DPDP Act 2023 Enforcement – First Penalties under India’s New Data Law: What Startups Got Wrong in Year 1

The Digital Personal Data Protection Act, 2023 (DPDP Act), is India’s first comprehensive data privacy legislation, a significant step towards recognising privacy as a fundamental right by imposing obligations on platforms that process digital personal data. It was enacted on 11th August 2023 and published in the Gazette of India. The DPDP Rules, 2025, were notified by the Ministry of Electronics and Information Technology (MeitY) on 13th November, 2025 (G.S.R. 846(E)). The implementation began immediately, and the provisions related to establishing the functioning of the Data Protection Board of India (DPBI) became effective on 13th November, 2025. The provision of the Consent manager will take effect one year later ( i.e., November 13, 2026), and complete obligations will apply from 13th May, 2027 (18 months from notification), which gives a preparation window of 18 months. As of mid 2026, DPBI is operational, and a framework exists with the complaint mechanisms, but any major penalties have not been imposed yet. The scrutiny on the organizations has been growing as in the early enforcement stages. In further days, penalties can reach up to 250 crore rupees per violation.