Compliance Changes to Consider: India’s DPDPA

Colin O'Malley

Mar 24, 2026 • 8 min read

The steady drumbeat of announcements from the recent India AI Summit demonstrated the keen interest that Big Tech and international business have in India’s strong consumer market. These companies will now need to comply with the DPDPA, India’s Digital Personal Data Protection Act, whose deadline for full compliance is May 2027, just a little more than a year away. The DPDPA marks a pivotal change in data protection compliance in India, with its basis in explicit consent, prescriptive approach, and broad extraterritorial reach. It will impact any entity doing business in India, hiring Indian employees, or targeting Indian consumers.

The long awaited Final Rules interpreting the DPDPA - India’s Digital Personal Data Protection Act - were issued by India’s Ministry of Electronics & Info Technology in November 2025, and indicate a compliance regime that differs significantly from CCPA, GDPR or any other existing data protection regime when it comes to legal definitions and requirements. For entities considering the Indian consumer market, it’s important to know what these differences are, since compliance with CCPA or the GDPR does not necessarily mean compliance with the DPDPA.

In this article we outline the main requirements of the DPDPA, and how they differ from existing data protection regimes - specifically the CCPA and GDPR. We also review some of the primary changes to current workflows that you should plan for in the next year, ahead of the DPDPA’s deadline for full compliance in May 2027.

DPDPA v. CCPA & GDPR: Key Differences

The DPDPA, like CCPA and GDPR, aims to provide a statutory basis for individual data protection rights - but takes a different approach in at least five key areas:

Bases for Processing - The DPDPA has only two grounds for “lawfully” processing personal data - express or opt-in consent and implied consent for certain “legitimate uses” - collection by/for government, employment, security/fraud prevention, legal compliance, medical emergencies, and data security. This means that sharing of digital personal data for advertising, analytics, marketing, or personalization, will require express opt-in consent under the DPDPA.

The Importance of Express, Demonstrated Consent - The DPDPA not only requires express consent in most instances, it also prescribes how that consent must be demonstrated. Specifically, the law requires integration with “consent managers” - a person or entity that is incorporated in India and subject to regulation by the Indian government, and who will provide tools, such as a consent management platform, to extend, manage, and withdraw consent. Consent managers must be incorporated in India and their structure is further prescribed under the Final Rules.

Data Subject Notice - For consent to be valid, the DPDPA requires that individuals be provided “clear, standalone notice,” before any personal data is processed. The notice must include an itemized description of personal data being collected, the purpose for the data processing, a description of goods or services provided and a description/ link to individual redress mechanisms. Where applicable, just in time notices, with a link to the full privacy policy, may be utilized.

Data Rights & Duties - The DPDPA does not provide individuals the right to restrict processing, and the right to data portability. Unlike CCPA or GDPR it also imposes specific duties on individuals such as duties against misrepresentation and impersonation in the context of a DSR request.

Significant Fiduciaries - The DPDPA states that entities that process significant amounts of digital personal data in India will be designated as “Significant Fiduciaries” (SDFs), by India’s Government and subject to specific data localization and retention, privacy assessment, and audit requirements.

Compliance Changes to Consider Ahead Of May 2027

While the DPDPA’S final compliance deadline is May 2027, the deadlines to implement 3 key provisions of the law - integrations with consent managers, data breach reporting, and individual redress - will happen over the next 12-18 months, With the marked differences between the DPDPA and existing data protection laws it’s important to consider needed changes to compliance workflows now. These will likely include the following tasks:

Revisions to Data Nomenclature - Personal data definitions will need to be revised to reflect the specific terminology of the DPDPA. For instance, the law uses the terms data principals (not “data subjects”), and data fiduciaries (not “data controllers"). The law also expands the definition of “persons” beyond individuals, and includes companies, government entities and “undivided Hindu families.” Current data mapping and inventories will need to be updated to reflect these new terms and definitions.
Redefine Bases for Processing - Under the DPDPA, there are only two grounds for “lawfully” processing personal data - consent and “legitimate uses.” This means that data flows currently categorized under these bases, or under a GDPR focused compliance regime, will need to be re-categorized accordingly.
Integrate with Consent Managers - All workflows based on consent (e.g. customer service, marketing, advertising) will now need to integrate with a “Consent Manager” - an Indian based, regulated intermediary, who must register with the Indian government, and whose form is prescribed under the Final Rules. The framework for Consent Managers is expected to track that of Account Aggregators in India’s financial sector. Already, a few companies, including Concur and One Trust, have registered with the Indian government to provide consent management services.
Data Deletion/Retention - The DPDPA requires deletion of personal data once the purpose of the processing for that data has been fulfilled, for e-commerce entities, online gaming intermediaries, and social media intermediaries, the Final Rules prescribe the retention term as 3 years.
Align Contractual Processes - New contracts and/or addenda will need to be drafted and implemented to reflect the DPDPA’s specific definitions and terms. At this time, there are no specific contractual requirements for cross border transfers i.e., transfers of personal data outside of India.
Revise DSR Processes to reflect DPDPA rights - Under the DPDPA, individual rights do not include the right to restrict processing, and the right to data portability. Current DSR processes will need to be revised to reflect these changes; separately, the question of whether to revise DSR processes in India, based on the DPDPA’s narrower definition, may need to be considered. Compliance processes will also need to be established to include additional categories of “persons” beyond natural persons - including companies, government entities, and “undivided Hindu families.” Unlike CCPA and GDPR, the DPDPA also imposes rights on individuals - including the right against registering a false or frivolous grievance or complaint, suppression of relevant information, or false impersonation. Thus, the DPDPA provides potential grounds to suspend or not respond to an individual’s complaint in these instances, and such use cases should also be integrated into any relevant DSR processes.
Special Requirements for SDFs - The DPDPA and Final Rules allow India’s government to designate certain companies as “SDFs” if they process significant amounts of digital personal data in India and are designated as such by the Indian government. If a company is designated as an SDF, it is subject to these additional requirements:
- Data Localization - SDFs must localize all processing of certain categories of personal and traffic data.
- Assessments - SDFs must conduct annual data protection impact assessments for certain kinds of processing, and confirm that their algorithms don’t pose data protection or security risks to data principals.
- Audits - SDFs must conduct annual data protection audits, and submit significant audit findings to India’s Data Protection Board.
- Hire an independent data protection officer that will oversee consent management and individual redress processes..

