India's DPDP Act: what it actually means for your personal data
India's Digital Personal Data Protection Act began its phased rollout in 2025. Here is what is in force, what is not, where it sits between GDPR and CCPA, and why CERT-In quietly complicates everything.
India's Digital Personal Data Protection Act (DPDP) is the country's first horizontal privacy law, and as of early 2026 it is partly in force, partly scheduled for later phases under the implementing rules, and partly still being argued about in trade press. The phased rollout is deliberate: the government has spent the last twelve months turning a short statute into a working compliance regime without breaking a digital economy that touches a billion people. The interesting parts, for users and for VPN providers, are in the gaps between phases.
If you have read GDPR or CCPA, DPDP will feel familiar in shape and unfamiliar in detail. It is broader than CCPA, narrower than GDPR on certain points, and unique in at least one direction — its breach notification rule is unusually strict.
The phased timeline
- 2023: DPDP Act passed by Parliament.
- 2025: phased commencement begins with the notification of the implementing rules. Definitions, the constitution of the Data Protection Board, and its procedures enter force first; the substantive obligations on "data fiduciaries" are deferred to the later phases.
- November 2026: consent managers — a uniquely Indian innovation — begin formal registration with the Board. These are the regulated intermediaries that will sit between users and data fiduciaries to manage consent at scale.
- 13 May 2027: full compliance deadline. Every obligation, including the rules around significant data fiduciaries, cross-border transfer notifications, and grievance redressal SLAs, applies.
In practice, large Indian tech platforms have been operating as if the law is fully live since mid-2025. The phased clock is mostly relevant for medium-sized businesses and for foreign companies trying to figure out when they are formally on the hook.
How it compares to GDPR and CCPA
DPDP is broader than CCPA in three meaningful ways. It applies to all digital personal data, not only the data of consumers of businesses above a revenue or volume threshold. Its rights (access, correction, erasure, grievance redressal) belong to every data principal rather than being built around an opt-out of sale. And it imposes affirmative obligations on data fiduciaries to maintain data quality and security whether or not a user ever complains.
It is narrower than GDPR in three ways too. There is no statutory right to data portability in the European sense. The legal bases for processing are simpler: consent, or a small set of "legitimate uses" listed in Section 7. And the Board is an administrative body, not a court: penalties are monetary, capped at 250 crore rupees per instance for the most serious category (failing to take reasonable security safeguards), with lower caps for other contraventions and no criminal exposure under the Act.
Where DPDP is genuinely sharper than either is breach notification. Under GDPR the controller must notify the supervisory authority unless the breach is unlikely to result in a risk to individuals, and must notify the individuals themselves only when the breach is likely to result in a high risk. DPDP requires notification of every personal data breach to both the affected user and the Board, regardless of the assessed risk. This is a deliberate calibration on India's part: the assumption is that risk is hard to assess in advance, and silence is not a safe default.
What rights you actually have
DPDP gives every user — called a "data principal" in the statute — the same core toolkit you would expect:
- Right to access: request a summary of what personal data is being processed, by whom, and for what purpose.
- Right to correction: have inaccurate data corrected and incomplete data completed.
- Right to erasure: have personal data deleted once the purpose for which it was collected has been fulfilled, with limited exceptions for legal compliance.
- Right to grievance redressal: a regulated complaint process directly with the data fiduciary, escalating to the Board if unresolved.
- Right to nominate: name another person to exercise these rights on your behalf in case of death or incapacity. Quietly one of the most thoughtful provisions in the statute.
Children's data — defined as anyone under 18 — gets additional protection. Verifiable parental consent is required, and behavioural tracking and targeted advertising aimed at minors are flatly prohibited. The verification mechanism is one of the things consent managers will operationalise from late 2026.
The CERT-In complication
Here is where things get awkward, particularly for VPN providers. In April 2022, more than three years before DPDP's first provisions came into force, the Indian Computer Emergency Response Team issued a directive requiring VPN, VPS, and cloud providers to retain detailed customer records for five years. The directive predates DPDP and was not repealed when DPDP passed. The two regimes coexist, and they pull in opposite directions.
DPDP says: minimise personal data, retain only as long as necessary, delete on request. CERT-In says: keep five years of customer name, address, contact details, IP allocation history, and purpose-of-use logs, ready for production within a "reasonable" period. The Indian government's public position is that the two are reconcilable because CERT-In data is collected under a statutory exception. Industry's position, broadly, is that the exception is being asked to do a lot of work.
The practical outcome since 2022 is that nearly every VPN provider with a publicly audited no-logs policy — including us — has either pulled physical infrastructure out of India or moved to a model where the Indian-region exit nodes are operated by partners under terms that CERT-In has accepted. We have written about our own arrangement separately. The short version: our routing fabric is Panama-domiciled, our authentication is logless, and traffic destined for Indian sites either egresses outside India or transits a partner who maintains the records CERT-In requires without surfacing them to us.
What this means for you in practice
For Indian users, DPDP is a real tool. The Board is functioning, complaints are being filed, and the early enforcement actions in 2025 against payment-app fiduciaries set a useful tone. If a service is mishandling your data, the grievance path now exists. Use it. The Board has been receptive to well-documented complaints and impatient with stonewalling.
For users outside India who route traffic through Indian VPN exits, the picture is murkier. CERT-In retention applies to the operator of the exit node, not to you, but a record of your session metadata exists with that operator for five years. If India is not the country you actually want to appear from, choose a different region. We are explicit about which exits are partner-operated and which are not, and we publish that map.
Where the law goes from here
Three things to watch through 2026 and 2027. First, the consent-manager rules — the implementation detail will determine whether this becomes a useful piece of privacy infrastructure or a compliance veneer. Second, cross-border transfer rules: DPDP gives the government discretion to designate "blacklisted" countries for transfers, and the first list has not yet been published. Third, the relationship between DPDP and the long-promised replacement for CERT-In's 2022 directive. A reconciliation is overdue, and we are watching it as closely as anyone.
Frequently asked
Does DPDP apply to me if I am not in India?
It applies to digital personal data processed within India, and to processing outside India when it is connected with offering goods or services to people in India, regardless of where the company doing the processing is based. If you are not in India and the service is not targeting you, DPDP does not directly grant you rights, but a service that complies with DPDP for its Indian users will usually extend similar processes globally.
Can I sue a company under DPDP?
No. DPDP is enforced by the Data Protection Board through administrative action, not by private lawsuits. You file a grievance with the company first, then escalate to the Board.
Is the CERT-In log retention rule enforced against individual VPN users?
No. The obligation falls on the VPN provider operating Indian infrastructure; no retention duty falls on users. The relevant question for you is which VPN regions you trust, not which laws apply to you personally.