What is DPDP Act India?

DPDP stands for Digital Personal Data Protection Act. It is India's data protection law passed in 2023. It tells companies how they must handle your personal data — what they can collect, how they must ask your permission, and what happens if they break the rules.

What rights do I have under DPDP?

You have the right to know what data a company has about you, the right to ask them to fix wrong data, the right to ask them to delete your data, and the right to complain if they don't follow the rules.

When does DPDP start?

The DPDP Act was passed in August 2023. The government is rolling out the rules in phases. Companies should already be preparing, but full enforcement depends on government notification of specific sections.

What happens if a company breaks DPDP?

The government can fine companies up to Rs 250 crore (about $30 million) for serious violations. The exact penalties depend on which rule was broken.

Privacy guide

What is DPDP? India's data protection law, explained.

DPDP stands for Digital Personal Data Protection Act. It is India's law that tells companies what they can and cannot do with your personal data. Think of it as rules for how companies must treat your information — your name, phone number, email, browsing history, and anything else that identifies you.

What DPDP says companies must do

Tell you what they collect. Before a company collects your data, they must clearly tell you what they are collecting and why. No hiding it in a 50-page legal document.

Ask your permission. They need your clear, specific consent. "I agree to everything" is not good enough. They should ask separately for different things — one permission for analytics, another for marketing emails, another for sharing with other companies.

Only use it for what they said. If they said they need your email to send you a receipt, they cannot use it to send you ads. Each piece of data should only be used for the reason they told you about.

Name every outside company that sees your data. If they share your information with other companies — like advertising networks or analytics tools — they must tell you who those companies are.

Answer when you ask. If you email a company and ask "what data do you have on me?" — they must actually answer. They cannot send you in circles or ignore you.

What rights do you have

Right to know. You can ask any company what personal data they have about you.

Right to fix. If the data they have is wrong, you can ask them to correct it.

Right to delete. You can ask them to delete your personal data.

Right to complain. If a company does not follow the rules, you can file a complaint.

From our investigation

We checked whether 107 Indian companies are ready for DPDP.

We signed up on every website, read every privacy policy, captured every tracker, and sent data-rights emails. The gap between what DPDP requires and what companies actually do is wide. Many have trackers their policy never mentions. Many bundle all consent into one button. Some never answered our emails.

See the DPDP readiness report →

What this means for you

Right now, most people accept privacy policies without reading them. Most companies collect more data than they tell you about. DPDP is supposed to change that. But the law only works if companies actually follow it — and if regular people know their rights.

Start by asking: does this company really need my phone number? Did they ask my permission separately for each thing? Do I know who else sees my data? If the answer is no, DPDP says that is not okay.

If you are a company

Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →

Your right under Indian law

Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →

Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.

Read the report Try the experience