What Indian startups must do in 2026 under the DPDP Act — consent, retention, breach notification, DPO appointment and cross-border transfer rules.
Data Privacy Laws in India 2025: What Startups Must Do
The Digital Personal Data Protection Act, 2023 (DPDP Act) is now operational, enforceable law. Every startup that collects personal data of individuals in India — regardless of where it is incorporated — must obtain valid, purpose-specific consent, maintain a data map, set retention schedules, report breaches to the Data Protection Board of India, and govern vendor data flows through proper contracts. Penalties under Schedule A of the Act run up to Rs. 250 crore per violation category. Founders who build privacy into their product architecture come out ahead; those who treat it as a legal footnote face a single incident turning into an existential event.
The DPDP Act 2023: Scope, Key Definitions and What Is New in 2026
The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023. With the DPDP Rules subsequently notified, the framework moved from aspirational legislation to an enforceable regime. For founders who have been watching this space, 2026 is the year the Data Protection Board of India (DPBI) is operationally active and initiating investigations and adjudications.
Territorial scope is deliberately wide. The Act applies to the processing of digital personal data:
- within India, regardless of the nationality or residence of the data principal; and
- outside India, if the processing relates to offering goods or services to individuals located in India.
A US-incorporated startup with Indian users, a Singapore-based SaaS with an India-facing product, and a marketplace that stores Indian delivery addresses all fall squarely within scope.
Core definitions you must internalise:
- Data principal: The individual whose personal data is processed. The Act grants data principals five rights: access, correction, erasure, nomination (for death or incapacity), and grievance redress.
- Data fiduciary: The entity — company, LLP, partnership or individual — that determines the purpose and means of processing personal data. Your startup is the data fiduciary.
- Data processor: A third party that processes data on behalf of the data fiduciary. Your cloud hosting provider, CRM vendor, email marketing platform and analytics tool are data processors.
- Consent manager: An entity registered with the Data Protection Board that aggregates consent management across platforms, enabling data principals to give, manage and withdraw consent through a single interface.
- Significant Data Fiduciary (SDF): A data fiduciary notified by the Central Government based on volume of data processed, sensitivity of data, risk to national security, electoral democracy, rights of data principals and similar factors. SDFs carry materially heavier obligations.
What changed from the IT Act regime? The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 under the IT Act 2000 remain partially operative, but the DPDP Act supersedes them in most respects. Critically, the DPDP Act does not create a separate "sensitive personal data" category analogous to the old SPDI Rules. Health, financial and biometric data are not singled out in the Act's main body — but higher security expectations and parallel sector regulation continue: Reserve Bank of India guidelines for payment and credit data, Ministry of Health and Family Welfare frameworks for health data, and IRDAI guidelines for insurance data. Compliance with the DPDP Act does not discharge your sector-specific obligations.
The Two Lawful Bases: Consent and Legitimate Uses
Unlike the GDPR's six legal bases, the DPDP Act provides exactly two.
Basis 1 — Consent (Section 6)
Consent under the DPDP Act must be free, specific, informed, unconditional and unambiguous. Each of those words carries weight:
- Free: Not bundled with acceptance of other terms or made a precondition of service where processing is not necessary for that service.
- Specific: Tied to a defined, discrete purpose — not a catch-all "to improve your experience."
- Informed: The data principal must have read (or been given the opportunity to read) the consent notice before consenting.
- Unconditional: No coercion, no penalty for refusal.
- Unambiguous: An affirmative act — clicking "I accept," checking a box, tapping a button. Pre-ticked boxes do not count.
You must serve a consent notice before or at the point of data collection. The notice must state: what personal data is sought, the specific purpose, how the data principal may exercise their rights, and how they may withdraw consent or file a complaint with the Board. The notice must be available in English; where the government notifies additional languages, you must offer those too.
Withdrawal of consent must be as easy as giving it, and you must stop processing and delete the data within a reasonable period following withdrawal — unless another law requires retention.
Basis 2 — Legitimate Uses (Section 7)
Legitimate uses allow processing without explicit consent in defined circumstances:
- Processing by the State for subsidies, licences, permits or other services
- Processing to comply with a court order, judgment or legal obligation
- Processing to protect life or prevent health emergencies or disasters
- Employment-related processing — HR, payroll, background checks, benefits — subject to rules
- Processing where the data principal has voluntarily submitted data for a publicly stated purpose
Do not try to stretch legitimate use to cover commercial data monetisation. Marketing analytics, behavioural segmentation, personalisation and retargeting all require consent. The legitimate use category is narrow by design.
Building Your Data Map: A Practical Step-by-Step Process
A data map — sometimes called a Record of Processing Activities — is the foundation of every compliance obligation that follows. Without it you cannot write an accurate consent notice, set defensible retention schedules, know which vendors to audit, or respond credibly to the Board. Here is how to build one in five steps:
Step 1: Inventory every data-collection touchpoint. Go through your product, mobile app, website, API integrations, customer support tools (Intercom, Freshdesk), marketing automation (Mailchimp, Clevertap), analytics platforms (Mixpanel, Firebase) and HR systems. List every place where personal data enters your organisation.
Step 2: For each touchpoint, record:
- What data is collected (name, phone, email, device ID, IP address, location, browsing history, purchase data, UPI reference, biometric login)
- Who the data principal is (customer, registered user, visitor, employee, vendor, job applicant)
- The lawful basis for collection (consent or which specific legitimate use)
- The stated purpose
- Where the data is stored (AWS region, GCP bucket, Salesforce, on-premise server)
- Who has access (internal teams, third-party processors, sub-processors)
- The retention period
- How it is deleted or anonymised at the end of that period
Step 3: Map every third-party processor. For every SaaS tool your team uses — Salesforce, HubSpot, Razorpay, AWS, Google Workspace, Zoho, any attribution or A/B testing tool — confirm whether it processes personal data of your users or employees. If yes, a Data Processing Agreement (DPA) is mandatory (see vendor contracts below).
Step 4: Identify gaps. The most common gaps in practice: data collected at sign-up with no documented retention schedule; marketing email lists built before 2023 with no auditable consent record; employee data stored in personal Google Drive folders outside any DPA; customer support transcripts on third-party tools with no data processing contract.
Step 5: Assign ownership and a review cadence. The data map degrades quickly. Every new feature that collects a new data field changes it. Assign a named owner — CTO, Legal, or a designated privacy lead — and review the map every quarter and every time a data-collecting feature is shipped.
Significant Data Fiduciary Status: Additional Obligations and How to Know If You Qualify
Section 10 of the DPDP Act empowers the Central Government to notify entities as Significant Data Fiduciaries. The criteria include: volume and sensitivity of data processed, risk to data principals' rights, potential impact on national sovereignty and security, risk to electoral democracy, and public order.
Do not assume you are not an SDF because you are pre-Series B. An ed-tech platform with 10 million school-age users, a health-tech startup handling diagnostic reports at scale, or a fintech processing large-volume credit decisioning data can meet the threshold once sector-specific notifications are issued. Watch the MCA and MeitY notification portals for your sector.
If you are notified as an SDF, you must:
- Appoint a Data Protection Officer (DPO) — a qualified individual based in India, accountable directly to the board of directors (not to the CEO or CFO). The DPO is the single point of contact for the Data Protection Board. The DPO may be an employee or an external professional engaged under a services agreement.
- Conduct a Data Protection Impact Assessment (DPIA) — a structured risk analysis of purpose, data type, likely harms to data principals, and technical and organisational safeguards deployed. Conduct a DPIA before launching any new high-risk processing activity and at a periodic interval thereafter.
- Commission an independent audit — from a qualified auditor who reviews and reports on compliance with the Act and Rules.
- Maintain detailed processing records and make them available to the Data Protection Board on request.
Penalty for non-compliance with SDF obligations: up to Rs. 150 crore per violation under Schedule A, Item 4 of the DPDP Act.
Consent Management, Children's Data and Retention Periods
Building a Compliant Consent Flow
A single checkbox at the bottom of a sign-up screen reading "I agree to the Privacy Policy" fails Section 6. Here is a minimum viable consent flow for a B2C app:
- Before data collection begins, display a short, plain-language consent notice (not embedded in a 3,000-word policy).
- Use purpose-specific descriptions: "We use your email to send you order updates" and separately "We use your email to send you promotional offers" — presented as distinct items the user can accept or decline independently.
- Use affirmative opt-in for each non-essential purpose. Do not pre-tick boxes.
- Provide a "Manage my consent" section in account settings, accessible within two taps or clicks.
- Log every consent event (timestamp, user ID, version of consent notice presented) in a tamper-evident record.
- Process withdrawal requests immediately on receipt and confirm in writing to the user.
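The per-purpose logging and withdrawal steps above, shown as a hash-chained consent ledger. This is an added example, not code from the original article or any product; the event fields, purpose names and the fictional user are assumptions, and the chain makes any later edit or deletion of a consent record detectable.

```python
"""Hash-chained, purpose-specific consent ledger (added example, not from the
original article). Assumptions: one event per (user, purpose, grant/withdraw)
carrying the notice version shown and a UTC timestamp; each event's digest
covers the previous digest, so editing or deleting history is detectable."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_digest of the first event


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str         # e.g. "order_updates", "promotional_offers"
    action: str          # "grant" or "withdraw"
    notice_version: str  # version of the consent notice the user was shown
    timestamp: str       # ISO-8601, UTC
    prev_digest: str
    digest: str


def _digest(fields: dict) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, action: str,
               notice_version: str, timestamp: str | None = None) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        fields = {"user_id": user_id, "purpose": purpose, "action": action,
                  "notice_version": notice_version,
                  "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
                  "prev_digest": self.events[-1].digest if self.events else GENESIS}
        evt = ConsentEvent(**fields, digest=_digest(fields))
        self.events.append(evt)
        return evt

    def verify(self) -> bool:
        """True only if every digest and every back-link is intact."""
        prev = GENESIS
        for evt in self.events:
            fields = asdict(evt)
            del fields["digest"]
            if evt.prev_digest != prev or _digest(fields) != evt.digest:
                return False
            prev = evt.digest
        return True

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Latest event for this (user, purpose) wins; no event means no consent."""
        granted = False
        for evt in self.events:
            if evt.user_id == user_id and evt.purpose == purpose:
                granted = evt.action == "grant"
        return granted


def run_demo() -> dict:
    # Constructed sample events for a fictional user; fixed timestamps keep
    # the demo reproducible.
    led = ConsentLedger()
    led.record("u-1001", "order_updates", "grant", "v3", "2026-01-10T09:00:00+00:00")
    led.record("u-1001", "promotional_offers", "grant", "v3", "2026-01-10T09:00:01+00:00")
    led.record("u-1001", "promotional_offers", "withdraw", "v3", "2026-02-02T18:30:00+00:00")
    result = {"orders_ok": led.has_consent("u-1001", "order_updates"),
              "promo_ok": led.has_consent("u-1001", "promotional_offers"),
              "chain_ok": led.verify()}
    # Simulate rewriting history so the withdrawal looks like a grant.
    led.events[2] = replace(led.events[2], action="grant")
    result["chain_ok_after_tamper"] = led.verify()
    return result
```

In production the ledger would be an append-only store and the latest digest anchored somewhere the application cannot rewrite (for example a periodic export to a separate log account), so that `verify()` detects tampering after the fact.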
Children's Personal Data
Under Section 9 of the DPDP Act, processing personal data of a child — defined as an individual under 18 years of age — requires verifiable parental consent. You must also not: track the child's behaviour online, target advertising at children, or process data in a manner that could cause detrimental effect on a child's well-being.
The Rules may eventually permit processing without parental consent for specific categories of fiduciaries serving older teenagers. Until your entity is explicitly listed in any such notification, apply the full parental consent requirement to all under-18 users. Age-gating at registration is not optional for platforms that knowingly serve minors.
Penalty for children's data violations: up to Rs. 200 crore under Schedule A, Item 3.
Retention Periods
There is no single statutory retention period. The Act requires you to retain data only as long as necessary for the purpose stated at collection (Section 8(7)) or as required by any other applicable law. Practical guidance:
- Customer transaction data: retain for 8 years (aligned with income-tax limitation period and GST audit requirements)
- Marketing email list entries where consent is withdrawn: delete within 30 days of withdrawal
- Employee records: align with applicable labour and statutory law (typically 5–7 years post-employment)
- Website analytics and session data: review quarterly; delete session-level personal data not needed for product improvement within 90 days
Breach Notification: Timeline, the Data Protection Board and Incident Response
Section 8(6) of the DPDP Act requires every data fiduciary to notify both the Data Protection Board of India and the affected data principals of a personal data breach in the manner and within the timeline prescribed by the DPDP Rules. The Rules specify the prescribed format and timeline; the operational benchmark aligned with international norms — including GDPR's 72-hour window — is to notify the Board within 72 hours of becoming aware of a breach, followed by a fuller report. Confirm the exact timeline from the Rules as notified.
A personal data breach is any unauthorised access, disclosure, alteration, loss or destruction of personal data — whether caused by a ransomware attack, an insider exfiltration, a misconfigured storage bucket, an accidental email to the wrong recipient, or a vendor's security failure.
Incident Response: A Minimum Viable Plan
Every startup — even at pre-revenue stage — needs a written Incident Response Plan (IRP). At minimum:
- Detection and triage: How is a breach flagged? SIEM alert, vendor notification, user complaint? Who is notified within the first hour — CISO, CTO, CEO?
- Containment: Specific technical steps to isolate affected systems within four hours.
- Assessment: Who determines the scope, the categories of data affected, and the estimated number of data principals impacted?
- Notification decision: The DPO (or legal lead, if no DPO) decides whether the breach triggers Board and data-principal notification.
- Board notification: Draft the prescribed notice — name of data fiduciary, nature and date of breach, data categories affected, estimated individuals affected, likely consequences, and measures taken or proposed.
- Data-principal notification: A plain-language message stating what happened, what data was involved, what you are doing and what the individual should do to protect themselves.
- Post-incident review: Root-cause analysis, remediation of the specific vulnerability, updated controls, and a written report to the board.
Penalty for failure to notify: up to Rs. 200 crore under Schedule A, Item 2. The penalty attaches to the failure to notify — independently of any penalty for the underlying security failure. A startup that suffers a breach and notifies promptly is in a categorically better position than one that notifies late after internal deliberations.
Cross-Border Transfers, Vendor Contracts and the Negative List
Section 16 of the DPDP Act establishes a negative list approach to cross-border data transfers. Personal data of Indian data principals may be transferred to any country or territory except those notified as restricted by the Central Government. As of mid-2026, the final negative list had not been published, which means transfers to the US, UK, EU, Singapore, UAE and most other jurisdictions remain permissible — subject to your contractual controls.
This permissibility does not eliminate risk. When your data lands in an EU-regulated cloud region or touches EU data subjects, GDPR obligations continue to apply at the receiving end. Layer your compliance accordingly: build GDPR standard contractual clauses (SCCs) into contracts with US-based SaaS vendors where your EU customer data flows through them.
Vendor Contract Checklist
For every data processor that handles personal data of your users or employees, your contract or Data Processing Agreement must include:
- [ ] Purpose limitation: the processor may only process data for purposes you specify in writing
- [ ] Security obligations: processor must implement safeguards at least equivalent to those you deploy
- [ ] Sub-processing controls: written approval required before a sub-processor is engaged
- [ ] Breach notification: processor notifies you within 24–48 hours of becoming aware of a breach affecting your data
- [ ] Audit rights: you may audit or appoint an independent auditor to verify compliance
- [ ] Return or deletion: on termination, processor returns all data or deletes it and provides a written certificate of deletion
- [ ] Data localisation: where applicable law requires India-resident storage (RBI for payment data, IRDAI for insurance data), the contract enforces it
Most global SaaS vendors — AWS, Google Cloud, Salesforce, HubSpot, Razorpay — publish standard DPA templates on their legal or trust portals. Retrieve the current version, review it against this checklist, execute it as a formal addendum, and file it with your legal records.
GDPR vs DPDP: Key Differences That Matter for Startups Serving Global Users
If your startup serves EU users, you are subject to both frameworks simultaneously. The compliance tension is real but manageable if you understand where the regimes diverge.
| Feature | GDPR | DPDP Act 2023 |
|---|---|---|
| Legal bases for processing | 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) | 2 (consent + specified legitimate uses) |
| Sensitive data category | Yes — health, biometric, political opinion, race, religion, etc. | No separate category in the Act; sector rules apply in parallel |
| Right to data portability | Yes (Article 20) | Not expressly provided |
| Right to object | Yes (Article 21) | Addressed through consent withdrawal and erasure |
| Cross-border transfer mechanism | Adequacy decisions, SCCs, Binding Corporate Rules | Negative list (restricted countries only) |
| DPO requirement | Large-scale or high-risk processing | Only for Significant Data Fiduciaries |
| Supervisory authority | One per EU member state | Single national body — Data Protection Board of India |
| Maximum penalty | 4% of global annual turnover or €20 million (whichever is higher) | Up to Rs. 250 crore per violation category under Schedule A |
| Breach notification timeline | 72 hours to supervisory authority | As prescribed in DPDP Rules |
Practical advice: Implement GDPR as your baseline standard if you have any EU users. The DPDP Act fits largely within a GDPR-compliant framework. The India-specific additions are: the DPDP consent notice format, the children's data parental consent requirement, the Board notification process, and the negative-list approach to cross-border transfers. Build one privacy programme that satisfies both rather than maintaining two parallel compliance tracks.
Worked Example: Penalty Exposure for a Series A E-Commerce Startup
Consider Alpha Bazaar (a fictional entity), a B2C e-commerce platform with 800,000 registered Indian users. It processes names, delivery addresses, phone numbers, purchase histories and UPI payment references. Its privacy infrastructure has not been updated since 2022.
Violation 1 — Non-compliant consent mechanism. Alpha Bazaar's sign-up page uses a bundled "I agree to Terms and Privacy Policy" checkbox. There is no separate, purpose-specific consent notice, no granular opt-in for marketing communications, and no easy withdrawal path. This fails Section 6. Penalty: up to Rs. 50 crore (non-compliance with other provisions, Schedule A Item 5).
Violation 2 — Failure to implement security safeguards. A misconfigured AWS S3 bucket exposes the payment reference data of 200,000 users for 48 hours. No encryption at rest was deployed on this particular storage bucket; access logs were disabled; no vulnerability management schedule was in place. This is a failure of the Section 8(5)(a) obligation to implement reasonable security safeguards. Penalty: up to Rs. 250 crore (Schedule A Item 1).
Violation 3 — Failure to notify the Data Protection Board within the prescribed timeline. Alpha Bazaar's CTO discovers the breach on Day 1. However, the company has no incident response plan. Internal legal discussions delay the decision to notify. The Board is informed only on Day 9. Penalty: up to Rs. 200 crore (Schedule A Item 2).
Total penalty exposure in this single incident: up to Rs. 500 crore. Even if the Data Protection Board levies 5% of maximum — representing a Rs. 25 crore total penalty — Alpha Bazaar, which raised Rs. 30 crore at Series A, faces an existential threat. Enterprise customers reviewing their vendor risk register terminate contracts. Payment gateway partners suspend integration. The reputational damage outlasts the statutory penalty by several years.
The cost of compliance is proportionate. Building a data map, redesigning consent flows, executing vendor DPAs and writing an incident response plan would cost Alpha Bazaar approximately Rs. 5–10 lakh in Year 1 — a fraction of the exposure even at 1% of maximum penalties.
Common Mistakes and How to Fix Them
Mistake 1: Treating the Privacy Policy as the Consent Notice
A privacy policy and a consent notice are legally distinct. The policy is your comprehensive disclosure document — it covers everything about your processing. The consent notice is the brief, purpose-specific communication you serve at the moment of data collection. Many startups publish a 4,000-word policy and assume it covers consent. It does not satisfy Section 6.
Fix: Create short, context-specific consent notices at each data-collection touchpoint — sign-up screen, contact form, newsletter subscription, app permission request — that name the specific data sought and the specific purpose.
Mistake 2: No Workflow to Process Erasure Requests
Data principals have the right to erasure under Section 12. If your startup cannot locate and delete a user's data across production databases, analytics warehouses, backup stores, CRM records and email marketing lists, you will fail this obligation when the first request arrives.
Fix: Build an "Account Deletion" function in your product that triggers deletion requests to every integrated system. Log each request, its receipt date, the systems queried, and the completion date. Retain only what you are legally compelled to retain, with a documented legal basis (e.g., GST invoice data for 8 years).
Mistake 3: Vendor DPAs Signed After Processing Has Already Begun
Signing a DPA with your cloud vendor six months after you started storing user data does not retrospectively legalise the period before execution. The obligation arises at or before the commencement of processing.
Fix: Run a vendor audit immediately. For every SaaS tool your team uses that touches personal data, pull the relevant DPA from the vendor's legal or trust portal, execute it today, and file it.
Mistake 4: Ignoring Employees and Job Applicants as Data Principals
The DPDP Act applies to all personal data — not only customer data. Employee records, payroll data, biometric attendance data, candidate CVs, background check outputs and termination records are all within scope.
Fix: Build a separate HR data map. Ensure employment contracts reference data processing, background-check consent is documented and signed before checks are run, and retention schedules for ex-employee data are formally set and enforced.
Mistake 5: Assuming "No Harm, No Notification" on Breaches
Many founders believe that if a breach caused no identifiable harm — the exposed data was accessed briefly but not exfiltrated, for example — there is no notification obligation. This is incorrect. The obligation attaches to the breach event, not to demonstrated downstream harm.
Fix: Default to notification. A precautionary notification to the Board and to affected data principals is always less damaging than a concealed breach that surfaces later under adversarial circumstances.
Key Takeaways
- The DPDP Act 2023 is live, enforceable and carries real financial penalties. Penalties under Schedule A range from Rs. 50 crore (other violations) to Rs. 250 crore (security safeguards failure) per violation category. A single incident can generate multiple concurrent penalty exposures.
- Your data map comes first. Without knowing what you collect, from whom, for what purpose, where it is stored and when it is deleted, no downstream compliance step — consent, retention, breach response — can be done properly.
- Valid consent under Section 6 is specific, granular and documented. Rebuild every consent flow to give data principals a genuine, informed, per-purpose choice with an easy withdrawal path. Log every consent event with a timestamp and notice version.
- Children's data requires verifiable parental consent before processing begins. If your product is used by under-18s and you cannot implement and verify parental consent, you carry up to Rs. 200 crore in penalty exposure per violation event.
- Notify the Data Protection Board promptly on any breach. The operational benchmark is 72 hours. Failure to notify is a separate, independent penalty event — up to Rs. 200 crore — entirely apart from any penalty for the underlying security failure.
- Execute vendor DPAs before processing starts. Every SaaS tool that handles your users' or employees' personal data is a data processor. The contract must cover purpose limitation, security, sub-processing, breach notification, audit rights and deletion on termination.
- If you also serve EU users, build to GDPR standard as your baseline — it is the more demanding of the two frameworks on most dimensions. Add India-specific consent notice format, children's data rules and Board notification process as DPDP-specific layers on top. One privacy programme covering both is more efficient than two parallel tracks.