Your Data Privacy Rights Under the DPDP Act 2023

Veritect Legal Intelligence

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), every Indian citizen has the right to know what personal data is being collected about them, the right to give or withdraw consent, the right to correct or erase their data, and the right to file complaints if their data is misused. The DPDP Act applies to all digital personal data processed in India, whether by Indian companies or foreign companies offering services to Indian users. Companies that violate your data rights face penalties of up to Rs 250 crore.

Why this matters

Every time you download an app, sign up for a service, shop online, or use social media, you share personal data — your name, phone number, email, location, browsing history, financial details, and health information. Until the DPDP Act, India had no comprehensive law governing how companies collect, use, store, and share this data. The Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017) declared privacy a fundamental right under Article 21 of the Constitution, and the DPDP Act translates that right into specific, enforceable protections for every citizen.

Your rights under the DPDP Act

1. Right to informed consent (Sections 5 and 6)

No company can process your personal data without your consent. Before collecting your data, the company must give you a clear notice explaining:

  • What personal data they will collect
  • Why they need it (the specific purpose)
  • How long they will keep it
  • Whether they will share it with anyone else

Your consent must be "free, specific, informed, unconditional, and unambiguous" — a buried checkbox in a 50-page terms of service does not qualify.

In practice: When an app asks for permissions, read what it is asking for. If a torch app wants access to your contacts and camera, that is not a legitimate purpose. You have the right to refuse consent for any purpose you are not comfortable with.

2. Right to withdraw consent (Section 6(4))

You can withdraw your consent at any point. Once you withdraw, the company must stop processing your data and delete it within a reasonable time. Withdrawal of consent must be as easy as giving consent — if you gave consent with one click, withdrawal should not require a 20-step process.

In practice: Look for "Delete Account" or "Withdraw Consent" options in the app settings. If you cannot find an easy way to withdraw consent, file a complaint with the company's Grievance Officer (every company must appoint one).

Important: Withdrawing consent does not affect the legality of processing that happened before withdrawal. But from the moment you withdraw, the company has no right to continue using your data for that purpose.

3. Right to access information about your data (Section 11)

You have the right to ask any company that holds your data:

  • A summary of the personal data they hold about you
  • The processing activities they have carried out on your data
  • The identities of all other companies or persons with whom your data has been shared
  • Any other information prescribed under the DPDP Rules

The company must respond within a reasonable period — the DPDP Rules, 2025 prescribe a maximum of 90 days.

In practice: Send a written request (email is sufficient) to the company's Data Protection Officer or Grievance Officer asking for this information. Cite Section 11 of the DPDP Act.

4. Right to correction and erasure (Section 12)

If your personal data held by a company is inaccurate or incomplete, you have the right to demand correction. If you no longer want the company to hold your data, you have the right to demand erasure (deletion). Once a correction or erasure request is made, the company must also direct all other entities with whom your data was shared to make the same correction or erasure.

In practice: This is particularly important for incorrect information in credit bureaus, medical records, or employment databases. Incorrect data can have real-world consequences — a wrong credit score entry, for example, can prevent you from getting a loan.

5. Right to nominate someone to exercise your rights (Section 13)

You can nominate another person to exercise your data rights on your behalf in the event of your death or incapacity. This ensures your digital privacy survives even when you cannot act for yourself.

In practice: Consider including a digital data nominee in your estate planning, just as you would nominate someone for your bank account or insurance.

6. Right to file a grievance and seek redress (Section 13)

If a company violates your data rights, you can:

  • File a complaint with the company's Grievance Officer (every Data Fiduciary must appoint one)
  • If not resolved within the prescribed time, escalate to the Data Protection Board of India
  • The Data Protection Board can impose penalties of up to Rs 250 crore on the company

In practice: Keep records of all communications with the company. The Data Protection Board will look at whether the company followed proper consent procedures and responded to your requests in time.

Special protections for children

The DPDP Act provides enhanced protections for the personal data of children (persons under 18):

  • Companies must obtain verifiable parental consent before processing a child's data
  • Companies must verify the age and identity of the parent or guardian giving consent
  • Behavioural monitoring and targeted advertising directed at children is banned
  • Processing that could cause harm to a child is prohibited

In practice: If your child uses apps or online services, check whether the platform has age verification and parental consent mechanisms. Platforms that process children's data without proper consent face heavy penalties.

