Read this carefully
This is an informational explainer, not legal advice. As of April 16, 2026, the DPDP Act is not fully operational in one single block. The official commencement notification dated November 13, 2025 brings different sections into force on different timelines.
India's Digital Personal Data Protection Act, 2023 is the country's main personal data law for digital personal data. But the most important practical point for users is this: the Act exists, yet the legal system is still rolling its core rights and obligations into force in phases.
Status snapshot
The official commencement notification published on November 13, 2025 says some provisions took effect immediately, some after one year, and many core sections including sections 3 to 17 are scheduled to come into force eighteen months from publication. That means several headline privacy rights people talk about are framework rights today, not all fully live rights yet.
What is the DPDP Act meant to do?
At a high level, the Act creates the legal framework for how digital personal data should be collected, used, protected, corrected, and erased in India. It covers digital personal data, including data collected online and some offline data that is later digitized.
The Act uses its own terminology. A person whose data is being used is called a Data Principal. The organization deciding why and how that data is processed is a Data Fiduciary. In everyday language, that usually means you and the company, app, platform, employer, service provider, or institution handling your digital personal data.
What rights does the Act create?
Once the relevant substantive sections are in force, the Act creates a set of rights and processes for Data Principals. In simplified terms, the best-known ones include:
Right to clear notice and consent structure
The law builds around notice, consent, and specific recognized grounds for processing. The idea is that people should know what data is being used and why.
Right to ask what personal data is being processed
The Act creates access-related rights that, once operative, allow a Data Principal to seek information about personal data and how it is being used.
Right to correction, completion, updating, and erasure
Section 12 of the Act creates the main correction and erasure framework, subject to lawful retention needs and the structure of the Act.
Right to grievance redressal
The Act creates a mechanism under which a person should first use the Data Fiduciary's grievance route before escalating further under the Act's framework.
Right to nominate another person
The Act also creates a nomination concept, so a person can nominate someone to exercise rights in certain circumstances like death or incapacity.
What does the law expect from organizations?
Again, once the relevant provisions commence, the Act expects Data Fiduciaries to do more than simply publish a vague privacy policy. In practical terms, the framework expects them to:
- process data only on legally recognized grounds under the Act;
- give notice in a clear format;
- protect personal data with reasonable security safeguards;
- delete data when purpose is complete unless retention is legally required; and
- follow additional duties where children or certain notified classes are involved.
Why this matters
The biggest shift is not just "privacy policy language." The Act is meant to move India toward a rights-and-obligations model for digital personal data, with formal accountability and penalties in the background.
What changed on November 13, 2025?
The official Gazette notification dated November 13, 2025 did not switch on the entire Act at once. It created three commencement buckets:
- Immediate commencement on publication: section 2, sections 18 to 26, section 35, sections 38 to 43, and parts of section 44, along with section 1(2).
- One-year commencement: section 6(9) and section 27(1)(d).
- Eighteen-month commencement: sections 3 to 5, most of section 6, sections 7 to 17, most of section 27, sections 28 to 34, sections 36 and 37, and part of section 44.
That eighteen-month bucket is especially important because it includes many of the sections people normally associate with notice, consent, and Data Principal rights. So if someone tells you "all your DPDP rights are already fully live today," that is too simplistic.
What should users do right now?
Even during a phased rollout, you should still treat privacy notices and grievance channels seriously. Good practical steps include:
- read the app or platform privacy notice before sharing sensitive information;
- use official in-app or company grievance channels and keep screenshots or email records;
- avoid sharing excessive KYC, financial, medical, or family documents where unnecessary;
- watch for updated privacy notices as providers adjust to the Act and future rules; and
- track official notifications instead of relying on social media summaries.
Practical reality
During this transition period, privacy complaints may still involve a mix of sector-specific rules, contractual terms, consumer law, platform grievance systems, and evolving DPDP compliance steps. The official notifications matter as much as the Act text itself.
What about children's data?
The Act gives special attention to the processing of children's personal data and creates higher obligations in that area. The detailed operational picture also depends on the relevant sections and rules coming into force. If a service is aimed at or widely used by children, its compliance burden is likely to be much higher than an ordinary "accept all cookies" approach.
Official sources
Trust & Safety
How KanoonPilot handles privacy, safety, and sensitive documents.
FAQs
Read more about how legal information and privacy are handled on the site.
More Guides
Explore more practical legal explainers written in plain language.