Is My Personal Data Safe in India? What the Law Actually Says in 2026
Quick Summary
- India's first dedicated data protection law — the Digital Personal Data Protection Act 2023 — came into force on November 13, 2025, giving every Indian citizen formal legal rights over their personal data for the first time
- Companies must now get your clear, specific consent before collecting your data, tell you exactly what they will use it for, and delete it once that purpose is done
- You have the right to access, correct, and erase your personal data from any company's records — and to complain to the Data Protection Board of India if your rights are violated
- Companies that misuse or fail to protect your data can be fined up to ₹250 crore per breach under the new law — full enforcement begins May 13, 2027
Every time you download an app, book a ticket, visit a hospital, or apply for a job online — someone is collecting your personal data. Your name, phone number, Aadhaar number, location, browsing habits, health records, and financial details flow through dozens of companies every single day. Until recently, India had no dedicated law to govern how that data was handled, stored, shared, or protected.
That changed on November 13, 2025, when India's Digital Personal Data Protection Act 2023 officially came into force along with its implementing rules. India became the 19th G20 nation with a comprehensive data protection law. For the first time in India's history, you have legally enforceable rights over your own personal data — and companies have legally binding obligations to protect it. This article explains what the law actually says in plain English, what your rights are, and what you can do if a company violates them.
How the Law Works
Before the DPDP Act came into force, India's data protection was governed by a patchwork of provisions under the Information Technology Act 2000 and the IT Rules 2011 — a framework that was widely considered inadequate for the scale and complexity of India's digital economy. Companies routinely collected far more data than they needed, kept it indefinitely, shared it with third parties without clear consent, and faced minimal consequences for breaches.
The DPDP Act 2023 received Presidential assent on August 11, 2023, and came into force on November 13, 2025 — marking India's first standalone framework for governing digital personal data. The DPDP Rules 2025, notified on November 13, 2025 by MeitY, provide the operational detail with full compliance expected by May 13, 2027, rolled out in three phased stages.
The law applies to every organisation — companies, public authorities, government departments, hospitals, schools, NGOs — that processes the personal data of people in India. It also applies to foreign companies that offer goods or services to Indian users, even if those companies are based outside India. There are no small business exemptions — the law covers virtually every entity that handles Indian citizens' personal data.
The Data Protection Board of India became operational in November 2025, with a digital complaint portal and mobile application launched simultaneously. This is the body responsible for investigating complaints and enforcing the law. It has the authority to investigate data breaches, hear complaints from citizens, and impose financial penalties on organisations that violate the Act.
Real-World Impact
What does this law actually mean for you in everyday life?
It means that the next time an app asks you to agree to its terms and conditions, those terms must clearly explain what data is being collected and why — not hide it in pages of legal language. It means that if a company shares your phone number or email address with third parties without your knowledge, that is now a legal violation you can report. It means that hospitals must protect your health records and cannot share them without your consent. It means that if you delete your account on any platform, they must actually delete your data.
It also means that data breaches — which used to go unreported in India for months or years — must now be disclosed within 72 hours. The Aadhaar data leaks, the Zomato breaches, the health app data exposures that used to emerge only through journalists — companies must now proactively inform both the government and affected users when these incidents occur.
Penalties range from ₹10,000 for Data Principals filing false complaints to ₹250 crore for security failures leading to breaches, with full enforcement of all substantive provisions beginning May 13, 2027. The maximum penalty of ₹250 crore per breach applies where a Data Fiduciary fails to implement reasonable security safeguards and a personal data breach occurs — and critically, the DPDP Act does not provide for a cure period, meaning organisations cannot fix violations after the fact to avoid penalties.
Step-by-step guide
Your Rights Under the DPDP Act — In Plain English:
Under the Digital Personal Data Protection Act 2023, you are called a Data Principal — meaning you are the person the data belongs to. Any company or organisation that collects and uses your data is called a Data Fiduciary — they hold your data in trust and have obligations toward you.
