India DPDP Act

India Digital Personal Data Protection Act 2023

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

Jurisdiction

India

Enacted

Aug 11, 2023

Effective

Nov 13, 2025

Enforcement

Data Protection Board of India (DPBI)

Phased implementation 12-18 months from November 2025

MeitY

Why It Matters

Strictest children's provisions in APAC. 1.4B population. Compliance extremely demanding for AI serving Indian minors.

Recent Developments

Implementation rules being drafted; 12-18 month rollout from November 2025. India confirmed no standalone AI law—regulates via DPDP and IP frameworks.

At a Glance

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data Fiduciaries processing digital personal data in India
Foreign entities processing Indian residents' data

Obligations fall on:

Safety Provisions

Section 9: Children defined as under 18
Section 9: Verifiable parental consent MANDATORY before processing
Section 9: PROHIBITED—tracking, behavioral monitoring, targeted ads to children
Section 11: Right to object to automated decisions with significant effects
Section 8: Consent must be free, specific, informed, unconditional, unambiguous
DPIA for significant processing
Significant Data Fiduciary requirements (DPO, audits)

Compliance & Enforcement

Key Dates

Nov 13, 2025

Partial effect - key provisions take effect

May 13, 2027

Full implementation - all obligations enforceable

Penalties

INR 2.5B

Primary Source

MeitY

https://www.meity.gov.in/data-protection-framework

View on map

India

Focus Areas

Child safety

Algorithmic accountability

Active safeguards required

Compliance Help

Requires VERIFIABLE parental consent (not checkbox); NO tracking/behavioral monitoring/targeted ads for children; DPIA if significant.

See how NOPE helps

Cite This

APA

India. (2023). India Digital Personal Data Protection Act 2023.

Related Regulations

Proposed IN

India Synthetic Media Rules

Would establish due diligence framework for synthetically generated information including labeling, traceability, and platform processes for handling synthetic media harms.

In Effect BN

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect ID

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect ID

Indonesia UU PDP

Indonesia's comprehensive data protection law. Health and children's data = "specific personal data" with enhanced protections. Criminal penalties up to 6 years imprisonment.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect NP

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.