Hint: it’s not just the Amazons and Flipkarts of the world. If you run any kind of business in India and touch a customer’s data digitally — read this.
One of the most common things we hear from business owners when we talk about the Digital Personal Data Protection (DPDP) Act 2023 is: “That’s for big tech companies, right? Not for us.”
And every single time, we have to gently break the news — no, it’s for you too.
The DPDP Act doesn’t work like a size filter. It doesn’t care whether you have 10 employees or 10,000. It applies the moment your business collects, stores, or processes personal data in digital form within India (including data collected on paper and digitised later), whether or not the person is an Indian citizen. That’s it. That’s the threshold.
So let’s break this down properly — industry by industry, business type by business type — so you can stop guessing and start preparing.
First, what does “personal data” actually mean?
Before we get into who needs to comply, it helps to understand what data we’re talking about. Under the DPDP Act, personal data means any data about an individual who is identifiable by or in relation to that data, directly or indirectly. This includes names, phone numbers, email addresses, location data, payment information, health records and photos, and identifiers such as device IDs and IP addresses count too when they can be linked back to a person.
If your business collects even a customer’s name and phone number through a Google Form, WhatsApp, website, or app — you are processing personal data, and DPDP applies to you.
Now, on to the big question.
Which industries and businesses must comply?
The short answer: virtually every sector that operates digitally. Here’s a sector-by-sector breakdown:
E-commerce & retail: Shopify stores, D2C brands, Amazon sellers, Meesho resellers
Healthcare & wellness: clinics, hospitals, health apps, diagnostic labs, teleconsult platforms
Edtech & coaching: online courses, coaching institutes, school management apps, tutoring platforms
Fintech & BFSI: NBFCs, lending apps, insurance portals, wealth management, UPI apps
HR & staffing: recruitment platforms, HRMS tools, payroll software, job portals
Travel & hospitality: hotels, booking platforms, travel agencies, OTAs, cab services
Real estate & proptech: builders, brokers, property portals, co-working platforms
SaaS & tech companies: B2B tools, mobile apps, cloud platforms, API providers
And it doesn’t stop there. Logistics companies, marketing agencies, legal firms, CAs, NGOs, media houses, event companies — if you use a CRM, a contact form, or a mailing list, you’re in scope.
What about small businesses and freelancers?
This is where most people get it wrong. They assume the law is designed for big corporations with dedicated legal teams. But the DPDP Act has no built-in minimum size exemption. The central government can notify specific classes of data fiduciaries, including startups, as exempt from some provisions, but unless your business has actually been notified, the core obligations apply. A freelance consultant who collects client emails, a local bakery running a WhatsApp order group, a yoga teacher using an online booking app: all of them are processing personal data.
Now, the Act does create a category called “Significant Data Fiduciaries” — these are larger organisations that handle exceptionally high volumes or sensitive categories of data. They face additional obligations like appointing a Data Protection Officer. But that doesn’t mean smaller businesses are off the hook for the core requirements.
Quick self-check — does DPDP apply to you?
Do you collect customer names, phone numbers, or emails through any digital channel?
Do you run a website, app, or social media page where users can enter their information?
Do you use a CRM, Google Sheets, or any tool to store customer or employee data?
Do you send marketing messages, emails, or WhatsApp broadcasts to users?
Do you use third-party tools like Google Analytics, Meta Pixel, or any ad platform?
If you said yes to even one of those — DPDP compliance is relevant for your business. Full stop.
What about foreign companies operating in India?
Here’s something most international businesses miss: the DPDP Act has extraterritorial reach. If a company based outside India processes personal data in connection with offering goods or services to individuals within India, the Act applies. So a US-based SaaS company with Indian customers, or a UK edtech platform with students in India, both fall under its scope.
What happens if you ignore it?
The cost of non-compliance
Penalties under the DPDP Act go up to ₹250 crore per instance, with the highest tier reserved for failing to take reasonable security safeguards to prevent a personal data breach. The Data Protection Board of India has the authority to investigate complaints, conduct inquiries, and impose fines. Beyond fines, there is reputational damage. In a world where customers increasingly care about data privacy, a single data breach or compliance scandal can cost you far more than any government penalty.
So what should you actually do right now?
The good news is that compliance doesn’t have to be overwhelming. Most businesses need to take five foundational steps to get themselves in a solid position:
- Data audit: Map out exactly what personal data you collect, why you collect it, where it’s stored, who has access to it, and which third-party processors handle it on your behalf (the Act expects a contract with each of them).
- Consent mechanism: Set up a clear, lawful consent process on every touchpoint, including your website, app, forms, and WhatsApp. Consent must be free, specific, informed and unambiguous, given by a clear affirmative action, and withdrawing it must be as easy as giving it.
- Privacy notice update: Rewrite your privacy notice in plain, simple language that actually explains what you collect, why, and how users can exercise their rights and complain to the Board.
- User rights process: Create a way for users to request access to, correction of, or erasure of their data, and a grievance channel that responds within a defined time.
- Breach response plan: Document what you’ll do if a data breach occurs. The Act requires you to notify both the Data Protection Board and every affected individual, so decide in advance who owns that, and how and when it happens.
These five steps cover the majority of what most small and mid-size businesses need. The complexity scales up if you’re a larger organisation, handle sensitive data (health, financial, children’s data), or operate across multiple states or countries.
The bottom line
The DPDP Act 2023 is not a distant regulation still finding its feet. It is the law of the land, and enforcement is coming. The businesses that act now — before the notices start going out — will be the ones that come out stronger, more trusted, and better positioned in a market where data privacy is becoming a genuine competitive advantage.
Whether you’re a solo founder, a growing startup, or a mid-size enterprise, the question is no longer “does DPDP apply to me?” It does. The only question left is: how ready are you?
Not sure where to start? Consent Server has you covered. We provide A-to-Z DPDP compliance solutions for businesses of every size — pan India. From consent management to full compliance audits, we do it all so you don’t have to.