
    DPDP Act 2023 and DPDP Rules 2025: Why Indian Companies Must Update Their Privacy Policy Now

    By Draftlo Team · 21 April 2026

    The Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the DPDP Rules, 2025 represent the most significant overhaul of India’s data protection regime in over a decade. Together, they form the cornerstone of India’s data protection law and establish a comprehensive, rights-first framework that every business operating in India must now reckon with. While full enforcement is scheduled for May 2027, businesses that treat this as a distant deadline will find themselves behind — operationally, legally, and reputationally.

    Updating your privacy policy under the DPDP Act is not just compliance hygiene. It is a strategic imperative — and the foundation on which every other DPDP compliance obligation will eventually rest.

    1. What Has Changed: SPDI Rules vs DPDP Act — India’s New Data Protection Framework

    India’s data protection framework has moved from a principle-light regime under the Information Technology Act, 2000 and the SPDI (Sensitive Personal Data or Information) Rules, 2011 to a comprehensive, rights-based law modelled on global standards. The DPDP Act, 2023 introduces foundational concepts including Data Fiduciaries, Data Principals, valid consent, purpose limitation, data minimisation, breach notification, and significant penalties of up to INR 250 crore per instance of non-compliance.

    The DPDP Rules, 2025, notified by the Ministry of Electronics and Information Technology (MeitY), operationalise the Act. They prescribe the form and content of consent notices under DPDP, standards for consent management in India, requirements for data breach notification to the Data Protection Board of India, timelines for grievance redressal, obligations on children’s data, and additional duties for Significant Data Fiduciaries. In plain terms, the Rules convert the Act’s broad obligations into enforceable checklists that your privacy policy must reflect.

    What Were the SPDI Rules, and How Do They Compare?

    The SPDI Rules were notified in 2011 under Section 43A of the Information Technology Act, 2000, and governed the handling of personal data by body corporates in India for over a decade. In substance, they focused narrowly on a defined category of sensitive data: passwords, financial information, physical and mental health conditions, sexual orientation, medical records, and biometric data.

    Body corporates were required to publish a privacy policy, obtain written consent before collection, limit use to the stated purpose, maintain reasonable security practices (such as IS/ISO/IEC 27001 compliance), and appoint a grievance officer. However, the SPDI Rules were thin on Data Principal rights, carried no meaningful penalty regime beyond civil damages under Section 43A, and did not address modern realities such as algorithmic processing, cross-border data transfers outside India, consent withdrawal, children’s data protection, or data breach notification timelines.

    The DPDP Act, 2023 read with the DPDP Rules, 2025 replaces this light-touch regime entirely. Understanding the contrast between the SPDI Rules and the DPDP Act is the essential starting point for any honest privacy compliance gap analysis.

    2. Is Your Privacy Policy DPDP Compliant? Why Most Existing Policies Fall Short

    Most privacy policies in India today were drafted under the SPDI Rules and reflect that older, narrower standard. If you have not revisited yours recently, the answer to the question “is my privacy policy DPDP compliant?” is almost certainly no. Here are the most common gaps.

    • Notice standards: The DPDP Act requires a clear, itemised consent notice under DPDP in plain language, available in English and any of the 22 languages listed in the Eighth Schedule of the Constitution. Most existing policies are dense, jargon-heavy, and English-only — a direct non-compliance.
    • Consent architecture: Consent must be free, specific, informed, unconditional, unambiguous, and capable of being withdrawn as easily as it was given. Bundled consents, pre-ticked boxes, and implied acceptance clauses are no longer valid. Effective consent management in India under DPDP demands a granular, purpose-by-purpose architecture.
    • Data Principal rights in India: Users now have statutory rights to access, correction, erasure, grievance redressal, and nomination of a representative. Your privacy policy must clearly describe how each right can be exercised, along with turnaround timelines.
    • Purpose specification: Data must be processed only for the specific purpose disclosed at the time of collection. Catch-all phrases like “for business purposes” or “to improve our services” are no longer legally defensible.
    • Children’s data protection in India: Verifiable parental consent is mandatory for users under 18 years of age, along with strict restrictions on behavioural tracking and targeted advertising directed at children.
    • Grievance officer under DPDP: Contact details of a named grievance officer — and a Data Protection Officer where the entity qualifies as a Significant Data Fiduciary — must be published prominently in the privacy policy.
    • Cross-border data transfers from India: Transfers of personal data outside India are subject to government notifications specifying restricted jurisdictions. Your policy must name destination countries and the legal basis for each transfer.

