India’s DPDP Act Enforcement Deadline Looms: Tech Giants Face ₹250 Crore Fines Starting October
The clock is ticking — and for every company handling Indian users’ personal data, the margin for error is shrinking fast.

India’s Digital Personal Data Protection Act, passed in August 2023, is moving from legislative milestone to operational reality. With enforcement mechanisms expected to activate this October, technology companies — from Silicon Valley giants to Bengaluru-based startups — are racing to restructure their data practices before regulators begin issuing penalties that could reach ₹250 crore per violation. The scramble is real, the stakes are historic, and many organisations are still dangerously underprepared.
—
What the DPDP Act Actually Requires
The DPDP Act establishes a comprehensive framework governing how the personal data of Indian citizens must be collected, stored, processed, and deleted. At its core, the law requires companies to obtain free, informed, specific, and unambiguous consent before processing any personal data. Consent cannot be buried in lengthy terms-of-service documents or pre-ticked boxes — a practice that has been standard across the industry for years.
Beyond consent, the Act introduces the concept of “Data Fiduciaries” — entities that determine the purpose and means of data processing — and holds them accountable for protecting user rights. Those rights include the ability to access one’s data, correct inaccuracies, and request erasure. Companies must also notify both users and the Data Protection Board of India in the event of a data breach.
Critically, the law applies not only to Indian companies but to any organisation processing the personal data of individuals located in India, regardless of where that organisation is headquartered. That extraterritorial reach puts global platforms squarely in the regulatory crosshairs.
—
The Data Protection Officer Mandate

One of the most immediate compliance requirements is the appointment of a **Data Protection Officer** (DPO). Significant Data Fiduciaries — a category the government will designate based on factors such as data volume, sensitivity, and potential risk — must appoint a DPO based in India who reports directly to the board of directors.
This is not a checkbox role. The DPO is expected to serve as the primary point of contact for the Data Protection Board, oversee compliance programmes, and respond to grievances filed by data principals — the individuals whose data is being processed. For multinational companies, this means establishing a senior, accountable presence within Indian jurisdiction, rather than assigning an overseas compliance officer to handle Indian matters remotely.
Demand for qualified DPOs has surged in recent months, with legal and privacy professionals commanding significantly higher compensation as companies compete for a limited pool of expertise. Many mid-sized startups, which lack dedicated legal teams, are turning to fractional DPO services — an emerging consulting category that barely existed two years ago.
—
Google, Meta, and the Consent Framework Overhaul
For platforms like Google and Meta, the challenge of overhauling consent architecture is enormous in scale. Both companies serve hundreds of millions of users in India and have historically relied on broad, consolidated consent mechanisms that are unlikely to satisfy the DPDP Act’s granular requirements.
Under the new framework, consent must be sought separately for distinct purposes. A user agreeing to receive personalised advertisements cannot be assumed to have also consented to their data being shared with third-party analytics providers. Each processing purpose requires its own clear, affirmative action from the user.
Industry sources indicate that both companies have been in active dialogue with India’s Ministry of Electronics and Information Technology (MeitY) to clarify implementation timelines and technical requirements. No public compliance roadmaps have been released, however, leaving observers to watch for changes in user-facing interfaces as a signal of broader backend restructuring.
Homegrown platforms face their own version of this challenge. Fintech apps, edtech platforms, and e-commerce players that built their growth on aggressive data collection and retargeting will need to rethink acquisition funnels, re-permission existing user bases, and potentially accept reduced data pools as users begin exercising their new rights.
—
The Fine Structure: Understanding the ₹250 Crore Risk
Penalties under the DPDP Act are tiered, calibrated to the severity of the violation. Failure to implement reasonable security safeguards that results in a personal data breach can attract fines of up to ₹250 crore. Failure to notify the Data Protection Board of a breach carries penalties of up to ₹200 crore. Even procedural violations — such as failing to maintain adequate grievance redressal mechanisms — can result in fines of up to ₹50 crore.
These are per-violation figures. A company that experiences a large-scale breach affecting millions of users could therefore face compounding liability. For startups operating on thin margins, a single enforcement action could prove existential. For large platforms, the reputational damage may ultimately outweigh the financial penalty.
The Data Protection Board of India, once fully constituted, will have the authority to investigate complaints, conduct inquiries, and impose these penalties. The Board is also empowered to direct companies to take corrective action — a provision that could force operational changes far more disruptive than any fine.
—
What Companies Should Be Doing Right Now
Organisations that have not yet begun their DPDP compliance journey are not simply behind — they are exposed. Legal and technology teams should prioritise several immediate steps.
The first is conducting a comprehensive data audit to map what personal data is collected, where it is stored, and how it flows across systems. This audit forms the foundation of every subsequent compliance decision. From there, companies should review and rewrite consent flows, update privacy notices to meet the Act’s plain-language requirements, and establish clear mechanisms for users to submit data-related requests and receive timely responses.
Organisations that anticipate being designated Significant Data Fiduciaries should also begin the process of identifying and appointing a qualified DPO without delay. Engaging outside counsel with specific expertise in the DPDP Act — rather than general data protection law — is increasingly advisable, given the nuances of Indian regulatory expectations.
—
The Broader Significance for India’s Digital Economy
The DPDP Act represents more than a compliance burden. It signals a fundamental shift in the relationship between Indian consumers and the platforms that profit from their data. For too long, the asymmetry of information and power has favoured data collectors. The Act begins to rebalance that equation.
For companies willing to invest in genuine compliance — not merely surface-level adjustments — the law also presents an opportunity. Demonstrating responsible data stewardship can become a meaningful competitive differentiator in a market where consumer trust is increasingly fragile and increasingly valuable.
October is not a distant deadline. It is the moment India’s data protection era truly begins. The companies that treat it as such will be far better positioned than those still waiting to see how enforcement unfolds.
Send free SMS worldwide
Reach any mobile number in 200+ countries from your browser. No signup, no app.
Send a free SMS →


