Your data, your rules: Understanding India’s DPDP Act, 2025

Think of every time you typed your phone number on a website, allowed an app to track your location or clicked “I Agree” without reading anything. Now imagine all that information travelling across servers, companies, governments and algorithms, often without you knowing how it’s being used.

India finally decided to put brakes on this free-flowing, unregulated exchange of personal data. That is where the Digital Personal Data Protection (DPDP) Act, 2025 steps in, a law designed for a country where digital life is now everyday life.

This is not just a law for techies, bureaucrats or UPSC aspirants. It affects everyone who uses a smartphone, which means almost every Indian.

Why India needed this law

1. Too many data leaks, too little accountability

Over the years, countless leaks exposed personal details — phone numbers, Aadhaar data, financial information — floating across the internet. People lost money to scams; others had their identities misused. But companies rarely faced serious consequences.

2. Apps were taking ‘permission’ without asking

You downloaded a photo-editing app and suddenly it had access to your contacts, microphone and location. The old system allowed companies to hide behind long, unreadable consent forms.

3. Government programmes became data-heavy

Schemes like direct benefit transfer, digital land records and public health databases collect massive sensitive data. Without a proper law, there were no clear rules on how this would be stored, shared or protected.

4. India needed a global-standard privacy law

Countries around the world, especially those in Europe, already have strong data protection systems. A strong Indian framework boosts global trust in Indian companies and digital governance.

Salient features: What the DPDP Act actually does

1. “Say yes only if you really want to” — Stronger consent

Every app, website or organisation must clearly tell you:

• what data they want
• why they want it
• how long they will store it
• how you can withdraw consent
• No vague language, no sneaky permissions

Example: If a delivery app wants access to your gallery, you can simply refuse and it cannot deny service for that.

2. You own your data — not the app

• The law grants strong user rights:
• Right to access your data
• Right to correct wrong information
• Right to get your data deleted
• Right to stop data processing
• Right to nominate someone to exercise these rights if you cannot

Example: If a fintech app still holds your old address or Aadhaar number, you can demand correction or complete deletion.

3. Special care for children’s data

For anyone under 18:

• Parental consent is mandatory
• Apps cannot target ads at them
• Apps cannot track or profile them

Example: A gaming app cannot silently track a 12-year-old’s location or behaviour.

4. Data fiduciaries must act responsibly

Any organisation collecting your data must follow strict rules:

• robust security systems
• minimal data collection
• deletion once purpose is over
• breach notification within strict timelines

Big platforms handling millions of users become Significant Data Fiduciaries, facing even higher scrutiny.

5. Massive penalties for violations

Fines can go up to hundreds of crores if a platform misuses or leaks data. No gentle warnings — real money on the line.

Example: If a popular social media platform leaks user data due to lazy security, they face steep monetary penalties.

6. A new enforcer: The data protection board

This independent body handles:

• user complaints
• breach investigations
• penalties and compliance

Think of it as the traffic police of the digital world.

Timeline: How we got here

2017: Supreme Court declares privacy a fundamental right.

2018–2022: Multiple draft bills prepared and withdrawn.

2023: DPDP Act is finally passed by Parliament.

2025: Rules framed and operationalised, making the law implementable.

By 2027: Full-scale enforcement expected across sectors.

This journey took years of debate, court cases, and stakeholder consultations — reflecting how complex digital privacy is.

DPDP vs RTI Act: A battle between privacy and transparency

1. The conflict explained simply

• RTI enables citizens to seek information from the government to ensure transparency.
• DPDP protects personal information from unnecessary exposure.

The clash arises because:

• RTI gave access to personal information if public interest demanded it.
• DPDP tightens what counts as “personal information”

The earlier public-interest test is now weaker

2. What this means in real life

A citizen earlier could ask:

• How many government employees were penalised in a corruption case?
• What were the assets declared by a public servant?
• Now, authorities may deny this citing “personal data”.

3. The worry

Transparency activists fear officials might hide information under the label of “privacy”, reducing public accountability.

4. The government’s stand

They argue that privacy is a fundamental right and misuse of personal information must stop — even when requested under RTI.

The truth lies somewhere in between: India must protect privacy without shutting the doors of transparency.

Why this law matters to every Indian

• You get more control over what apps know about you
• You can demand deletion of data that companies keep forever
• Children get a safer digital environment
• Companies finally face real consequences for negligence
• But at the same time, citizens must stay alert so transparency under RTI doesn’t slowly erode

Whether you’re a student, worker, parent or business owner — this law touches your digital life daily.

Privacy wins, but democracy must not lose

The DPDP Act is a landmark shift in India’s digital journey. It gives ordinary citizens power over their personal data, something long overdue in a country where digital activity grows every day.

But it also raises a difficult question: Can we protect individual privacy without dimming the light that RTI shines on public accountability?

This balance will define the future of India’s digital democracy. The DPDP Act is a strong start, but how wisely we implement it will decide whether India becomes both a private and transparent nation in the years ahead.