India DPDP Act
India Digital Personal Data Protection Act 2023
STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.
Jurisdiction
India
IN
Enacted
Aug 11, 2023
Effective
Nov 13, 2025
Enforcement
Data Protection Board of India (DPBI)
Phased implementation 12-18 months from November 2025
What It Requires
Who Must Comply
This law applies to:
- • Data Fiduciaries processing digital personal data in India
- • Foreign entities processing Indian residents' data
Who bears obligations:
Safety Provisions
- • Section 9: Children defined as under 18
- • Section 9: Verifiable parental consent MANDATORY before processing
- • Section 9: PROHIBITED—tracking, behavioral monitoring, targeted ads to children
- • Section 11: Right to object to automated decisions with significant effects
- • Section 8: Consent must be free, specific, informed, unconditional, unambiguous
- • DPIA for significant processing
- • Significant Data Fiduciary requirements (DPO, audits)
Compliance Timeline
Nov 13, 2025
Partial effect - key provisions take effect
May 13, 2027
Full implementation - all obligations enforceable
Enforcement
Enforced by
Data Protection Board of India (DPBI)
Penalties
INR 2.5B
Up to INR 250 crore (~$30M) per violation. No criminal penalties.
Quick Facts
- Binding
- Yes
- Mental Health Focus
- No
- Child Safety Focus
- Yes
- Algorithmic Scope
- Yes
Why It Matters
Strictest children's provisions in APAC. 1.4B population. Compliance extremely demanding for AI serving Indian minors.
Recent Developments
Implementation rules being drafted; 12-18 month rollout from November 2025. India confirmed no standalone AI law—regulates via DPDP and IP frameworks.
What You Need to Comply
You need: VERIFIABLE parental consent (not checkbox); NO tracking/behavioral monitoring/targeted ads for children; DPIA if significant.
NOPE can helpCite This
APA
India. (2023). India Digital Personal Data Protection Act 2023. Retrieved from https://nope.net/regs/in-dpdp
BibTeX
@misc{in_dpdp,
title = {India Digital Personal Data Protection Act 2023},
author = {India},
year = {2023},
url = {https://nope.net/regs/in-dpdp}
} Related Regulations
India Synthetic Media Rules
Would establish due diligence framework for synthetically generated information including labeling, traceability, and platform processes for handling synthetic media harms.
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.
Indonesia PP 17/2025
Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.
Indonesia UU PDP
Indonesia's comprehensive data protection law. Health and children's data = "specific personal data" with enhanced protections. Criminal penalties up to 6 years imprisonment.
Nepal AI Policy
Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.
Pakistan AI Policy
Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.