Why Your Personal Data in India Just Got a Lot More Protected

If you've filled out an Aadhaar-linked form, ordered food on an app, or signed up for a fintech wallet in the last few years, your data has probably passed through dozens of hands you never see. That's finally changing. India's data protection bill 2023 — now formally the DPDP Act — moved from paper to practice in November 2025, when the government notified the rules that actually make it work and set up a dedicated regulator, the Data Protection Board of India.

What does this mean for an ordinary person? A few concrete things: companies now have to ask for consent in plain language, one purpose at a time, instead of one giant "I agree" checkbox covering five different uses of your data. You can withdraw that consent as easily as you gave it. And if a company loses your data in a breach, they're on a strict 72-hour clock to tell the regulator.

It's not perfect yet — some of the finer details, like exact rules on sending Indian data abroad, are still being worked out. But the direction is clear: businesses that used to treat "we have your consent" as a formality are now being asked to prove it, continuously, with an actual paper trail. Companies that get ahead of this — instead of scrambling later — are already turning to platforms like RuleExpert, and there's a fuller breakdown of the phased timeline and penalty structure in this DPDP compliance guide if you want the regulatory detail. For everyday users, the short version is: you have more say over your data now than you did a year ago, and there's finally a body that can act on it.