Looking AheadLucid Privacy will continue to keep a keen eye on developments as companies move to interpret the DPDPA, and implement its requirements over the next 16 months. Drawing on our technical expertise, and our experience with CCPA and GDPR compliance, we have developed the DPDPA Assessment to help you tackle the necessary workflows to bring your processing in line with the DPDPA’s requirements. Please let us know how we can work with you and your team to prepare you for compliance with this important new law.

Comparison Matrix - DPDPA/GDPR/CCPA

The table below outlines the main features of the DPDPA, and how these contrast with the CCPA and the GDPR, representing the US and EU approach respectively.

	DPDPA	GDPR	CCPA
Legal Foundation	Right to Life and Personal Liberty, Article 21 and Part III of India’s Constitution,	Right to Personal Data Protection, Article 8 of the EU Charter of Fundamental Rights, and the laws of individual member states.	Article 1, Section 1, of the California Constitution
Scope	Digital personal data of Indian citizens or “persons” Outsourcing exemption excludes processing of personal data of non Indian citizens, under certain conditions.	Online and offline information that directly or indirectly identifies a natural person (EU resident)	Any data identifying or related to a California resident or household in California.
Legal Bases for Processing	Consent (demonstrated through a Consent Manager), and Legitimate Uses (government, employment, fraud, legal compliance, certain medical emergencies, and security)	Consent, Contract,Legal Obligation, Legitimate Interests, Public Task, Vital Interests	No stated basis; permits processing so long as individual rights are provided.
Data Localization	Entities that are viewed by India’s Central Government view as a “Significant Data Fiduciary” must localize personal data of Indian citizens.	No data localization requirements.	n/a
Data Deletion/Retention	Personal data must be deleted once the purpose for the processing has been met. For e-commerce entities, online gaming intermediaries, and social media intermediaries the term is 3 years.	Data Retention requirements in some cases. Consumers have the right to request deletion of their personal data.	Consumers have the right to request that personal data be deleted and businesses must respond to these requests within 45 days. The Delete Act and the DROP mechanism (mid 2026) will provide a way to delete all personal data from data brokers with a single request to a platform managed by the California Privacy Protection Agency.
Individual Rights	Rights of Access, Correction, Erasure, and the Right to grievance redress.	Rights of Access, Correction, Erasure, Data Portability, Restricting data processing, Object to processing, To be Forgotten, and the Right to not be subject to certain decisions (which have legal effects) based solely on automated processing, e.g., profiling. Does not prescribe individual duties.	Rights to Know, Delete, Opt-Out (of sale/sharing for targeted ads), Opt-Out of Profiling, Correct, and Limit (use of sensitive data), and against discrimination for exercising these rights. Does not prescribe individual duties.
Children	Any individual under 18 years of age. The law restricts monitoring online behavior or serving targeted ads to these individuals without the “verified consent” of a guardian or parent.	Any individual under 16 years, although individual Member States may lower this age to a minimum of 13 years.	Opt in consent for children under 13-15; For children under 13 - defined under federal Children's Online Privacy Protection Act, which requires the “verified consent” of a guardian or parent before marketing to a child online.
Cross Border Transfers	Permits cross-border transfers, so long as transfers to the receiving jurisdiction have not been restricted by the Indian government.	Requires standard contractual clauses for cross border transfers	n/a
Data Breach Reporting	Data Breaches must be reported to the Data Protection board, with a detailed report, 72 hours after they are discovered.	Data Breaches must be reported to the local Data Protection Authority 72 hours after they are discovered.	Must notify CA residents of all breaches involving personal data of over 500 individuals; must notify Attorney General within 15 days of publishing this notice.
Data Protection Officers	Data protection Officers are required at companies deemed to be a “Significant Data Fiduciary,”	Required when core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data	No data protection officer requirement.
Primary Regulator	Data Protection Board, which will be composed of a Chairman and 3 members, each of whom are appointed for a term of two years. The Board will focus on adjudication of data breaches, user complaints, and non-compliance cases involving companies and intermediaries.	EU Commission and Data Protection regulators of individual Member States	-California Privacy Protection Agency (CalPrivacy or CPPA) -California Attorney General California
Enforcement Penalties	Significant monetary fines may be assessed for data breaches, breaches involving children’s data, and for non compliance by SDFs. Additionally, the DPDPA allows the Indian Government to restrict the cross border transfer of personal data outside of India, if it deems necessary.	2-4% of annual turnover, depending on the severity of the violation.	$2,500 per unintentional violation, and up to $7,500 per intentional violation. For data breaches, which have a private right of action, consumers can recover up to $750 per incident. The highest CCPA fine ever was assessed in 2026 against Disney for $2.75 million.

Sign up for more like this.