critics argue that this could compromise independence and long-term enforcement strategy. In contrast, the GDPR’s independent authorities have rulemaking and audit powers.
- Potential compliance confusion: Because the Act is broad but not yet in force, businesses face uncertainty. Rules are still pending, and it remains unclear how the Board will operate. This hiatus could be seen as a weakness in enforcement readiness. (See next section on challenges for more detail.)
In summary, the DPDP Act strengthens Indian data protection significantly but still falls short of GDPR’s standards in key areas of rights and independence. It is somewhat closer to GDPR’s philosophy than CCPA’s, given its emphasis on consent and regulatory control, but leaves gaps (e.g. no legitimate interest, heavy exemptions). Alignment with global norms (e.g. for EU adequacy) may require future amendments, as legal analysts have noted.
Compliance and Implementation Challenges for Indian Stakeholders
With the DPDP Act enacted, Indian businesses, startups, and other data fiduciaries face several practical hurdles in achieving compliance:
- Implementation Timeline and Rules: The Act itself is not immediately in force. The Government must notify which sections come into effect and enact detailed rules to operationalize the law.
For example, the draft Digital Personal Data Protection Rules, 2025 were only published for comment in January 2025. Until the rules are finalized, many obligations lack specifics. Companies must therefore track rulemaking closely and prepare to adapt once the final timelines are announced.
(The Act’s text notes that requirements like establishing the Board or reporting breaches come into effect upon rule notification[39].) Stakeholders should not delay planning: aspects like notice formats, consent forms, DPO job descriptions, and breach protocols should be drafted proactively.
- Consent Management and Notices: Organizations will need to revise user interfaces, contracts, and policies to capture and record explicit consent in the mandated form. Consent must be granular (e.g. separate checkboxes for different purposes) and cannot be bundled.
Companies should update their privacy notices to clearly state the purpose of each data collection, the legal basis (consent or legitimate use), categories of recipients, and data retention limits, as required by Sections 5–6. Implementing such notice-and-consent flows is a significant task, especially for legacy data.
Startups that collect data from the outset can build this in, but older enterprises may need to retrofit their databases (and seek fresh consents).
- Data Security and Breach Response: Under Section 16, fiduciaries must implement “reasonable security safeguards” to prevent breaches. The scheduled penalties make clear that failures in security carry the heaviest fines.
Businesses will need to conduct security audits, possibly encrypt or pseudonymize data, and enforce access controls. They must also set up an internal process for breach detection and notification: a data breach affecting personal data must be reported to the Board under Section 28.
These requirements echo existing best practices (e.g. IT Act rules and CERT-In guidelines), but DPDP makes them statutory. Companies (especially in tech, banking, e-commerce) may need to appoint or train security officers and invest in data security technologies.
- Setting Up Grievance Redressal: Section 10 mandates that every fiduciary have a mechanism to address data grievances from consumers. This could be an internal team, an online portal, or a third-party “consent manager.” Many businesses may need to establish new procedures (e.g. a dedicated email address, staffing a data-complaint desk) and ensure timely resolution.
Moreover, companies should document grievance outcomes, since they could be examined by the Board or courts. Training staff on how to handle such complaints will be important.
- Governance and Accountability: Larger organizations identified as “Significant Data Fiduciaries” must appoint a Data Protection Officer (DPO) in India who will answer to the board of directors. For global or listed companies, this means adding a dedicated executive role for privacy compliance. Additionally, SDFs must conduct Data Protection Impact Assessments (DPIAs) and independent audits on processing activities. Even non-SDF companies should consider incorporating privacy-by-design principles, as this can mitigate liability. Building a culture of accountability (with privacy policies, training, and internal compliance checks) will help meet the Act’s requirements.
- Cross-Border Data Flows: Companies that transfer data internationally must monitor notifications of any restricted countries by the Indian government. Although the Act currently allows transfers broadly, it empowers the government to “blacklist” certain destinations.
Businesses will need clauses in data transfer agreements and ensure that any transfers comply with Indian law. Those with EU data may also need to harmonize DPDP compliance with GDPR obligations (such as additional safeguards for international transfers). Similarly, U.S. companies doing business in India (or vice versa) will face multi-jurisdictional compliance.
For example, a U.S. cloud provider handling Indian user data will now be a data fiduciary under DPDP and must update its contracts and practices accordingly.
- Coexistence with Other Laws: Several existing Indian laws overlap with DPDP. For instance, financial firms already follow RBI’s localization and cybersecurity requirements; health data handlers may follow rules under the Clinical Establishments Act.
Firms need to map how DPDP interacts with sectoral rules, the IT Act, telecom regulations, and criminal laws (the PDP Act has some penal provisions for data misuse). Unresolved questions (e.g. whether information collected under older contracts can be reused under DPDP) may arise, so close legal review will be needed.
- Uncertainty and Training: Many Indian startups and SMEs lack privacy expertise. The novelty of the law means companies may not fully understand their obligations. Training employees about the Act’s requirements, and possibly hiring or consulting with privacy specialists, will be necessary.
The uncertainty (e.g. how broadly the Board will enforce, how the rules will apply) means companies may temporarily over-comply (implementing extra safeguards) or under-comply (waiting for clarity); both carry risks.
Early adopters should seek guidance from legal advisors and watch for regulatory guidance after the rules are published.
- Consumer Expectations and Market Impact: Indian consumers are increasingly aware of privacy, partly due to global media on GDPR and data breaches.
