
The Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules

The End of “Chalta Hai” Attitude

For years, India’s approach to personal data was casual (“chalta hai”). You would share your mobile number at a billing counter, and by evening, you would receive spam calls for credit cards. That era is ending. The Digital Personal Data Protection (DPDP) Act, 2023, fully active with the 2025 Rules, changes the rules of the game.

Think of this law as a new “contract” between two people:

The Data Principal (You): The common citizen (or “Aam Aadmi”) whose data is being used.

The Data Fiduciary (The Company): The shop, bank, app, or government office collecting your data.

Caption: From helpless to protected: The law gives you a shield against data misuse.

Strict Deadline: Companies have about 18 months (until mid-2027) to fix their systems.

Big Fines: If companies are careless with your data, they can face penalties up to ₹250 Crore. There is no jail time, but the financial hit is massive.

Your Mobile Number is Now Your Property

This is the most “meaningful” change for every Indian. In India, our mobile number is everything—it’s our bank ID (UPI), our tax ID (GST), and our social ID (WhatsApp).

The “WhatsApp Group” Problem

Before the Law:

You give your number to a property broker just to see a flat. The next day, he adds you to a WhatsApp group called “Best Real Estate Deals” with 500 strangers. Everyone can see your number. You felt annoyed, but you couldn’t do anything legally.

After the Law:

This is now a Data Breach.

1. Permission Violation: You gave the number to see a flat, not to join a group. Using it for the group is illegal without asking you again.

2. Privacy Leak: By adding you to the group, the broker exposed your number to 500 strangers. This is “unauthorized disclosure.”

3. Consequence: The broker (Data Fiduciary) must report this mistake to the government and to YOU. If they don’t, they face huge fines.

Asking for Permission (Consent)

Companies can no longer hide behind long terms and conditions that no one reads.

Clear Permission in Your Language

When an app wants your data, they must ask nicely and clearly.

No Tricks: The “I Agree” box cannot be pre-ticked. You must tick it yourself.

In Your Mother Tongue: The request must be available in 22 Indian languages. If you speak Tamil or Hindi, the app must ask for permission in that language.

Easy to Cancel: If you can join with one click, you must be able to leave with one click. You can withdraw your consent anytime through a “Consent Manager”.

When Permission is Not Needed

Sometimes, life moves too fast for forms. The law allows “Legitimate Uses” where companies don’t need to ask:

  • Medical Emergency: If you are in an accident, the hospital doesn’t need your signature to process your ID.
  • Employment: Your boss doesn’t need new permission every day to use your data for salary processing.
  • Government Services: The government can use your data to give you subsidies or certificates without asking every time.

Protecting Our Children

The internet is dangerous for kids. This law builds a “digital wall” around them.

No Tracking Kids

If a user is under 18:

No Targeted Ads: Apps cannot show ads based on a child’s behavior.

Parental Lock: Companies must get verifiable permission from parents before collecting a child’s data.

Meaning: Gaming apps and tuition apps cannot secretly track what your child does online to sell them things.

Visual: A child playing a game on a tablet. A digital “shield” graphic surrounds the child, blocking icons representing “Ads”, “Trackers”, and “Strangers”.

Safe Play: The law bans targeted advertising and behavioral tracking for anyone under 18.

Impact on Small Business (MSMEs) & CAs

This law isn’t just for Google or Facebook. It applies to the Chaiwala collecting numbers for loyalty points and the Chartered Accountant (CA) filing taxes.

The Chartered Accountant (CA) Alert

CAs handle very private data: PAN cards, bank statements, and tax returns.

The “CC” Mistake: A CA office often sends an email to 50 clients saying, “Please file your returns,” and puts everyone’s email in “CC”. Now, everyone sees everyone else’s email.

The Penalty: This is a Data Breach. The CA firm must report this to the Data Protection Board. It is treated as a serious failure of security.

The Solution: CAs must use “BCC” or special software. They must treat client data like gold.

The Small Shop Dilemma

Small businesses (MSMEs) are worried. A small shop owner usually writes customer numbers in a notebook.

The Challenge: How does a small shopkeeper issue a “Privacy Notice” in English and Hindi?

The Risk: If they lose that notebook, or if an employee steals the customer list to start a rival shop, the owner is liable.

Visual Reality: Imagine a Kirana store owner looking confused at a legal document. The law is strict, but we hope the government will be lenient on small players.

Your Rights as a Digital Citizen

You are now a “Data Principal.” You have power.

Right to Know: You can ask Amazon or Swiggy: “What data do you have on me?” and “Who did you share it with?” They must answer.

Right to Delete: You can tell a company, “I stopped using your service. Delete my data.” They must erase it (unless the law says they must keep it for tax reasons).

Right to Nominate: Just like a bank nominee, you can nominate someone to handle your digital data if something happens to you.

Conclusion: A Safer Digital India

The DPDP Act, 2023 is a massive cleanup of the Indian internet.

  • For Business: It is time to stop being careless. Data is a liability, not just an asset.
  • For People: You have rights. If someone misuses your number or spams you, you can complain to the Data Protection Board.

By 2027, we expect a digital India where your privacy is respected, not just as a courtesy, but as the law.

Author Bio

Chartered Accountant by profession and founder of Brain Tax Consultancy. Expertise in GST consultancy and more than 10 banks' concurrent audit and stock audit.