The DPDP Act recognises certain situations where companies can process data without your consent ("legitimate uses" under Section 7):

  • When you voluntarily provide data for a specific purpose (e.g., filling a form to request a service)
  • Government provision of benefits, subsidies, or services
  • Medical emergency involving a threat to life
  • Employment-related processing (salary, taxes, attendance)
  • Court or statutory orders
  • Reasonable purposes prescribed by the government

In practice: Even in these cases, the company must process only the minimum data necessary and cannot use it for unrelated purposes.

What if things go wrong

If a company ignores your data request

File a formal complaint in writing (email with delivery receipt) citing the specific section of the DPDP Act. Give the company 30 days to respond. If they still ignore you, escalate to the Data Protection Board of India.

If your data is leaked or breached

Under the DPDP Act, every Data Fiduciary must notify the Data Protection Board and affected individuals in the event of a data breach. If a company fails to notify you, file a complaint with the Data Protection Board. You may also file a police complaint under the IT Act if the breach caused financial loss.

This is a violation of your withdrawal rights. Document the unwanted communications (screenshots with dates and times), send a formal objection to the company, and if they continue, escalate to the Data Protection Board.

Documents and resources you need

  • DPDP Act, 2023 full text: Available on meity.gov.in
  • DPDP Rules, 2025 full text: Published in the Gazette of India, available on meity.gov.in
  • Data Protection Board of India: Will be set up for complaint redressal
  • Company's Grievance Officer: Check the company's website under "Privacy Policy" or "Contact Us"
  • Consent Managers: Registered entities that help you manage consent across platforms (operational from November 2026)
  • CERT-In: https://cert-in.org.in — for reporting data security incidents

Common myths

Myth: The DPDP Act only applies to big tech companies.
Reality: The Act applies to every entity that processes digital personal data — from a local e-commerce store to a multinational social media platform. Any business that collects your name, email, phone number, or address digitally is covered.

Myth: If I agreed to a privacy policy, I have given up all my rights.
Reality: A blanket privacy policy acceptance does not override your DPDP Act rights. Consent must be specific to each purpose, and you can withdraw it anytime. Companies cannot use buried consent to justify unlimited data processing.

Myth: The government can access all my data under the DPDP Act.
Reality: Government access to personal data is limited to specific legitimate uses defined in the Act. However, the Act does provide certain exemptions for the government in the interest of sovereignty, security, and public order.

Myth: I cannot do anything about old data that companies already have.
Reality: You can exercise your right to erasure (Section 12) and ask companies to delete personal data they no longer need. The company must comply unless they have a legitimate legal basis to retain it.

The law behind this

Right | DPDP Act Section | What It Means
Informed consent | Section 5 (Notice) + Section 6 (Consent) | Companies must tell you what data they collect and why
Withdraw consent | Section 6(4) | You can revoke permission at any time
Access your data | Section 11 | You can ask what data is held about you
Correct/erase data | Section 12 | You can demand correction or deletion
Nominate someone | Section 13 | Designate a person to exercise rights on your behalf
Grievance redressal | Section 13(1) | File complaints with Grievance Officer and Data Protection Board
Children's data protection | Section 9 | Verifiable parental consent required; no behavioural tracking
Data breach notification | Section 8(6) | Companies must inform you of data breaches

Frequently asked questions

When does the DPDP Act come into full effect?
The DPDP Act was enacted in August 2023 and the DPDP Rules were notified in November 2025. Consent Manager provisions take effect by November 2026, and all other substantive provisions by May 2027. Some provisions are already operational.

Does the DPDP Act apply to foreign companies?
Yes. If a foreign company processes personal data of individuals in India or offers goods and services to people in India, it must comply with the DPDP Act.

What are the penalties for companies that violate the Act?
Penalties range up to Rs 250 crore per violation, imposed by the Data Protection Board. Specific penalty amounts are prescribed for different types of violations — failure to protect children's data, failure to notify breaches, and so on.

Can I sue a company for data misuse?
The DPDP Act does not provide for individual lawsuits. Redressal is through the Data Protection Board. However, if data misuse results in financial loss or other harm, you may have remedies under the IT Act, consumer protection law, or tort law.

What is a Consent Manager?
A Consent Manager is a registered entity that provides a platform for you to give, manage, review, and withdraw consent across multiple companies. Think of it as a single dashboard for all your data permissions. Consent Managers must have a minimum net worth of Rs 2 crore and maintain audit trails for seven years.