    3. Your DPDP Compliance Checklist: A Privacy Policy Update Is Necessary, But Not Sufficient

    This is the part most businesses get wrong. Refreshing the privacy policy on your website is the visible, public-facing piece of DPDP compliance — and it is non-negotiable. But on its own, it is nowhere near enough. A compliant policy sitting on top of non-compliant data practices is a liability, not a shield.

    To build genuine DPDP readiness in India, the privacy policy must be supported by a broader DPDP compliance checklist that covers:

    • A data inventory and mapping exercise across every system that touches personal data — including third-party processors and SaaS vendors.
    • Revised consent management platforms capable of granular capture, timestamped storage, and one-click withdrawal.
    • Updated vendor and processor contracts with DPDP-aligned data processing clauses, including data breach notification obligations under DPDP.
    • Internal policies on retention schedules, deletion protocols, breach response, and access controls.
    • Training programmes for employees, particularly customer-facing and engineering teams who handle personal data.
    • A documented grievance redressal mechanism with clear SLAs and a named grievance officer under DPDP.
    • A published privacy policy that accurately reflects all of the above — in plain language, in the required languages, with the required disclosures.

    While the policy is not the whole answer, it is unquestionably a critical starting point. It is the document that regulators, investors, enterprise customers, and Data Principals will look at first — and often, it is the only document they will read.

    4. DPDP Act Enforcement Date India: Why Waiting Until May 2027 Is a Mistake

    The DPDP Act enforcement date in India is May 2027. That date has lulled many businesses into a false sense of having ample time. Here is why DPDP readiness in India cannot wait until 2027.

    a) Compliance Cannot Be Retrofitted Overnight

    Data mapping, consent re-capture, vendor renegotiation, and engineering changes typically take 9 to 18 months for mid-sized companies. DPDP compliance for startups in India is no different: a privacy policy drafted in April 2027 cannot be operationalised by 1 May 2027. Starting now gives you the runway to test, fix, and iterate.

    b) Investor and Enterprise Customer Due Diligence Is Already Happening

    Fundraising rounds, M&A processes, and B2B procurement cycles increasingly include DPDP readiness as a diligence checklist item. A non-compliant or outdated privacy policy can stall a deal, shave valuation, or cost you a contract — well before May 2027.

    c) Consumer Trust Is a Competitive Moat

    Indian consumers are becoming measurably more privacy-aware. A clear, plainly written, DPDP-aligned privacy policy signals maturity and earns trust, which converts directly into higher opt-in rates, lower churn, and better brand equity.

    d) Existing Obligations Under the IT Act Still Apply

    The SPDI Rules, 2011 and Section 43A of the IT Act are in force right now. Many privacy policies are already outdated against this lower baseline. Addressing DPDP compliance now lets you close legacy gaps in the same exercise.

    e) The Data Protection Board of India Is Expected to Be Active from Day One

    Unlike some regulators who adopt a soft-launch approach, the Data Protection Board of India is expected to commence adjudicatory functions immediately upon the Act’s enforcement. Complaints filed on 1 May 2027 can trigger formal investigations and DPDP penalties from that date. There will be no grace period for organisations that chose to wait.

    f) DPDP Penalties Are Severe and Tiered

    Financial penalties under the DPDP Act are among the steepest in India’s regulatory landscape:

    • Up to INR 250 crore for failure to implement reasonable security safeguards leading to a personal data breach.
    • Up to INR 200 crore for breaches involving children’s data or failure to comply with children’s data protection obligations under DPDP.
    • Up to INR 150 crore for failure to comply with additional obligations applicable to Significant Data Fiduciaries.
    • Up to INR 50 crore for failure to meet Data Principal rights obligations or grievance redressal requirements.

    Critically, these are per-instance penalties, not aggregate annual caps. For most Indian SMEs and startups, a single breach against a backdrop of a non-compliant privacy policy could be existential.

    5. India Data Protection Law 2026: The Bottom Line for Businesses

    Privacy is no longer a back-office compliance line item. It is board-level governance, investor diligence, and customer-facing trust rolled into one. The DPDP Act, 2023 and the DPDP Rules, 2025 are fundamentally reshaping what Indian businesses must disclose, capture, store, share, and delete.

    Yes, enforcement begins in May 2027. No, that does not mean you have two years to start. Diligence deals are happening today. Customer onboarding checklists reference DPDP readiness today. A modern, plain-language, DPDP-aligned privacy policy is the cheapest, fastest, and most visible signal of compliance intent.

    Start now. Audit what you collect, rewrite your consent notice, publish it in plain language, and build the operational machinery behind it. In May 2027, the businesses that began their DPDP compliance programme in 2025 and 2026 will be the ones that sleep soundly.

    This article is for general information only and does not constitute legal advice. Businesses should consult qualified legal counsel for advice tailored to their specific operations, data processing activities, and jurisdictional requirements.
