India’s Privacy Era Begins: DPDP Act Officially Comes Into Force

India’s first digital privacy law sets new standards for data protection and user rights  
On November 14, the Indian government notified the rules under the Digital Personal Data Protection (DPDP) Act, 2023, formally putting the country’s first digital privacy law into effect. The move follows years of deliberation and fulfills the Supreme Court’s 2017 directive affirming privacy as a fundamental right.

The DPDP Act establishes a national framework for handling personal data, with clear obligations for “data fiduciaries”—entities that process user information—and rights for “data principals,” or individuals. The law mandates verifiable consent, purpose-limited data use, breach notifications, and grievance mechanisms. A phased rollout gives companies 12–18 months to comply, while consent managers must register within a year.

Major takeaways  

• DPDP Act operationalised after two years of legislative and public consultation  
• Law mandates consent-based data processing and breach notification protocols  
• Data fiduciaries must offer clear opt-in and opt-out mechanisms for users  
• Consent managers and intermediaries given 12–18 months to comply  
• RTI Act amended to restrict access to personal data held by public bodies  

Sources: New Indian Express, The Hindu, Business Standard