Here are the rights the law gives you:
Right 1 — The right to know what data is being collected and why.
Before any company collects your personal data, they must give you a clear notice explaining what data they are collecting, why they need it, and how they will use it. This notice must be in simple language — not buried in a 50-page legal document full of jargon. You must give your clear, specific, and informed consent before they can proceed. General or vague consent is not valid under this law.
Right 2 — The right to withdraw your consent at any time.
You can take back your consent at any time. If you decide you no longer want a company to use your data, you can withdraw consent and the company must stop processing it. Withdrawing consent must be as easy as giving it — companies cannot make it difficult or complicated for you to opt out.
Right 3 — The right to access your own data.
You can ask any company to tell you what personal data they hold about you, what they are using it for, and who they have shared it with. The company must respond to this request.
Right 4 — The right to correct and update your data.
If a company has incorrect information about you — wrong name, wrong address, outdated details — you have the right to ask them to correct it. They must do so.
Right 5 — The right to erase your data.
Once the purpose for which your data was collected is over, you can ask the company to delete your data. For example, if you delete an app account, the company must erase your data and not keep it indefinitely. Companies cannot hold your data forever just because they feel like it.
Right 6 — The right to complain to the Data Protection Board.
If a company violates your data rights — ignores your request, shares your data without consent, or fails to protect it — you can file a formal complaint with the Data Protection Board of India. The Board has enforcement powers and can impose financial penalties on companies that break the law.
Prevention Tips
- Before accepting any app's terms and conditions, look for what data it is asking to collect and whether it explains why — if the explanation is vague or missing, that is a red flag
- Regularly go through your installed apps and revoke permissions for apps that don't need access to your location, contacts, or camera — you can do this in your phone Settings → Apps → Permissions
- If a company sends you a data breach notification email — take it seriously, change your password immediately, and check whether any sensitive information like your Aadhaar number or bank details was in their system
- If you want to exercise your right to erase your data from a company's records, send a formal written request to their customer support email and keep a copy — if they do not respond within a reasonable time, you can complain to the Data Protection Board
- For children in your household, check which apps they use and verify that those apps have parental consent mechanisms — any app that does not ask for parental consent before collecting a child's data is violating the DPDP Act
Frequently Asked Questions
The DPDP Act came into force in November 2025 — does it apply to data collected before that date?
The DPDP Act applies to personal data processing that occurs from November 13, 2025 onwards. However, if a company continues to hold and process your old data after that date, your rights under the Act apply to that data as well. Full enforcement of all provisions begins May 13, 2027, after which the Data Protection Board will have complete authority to investigate and penalise violations.
How do I file a complaint if a company misuses my data?
The Data Protection Board of India operates a digital complaint portal that was launched in November 2025 alongside the Act coming into force. You can file a complaint through this portal. Before filing with the Board, you must first raise the issue with the company directly through their grievance mechanism — if they do not resolve it satisfactorily, you can the
Does this law apply to government bodies and hospitals, or only private companies?
The DPDP Act applies to virtually every entity that processes digital personal data of Indian citizens — including private companies, government departments, public sector undertakings, hospitals, educational institutions, and NGOs. There are limited exemptions for national security and law enforcement, but the vast majority of organisations are covered.
Can a company still collect my data without consent in some situations?
Yes — the DPDP Act recognises certain situations where data can be processed without explicit consent, called "legitimate uses." These include processing by the State for providing government services and benefits, compliance with court orders, employment-related processing by employers, and processing in a medical emergency. However, these exemptions are specific and cannot be used as a blanket excuse to collect data without consent in everyday commercial situations.
My data was leaked in an app breach six months ago. Can I complain under this law?
If the breach occurred before November 13, 2025 — when the Act came into force — the DPDP Act does not apply retrospectively to that specific incident. However, if the company continues to inadequately protect your data after November 2025, or fails to notify you of ongoing risks from the breach, you can raise a complaint for their ongoing failure to comply with the Act's security and breach notification obligations.