Skip to main content

DPDP guide (India)

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's flagship privacy law. If your website serves visitors in India, the DPDP Act likely applies to your business.

Who's affected

The DPDP Act applies if:

You process the personal data of people in India.

You offer goods or services to people in India, even from outside the country.

You operate a website that Indian residents can use, where any personal data is collected.

In practice, almost every website with Indian visitors has DPDP considerations.

Key terms

Data Principal. The individual whose personal data is being processed (similar to "data subject" under GDPR).

Data Fiduciary. The business or organization that decides how personal data is processed (similar to "controller" under GDPR).

Significant Data Fiduciary. A business handling large volumes of sensitive data, with extra obligations.

What the DPDP Act expects

A few rules that matter most for cookies and tracking:

Consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes don't count. Visitors must actively choose.

A clear notice before consent. Visitors must be told what data is being collected and why, in plain language, and in their preferred Indian language where required.

Withdrawable easily. Visitors must be able to withdraw consent just as easily as they gave it.

Special protection for children. Anyone under 18 needs verifiable parental consent before their personal data is processed.

Specific purposes only. You can't repurpose data the visitor consented to for one thing into something else without fresh consent.

Rights for Data Principals. Visitors have the right to access their data, correct or update it, request erasure, nominate someone in the event of death or incapacity, and seek grievance redressal.

Penalties. Non-compliance can lead to penalties up to ₹250 crore (around $30 million USD).

How One Privacy helps

Opt-in banner with clear notice. Accept All, Reject All, and Manage Settings clearly visible. Visitors decide before any non-essential cookie runs. See Visibility settings.

Granular categories. Visitors can accept some categories and reject others. See Cookie settings popup.

Easy withdrawal. The persistent floating button lets visitors reopen their preferences any time. See Floating cookie settings button.

Local language support. Add Indian languages so the consent experience reads naturally for every visitor. See Multilingual banners.

Audit trail. Every consent decision is recorded with timestamps, regions, and category states, ready for any DPDP enquiry. See Consent audit overview.

Geo-aware targeting. Show a DPDP-aligned banner specifically to Indian visitors. See Creating a geo rule.

What's still on you

One Privacy handles the consent layer. To round out your DPDP compliance, your business also needs:

A documented process for handling Data Principal requests (access, correction, erasure, grievance redressal) within the legal timeframe.

A grievance officer designated and contactable, with response timelines that meet the Act.

For Significant Data Fiduciaries: a Data Protection Officer, Data Protection Impact Assessments, and additional reporting.

A process for breach notification to the Data Protection Board of India and affected Data Principals.

If you transfer data outside India, alignment with the cross-border transfer rules the government issues.

Your legal team can help with these pieces.

What's next

GDPR guide.

CCPA / CPRA guide.

Multilingual banners.

Creating a geo rule.