Privacy guide

DPDP penalties: what happens if a company breaks the law.

DPDP penalties and fines explained simply for Indian companies and users, including why evidence and readiness matter.

The simple answer

DPDP creates serious penalty risk for companies that mishandle personal data. The biggest numbers get attention, but the practical point is simpler: companies need to show good-faith readiness before enforcement pressure arrives.

Fines are not the only risk. Trust, customer complaints, buyer diligence and board questions can arrive before regulators do.

What to check

1. Know what personal data you collect.
2. Know who receives it.
3. Have consent and notice evidence.
4. Have deletion and grievance workflows.
5. Fix high-risk gaps before enforcement.

If any of these is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

Penalty risk follows evidence gaps.

State of Privacy shows why companies should prepare now. If a company cannot explain trackers, vendors, consent or grievance responses, it will struggle to prove readiness.

What to do next

1. Run a readiness audit.
2. Prioritize legal, tech and operational gaps.
3. Keep records of fixes and decisions.

Keep each step practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

What is the maximum DPDP penalty?

Serious violations can attract penalties up to INR 250 crore depending on the breach and provision.

Does every mistake mean a fine?

No. Enforcement depends on facts, law and regulator process. But poor evidence increases risk.

What should companies do first?

Map data flows and fix the gaps that create the highest user or enforcement risk.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Your right under Indian law
Mera data mera hai ("My data is mine").

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.
