India’s Data Privacy Law - Understanding DPDP Act, challenges and opportunities in the space | Episode 49
Figuring out where the combination of product + strong revenue model will lie will probably be the most challenging task of all
One of the most interesting conversations that I had a few days back revolved around data privacy and the business/product models around it. This episode of Indiafintech is, in a way, a continuation of that conversation.
There is a visible, palpable excitement and, dare I say, confusion in the Indian fintech ecosystem around what will eventually happen once the DPDP Act is enforced, how easy/difficult it is to build products around this and, most importantly, where/what the revenue model is here. We will discuss all this today! Treat this as an explainer of the Act as well as some discussion around opportunities in the space.
India took a landmark step toward digital sovereignty and individual privacy with the passage of the Digital Personal Data Protection (DPDP) Act, 2023. This long-awaited legislation lays the groundwork for a structured data protection regime in one of the world's largest and fastest-growing digital economies. More than just a compliance framework, the DPDP Act reflects India’s maturing digital governance narrative.
The Road to the DPDP Act
The roots of this Act can be traced back to the 2017 Supreme Court ruling in Justice K.S. Puttaswamy vs. Union of India, where the right to privacy was officially recognized as a fundamental right under Article 21 of the Constitution. Prior to this, India lacked a dedicated privacy law. Regulatory oversight was limited to the Information Technology (IT) Act, 2000, particularly Section 43A and the Sensitive Personal Data or Information (SPDI) Rules of 2011, both of which were inadequate in the age of platform-driven ecosystems and data capitalism.
Against the backdrop of growing digitization, increasing cyber threats, and rising concerns around surveillance, the Indian government finally enacted the DPDP Act in August 2023. This was a response not just to constitutional mandates, but also to the need for enabling trust in India’s booming digital economy. The act is yet to be notified and enforced.
Scope and Applicability
The DPDP Act has broad applicability, covering the processing of digital personal data:
Within India, where the data is either collected digitally or collected offline but subsequently digitized.
Outside India, where data is processed in relation to offering goods or services to individuals within India.
Interestingly, the Act does not apply to personal data processed for personal or domestic purposes, nor to data that is publicly available. This ensures that household-level data practices are exempt, while commercial and institutional processing is fully regulated.
Core Concepts and Definitions
Understanding the Act begins with three key terms:
A Data Principal refers to the individual whose personal data is being collected or processed.
A Data Fiduciary is the entity—typically a company or organization—that decides the “why” and “how” of processing that data.
A Data Processor works on behalf of a Data Fiduciary to process data but doesn’t decide the purpose or means.
This clarity of roles helps distribute accountability and streamline enforcement mechanisms.
Consent and "Legitimate Uses"
At the heart of the DPDP Act lies the principle of informed consent. No organization can process personal data without the express, clear, and affirmative consent of the data principal, except in certain well-defined scenarios.
These exceptions—termed "legitimate uses"—include:
Performance of state-mandated legal duties or functions.
Compliance with judicial orders or legal obligations.
Addressing emergencies like medical crises or natural disasters.
Consent must be free, informed, specific, and unambiguous, and must be provided via clear affirmative action. Importantly, individuals retain the right to withdraw consent at any time, and data fiduciaries are required to honor that request and cease processing unless required otherwise by law.
That right to withdraw consent at any time will mean a major increase in operational expense for all the data-heavy players, be it a fintech or a D2C company. This is also where a lot of VC-backable businesses will probably get built.
Rights of Data Principals
The DPDP Act grants substantive rights to individuals, placing them at the center of the data ecosystem.
The key rights provided for in the DPDP act are as follows -
Right to Access: Individuals can demand a summary of their personal data being processed, the identities of processors, and the purposes involved.
Right to Correction and Erasure: Individuals can request rectification of inaccurate or outdated information and ask for deletion of data no longer necessary.
Right to Grievance Redressal: Every fiduciary must provide a mechanism for handling user complaints and must respond within a prescribed time frame.
Right to Nominate: Recognizing life events like death or incapacity, the Act allows users to nominate someone to exercise their data rights in such situations.
These rights shift the power dynamic, enabling greater agency and control for users over their digital footprints. It also means that how a player identifies itself (as a Data Processor, a Data Fiduciary or a Data Principal) will greatly determine what its liabilities look like.
Responsibilities of Data Fiduciaries
Organizations, especially those processing large volumes of data, are bound by a robust set of obligations:
They must implement technical and organizational safeguards to prevent data breaches and unauthorized access.
They are required to ensure the accuracy and completeness of data, particularly when it is likely to be used to make decisions that affect individuals.
In case of a data breach, both the affected individual and the Data Protection Board of India must be notified promptly.
Consent withdrawal by a user must be respected unless the data is required to meet legal obligations.
This marks a shift from “data-as-asset” to “data-with-responsibility” in how companies interact with user information.
Given that there is talk of a regulator that will mostly be a fine-levying one, this role comes with a high degree of responsibility and a real probability of going rogue. There will be players who emerge to solve for this.
Special Protections for Children
Children’s data receives heightened protection under the DPDP Act. Anyone under the age of 18 is considered a child, and processing their data requires verifiable parental consent.
Moreover, the law prohibits any data processing that may cause harm to children—including behavioral tracking and targeted advertising. This is particularly relevant in the era of social media platforms and gaming apps where children's data is routinely collected and monetized.
Cross-Border Data Transfers
Unlike the European GDPR which uses an “adequacy” framework, the DPDP Act adopts a more sovereign-centric approach. Cross-border data flows are permitted by default, unless the central government notifies specific countries where data transfers are restricted.
This selective restriction model is likely aimed at balancing data localization needs with India’s ambitions to remain globally integrated in digital services and trade.
The Data Protection Board of India
To ensure enforcement, the DPDP Act sets up the Data Protection Board of India, an independent authority that will:
Monitor and ensure compliance with the Act.
Investigate data breaches and handle grievances.
Levy financial penalties on defaulters—potentially in crores.
Appeals against the Board’s decisions can be made to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). This gives the framework a proper judicial backing, moving beyond mere policy intent.
Comparison with the GDPR – How is DPDP different?
While inspired by global norms, particularly the European Union's GDPR, the DPDP Act reflects a distinctly Indian approach. The table below lists out the important differences -
The Indian model prioritizes administrative control and simplified compliance, while retaining user protection features inspired by global best practices.
Opportunities for Innovation and Building in the space
With its stringent obligations and user-centric principles, the DPDP Act creates fertile ground for entrepreneurs, technology providers, and consultants. Here are some high-potential areas for innovation:
1. Consent Management Platforms
Startups and SaaS providers can build elegant, multi-lingual tools that enable businesses to collect, manage, and revoke user consent across digital touchpoints.
2. Data Governance & Compliance Consulting
As organisations scramble to become compliant, there’s a significant opportunity for firms offering services such as data audits, process documentation, and privacy impact assessments.
3. Security & Privacy Tech
There’s demand for tools that facilitate encryption, tokenization, pseudonymization, and zero-trust architectures. Privacy-enhancing technologies will likely see a surge.
4. Training & Certification
Enterprises will need to educate employees and customers about their data rights and responsibilities. Training programs, privacy certifications, and workshops will be valuable services.
5. RegTech and Legal Tech Tools
Automated software solutions that help firms manage grievances, track data flows, monitor compliance KPIs, and integrate legal obligations into operational workflows can be transformative.
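To make the "Security & Privacy Tech" item above concrete, here is an added illustration (not code from this newsletter or from any of the players mentioned) of pseudonymization combined with erasure by key deletion, the technique often called crypto-shredding. It assumes a hypothetical fiduciary that stores event records under a pseudonym instead of a raw identifier, keeps one secret key per data principal in a separate key store, and answers a Right to Erasure request by deleting that key: the event rows stay where they are, but nothing can link them back to the individual any more. The class names, the event store and the sample phone numbers are all constructed for the example.

```python
"""Pseudonymization with per-principal keys and erasure by key deletion.

Added example, not the newsletter's or any vendor's code. Names such as
PseudonymVault, EventStore and the sample events below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample events, as they might reach a fiduciary's analytics
# pipeline: (raw identifier of the data principal, event name).
SAMPLE_EVENTS = [
    ("+91-9000000001", "app_open"),
    ("+91-9000000001", "loan_offer_viewed"),
    ("+91-9000000002", "app_open"),
]


class PseudonymVault:
    """One random 256-bit key per data principal, held in a store kept apart
    from the records. Possessing the key is what makes a pseudonym linkable,
    so deleting the key is what makes the records unlinkable."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_exists(self, principal_id: str) -> bool:
        return principal_id in self._keys

    def pseudonym(self, principal_id: str, purpose: str, create: bool = True) -> Optional[str]:
        """Derive a stable pseudonym for this principal and purpose.

        HMAC over the purpose label lets different record types ("events",
        "kyc") share one key while keeping their pseudonyms distinct.
        Returns None when no key exists and create is False, which is the
        state after erasure.
        """
        key = self._keys.get(principal_id)
        if key is None:
            if not create:
                return None
            key = secrets.token_bytes(32)
            self._keys[principal_id] = key
        return hmac.new(key, purpose.encode("utf-8"), hashlib.sha256).hexdigest()

    def erase(self, principal_id: str) -> bool:
        """Crypto-shred: drop the key. Returns False if nothing was held."""
        return self._keys.pop(principal_id, None) is not None


class EventStore:
    """Append-only store that never sees the raw identifier, only the pseudonym."""

    PURPOSE = "events"

    def __init__(self, vault: PseudonymVault) -> None:
        self.vault = vault
        self.rows: List[Tuple[str, str]] = []  # (pseudonym, event name)

    def record(self, principal_id: str, event_name: str) -> None:
        self.rows.append((self.vault.pseudonym(principal_id, self.PURPOSE), event_name))

    def events_for(self, principal_id: str) -> Optional[List[str]]:
        """Right to Access: re-derive the pseudonym and collect matching rows.
        Returns None once the principal's key has been erased."""
        pseudonym = self.vault.pseudonym(principal_id, self.PURPOSE, create=False)
        if pseudonym is None:
            return None
        return [event for (stored, event) in self.rows if stored == pseudonym]


def demo() -> Dict[str, object]:
    """Record the sample events, erase one principal, and report what is left."""
    vault = PseudonymVault()
    store = EventStore(vault)
    for principal_id, event_name in SAMPLE_EVENTS:
        store.record(principal_id, event_name)
    before = store.events_for("+91-9000000001")
    erased = vault.erase("+91-9000000001")
    after = store.events_for("+91-9000000001")
    return {
        "before_erasure": before,       # ['app_open', 'loan_offer_viewed']
        "erased": erased,               # True
        "after_erasure": after,         # None: rows exist but cannot be linked
        "rows_retained": len(store.rows),  # 3, nothing was rewritten
        "other_principal": store.events_for("+91-9000000002"),  # ['app_open']
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would raise before treating this as a complete erasure story: the retained rows must not carry any other direct identifier (a raw phone number in a free-text field defeats the scheme), and every copy of the key store, including backups, has to honour the deletion, or the data is only forgotten until the next restore.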
Below are some of the players in the space at various stages of product/revenue growth.
What’s next?
The Digital Personal Data Protection Act, 2023, is more than a legislative milestone—it is India’s digital maturity statement to the world. It seeks to harmonize user privacy with innovation, individual rights with national interest, and digital empowerment with accountability.
As India’s digital economy continues to grow—expected to surpass $1 trillion in value by the end of the decade—the DPDP Act will serve as both a guardrail and an enabler. For entrepreneurs, enterprises, and citizens, the next few years will define how privacy transforms from a compliance checkbox to a competitive advantage.
For investors like us, figuring out where the combination of product + strong revenue model will lie will probably be the most challenging task of all. Deleting one’s digital footprint is not an easy thing to do engineering-wise, and there are still discussions around how long it will actually take, and what resources, for a firm to delete/forget everything. Then there’s the question of who will pay for these services. There are some unknown variables here which need to be ironed out before investors jump in.
Exciting times ahead for sure!
We are keenly exploring this space at UNLEASH and would love to talk to you or your known ones, if they are building in the space. Reach out to me at abhishek.kumar@unleashcp.com
Disclaimer – The views presented here are my own and don’t reflect the views of my employer in any way, and they shouldn’t be construed as such in any way whatsoever.