Businesses that adapt to the DPDP Act early may gain trust among users by emphasizing data protection. Conversely, companies that lag risk losing customers or facing reputational harm if breaches occur.
There may also be international business implications: for example, EU authorities will assess whether the DPDP Act provides “adequate” protection for EU data transfers (India’s law must be essentially equivalent to GDPR for adequacy).
In summary, compliance is not just a legal checkbox but a strategic imperative for global competitiveness.
In short, while the DPDP Act’s framework echoes global standards, Indian stakeholders must now build or adjust robust compliance programs. This includes technical changes (data mapping, security), process changes (consent handling, grievance management), and organizational changes (assigning accountability). Government outreach and model policies will be valuable in easing this transition.
Conclusion and Recommendations
India’s Digital Personal Data Protection Act, 2023 marks a significant milestone: for the first time, India has a dedicated law governing personal data. The Act brings India closer to global privacy norms by codifying consent requirements, data security obligations, and individual rights. However, as our comparative analysis shows, there are gaps when measured against the GDPR or CCPA standards. The DPDP Act currently offers fewer rights (no portability, no broad access right), omits broad legal bases like legitimate interest, and contains extensive exemptions for state actions. Its regulatory body, the Data Protection Board, lacks the independence and proactive enforcement powers of European Data Protection Authorities.
For better alignment with international best practices, India might consider future amendments or clarifications. For example, adding certain rights (e.g. formalizing data access or portability) could boost citizens’ control. Introducing lawful-basis flexibility (beyond consent) could help businesses while still safeguarding privacy.
Ensuring the Board’s independence (by fixed non-renewable terms, for instance) and limiting the scope of broad exemptions could enhance trust and possibly facilitate an EU adequacy finding. Industry and regulators should collaborate to fill implementation gaps: comprehensive rules and guidelines (especially on sensitive processing and government exemptions) will help avoid ambiguity.
Ultimately, the DPDP Act lays the foundation for a modern data protection regime in India, but it will evolve. Stakeholders — from startups to multinational corporations — must engage actively in rulemaking and refine their practices. By learning from GDPR and CCPA experiences, India can strengthen its law in future, achieving both consumer trust and business facilitation. In the interim, companies should view compliance not just as a legal duty but as an opportunity to build data-privacy into their operations, aligning India’s digital economy with global data protection standards.
References
- The Digital Personal Data Protection Act, 2023 (India) – Official text of the Act, Government of India (Ministry of Law & Justice, 11 Aug 2023).
- Ministry of Electronics and IT (India), Data Protection Rules, 2025 (draft) – Draft rules for DPDP Act (Jan 2025).
- Ministry of Electronics and IT (India), Data protection laws in India (DLA Piper summary)[1][16].
- Nishant Sharma et al., “Understanding India’s New Data Protection Law”, Carnegie Endowment (Oct 2023)[18][20].
- Nikhil Sinha et al., “India’s Data Protection Law – Insights and Analysis”, Latham & Watkins (Aug 2023)[5][19].
- General Data Protection Regulation (GDPR), EU Regulation 2016/679 – Text and commentary (e.g. gdpr-info.eu)[21][22].
- California Consumer Privacy Act (CCPA), Cal. Civ. Code §§1798.100–1798.199 (2018, amended 2020) – Official California AG FAQs[40][29] and legislative text[23][24].
- California Privacy Rights Act (CPRA, 2020) – Amendment to CCPA granting additional rights (e.g. right to correct, limit)[30].
- California Office of the Attorney General – CCPA Enforcement and FAQs[33][29].
- Carnegie Endowment India Centre, Data Protection Bill analyses (various)[41][42].
- PRS Legislative Research (India) – DPDP Bill summaries and issues (2023)[43][37].
- Various sources on data protection (privacy rules, case law, news reports) for context (e.g. India’s Aadhaar breaches, global privacy regulations).
Sources
[1] [2] [7] [16] [39] Data protection laws in India – Data Protection Laws of the World
https://www.dlapiperdataprotection.com/?t=law&c=IN
[3] [4] [8] [9] [10] [11] [12] [13] [14] [15] [34] meity.gov.in
https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[5] [6] [19] India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison
[17] [18] [20] [36] [41] [42] Understanding India’s New Data Protection Law | Carnegie Endowment for International Peace
https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law?lang=en
[21] Art. 4 GDPR – Definitions – General Data Protection Regulation (GDPR)
https://gdpr-info.eu/art-4-gdpr/
[22] Art. 3 GDPR – Territorial scope – General Data Protection Regulation (GDPR)
https://gdpr-info.eu/art-3-gdpr/
[23] [24] Section 1798.140. Definitions – Consumer Privacy Act
https://www.consumerprivacyact.com/section-1798-140-definitions/
[25] [28] [29] [30] [40] California Consumer Privacy Act (CCPA) | State of California – Department of Justice – Office of the Attorney General
https://oag.ca.gov/privacy/ccpa
[26] [32] What are the GDPR Fines? – GDPR.eu
[27] [35] Art. 13 GDPR – Information to be provided where personal data are collected from the data subject – GDPR.eu
https://gdpr.eu/article-13-personal-data-collected/
[31] Section 1798.150. Private right of action – Consumer Privacy Act
https://www.consumerprivacyact.com/section-1798-150-private-right-of-action/
[33] Section 1798.155. Civil penalties – Consumer Privacy Act
https://www.consumerprivacyact.com/section-1798-155-civil-penalties/
[37] [38] [43] The Digital Personal Data Protection Bill, 2023
https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023