If you use a smartphone in India — and 750 million of us do — your personal data has been collected, traded, and analysed for years with very little legal protection. That changed with the Digital Personal Data Protection Act, 2023 (commonly called the DPDP Act), which establishes the first comprehensive framework for how Indian companies and government bodies must handle your data.
Here is what you actually need to know.
What counts as “personal data”?
The Act defines personal data broadly: anything that can identify you. Your name, phone number, Aadhaar, email, location, photographs, biometric data, financial transactions, even your search history — all of it is protected.
The six rights you now have
The DPDP Act gives every Indian “Data Principal” (that’s you) six core rights:
1. Right to be informed. Companies must tell you, in plain language, what data they are collecting and why.
2. Right to access. You can ask any company to show you a summary of the personal data it holds about you.
3. Right to correction and erasure. If your data is wrong, you can demand it be corrected.
4. Right to nominate. You can appoint a person to exercise your rights if you die or become incapacitated.
5. Right to grievance redressal. Every company must have a Grievance Officer who must respond within a fixed time frame.
6. Right to withdraw consent. Consent given today can be withdrawn tomorrow, and the company must stop processing your data once you do.
What companies must now do
Any business that handles your personal data — called a “Data Fiduciary” — must take consent before collecting it, must collect only what it actually needs, and must delete it once the purpose is served. Penalties for violations are steep: up to ₹250 crore for failing to prevent a data breach.
Children’s data: a special category
Anyone under 18 is treated as a “child” under the Act. Companies cannot process a child’s data without verifiable parental consent, cannot track children, and cannot serve targeted advertising to them.
What you can do today
Three practical steps: First, when an app asks for permission to access your contacts, camera, or location, ask yourself: does this app actually need this to function? If not, deny. Second, periodically review what apps you have granted permission to in your phone’s privacy settings. Third, if a company refuses to delete your data, file a complaint with their Grievance Officer.
The DPDP Act is not perfect. But for the first time, Indian citizens have a legal handle to push back on the data economy. Use it.
Sources: Ministry of Electronics and Information Technology; full text of the DPDP Act, 2023.