
India's DPDP Act: What it means for your app
- Riya Thambiraj

- Industry Playbooks
Key Takeaways
- The DPDP Act applies to any app processing personal data of individuals in India, regardless of where the company is based
- Consent must be free, specific, informed, unconditional, and unambiguous - and users can withdraw it as easily as they gave it
- Penalties reach up to 250 crore INR (roughly $30M) per violation, with no revenue-based cap like GDPR
- Significant Data Fiduciaries must appoint a Data Protection Officer, conduct impact assessments, and submit to independent audits
- Cross-border data transfers are allowed only to countries notified by the Indian government - transfers to non-notified countries are prohibited
India has more than 1 billion internet users - TRAI reported 969 million subscribers by March 2025 and crossed 1 billion by mid-2025. Until 2023, none of them had a standalone data privacy law protecting their personal information. Companies could collect, process, and share Indian users' data with minimal legal constraint.
That changed with the Digital Personal Data Protection Act (DPDP Act), passed in August 2023. The law introduces consent-based data processing, individual rights, mandatory breach notification, and penalties up to 250 crore INR - roughly $30 million per violation.
If your app has Indian users, this law applies to you. It doesn't matter where your company is based. A SaaS product built in the US with 10,000 users in Mumbai is subject to the same rules as an Indian startup in Bangalore. And unlike GDPR, which had a two-year grace period, the Indian government is rolling out enforcement in phases - meaning some obligations are active now and others will apply as rules are notified.
Who does this apply to?
The DPDP Act uses two key terms: Data Fiduciary (the entity that decides why and how data is processed) and Data Principal (the individual whose data is being processed).
You're a Data Fiduciary if:
- Your app collects personal data from users in India
- You determine the purpose and means of processing that data
- This applies whether your company is in India or not - the law has extraterritorial reach for processing related to offering goods or services to people in India
The scope is broad. Personal data under the DPDP Act means any data about an individual that can identify them, or is identifiable in relation to them. This includes names, email addresses, phone numbers, location data, IP addresses, cookie identifiers, and any other data that relates to an identifiable person.
What's excluded:
- Data that has been anonymized (truly anonymized, not just pseudonymized)
- Personal data processed by an individual for personal or domestic purposes
- Data made publicly available by the Data Principal themselves or required to be published by law
Significant data fiduciary: The higher compliance tier
The Indian government can designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on:
- Volume and sensitivity of personal data processed
- Risk to the rights of Data Principals
- Potential impact on India's sovereignty and integrity
- Risk to electoral democracy
- Security of the state
- Public order
If you're designated as a Significant Data Fiduciary, you face additional obligations that regular Data Fiduciaries don't:
| Obligation | Regular Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Consent management | Required | Required |
| Data Principal rights | Required | Required |
| Data breach notification | Required | Required |
| Data Protection Officer (based in India) | Not required | Required |
| Data Protection Impact Assessment | Not required | Required |
| Periodic independent audits | Not required | Required |
| Reporting to the Data Protection Board | As needed | Periodic |
The government hasn't published the full list of Significant Data Fiduciaries yet. But if your app processes data from millions of Indian users or handles sensitive categories (health, financial, biometric), plan as if you'll be designated.
What the law requires
The DPDP Act is built on seven core obligations. Each one maps directly to architecture decisions in your app.
1. Consent-based processing
All personal data processing requires the Data Principal's consent, unless it falls under a "legitimate use" exception. The consent must be:
- Free - not bundled with access to the service (no "consent or leave" walls for non-essential data)
- Specific - tied to a stated purpose
- Informed - the Data Principal knows exactly what data is collected and why
- Unconditional - no penalties for withholding consent for non-essential processing
- Unambiguous - clear affirmative action, not pre-checked boxes or implied consent
The consent notice must be in plain language. If your app serves users across India's linguistic diversity, the notice should be available in English and relevant regional languages.
The withdrawal test. The DPDP Act requires that withdrawing consent must be as easy as giving it. If consent takes one tap, withdrawal can't require navigating five settings pages and sending an email. This is a design constraint, not just a legal one.
Legitimate uses (no consent needed)
The DPDP Act allows processing without consent in specific scenarios:
- Voluntary provision - data the user provides voluntarily for a specific purpose (e.g., filling out a delivery address for an order)
- State functions - government-authorized processing for subsidies, licenses, permits
- Legal obligations - processing required by law (tax reporting, regulatory filing)
- Medical emergencies - processing necessary to protect life or health
- Employment - processing necessary for employer-employee relationships
- Public interest - preventing fraud, network security, credit scoring (within bounds)
Even under legitimate use, you must still provide notice about the processing and honor Data Principal rights.
2. Rights of data principals
The DPDP Act grants individuals five rights. Your app must have mechanisms to fulfill each one.
Right to Information - Data Principals can request a summary of their personal data being processed, the processing purposes, and the categories of third parties with whom data has been shared.
Right to Correction and Erasure - Data Principals can request correction of inaccurate data and erasure of data that's no longer necessary for the purpose it was collected.
Right to Grievance Redressal - Every Data Fiduciary must have a grievance redressal mechanism. The Data Principal can escalate unresolved grievances to the Data Protection Board of India.
Right to Nominate - Data Principals can nominate another individual to exercise their rights in case of death or incapacity. This is unique to the DPDP Act - GDPR doesn't have an equivalent.
Duties of Data Principals - Unique to the DPDP Act, individuals also have duties: not to file false complaints, not to suppress material information, and not to provide false personal data.
3. Purpose limitation
Data can only be processed for the purpose stated in the consent notice. If you collect email addresses for order confirmation, you can't use them for marketing without separate consent. Each new purpose requires fresh consent.
4. Data retention limits
Personal data must be erased once the purpose for which it was collected has been fulfilled and retention is no longer necessary for that purpose - or when the Data Principal withdraws consent. You can't keep data indefinitely "just in case."
Architecture requirement: Build automated data lifecycle management. Define retention periods per data category. When the period expires or the purpose is fulfilled, trigger deletion.
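The lifecycle rule above, as an added example (not code from the article or from RaftLabs): a retention sweep that erases a record when its category's retention period has expired, when its purpose has been fulfilled, or when consent has been withdrawn, and keeps it only while a legal obligation requires it. The categories, retention periods, the `legal_hold` flag and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention period per data category, in days. Illustrative values only;
# derive your own from the purpose each category was collected for.
RETENTION_DAYS: Dict[str, int] = {
    "delivery_address": 90,
    "support_chat": 365,
    "marketing_profile": 180,
}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


@dataclass
class Record:
    principal_id: str
    category: str
    collected_at: datetime
    purpose_fulfilled: bool = False   # set by the business process (e.g. order delivered)
    consent_withdrawn: bool = False   # set by the consent service on withdrawal
    legal_hold: bool = False          # assumed flag: retention required by law (tax, regulatory)
    erased: bool = False


def erasure_reason(rec: Record, now: datetime) -> Optional[str]:
    """Return why the record must be erased, or None if it may still be kept."""
    if rec.erased:
        return None
    if rec.legal_hold:
        # A legal obligation is a legitimate use; keep the data until the hold lifts.
        return None
    if rec.consent_withdrawn:
        return "consent_withdrawn"
    if rec.purpose_fulfilled:
        return "purpose_fulfilled"
    period = RETENTION_DAYS.get(rec.category)
    if period is None:
        # No policy for this category: fail closed rather than keep it "just in case".
        return "no_retention_policy"
    if now - rec.collected_at > timedelta(days=period):
        return "retention_expired"
    return None


def run_sweep(records: List[Record], now: datetime) -> List[Tuple[str, str, str]]:
    """Mark due records erased and return (principal, category, reason) for each."""
    erased: List[Tuple[str, str, str]] = []
    for rec in records:
        reason = erasure_reason(rec, now)
        if reason:
            # In a real system: delete the row, then enqueue purges for backups
            # and for third-party processors that hold a copy.
            rec.erased = True
            erased.append((rec.principal_id, rec.category, reason))
    return erased


def sample_records() -> List[Record]:
    """Constructed sample data covering each branch of the policy."""
    utc = timezone.utc
    return [
        Record("u1", "delivery_address", datetime(2025, 12, 20, tzinfo=utc), purpose_fulfilled=True),
        Record("u2", "support_chat", datetime(2024, 10, 1, tzinfo=utc)),
        Record("u3", "marketing_profile", datetime(2025, 11, 1, tzinfo=utc), consent_withdrawn=True),
        Record("u4", "delivery_address", datetime(2025, 12, 25, tzinfo=utc)),
        Record("u5", "device_fingerprint", datetime(2025, 12, 30, tzinfo=utc)),
        Record("u6", "support_chat", datetime(2024, 10, 1, tzinfo=utc), legal_hold=True),
    ]


if __name__ == "__main__":
    for item in run_sweep(sample_records(), NOW):
        print(item)
```

Run it as a scheduled job against your real record source; the point of the `no_retention_policy` branch is that a category nobody has written a policy for is treated as overdue, so gaps in the policy table surface as deletions in review rather than as indefinite retention.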
5. Data security
Data Fiduciaries must implement "reasonable security safeguards" to prevent data breaches. The Act doesn't prescribe specific technical standards (unlike PCI DSS, for example), but the expectation is industry-standard security practices: encryption, access controls, monitoring, and incident response.
The threat is real. India's Ministry of Home Affairs told Parliament that 22.68 lakh (2.27 million) cybercrime complaints were filed in 2024 - a 42% jump over 2023 - with Indians losing Rs 22,845 crore (approximately $2.7 billion) to cyber fraud, a 206% increase from the prior year. For companies processing Indian user data, "reasonable security safeguards" is a standard that regulators will evaluate against a threat landscape growing faster than almost anywhere else in the world.
6. Breach notification
If a personal data breach occurs, you must notify:
- The Data Protection Board of India - timing and format to be specified in rules
- The affected Data Principals - with details about the breach and remediation steps
The notification timelines haven't been finalized in the rules yet. But the expectation is rapid disclosure - likely within 72 hours, mirroring the GDPR standard.
7. Cross-border data transfer restrictions
This is one of the DPDP Act's most impactful provisions. Personal data of Indian users can only be transferred to countries that the Indian government has specifically approved through notification.
What this means in practice:
- If your servers are in the US and you process Indian user data, the US must be on the approved list
- Cloud infrastructure in non-approved countries may need to be reconsidered
- Third-party services (analytics, CRM, email platforms) hosted in non-approved countries may need alternatives or data localization
The government hasn't published the final approved-country list as of 2026. But the direction is clear: India is moving toward a whitelist model, not a default-open model. Plan your infrastructure accordingly.
ℹ️ Data localization may be the safest default
How it affects your app architecture
Consent management layer
The DPDP Act's consent requirements are strict and granular. Your consent management system needs to:
- Collect purpose-specific consent - not a single blanket consent checkbox, but separate consent for each processing purpose
- Support easy withdrawal - a consent dashboard where users can revoke specific consents with the same effort it took to grant them
- Record consent proof - timestamp, purpose, version of consent notice, and method of consent for every consent event
- Handle consent in multiple languages - India has 22 official languages; at minimum, support English and Hindi
Architecture pattern: Build a consent service that sits between your data collection layer and your data processing layer. Every data write checks the consent state for the relevant purpose. If consent isn't present, the write is blocked.
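The consent-service pattern above, as an added example (not code from the article or from RaftLabs): a service that records proof for every consent event (timestamp, purpose, notice version, method), makes withdrawal the same single call as granting, and blocks any write whose stated purpose has no current consent. The purposes, notice versions and user ids are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent event, kept as proof; the event log is append-only."""
    principal_id: str
    purpose: str
    notice_version: str
    method: str          # how it was given/withdrawn, e.g. "signup_checkbox"
    granted: bool        # True = given, False = withdrawn
    at: datetime


class ConsentDeniedError(Exception):
    """Raised when a write is attempted without consent for its purpose."""


class ConsentService:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, principal_id, purpose, notice_version, method, granted, at=None) -> None:
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(principal_id, purpose, notice_version, method, granted, at))

    def grant(self, principal_id: str, purpose: str, notice_version: str, method: str, at=None) -> None:
        self._record(principal_id, purpose, notice_version, method, True, at)

    def withdraw(self, principal_id: str, purpose: str, method: str, at=None) -> None:
        # One call, same as granting: the withdrawal path adds no extra steps.
        ev = self.latest(principal_id, purpose)
        self._record(principal_id, purpose, ev.notice_version if ev else "n/a", method, False, at)

    def latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        # The most recent event for (principal, purpose) is the current state.
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        ev = self.latest(principal_id, purpose)
        return ev is not None and ev.granted

    def proof(self, principal_id: str) -> List[dict]:
        """Audit trail for one Data Principal, oldest first."""
        return [{"purpose": e.purpose, "notice_version": e.notice_version, "method": e.method,
                 "granted": e.granted, "at": e.at.isoformat()}
                for e in self._events if e.principal_id == principal_id]


class UserDataStore:
    """Processing layer: every write names its purpose and is checked first."""

    def __init__(self, consent: ConsentService) -> None:
        self._consent = consent
        self._rows: Dict[str, Dict[str, str]] = {}

    def write(self, principal_id: str, field_name: str, value: str, purpose: str) -> None:
        if not self._consent.has_consent(principal_id, purpose):
            raise ConsentDeniedError(f"no consent from {principal_id} for purpose {purpose!r}")
        self._rows.setdefault(principal_id, {})[field_name] = value

    def read(self, principal_id: str) -> Dict[str, str]:
        return dict(self._rows.get(principal_id, {}))


def demo() -> dict:
    """Grant one purpose, attempt a second purpose without consent, then withdraw."""
    svc = ConsentService()
    store = UserDataStore(svc)
    svc.grant("user-42", "order_confirmation", "notice-v3", "signup_checkbox")
    store.write("user-42", "email", "u42@example.com", purpose="order_confirmation")
    marketing_blocked = False
    try:   # purpose limitation: same field, different purpose, no separate consent
        store.write("user-42", "email", "u42@example.com", purpose="marketing")
    except ConsentDeniedError:
        marketing_blocked = True
    svc.withdraw("user-42", "order_confirmation", "in_app_toggle")
    return {"marketing_blocked": marketing_blocked,
            "still_consented": svc.has_consent("user-42", "order_confirmation"),
            "events_recorded": len(svc.proof("user-42")),
            "stored": store.read("user-42")}


if __name__ == "__main__":
    print(demo())
```

Keeping the event log append-only rather than overwriting a per-user flag is what gives you the proof record the checklist asks for: the log shows which notice version the user saw, how they acted, and when, for both the grant and the later withdrawal.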
Data principal rights system
Similar to GDPR's Data Subject Access Request (DSAR) system, you need infrastructure to handle rights requests:
- Access requests - generate a structured summary of all personal data held for a Data Principal
- Correction requests - update data across all systems where it's stored
- Erasure requests - delete data from primary databases, backups (within reasonable timeframes), and third-party systems
- Nomination management - store and verify nominee designations
Response timelines will be defined in the rules. Plan for 30 days as a reasonable baseline, matching the GDPR standard.
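The rights-request infrastructure described above, as an added example (not code from the article or from RaftLabs): a handler that builds a structured access summary from every system holding a Data Principal's data, propagates an erasure across those systems and queues purge notices to the third parties that received copies, and tracks the 30-day response window suggested as a baseline. The systems, their contents, purposes and vendor names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# system name -> principal_id -> {field: value}. In practice each entry is an
# adapter over the primary DB, the CRM, the analytics tool, and so on.
Systems = Dict[str, Dict[str, Dict[str, str]]]

# Purpose and third-party recipients per system (assumed).
SYSTEM_META: Dict[str, dict] = {
    "primary_db": {"purpose": "account_management", "shared_with": []},
    "crm":        {"purpose": "customer_support",   "shared_with": ["crm_vendor"]},
    "analytics":  {"purpose": "product_analytics",  "shared_with": ["analytics_vendor"]},
}
RESPONSE_WINDOW = timedelta(days=30)   # baseline only; the notified rules set the real timeline


def sample_systems() -> Systems:
    """Constructed contents of three systems that all hold data about user-7."""
    return {
        "primary_db": {"user-7": {"name": "A. Kumar", "email": "ak@example.in"}},
        "crm":        {"user-7": {"email": "ak@example.in", "segment": "returning"}},
        "analytics":  {"user-7": {"device_id": "dev-9f2"}},
    }


@dataclass
class RightsRequest:
    principal_id: str
    kind: str                              # "access" or "erasure"
    received_at: datetime
    completed_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)

    @property
    def due_at(self) -> datetime:
        return self.received_at + RESPONSE_WINDOW

    def overdue(self, now: datetime) -> bool:
        """True while the request is still open and past its response deadline."""
        return self.completed_at is None and now > self.due_at


def access_summary(systems: Systems, principal_id: str) -> dict:
    """Right to Information: which systems hold data, for what purpose, shared with whom."""
    held: Dict[str, dict] = {}
    third_parties: set = set()
    for name, rows in systems.items():
        if principal_id in rows:
            held[name] = {"fields": sorted(rows[principal_id]), "purpose": SYSTEM_META[name]["purpose"]}
            third_parties.update(SYSTEM_META[name]["shared_with"])
    return {"principal_id": principal_id, "systems": held, "third_parties": sorted(third_parties)}


def erase_everywhere(systems: Systems, req: RightsRequest, now: datetime) -> List[str]:
    """Right to Erasure: remove the principal from every system and record each step."""
    touched: List[str] = []
    for name, rows in systems.items():
        if rows.pop(req.principal_id, None) is not None:
            touched.append(name)
            req.log.append(f"{now.isoformat()} erased from {name}")
    # Third parties that received the data need their own purge request.
    for vendor in sorted({v for n in touched for v in SYSTEM_META[n]["shared_with"]}):
        req.log.append(f"{now.isoformat()} erasure notice queued for {vendor}")
    req.completed_at = now
    return touched


def demo() -> dict:
    """Run an access request, then an erasure, against the sample systems."""
    utc = timezone.utc
    systems = sample_systems()
    before = access_summary(systems, "user-7")
    req = RightsRequest("user-7", "erasure", received_at=datetime(2026, 1, 5, tzinfo=utc))
    touched = erase_everywhere(systems, req, now=datetime(2026, 1, 10, tzinfo=utc))
    after = access_summary(systems, "user-7")
    stale = RightsRequest("user-8", "access", received_at=datetime(2026, 1, 1, tzinfo=utc))
    return {
        "third_parties_before": before["third_parties"],
        "systems_before": sorted(before["systems"]),
        "touched": touched,
        "systems_after": sorted(after["systems"]),
        "log_entries": len(req.log),
        "completed_request_overdue": req.overdue(datetime(2026, 2, 10, tzinfo=utc)),
        "open_request_overdue": stale.overdue(datetime(2026, 2, 10, tzinfo=utc)),
    }


if __name__ == "__main__":
    print(demo())
```

The same `SYSTEM_META` table drives both the access summary (which third parties to disclose) and the erasure (which third parties to notify), so the two answers cannot drift apart; the backup purge the text mentions would be one more entry in that table with its own, longer completion window.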
Data localization architecture
Given the cross-border transfer restrictions, your infrastructure for Indian user data should default to Indian data centers:
- Primary database - hosted in India (AWS Mumbai, Azure Central India, or GCP Mumbai)
- Backups - also in India unless the backup destination country is on the approved list
- CDN and edge caching - personal data shouldn't be cached at edge locations outside India
- Third-party integrations - audit every integration for where data is processed. If your CRM is US-only, you may need an India-compatible alternative or an Indian data processing node
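The integration audit and routing rule above, as an added example (not code from the article or from RaftLabs): it checks where each integration processes Indian users' personal data against an allow-list of government-notified countries, and picks a storage region that keeps Indian personal data in India. Because the government has not published the notified-country list, `NOTIFIED_COUNTRIES` is a placeholder containing only India; the integrations and the region table are constructed for illustration (ap-south-1 is AWS's Mumbai region).

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# PLACEHOLDER: only India until the official notification is issued.
NOTIFIED_COUNTRIES: Set[str] = {"IN"}

# Candidate storage regions as (cloud region id, country). Constructed table.
STORAGE_REGIONS: List[Tuple[str, str]] = [
    ("us-east-1", "US"),
    ("eu-west-1", "IE"),
    ("ap-south-1", "IN"),   # AWS Mumbai
]


@dataclass(frozen=True)
class Integration:
    name: str
    country: str                   # ISO 3166-1 alpha-2 of where it processes data
    receives_personal_data: bool   # False for aggregate/anonymised feeds
    fields: Tuple[str, ...] = ()


# Constructed inventory of the integrations an app might have.
SAMPLE_INTEGRATIONS: List[Integration] = [
    Integration("primary_db", "IN", True, ("name", "email", "phone")),
    Integration("crm", "US", True, ("email", "name")),
    Integration("email_platform", "IE", True, ("email",)),
    Integration("status_page", "US", False),
    Integration("aggregate_metrics", "US", False),
]


def transfer_allowed(destination_country: str, notified: Optional[Set[str]] = None) -> bool:
    """Whitelist model: a transfer is allowed only if the destination is notified."""
    allowed = NOTIFIED_COUNTRIES if notified is None else notified
    return destination_country.upper() in allowed


def audit_integrations(integrations: List[Integration],
                       notified: Optional[Set[str]] = None) -> List[dict]:
    """List every integration that would move personal data to a non-notified country."""
    findings: List[dict] = []
    for integ in integrations:
        if not integ.receives_personal_data:
            continue   # anonymised data is outside the Act's scope
        if not transfer_allowed(integ.country, notified):
            findings.append({
                "integration": integ.name,
                "country": integ.country,
                "fields": list(integ.fields),
                "action": "route to an Indian processing node or replace the service",
            })
    return findings


def storage_region_for(user_country: str, notified: Optional[Set[str]] = None) -> Optional[str]:
    """Data routing rule: Indian users' data goes to an Indian region by default,
    and only falls back to a region in a notified country if none exists."""
    if user_country.upper() != "IN":
        return STORAGE_REGIONS[0][0]   # outside this rule's scope; first configured region
    for region, country in STORAGE_REGIONS:
        if country == "IN":
            return region
    for region, country in STORAGE_REGIONS:
        if transfer_allowed(country, notified):
            return region
    return None


if __name__ == "__main__":
    for finding in audit_integrations(SAMPLE_INTEGRATIONS):
        print(finding)
    print("Indian users ->", storage_region_for("IN"))
```

Run the audit from CI against your real integration inventory so a newly added US-hosted service fails the build rather than being discovered later; when the notified list is published, replacing the placeholder set is the only change needed.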
Children's data: Under 18 in India
The DPDP Act sets the age of consent at 18 - higher than GDPR's 16 or COPPA's 13. If your app has Indian users under 18, you need:
- Verifiable parental consent before collecting any personal data
- No behavioral monitoring or tracking of child users
- No targeted advertising to child users
- Age verification that's appropriate to the risk level
This is a significant architectural consideration for apps popular with teenagers (social media, gaming, educational platforms). A 15-year-old can consent to data collection under GDPR but not under the DPDP Act.
Grievance redressal mechanism
Every Data Fiduciary must provide a way for Data Principals to raise grievances about data processing. This isn't just a "Contact Us" form - it needs to be:
- Accessible within the app (not just on a website footer)
- Tracked with response timelines
- Escalatable to the Data Protection Board if unresolved
Build this as a ticketing system with SLA tracking. If a grievance isn't resolved within the prescribed timeline, the Data Principal can escalate to the Data Protection Board - and that's when regulatory scrutiny begins.
DPDP Act vs. GDPR: Key differences
"The cross-border transfer rules are where DPDP projects get stuck. With GDPR, you have multiple mechanisms - SCCs, adequacy decisions, BCRs. With DPDP, you have one: government-approved countries. Until the approved-country list is finalized, the only safe default is Indian data centers for Indian user data. Every project we start for the Indian market begins with data localization as the baseline, not an option." - RaftLabs Engineering Team
If you've already built for GDPR, you're 70-80% of the way to DPDP compliance. But the differences matter.
| Feature | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Maximum penalty | 4% of global revenue or 20M euros | 250 crore INR (~$30M) fixed cap |
| Child's age of consent | 16 (member states can lower to 13) | 18 |
| Right to data portability | Yes | Not explicitly included |
| Cross-border transfers | Multiple mechanisms (adequacy, SCCs, BCRs) | Government-notified whitelist only |
| Data Protection Officer | Required for large-scale processing | Required for Significant Data Fiduciaries only |
| Legitimate interest basis | Yes (broad) | More limited "legitimate uses" |
| Right to nominate | No | Yes (unique to DPDP) |
| Duties of individuals | No | Yes (Data Principals have duties) |
| Language of consent | Any official EU language | Must be available in languages accessible to the Data Principal |
The biggest practical difference is cross-border transfers. GDPR offers multiple mechanisms (Standard Contractual Clauses, Binding Corporate Rules, adequacy decisions). The DPDP Act offers one: government-approved countries. If India doesn't approve your hosting country, you're stuck.
What compliance costs vs. what non-compliance costs
Building DPDP-compliant: $35,000-$90,000
Incremental cost of building DPDP compliance into your app architecture:
- Consent management system - $8,000-$20,000 (purpose-specific, multi-language)
- Data Principal rights infrastructure - $10,000-$25,000 (access, correction, erasure, nomination)
- Data localization setup - $5,000-$15,000 (Indian data center configuration, data routing)
- Grievance redressal system - $3,000-$8,000
- Children's data handling - $5,000-$12,000 (age verification, parental consent for under-18)
- Legal review - $4,000-$10,000
Non-compliance penalties
The DPDP Act uses a fixed penalty model, not a revenue-based model:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security measures to prevent a data breach | 250 crore INR (~$30M) |
| Failure to notify the Board and affected Data Principals of a breach | 200 crore INR (~$24M) |
| Non-compliance with obligations related to children's data | 200 crore INR (~$24M) |
| Non-compliance with Significant Data Fiduciary obligations | 150 crore INR (~$18M) |
| General non-compliance with any provision | 50 crore INR (~$6M) |
| Data Principal's breach of duties (false complaints, false data) | 10,000 INR (~$120) |
These are per-violation penalties. A single data breach affecting multiple provisions could trigger penalties under multiple categories simultaneously.
Questions to ask your development partner
- Have you built apps that comply with Indian data protection requirements? Look for: specific experience with Indian data localization, familiarity with the DPDP Act's consent model, and understanding of the Significant Data Fiduciary tier.
- How do you handle data localization for Indian users? Look for: experience with AWS Mumbai, Azure Central India, or GCP Mumbai regions. They should understand data routing to keep personal data within India. Red flag: "We'll just host everything in US-East."
- How do you build consent management for multiple purposes and languages? Look for: purpose-specific consent architecture, Hindi/English at minimum, consent withdrawal that matches consent collection in ease of use.
- What's your approach to the under-18 age threshold? Look for: awareness that India's threshold is 18, not 13 or 16. Age verification and parental consent flows appropriate for a teenage user base.
- How do you handle cross-border data transfer restrictions? Look for: understanding that DPDP uses a whitelist model, practical data routing architecture, audit of third-party services for data processing locations.
- Can you build the grievance redressal mechanism required by the DPDP Act? Look for: ticketing system with SLA tracking, escalation paths, integration with the app's user interface. Red flag: "We'll add a contact form."
Your compliance checklist
Consent management
- Purpose-specific consent is collected for each data processing activity
- Consent notices are clear, specific, and available in relevant languages
- Consent can be withdrawn as easily as it was given (same number of steps)
- Consent records are stored with timestamp, purpose, notice version, and method
- No data processing occurs without valid consent or a legitimate use basis
- Consent is refreshed when purposes change or new processing activities begin
Data principal rights
- Access request mechanism exists and responds within the prescribed timeline
- Correction requests update data across all systems where it's stored
- Erasure requests delete data from primary databases, backups, and third-party systems
- Nomination feature allows Data Principals to designate a nominee
- All rights requests are logged and tracked with response timestamps
Data localization and transfers
- Indian users' personal data is stored in Indian data centers by default
- Cross-border transfers only occur to government-notified approved countries
- Third-party services have been audited for data processing locations
- Data routing rules prevent Indian personal data from flowing to non-approved jurisdictions
- Cloud infrastructure configuration is documented for audit purposes
Children's data (under 18)
- Age verification is implemented for Indian users
- Verifiable parental consent is obtained for users under 18
- No behavioral monitoring or tracking of child users
- No targeted advertising to child users
- Separate retention policies apply to children's data
Security and breach response
- Reasonable security safeguards are implemented (encryption, access controls, monitoring)
- Data breach detection and notification procedures are in place
- Breach notification workflows cover both the Data Protection Board and affected Data Principals
- Incident response plan specifically addresses personal data breaches
Grievance redressal
- Grievance mechanism is accessible within the app
- Grievances are tracked with SLA timelines
- Escalation path to the Data Protection Board is documented
- Response quality and timelines are monitored
Significant data fiduciary (if applicable)
- Data Protection Officer is appointed and based in India
- Data Protection Impact Assessment has been conducted
- Independent audit is scheduled per the required frequency
- Periodic reporting to the Data Protection Board is in place
India's DPDP Act is the most significant privacy law to emerge since GDPR. With over 1 billion internet users and a government that's shown willingness to enforce digital regulations, this isn't a law you can ignore. The DPDP Rules were notified in November 2025 with a full compliance deadline of May 13, 2027 - meaning the clock is running. The smartest approach: build compliance into your architecture now, while the rules are still being finalized, rather than scrambling to retrofit once enforcement begins.
If you're building an app that serves Indian users, RaftLabs's team has deep experience with Indian market requirements and data localization architecture. We build the consent management, data principal rights, and localization infrastructure in the first architecture sprint - not as an afterthought.
Frequently Asked Questions
The Digital Personal Data Protection Act 2023 is India's first standalone data privacy law. It governs how businesses collect, store, process, and share personal data of individuals in India (called Data Principals). The law applies to digital personal data processed within India and to processing outside India if it relates to offering goods or services to people in India.
The DPDP Act was passed by the Indian Parliament in August 2023 and received Presidential assent. The government is implementing it in phases, with rules being notified progressively. Businesses should start building compliance architecture now - waiting for final enforcement dates is the same mistake companies made with GDPR, and the cost of retroactive compliance is 3-5x higher.
A Data Fiduciary is any person or organization that determines the purpose and means of processing personal data - equivalent to a 'data controller' under GDPR. If your app collects and uses personal data from Indian users, you're a Data Fiduciary. A Data Processor is someone who processes data on behalf of a Data Fiduciary (like a cloud hosting provider or analytics service).
The Indian government designates certain Data Fiduciaries as 'Significant' based on the volume and sensitivity of data they process, risk to data principals, potential impact on national security, and other factors. Significant Data Fiduciaries face stricter obligations including appointing a Data Protection Officer based in India, conducting Data Protection Impact Assessments, and submitting to periodic independent audits.
The DPDP Act requires verifiable parental consent before processing any personal data of children (under 18 in India, compared to under 13 in the US or under 16 in the EU). It also prohibits tracking, behavioral monitoring, and targeted advertising directed at children. Data Fiduciaries cannot process children's data in ways that are likely to cause harm to the child.
Yes, but only to countries that the Indian government has specifically notified as approved destinations. Transfers to countries not on the approved list are prohibited. The government hasn't published the final list yet, but it's expected to follow a model similar to GDPR adequacy decisions. Until the list is published, businesses should plan for data localization as the default.
The DPDP Act is similar to GDPR in its consent-based framework, individual rights, and Data Protection Officer requirements. Key differences: DPDP has fixed penalties (up to 250 crore INR) rather than revenue-based fines, it defines children as under 18 (not 16), it uses a government-notified whitelist for cross-border transfers (rather than multiple transfer mechanisms), and it currently lacks a right to data portability. The DPDP Act is also shorter and less prescriptive than GDPR - many details will be defined through rules and notifications.
