The Digital Personal Data Protection Act (DPDPA) is India's first comprehensive data protection law. It was passed by Parliament in August 2023 and gives every Indian citizen enforceable rights over how companies collect, store, use, and delete their personal data. Full enforcement begins in May 2027, and every app, website, and service that handles Indian users' data must comply. If you've ever wondered what happens to your data after you hand it over to an app, the DPDPA is the law that finally gives you the right to ask, and the right to demand answers.
Why the DPDPA Matters to You
Before the DPDPA, India had no dedicated law governing how private companies handle your personal data. The Information Technology Act, 2000 covered some aspects of digital security, but it was never designed to address the scale of modern data collection.
Today, the average Indian smartphone user has 40+ apps installed. Each of these apps collects some combination of your name, phone number, email, location, contacts, browsing history, payment information, biometric data, and behavioural patterns. Before the DPDPA, companies could do virtually anything with this data: sell it, share it, retain it indefinitely, or lose it in a breach, all with minimal legal consequences.
The DPDPA changes this. It establishes:
- Clear rules for how companies can collect and use your data
- Enforceable rights that you can exercise as a citizen
- Significant penalties for companies that violate these rules (up to 250 crore rupees per violation)
- A dedicated enforcement body (the Data Protection Board of India) to hear complaints and impose penalties
This is not a guideline or a recommendation. It is a law with real consequences.
Key Concepts in the DPDPA
The DPDPA introduces specific terminology. Understanding these terms will help you navigate your rights.
Data Principal (You)
In the DPDPA, you are the "Data Principal." This means you are the person whose data is being collected or processed. Every right in the DPDPA belongs to you as the Data Principal.
Data Fiduciary (The Company)
The company or organisation that collects and processes your data is the "Data Fiduciary." This includes every app on your phone, every website you create an account on, every service that asks for your personal information. The word "fiduciary" is intentional. It implies a duty of care and trust, similar to a financial fiduciary.
Significant Data Fiduciary
Some Data Fiduciaries handle data at such a large scale, or handle such sensitive data, that they are classified as "Significant Data Fiduciaries." These companies face additional obligations, including appointing a Data Protection Officer based in India, conducting regular data audits, and completing Data Protection Impact Assessments.
Personal Data
Any data that can identify you or is about an identifiable individual. This includes your name, phone number, email, Aadhaar number, location data, IP address, biometric data, financial information, health records, and even behavioural data like your browsing patterns or app usage history.
Consent
The DPDPA is built on consent. Companies can only process your personal data if you have given clear, informed, specific consent. Consent must be:
- Free: You cannot be forced or coerced into giving consent.
- Informed: You must be told exactly what data is being collected and why.
- Specific: Consent given for one purpose does not extend to other purposes.
- Unconditional: Companies cannot make their service conditional on you consenting to unrelated data collection. For example, a calculator app cannot require access to your contacts.
You can withdraw your consent at any time.
Your Rights Under the DPDPA
These are the rights you have as a Data Principal. They are enforceable by law.
1. Right to Information
You have the right to know:
- What personal data a company has collected about you
- Why it was collected (the specific purpose)
- Who it has been shared with (third parties, partners, advertisers)
- How long it will be retained
If you ask a company these questions, they are legally required to provide clear, complete answers.
2. Right to Correction and Erasure
You have the right to:
- Correct any inaccurate or misleading personal data a company holds about you
- Complete any incomplete data
- Erase your personal data when it is no longer needed for the purpose it was collected, or when you withdraw your consent
When you request erasure, the company must also instruct any third parties they shared your data with to erase it.
3. Right to Grievance Redressal
Every Data Fiduciary must provide a grievance redressal mechanism. If you have a complaint about how your data is handled, the company must:
- Acknowledge your complaint
- Provide a response within a defined timeframe
- Offer a clear resolution
If you are unsatisfied with the company's response, you can escalate your complaint to the Data Protection Board of India.
4. Right to Nominate
You can nominate another person to exercise your data protection rights on your behalf in the event of your death or incapacity. This is particularly relevant for digital estates and ensures your data rights don't disappear when you can no longer exercise them yourself.
What Companies Must Do Under the DPDPA
The DPDPA places specific obligations on every organisation that processes personal data of Indian citizens.
Obtain Lawful Consent
Before collecting any personal data, the company must present a clear, plain-language notice explaining:
- What data they are collecting
- The specific purpose for collecting it
- How you can withdraw consent
- How you can file a grievance
Consent buried in terms and conditions is not valid. The consent request must be prominent, understandable, and separate from other terms.
Purpose Limitation
Companies can only use your data for the exact purpose they stated when collecting it. If a food delivery app collects your location to deliver food, it cannot use that same location data to build a behavioural profile and sell it to advertisers. If they want to use your data for a new purpose, they must obtain fresh consent.
Data Minimisation
Companies must collect only the data that is genuinely necessary for the stated purpose. A messaging app that needs your name for a display name does not need your date of birth, home address, or employer name. Collecting excessive data is a violation.
Storage Limitation
Companies cannot retain your data indefinitely. Once the purpose for which the data was collected has been fulfilled, or once you withdraw consent, the data must be deleted. Companies must define and disclose their data retention periods.
Data Security
Companies must implement "reasonable security safeguards" to protect your data from breaches, leaks, and unauthorised access. The specific safeguards are not prescribed in detail (they will be elaborated in rules), but the obligation is clear: if a company collects your data, it is responsible for protecting it.
Breach Notification
If a data breach occurs, the company must notify both the Data Protection Board of India and the affected users. The notification must be prompt (specific timelines will be defined in the rules). Companies can no longer quietly cover up breaches.
Penalties for Violations
The DPDPA has teeth. The penalty structure is among the most significant in Asia:
| Violation | Maximum Penalty |
|---|---|
| Failure to take security safeguards leading to a data breach | ₹250 crore |
| Failure to notify the Board and affected users of a breach | ₹200 crore |
| Non-compliance with obligations regarding children's data | ₹200 crore |
| Failure to comply with Data Principal's rights requests | ₹50 crore |
| Other violations | ₹50 crore |
These penalties are per incident. A company that commits multiple violations faces cumulative penalties. For context, ₹250 crore is approximately $30 million USD, which is a significant deterrent even for large companies.
The Data Protection Board of India
The DPDPA establishes the Data Protection Board of India (DPBI) as the primary enforcement body. The Board's responsibilities include:
- Receiving and adjudicating complaints from Data Principals
- Investigating potential violations
- Imposing penalties
- Issuing directions to Data Fiduciaries
The Board functions as a digital tribunal. Complaints can be filed electronically, hearings are conducted virtually, and the Board is designed to be accessible to ordinary citizens, not just corporations with legal teams.
As of 2026, the Board is operational in a preliminary capacity, handling inquiries and establishing procedures ahead of full enforcement in May 2027.
What the DPDPA Does Not Cover
Understanding the limitations of the DPDPA is as important as understanding its protections.
Non-Digital Data
The DPDPA applies only to digital personal data and personal data that is collected offline but later digitised. Purely offline data handling (paper records that are never digitised) falls outside its scope.
Government Exemptions
The DPDPA provides exemptions for government agencies in certain situations, including national security, public order, and prevention of offences. These exemptions have been criticised by privacy advocates as being too broad, but they are part of the current law.
Non-Personal Data
Data that cannot identify you as an individual (aggregated statistics, anonymised datasets) is not covered. However, if "anonymised" data can be re-identified (a common problem in poorly anonymised datasets), it falls back under the DPDPA's scope.
Cross-Border Transfers
The DPDPA allows the government to restrict data transfers to specific countries through notification. As of 2026, no country has been blacklisted, but the provision exists for future use. Data can be transferred internationally unless the government specifically restricts a destination.
How to Exercise Your Rights (Practically)
Knowing your rights is one thing. Here's how to actually use them:
Step 1: Identify Who Has Your Data
Start with the apps on your phone. Every app you've created an account with has some of your personal data. Make a list of the major ones: social media, messaging, banking, shopping, food delivery, ride-hailing, health and fitness.
Step 2: Send a Data Request
Contact the company's Data Protection Officer or privacy team (their contact should be in their privacy policy). Request:
- A copy of all personal data they hold about you
- The purposes for which it's being processed
- Any third parties it has been shared with
- Their data retention period
You can send this as a simple email. There is no prescribed format. The company is legally required to respond.
Step 3: Request Correction or Deletion
If the data is inaccurate, request correction. If you no longer want the company to hold your data, request deletion. Specify clearly what you want corrected or deleted.
Step 4: Escalate If Necessary
If the company doesn't respond within a reasonable timeframe (30 days is a standard expectation), or if their response is inadequate, you can file a complaint with the Data Protection Board of India through their online portal.
How AirlockChat Approaches DPDPA Compliance
AirlockChat is built with data minimisation as a core architectural principle, not as a compliance checkbox. Here's what that looks like in practice:
Minimal Data Collection
When you verify on AirlockChat through DigiLocker, we receive only your verified first name and a masked document number (last 4 digits). We never receive your full Aadhaar number, address, date of birth, or full document photograph. We collect the minimum data needed for the platform to function and nothing more.
Clear Consent
The DigiLocker verification process includes an explicit consent screen operated by the government's own portal. You see exactly what data is being shared before you approve. Nothing happens without your clear, informed consent.
Defined Retention
If you delete your AirlockChat account, all personal data, including verification data, is purged within 30 days. We do not retain your data indefinitely. Your data exists on our servers only for as long as you choose to use the platform.
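The two practices above, minimal collection and a defined retention window, are easiest to see in code. The following is an added Python example written for this article, not AirlockChat's own code; the payload field names, the 12-digit sample document number and the account records are constructed for illustration and do not reflect DigiLocker's or any real provider's format. It keeps an allow-list of fields (everything not listed is dropped before storage), masks the document number to its last four digits, and purges accounts 30 days after a deletion request.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Allow-list of fields retained from a verification response. Everything else
# (full document number, address, date of birth, photo) is dropped before storage.
RETAINED_FIELDS = frozenset({"first_name", "document_number"})
MASK_KEEP_DIGITS = 4                         # keep only the last 4 digits
RETENTION_AFTER_DELETE = timedelta(days=30)  # purge window after account deletion


def mask_document_number(number: str, keep: int = MASK_KEEP_DIGITS) -> str:
    """Return the number with all but the last `keep` digits replaced by 'X'.

    Separators are stripped first so the stored form carries no formatting.
    Numbers too short to mask meaningfully are blanked entirely rather than
    stored almost in full.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= keep:
        return "X" * len(digits)
    return "X" * (len(digits) - keep) + digits[-keep:]


def minimise_verification(payload: dict) -> dict:
    """Keep only allow-listed fields from a verification payload; mask the document number."""
    kept = {k: v for k, v in payload.items() if k in RETAINED_FIELDS}
    if "document_number" in kept:
        kept["document_number"] = mask_document_number(kept["document_number"])
    return kept


@dataclass
class Account:
    user_id: str
    profile: dict
    deleted_at: datetime | None = None  # set when the user deletes the account


def accounts_due_for_purge(accounts: list[Account], now: datetime) -> list[Account]:
    """Accounts whose deletion request is at least RETENTION_AFTER_DELETE old."""
    return [
        a for a in accounts
        if a.deleted_at is not None and now - a.deleted_at >= RETENTION_AFTER_DELETE
    ]


def purge_due_accounts(accounts: list[Account], now: datetime) -> tuple[list[Account], list[str]]:
    """Drop due accounts with all their profile data; return (remaining, purged_ids)."""
    due_ids = {a.user_id for a in accounts_due_for_purge(accounts, now)}
    remaining = [a for a in accounts if a.user_id not in due_ids]
    return remaining, sorted(due_ids)


# Constructed sample payload; the field names are assumptions for illustration,
# not the response format of any real verification provider.
SAMPLE_PAYLOAD = {
    "first_name": "Asha",
    "last_name": "Example",
    "document_number": "1234 5678 9012",
    "date_of_birth": "1990-01-01",
    "address": "12 Example Road, Example City",
    "photo_base64": "...",
}

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed accounts: one deleted 45 days ago, one 19 days ago, one still active.
SAMPLE_ACCOUNTS = [
    Account("u1", minimise_verification(SAMPLE_PAYLOAD), deleted_at=NOW - timedelta(days=45)),
    Account("u2", minimise_verification(SAMPLE_PAYLOAD), deleted_at=NOW - timedelta(days=19)),
    Account("u3", minimise_verification(SAMPLE_PAYLOAD)),
]

if __name__ == "__main__":
    print("stored profile:", minimise_verification(SAMPLE_PAYLOAD))
    remaining, purged = purge_due_accounts(SAMPLE_ACCOUNTS, NOW)
    print("purged:", purged, "remaining:", [a.user_id for a in remaining])
```

The allow-list is the important design choice: a deny-list of "sensitive" fields silently retains anything a provider adds later, whereas an allow-list has to be changed deliberately before a new field is ever stored. Timestamps are compared in UTC so the 30-day window does not drift with server time zones.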
No Data Selling or Sharing
AirlockChat does not sell, share, or monetise your personal data. Your data is used for exactly one purpose: operating your account on the platform. It is not shared with advertisers, data brokers, or third-party analytics companies.
Grievance Mechanism
Our privacy policy includes clear contact information for data-related queries and complaints. If you have a concern about how your data is handled, you can reach us directly and receive a response.
Key Takeaways
The DPDPA gives every Indian citizen real, enforceable rights over their personal data for the first time. You have the right to know what data companies collect about you, the right to correct or delete it, and the right to complain if they don't comply. Companies face penalties of up to ₹250 crore for violations. Full enforcement begins in May 2027, but your rights exist now, and responsible companies are already complying. Understand your rights, exercise them, and choose services that treat your data with the respect the law demands.