Why India’s DPDPA is Rewriting the Global Privacy Playbook
With the phased rollout of India’s Digital Personal Data Protection Act (DPDPA) now underway, organizations must consider the necessary infrastructure changes required to meet this new privacy framework. As the world’s most populous country with 1.47 billion people and a highly globalized economy, India also surpassed 950 million active internet users in 2025. For any organization operating or serving customers in APAC, it’s one of the most significant shifts in global privacy regulation since GDPR went into force.
Progress Software’s Global Data Privacy Counsel Sarib Khan described the phased implementation as giving “India’s diverse ecosystem a realistic runway to build privacy governance and technical readiness.” That runway, however, is shorter than it looks, and some features introduced by the DPDPA stand out as uniquely Indian solutions that may influence international privacy practice.
The $27M+ Question with a 2027 Deadline
Under the DPDPA, fines for non-compliance can reach up to ₹250 Crore (approximately $27M USD) for failures to maintain reasonable security safeguards, and the Data Protection Board (DPB) can stack penalties across multiple instances of noncompliance, so exposure adds up fast. More significantly, the DPB can recommend that the government block a noncompliant organization’s access to the Indian market entirely.
Two upcoming dates compliance teams should be aware of:
- November 13, 2026 – Consent Managers must register as third-party intermediaries to manage user consent and permissions. The DPB will handle registration.
- May 13, 2027 – Full operational compliance with the DPDP Act is required for all covered businesses. This date marks the end of the phased implementation period and the activation of the Data Protection Board’s full enforcement authority for core obligations applicable to Data Fiduciaries (see next section for definition).
Definition of Terms
While many terms are common to other data privacy laws, here are some that are unique to the DPDPA.
Data Principal – The individual whose data is being processed, commonly referred to as data subject in other laws.
Registered Consent Manager – This is different from a Consent Management Platform (CMP) and refers to a legal entity that acts as a dashboard for a data principal to manage consent to data processing across many companies. Data fiduciaries do not need to register as a consent manager, and most companies will use their existing CMP to manage the law’s consent requirements. See the section on Consent Manager below for more information.
Data Fiduciary – Any organization that determines the purpose and means of processing personal data is classified as a Data Fiduciary, the Indian equivalent of what GDPR calls a data controller. If your business collects, stores, or processes data about Indian users, that’s you.
Significant Data Fiduciary (SDF) – A subset of data fiduciaries designated by the government, based on:
- Scale of data processing (telecom companies, major financial institutions, large social media platforms)
- Sensitivity of data handled (financial, health, or biometric data)
- Risk to individual rights or public welfare
- Potential impact on national security, public order, or electoral integrity
Once designated, SDFs face enhanced obligations beyond standard data fiduciary requirements:
- Appoint an India-based Data Protection Officer (DPO), reporting directly to the board
- Conduct mandatory Data Protection Impact Assessments (DPIAs)
- Submit to periodic independent audits
- Apply additional due diligence on algorithms and technical systems
The official SDF list has not yet been published but is expected post-May 2027. Large global platforms with significant Indian user data should assume designation and prepare accordingly.
What Needs to Happen by May 2027
This is a summary of what companies need to have in place by the time DPDPA is in full effect:
- Implement compliant notice mechanisms
- Deploy granular consent management systems
- Establish user rights exercise infrastructure (90-day resolution)
- Implement breach detection and 72-hour notification capabilities
- Deploy security safeguards (encryption, access controls, logging)
- Establish data retention and automated deletion systems
- Implement children’s data protection (verifiable parental consent)
- Establish grievance redressal mechanisms
- Appoint Data Protection Officer (if SDF)
- Conduct Data Protection Impact Assessment (DPIA) and audits (if SDF)
Now, let’s look at some of the key features that companies need to consider.
Data Not Based on Sensitivity
In a clear departure from GDPR, the DPDPA applies uniformly to all types of personal data without regard to sensitivity (like medical information or sexual orientation) and applies to “any data about an individual who is identifiable by or in relation to such data.”
The End of “Legitimate Interest”
The DPDPA’s approach to lawful data processing is both more streamlined and more demanding than most global privacy frameworks. Consent is the primary basis for processing personal data, and the grounds for processing without it are narrow and specific:
- complying with legal obligations
- performing state functions
- responding to medical emergencies
- maintaining public safety
The flexible “legitimate interest” basis that many organizations rely on under GDPR, and the contractual-necessity basis alongside it, simply don’t exist here.
Dark Patterns Get Specific
India’s approach to deceptive design is more legally sophisticated than most privacy frameworks. It doesn’t just prohibit dark patterns; it makes any consent obtained through them legally void. Under Section 6(1) of the DPDPA, consent must be free, specific, informed, unconditional, and unambiguous. A dark pattern that manipulates users into agreeing to data collection fails that standard at the threshold, which means the data processing built on that consent is unlawful from the start.
The DPDPA works in tandem here with the Central Consumer Protection Authority’s Guidelines for Prevention and Regulation of Dark Patterns, 2023, which formally enumerates thirteen prohibited patterns. Several of these map directly onto DPDPA consent violations:
- Confirm Shaming: Using guilt-tripping language to nudge a Yes
- Forced Action: Making access to a product or service conditional on consent to data processing that isn’t necessary for that service
- Basket Sneaking: Adding items to a cart (like insurance) without explicit consent
- Interface Interference: Visually obscuring the decline option while highlighting “accept all”
- Subscription Trap: Burying the consent withdrawal process in layers of menus or deliberately making it confusing
- Nagging: Repeatedly disrupting or prompting users to make a transaction
The practical implication is significant: a UX pattern your team may have treated as an aggressive-but-legal conversion tactic is now a compliance failure. Web and product teams need to audit consent flows with the same rigor applied to legal review.
The Consent Manager: A New Privacy Infrastructure Layer
You don’t need to become a registered Consent Manager, and you’re not required to integrate with one. What you do need is a compliant consent management platform of your own – one that captures granular, auditable consent records and can honor withdrawals promptly. The distinction matters because the two terms get conflated: a standard CMP handles consent for your own website or app; a registered Consent Manager is an independent legal entity serving users across many companies simultaneously, registered with India’s Data Protection Board and required to maintain immutable consent records for seven years.
The technical bar for your own consent infrastructure is still substantial. Consent records must be structured, auditable, and specific, documenting exactly what the user consented to, for which purpose, and when. And Consent Managers must be incorporated in India to qualify for registration, meaning global platforms won’t be eligible for that role. But for most data fiduciaries, the focus should be on getting your own consent capture and record-keeping in order well before the May 2027 enforcement date.
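To make the record-keeping requirement concrete, here is an added Python example of an append-only consent ledger. It is illustrative code written for this post, not ObservePoint’s product, a registered Consent Manager, or any schema the DPDPA or its Rules prescribe; the field names (purpose, notice_version, language), the sample principal ids and the dates are all assumptions. It shows the three properties the paragraph above asks for: one specific purpose per record, a timestamp on every event, and withdrawals that are honoured from the moment they are recorded without erasing the original grant from the audit trail.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str              # the Data Principal the record belongs to
    purpose: str                   # exactly one processing purpose per record
    granted: bool                  # True = consent given, False = withdrawn
    recorded_at: datetime          # timezone-aware timestamp of the event
    notice_version: Optional[str]  # notice text shown (None for withdrawals)
    language: Optional[str]        # language the notice was served in


class ConsentLedger:
    """Append-only log: events are never edited or deleted, only added."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        if event.recorded_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              language: str, at: datetime) -> None:
        self._append(ConsentEvent(principal_id, purpose, True, at,
                                  notice_version, language))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        # A withdrawal is a new event, so the original grant stays auditable
        self._append(ConsentEvent(principal_id, purpose, False, at, None, None))

    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Processing for `purpose` is allowed at `at` only if the most recent
        event for this principal and purpose, up to that moment, is a grant.
        A purpose that was never consented to is denied by default."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if (e.principal_id == principal_id and e.purpose == purpose
                    and e.recorded_at <= at
                    and (latest is None or e.recorded_at >= latest.recorded_at)):
                latest = e
        return latest is not None and latest.granted

    def history(self, principal_id: str) -> list[ConsentEvent]:
        """Everything ever recorded for one principal, in recording order."""
        return [e for e in self._events if e.principal_id == principal_id]


def demo() -> dict:
    """Constructed sample events; ids, purposes and notice versions are invented."""
    utc = timezone.utc
    ledger = ConsentLedger()
    t_grant = datetime(2026, 6, 1, 10, 0, tzinfo=utc)
    ledger.grant("dp-001", "order_fulfilment", "notice-v3", "hi", t_grant)
    ledger.grant("dp-001", "marketing_email", "notice-v3", "hi", t_grant)
    ledger.withdraw("dp-001", "marketing_email",
                    datetime(2026, 6, 15, 9, 30, tzinfo=utc))
    try:  # a naive (no timezone) timestamp must be refused, not silently stored
        ledger.withdraw("dp-001", "order_fulfilment", datetime(2026, 6, 16))
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    jun_10 = datetime(2026, 6, 10, tzinfo=utc)
    jun_16 = datetime(2026, 6, 16, tzinfo=utc)
    return {
        "marketing_on_jun_10": ledger.is_permitted("dp-001", "marketing_email", jun_10),
        "marketing_on_jun_16": ledger.is_permitted("dp-001", "marketing_email", jun_16),
        "fulfilment_on_jun_16": ledger.is_permitted("dp-001", "order_fulfilment", jun_16),
        "analytics_never_asked": ledger.is_permitted("dp-001", "analytics", jun_16),
        "events_for_dp_001": len(ledger.history("dp-001")),
        "naive_timestamp_rejected": naive_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `is_permitted` is answered from the log itself rather than from a mutable “current consent” flag: the same query that gates processing today is the evidence you would produce if the Board asks whether valid consent existed on a given date. In production the list would be a write-once store (a database table with no UPDATE or DELETE grants, or a signed append-only log), and the notice text for each `notice_version` and `language` would be archived alongside it.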
Children’s Data: A Higher Bar
The DPDPA sets 18 as the age threshold for children’s data protection, which is higher than GDPR’s 13-16 range. Under Section 9, behavioral tracking, profiling, and targeted advertising directed at minors are prohibited outright, and processing their personal data requires verifiable parental or guardian consent. The 2025 Rules are specific about what “verifiable” means: organizations can use identity information already on file for existing users, rely on details voluntarily provided by a parent, or use a third-party verification service like a virtual token mapped to the parent’s credentials. Exceptions exist for healthcare, education, and daycare services to process children’s data, but the default is restrictive.
As attorney Komal Thacker noted in a February 2026 IAPP analysis, the age number itself isn’t really where the compliance burden falls; it’s the verification and design architecture the law requires around it. An honor-system date-of-birth field doesn’t meet the standard. Onboarding flows, parental consent mechanisms, and data architecture all need to be built around the assumption that a meaningful portion of users may be minors, and websites that can’t reliably make that determination will be in violation.
Notices in 22 Languages – Not a Suggestion
India’s Constitution recognizes 22 official languages in its Eighth Schedule, ranging from Hindi and Bengali to Tamil, Telugu, Kannada, and Maithili. Under the DPDPA, consent notices must be accessible in English and all 22 of those languages. A notice a user cannot understand in their own language is potentially invalid consent, which means the data processing built on it is unlawful.
Breach Notification: Every Breach, Every Time
Most breach notification frameworks, GDPR included, build in a materiality threshold. You assess the risk, and if it clears a certain bar, you notify. The DPDPA drops that threshold entirely. Under Rule 7 of the 2025 Rules, every personal data breach triggers a three-part notification obligation, with no minimum severity requirement.
First, affected individuals must be notified without delay, through their registered communication channel and in plain language, of:
- the nature and extent of the breach
- likely consequences relevant to that individual
- mitigation steps underway
- safety measures they can take
- a contact person for follow-up questions
Second, the Data Protection Board must also receive an initial notification without delay, with a preliminary description of the breach and its likely impact.
Third, within 72 hours, the Board requires a comprehensive follow-up: the broad facts and circumstances of how the breach occurred, mitigation measures taken or proposed, any findings about who caused it, remedial steps to prevent recurrence, and a full report on the individual notifications sent.
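The three-part obligation above is easier to track as a checklist with a clock attached. The following Python example is added here for illustration; it is not a regulator’s template or ObservePoint code. The five items of the individual notice and the five items of the Board follow-up come from the text above; the assumption that the 72-hour window runs from the moment the fiduciary becomes aware of the breach, the field names, and the sample breach data are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# What the plain-language notice to each affected individual must cover
INDIVIDUAL_NOTICE_FIELDS = (
    "nature_and_extent", "likely_consequences", "mitigation_underway",
    "safety_measures", "contact_person",
)
# What the comprehensive follow-up report to the Board must cover
BOARD_FOLLOWUP_FIELDS = (
    "facts_and_circumstances", "mitigation_measures", "findings_on_cause",
    "remedial_steps", "individual_notification_report",
)
BOARD_FOLLOWUP_WINDOW = timedelta(hours=72)


def missing_fields(document: dict, required: tuple) -> list:
    """Return the required keys that are absent or blank in `document`."""
    return [k for k in required if not str(document.get(k, "")).strip()]


@dataclass
class BreachCase:
    breach_id: str
    aware_at: datetime  # assumption: the 72-hour clock starts here
    individual_notices: dict = field(default_factory=dict)  # principal -> sent_at
    board_initial_at: Optional[datetime] = None
    board_followup_at: Optional[datetime] = None

    def followup_due_by(self) -> datetime:
        return self.aware_at + BOARD_FOLLOWUP_WINDOW

    def notify_individual(self, principal_id: str, notice: dict, sent_at: datetime) -> None:
        missing = missing_fields(notice, INDIVIDUAL_NOTICE_FIELDS)
        if missing:  # refuse to record a notice that leaves a required item out
            raise ValueError(f"individual notice incomplete, missing: {missing}")
        self.individual_notices[principal_id] = sent_at

    def notify_board_initial(self, sent_at: datetime) -> None:
        self.board_initial_at = sent_at

    def notify_board_followup(self, report: dict, sent_at: datetime) -> None:
        missing = missing_fields(report, BOARD_FOLLOWUP_FIELDS)
        if missing:
            raise ValueError(f"board follow-up incomplete, missing: {missing}")
        self.board_followup_at = sent_at

    def status(self, now: datetime) -> dict:
        """Where the case stands at `now`, including whether the 72h report is late."""
        due = self.followup_due_by()
        filed = self.board_followup_at is not None
        return {
            "individuals_notified": len(self.individual_notices),
            "board_initial_sent": self.board_initial_at is not None,
            "board_followup_sent": filed,
            "followup_due_by": due.isoformat(),
            "followup_late": (self.board_followup_at > due) if filed else (now > due),
            "hours_remaining": 0.0 if filed else max(0.0, (due - now).total_seconds() / 3600),
        }


def demo() -> dict:
    """Walk one constructed breach through all three notifications."""
    utc = timezone.utc
    case = BreachCase("BR-EXAMPLE-0001", aware_at=datetime(2026, 6, 1, 8, 0, tzinfo=utc))
    notice = {  # constructed sample text, one entry per required item
        "nature_and_extent": "Unauthorised read access to names and email addresses",
        "likely_consequences": "Higher risk of phishing messages that impersonate us",
        "mitigation_underway": "Access path closed, credentials rotated, logs preserved",
        "safety_measures": "Treat unexpected emails with caution; enable two-factor login",
        "contact_person": "privacy-contact (placeholder)",
    }
    case.notify_individual("dp-001", notice, datetime(2026, 6, 1, 11, 0, tzinfo=utc))
    case.notify_board_initial(datetime(2026, 6, 1, 11, 30, tzinfo=utc))
    t_report = datetime(2026, 6, 3, 20, 0, tzinfo=utc)
    try:  # a partial report must not count as the 72-hour filing
        case.notify_board_followup({"facts_and_circumstances": "only this"}, t_report)
        incomplete_rejected = False
    except ValueError:
        incomplete_rejected = True
    before = case.status(t_report)
    case.notify_board_followup({k: "filled in (constructed)" for k in BOARD_FOLLOWUP_FIELDS}, t_report)
    after = case.status(datetime(2026, 6, 5, tzinfo=utc))
    return {
        "incomplete_rejected": incomplete_rejected,
        "hours_left_before_filing": before["hours_remaining"],
        "late": after["followup_late"],
        "due_by": after["followup_due_by"],
    }


def overdue_example() -> dict:
    """A case where nothing was filed: four days after awareness it is late."""
    utc = timezone.utc
    case = BreachCase("BR-EXAMPLE-0002", aware_at=datetime(2026, 1, 1, tzinfo=utc))
    return case.status(datetime(2026, 1, 5, tzinfo=utc))
```

The check that matters operationally is the one `status` performs with no filing on record: a breach playbook that only records what was sent cannot tell you what is about to be missed. Running this from a scheduler against open cases turns the 72-hour rule into an alert rather than a post-mortem finding.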
Where ObservePoint Fits In
The DPDPA’s requirements don’t just live in your legal team’s inbox; they live in your tag manager, consent flows, third-party scripts, and data architecture. Knowing what your privacy policy says is one thing. Knowing what your website is actually doing is another, and under the DPDPA, the gap between those two things is where liability lives.
ObservePoint’s automated web governance platform continuously scans your digital properties to audit tag behavior, validate that consent management platforms are functioning correctly, and surface instances where data collection may be happening outside the bounds of what users actually consented to. That matters across every dimension of DPDPA compliance we’ve covered here: dark patterns that silently invalidate consent, third-party scripts firing before consent is captured, children’s data flowing through systems without parental consent, and notice requirements that only work if the right version is actually being served to the right user.
The DPDPA places the burden of proof squarely on the data fiduciary. If a question arises in any proceeding about whether valid consent was obtained, you have to be able to demonstrate it. That requires more than good intentions. It requires a documented, auditable, continuously verified record of what’s happening across your properties in real time. That’s the infrastructure ObservePoint is built to provide.
The Bottom Line for Leaders
India has nearly a billion active internet users, no legitimate interest basis for data processing, a universal breach notification requirement, an 18-year age threshold for children’s data, mandatory notices in 22 languages, and a Data Protection Board with the authority to recommend blocking your access to the market entirely. It’s not just another compliance checkbox but a fundamental rethinking of how your digital products handle personal data for this market.
The organizations that navigate May 2027 without disruption are building that infrastructure now, mapping data flows, retooling consent architecture, stress-testing breach response playbooks, and auditing what their sites are actually doing versus what their policies say they’re doing. The phased timeline was designed to give organizations a runway. How much of that runway you have left depends on when you start.
This post is for informational purposes only and does not constitute legal advice. If you need help with building systems for DPDPA, please consult a qualified privacy attorney.