Compliance · 10 min read · Updated May 2025

DPDP Act 2023: Website Compliance Guide for Indian Businesses

India's Digital Personal Data Protection Act was enacted in 2023 and is being brought into force in phases. This guide explains what it means for your website, what you must implement, and how to check compliance for free in 30 seconds.

Check DPDP Compliance Free →
2023: Enacted
₹250 Cr: Max fine
3 types: Data categories
7 rights: Data Principal rights
5 duties: Fiduciary obligations
Free: Compliance checker
Overview

What is the DPDP Act?

1
Full name: Digital Personal Data Protection Act 2023
India's first comprehensive data protection law. Received presidential assent on 11 August 2023. Once its provisions are notified, it supersedes the data protection provisions of the IT Act 2000 (Section 43A and the 2011 SPDI Rules made under it).
2
Primary goal
To protect the personal data of individuals (called 'Data Principals') while allowing legitimate data processing for business purposes.
3
Key principle: consent-first processing
Unlike some other data protection frameworks, DPDP uses consent as the primary lawful basis for processing personal data. The only alternative is the short list of 'legitimate uses' in the Act (for example, data a user volunteers for a stated purpose, processing for employment, or a medical emergency). Outside those, you must obtain clear, informed consent before collecting data.
4
Three categories of data
The Act itself defines only 'personal data' (any data about an individual who is identifiable by or in relation to it) and, unlike the older SPDI Rules under the IT Act, carves out no separate 'sensitive personal data' category. In practice, treat three tiers: ordinary personal data; data the SPDI Rules classed as sensitive (financial, health, biometric), which still warrants stricter safeguards; and children's data (under 18), which requires verifiable parental consent and bars tracking, behavioural monitoring, and targeted advertising directed at children.
5
Enforced by the Data Protection Board of India (DPBI)
The DPBI is the regulatory body established to handle complaints, conduct investigations, and impose penalties for violations.
Scope

Who It Applies To

1
Any website that collects personal data from Indian users
If your sign-up form, contact form, or checkout captures names, emails, phone numbers, or addresses of Indian individuals, DPDP applies.
2
Indian and non-Indian organisations alike
Extra-territorial scope: the Act also covers processing outside India when it is connected with offering goods or services to Data Principals in India, so a US, EU, or UK company serving Indian users is a Data Fiduciary under DPDP, much like GDPR's extra-territorial reach.
3
SaaS products with Indian subscribers
Any SaaS, app, or platform that has registered Indian users falls under the Act's scope, regardless of where the product is built or hosted.
4
E-commerce platforms selling to Indian customers
Order data, delivery addresses, and payment information of Indian customers constitute personal data under DPDP.
5
Exempt: personal or domestic processing, and non-digital data
The Act covers only digital personal data (collected digitally, or collected offline and then digitised). Data processed purely for personal or household purposes is exempt, as is personal data the individual has made publicly available themselves. Research, archiving, and statistical processing are exempt when the data is not used to take a decision about a specific individual. Journalism is not expressly listed among the Act's exemptions, so do not rely on one.
Requirements

What Your Website Must Do

1
Implement a clear consent mechanism
Before collecting any personal data, display a clear notice explaining what data is collected, the purpose, and how it will be used, in English or one of the languages in the Eighth Schedule of the Constitution. The user must actively consent: pre-ticked boxes, silence, or consent bundled with unrelated purposes are insufficient. Withdrawing consent must be as easy as giving it, and you should record which version of the notice each user consented to and when.
2
Publish a privacy notice
Your privacy policy must explain: what personal data you collect, the purpose of processing, how long you retain it, whom you share it with, and how users can exercise their rights.
3
Enable the right to access and erasure
Data Principals (your users) have the right to: obtain a summary of their personal data, correct inaccurate data, and request erasure of their data ('right to be forgotten').
4
Implement reasonable security safeguards
The Act requires 'reasonable security safeguards' to prevent data breaches. At minimum: HTTPS enforcement, encrypted storage for sensitive data, access controls, and a breach response plan.
5
Notify data breaches to the DPBI and affected individuals
In the event of a personal data breach, you must notify both the DPBI and each affected Data Principal, in the form and timeline set by the DPDP Rules (the draft Rules published for consultation in January 2025 proposed notifying without delay, with full details to the Board within 72 hours). The notice must describe the nature of the breach, the data affected, and remediation steps.
6
Implement Data Retention Limits
Personal data should not be retained beyond the purpose for which it was collected. Implement data deletion schedules for inactive accounts and expired data.
7
Meet the extra duties of a Significant Data Fiduciary if designated
The central government may notify large or high-risk fiduciaries as Significant Data Fiduciaries. These must appoint a Data Protection Officer based in India, engage an independent data auditor, and carry out periodic Data Protection Impact Assessments. Consent Managers are a separate concept: independent platforms registered with the DPBI through which Data Principals give, review, and withdraw consent. Fiduciaries do not appoint them, but should be prepared to honour consents given or withdrawn through them.
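The consent, erasure, and retention duties above (items 1, 3 and 6) all come down to one record: per user and per purpose, what notice was shown, when consent was given, when the lawful basis ended, and how long the data may then be kept. The following is an added illustration for this guide, not AuditAI's code or a reference implementation from the Act; the purpose names, retention windows, principal IDs and the sample timeline are constructed assumptions.

```python
"""Consent ledger with purpose-bound retention.

Illustrative code added to this guide; it is not AuditAI's code nor a
reference implementation from the Act. Purpose names, retention windows,
principal IDs and the sample timeline are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed purpose catalogue: how long data may be kept once the purpose is
# served or consent is withdrawn. Declaring a purpose here is what lets the
# ledger refuse to record consent for anything the notice did not cover.
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=365),  # assumed bookkeeping window
    "marketing_email": timedelta(days=0),     # nothing to keep after withdrawal
}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str                  # which notice text the user saw
    given_at: datetime
    ended_at: Optional[datetime] = None  # withdrawal, or purpose served
    end_reason: Optional[str] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record(self, principal_id: str, purpose: str, notice_version: str,
               affirmative: bool, now: datetime) -> ConsentRecord:
        """Store consent only for a declared purpose and only on a clear
        affirmative act. A form whose checkbox was pre-ticked or untouched
        arrives with affirmative=False and is rejected, not silently stored."""
        if purpose not in RETENTION:
            raise ValueError(f"purpose {purpose!r} is not in the notice")
        if not affirmative:
            raise ValueError("consent requires an affirmative act, not a default")
        rec = ConsentRecord(principal_id, purpose, notice_version, now)
        self._records[(principal_id, purpose)] = rec
        return rec

    def end(self, principal_id: str, purpose: str, now: datetime,
            reason: str) -> ConsentRecord:
        """Close the lawful basis: the user withdrew, or the purpose was served."""
        rec = self._records[(principal_id, purpose)]
        if rec.ended_at is None:
            rec.ended_at, rec.end_reason = now, reason
        return rec

    def may_process(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.ended_at is None

    def summary(self, principal_id: str) -> List[dict]:
        """Answer to a Data Principal's access request: what is held, on what basis."""
        return [{"purpose": r.purpose, "notice": r.notice_version,
                 "given": r.given_at.isoformat(),
                 "ended": r.ended_at.isoformat() if r.ended_at else None}
                for r in self._records.values() if r.principal_id == principal_id]

    def due_for_erasure(self, now: datetime) -> List[Tuple[str, str]]:
        """Retention sweep: records whose window has elapsed since the basis ended."""
        return sorted(k for k, r in self._records.items()
                      if r.ended_at is not None
                      and now - r.ended_at >= RETENTION[r.purpose])

    def erase(self, keys: List[Tuple[str, str]]) -> int:
        for k in keys:
            del self._records[k]
        return len(keys)


def run_ledger_sample() -> dict:
    """Constructed timeline: consent, a rejected default, withdrawal, sweep."""
    t0 = datetime(2025, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("dp-1", "marketing_email", "notice-v3", True, t0)
    ledger.record("dp-1", "order_fulfilment", "notice-v3", True, t0)
    try:
        ledger.record("dp-2", "marketing_email", "notice-v3", False, t0)
        default_rejected = False
    except ValueError:
        default_rejected = True
    ledger.end("dp-1", "order_fulfilment", t0 + timedelta(days=3), "purpose_served")
    ledger.end("dp-1", "marketing_email", t0 + timedelta(days=10), "withdrawn")
    allowed = ledger.may_process("dp-1", "marketing_email")
    due = ledger.due_for_erasure(t0 + timedelta(days=11))
    erased = ledger.erase(due)
    return {"default_rejected": default_rejected,
            "marketing_allowed_after_withdrawal": allowed,
            "due_on_day_11": due,
            "erased": erased,
            "still_held": [s["purpose"] for s in ledger.summary("dp-1")]}
```

The design point is that the ledger keys everything on (user, purpose) rather than on the user alone: withdrawing marketing consent stops marketing immediately and makes that record due for erasure, while the order record stays until its own window runs out. The summary() output is what you would return to a Data Principal's access request, and the sweep is what your deletion schedule runs.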
Check

How to Check Compliance

1
Step 1: Run AuditAI's free DPDP compliance scan
AuditAI checks the website-visible signals: consent mechanism, privacy policy link, HTTPS enforcement, exposed personal data, and third-party tracker disclosure.
2
Step 2: Review your data collection forms
List every form on your site. For each form, verify you have a consent checkbox, a link to your privacy notice, and that you only collect the minimum data necessary.
3
Step 3: Audit your privacy policy
Ensure it covers: data collected, purposes, retention periods, third parties, user rights (access, correction, erasure), and your contact information for data requests.
4
Step 4: Verify HTTPS enforcement
All pages, including login, checkout, and any page with a form, must serve over HTTPS, with plain-HTTP requests redirected and HSTS set so browsers do not fall back. A page collecting personal data over HTTP exposes it in transit and fails the Act's reasonable security safeguards requirement.
5
Step 5: Document your data flows
Create a Data Processing Record — a log of what personal data you collect, where it's stored, how long it's kept, and who can access it. This is essential evidence of compliance during an investigation.
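Steps 1, 2 and 4 above are checks you can run yourself against a fetched copy of a page. The following is an added illustration for this guide, not AuditAI's scanner: it evaluates the website-visible signals (HTTP-to-HTTPS redirect and HSTS, privacy-notice link, consent checkboxes on data-collecting forms, third-party resource hosts that must be disclosed) from an already-fetched response, so it runs offline. The detection heuristics, hostnames and the sample page are constructed.

```python
"""Offline evaluator for the website-visible DPDP signals in the checklist.

Added illustration for this guide; it is not AuditAI's scanner. It takes an
already-fetched page (the status and headers of the plain-HTTP request, the
headers of the HTTPS response, and the HTML body) and reports findings. The
detection heuristics, hostnames and the sample page are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class _PageAuditor(HTMLParser):
    """Collects forms, the privacy-notice link and third-party resource hosts."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host
        self.forms: List[dict] = []
        self._form = None
        self.privacy_link = False
        self.third_party_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # bare attribute -> {"checked": None}
        if tag == "form":
            self._form = {"consent_box": False, "prechecked": False, "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind == "checkbox" and "consent" in name:
                self._form["consent_box"] = True
                self._form["prechecked"] = "checked" in a   # pre-ticked box
            elif kind not in ("submit", "hidden", "checkbox", "button"):
                self._form["fields"].append(name)           # data-bearing field
        elif tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.privacy_link = True
        elif tag in ("script", "iframe", "img") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.site_host:
                self.third_party_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def check_https(http_status: int, http_headers: Dict[str, str],
                https_headers: Dict[str, str]) -> List[str]:
    """Plain HTTP must redirect to HTTPS, and the HTTPS response must carry HSTS."""
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    if http_status not in (301, 308) or not h.get("location", "").lower().startswith("https://"):
        findings.append("http-not-redirected-to-https")
    if "strict-transport-security" not in s:
        findings.append("hsts-missing")
    return findings


def audit_page(site_host: str, html: str, http_status: int,
               http_headers: Dict[str, str], https_headers: Dict[str, str]) -> List[str]:
    findings = check_https(http_status, http_headers, https_headers)
    page = _PageAuditor(site_host)
    page.feed(html)
    if not page.privacy_link:
        findings.append("privacy-notice-link-missing")
    for i, form in enumerate(page.forms):
        if form["fields"] and not form["consent_box"]:
            findings.append(f"form{i}:collects-data-without-consent-box")
        if form["prechecked"]:
            findings.append(f"form{i}:consent-box-pre-ticked")
    for host in sorted(page.third_party_hosts):
        findings.append(f"third-party-host:{host}")   # must be named in the notice
    return findings


# Constructed sample: a sign-up form with a pre-ticked consent box, a contact
# form with no consent box, and one third-party analytics script.
SAMPLE_HTML = """<html><body>
<a href="/privacy-policy">Privacy notice</a>
<form action="/signup" method="post">
  <input type="text" name="full_name">
  <input type="email" name="email">
  <input type="checkbox" name="consent_marketing" checked> Send me offers
  <input type="submit" value="Sign up">
</form>
<form action="/contact" method="post">
  <input type="email" name="email">
  <input type="submit" value="Send">
</form>
<script src="https://cdn.example-analytics.net/tag.js"></script>
</body></html>"""


def run_scan_sample() -> List[str]:
    """Audit the constructed page as if plain HTTP served it without redirect."""
    return audit_page("www.example.in", SAMPLE_HTML, 200,
                      {"Content-Type": "text/html"}, {"Content-Type": "text/html"})
```

On the constructed page this reports the missing redirect and HSTS header, the pre-ticked box on the sign-up form, the contact form that collects an email address with no consent box at all, and the analytics host that your privacy notice must list as a recipient. A real scan would fetch the HTTP and HTTPS responses first; the evaluation logic is the same.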

Check your DPDP compliance in 30 seconds

AuditAI is the only free tool that checks DPDP Act compliance alongside GDPR and CCPA in a single scan — no signup required.


Frequently Asked Questions

Does the DPDP Act apply to websites hosted outside India?
Yes. The DPDP Act has extra-territorial reach — it applies to any organisation that processes personal data of data principals (individuals) in India, regardless of where the organisation or its servers are located. A UK startup with Indian users must comply, just as GDPR applies to non-EU companies with EU users.
What is a 'Data Fiduciary' under the DPDP Act?
A Data Fiduciary is any person or organisation that determines the purpose and means of processing personal data. If your website collects and processes data about Indian users (email addresses, names, phone numbers, browsing behaviour), you are a Data Fiduciary and must comply with the DPDP Act's obligations.
When will the DPDP Act be enforced?
The DPDP Act received presidential assent in August 2023, but its provisions take effect only on dates notified by the central government, and the DPDP Rules that set out the detailed requirements were published in draft for consultation in January 2025. The Data Protection Board of India (DPBI) is being constituted to handle enforcement. Organisations should begin compliance work now: early movers avoid the risk of being targeted in initial enforcement actions.