The Digital Personal Data Protection Act, 2023 — notified in August 2025 — is India's first comprehensive data privacy legislation, giving citizens rights over their personal data held by companies, requiring explicit consent for data processing, and mandating organisations to appoint Data Protection Officers and report breaches within 72 hours. One year after notification, a compliance survey by the Data Security Council of India covering 500 companies across sectors finds that 72% have not completed even basic compliance steps.
DPDP Act Compliance Status — One Year On
- 72% of surveyed companies: no Data Protection Officer appointed
- 68%: no operational consent framework for existing customers
- 81% of small and medium businesses: unaware of Section 9 (children's data) obligations
- Data Protection Board: 2,847 complaints received; 0 penalties issued (as of April 2026)
- Penalty under DPDPA: up to ₹250 crore per incident
- MEITY has not yet issued full rules under the Act — 11 out of 40 rule-making powers used
“The law exists. The regulator exists. But the rules are incomplete, companies are not complying, and the Board has issued no penalties. We have a data protection law in name only at this stage.”
— Apar Gupta, Executive Director, Internet Freedom Foundation
Rajan Mehta
Technology & Digital Policy Reporter
Rajan reports on digital governance, data rights and tech policy from Bangalore. He has tracked India's Digital Stack since 2018.
