What is the DPDPA (Digital Personal Data Protection Act)?

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data privacy law, enacted on 11 August 2023. The DPDP Rules, 2025 were notified on 14 November 2025, making the full framework operational. The Data Protection Board of India (DPBI) is now operational. The full compliance deadline is 13 May 2027.

What is the DPDPA compliance deadline?

The phased compliance timeline: 14 November 2025 — DPDP Rules notified, DPBI operational; 13 November 2026 — Consent Manager infrastructure required; 13 May 2027 — Full compliance deadline. Data breach reporting within 72 hours applies from Day 1.

What are the penalties for DPDPA violations?

The DPDPA prescribes penalties of up to ₹250 crore per violation for consent failures, security breaches, and data rights violations. The Data Protection Board of India can levy penalties per incident — a non-compliant website with multiple issues faces compounded exposure across each violation category.

What does the DPDPA Scanner check?

The DPDPA Scanner checks: consent banner presence and compliance, pre-consent cookie and tracker behaviour, third-party data sharing, browser fingerprinting, privacy policy completeness (15 DPDPA-specific checks), PII form collection, security headers (CSP, HSTS, X-Frame-Options), child protection signals, and Android APK permissions. Every finding is mapped to the exact DPDP Act section and penalty exposure.

Is the DPDPA Scanner free to use?

The scanner is free to run. You get an overall compliance score, grade (A–F), and category breakdown at no cost. The full report — with detailed findings, penalty exposure, legal citations, and a phased remediation plan — costs ₹4,499 + GST (one-time, permanent access).

Does the DPDPA apply to small businesses and startups in India?

Yes. The DPDPA has no size exemptions. Any organisation — startup, SME, or large enterprise — that collects personal data from Indian residents must comply. Even a simple contact form collecting email addresses brings you within scope.

How is the DPDPA compliance score calculated?

The score is weighted across five categories: Consent (30%), Tracking (25%), Privacy Notice (25%), Data Collection (10%), and Security (10%). Scores map to grades: 80+ = A, 60–79 = B, 40–59 = C, 20–39 = D, below 20 = F.

For any website or app with users in India

Is your website DPDPA compliant?

Scan your website for compliance with India's Digital Personal Data Protection Act, 2023. Get a scored report with findings and a remediation plan.

DPDP Scanner — Compliance Assessment

DPDP Readiness Report

Prepared for: Reference: Date:

About the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 was enacted on 11 August 2023 and fully operationalised when the DPDP Rules, 2025 were notified on 14 November 2025. The Rules establish the Data Protection Board of India (DPBI) as the independent regulatory and adjudicatory authority — it is now operational and empowered to receive complaints, conduct investigations, and levy financial penalties. The Act applies to every entity (Data Fiduciary) that collects or processes the personal data of Indian residents, whether operating within India or targeting Indian users from abroad.

The Rules introduce a phased compliance timeline: Consent Manager infrastructure must be implemented by 13 November 2026 (one year from notification), and full organisational compliance — covering all consent, notice, security, and rights-fulfilment obligations — is required by 13 May 2027 (18 months from notification). Data breaches must be reported to the DPBI within 72 hours of discovery. Significant Data Fiduciaries are additionally required to appoint a Data Protection Officer. The compliance deadline is firm — organisations that have not yet begun remediation face mounting risk as the May 2027 deadline approaches.

The Act grants individuals (Data Principals) enforceable rights: the right to know what personal data is collected and for what purpose, the right to correct or erase their data, the right to withdraw consent at any time with the same ease as giving it, and the right to grievance redressal. Failure to honour these rights, or to obtain valid prior consent before processing, constitutes a violation regardless of whether any harm results to the individual.

Maximum Penalty Schedule

Failure to obtain valid consent (Section 6)Up to ₹250 Crore Failure to implement security safeguards (Section 8)Up to ₹250 Crore Violation of Data Principal rights (Section 11)Up to ₹250 Crore Cross-border transfer violations (Section 16)Up to ₹250 Crore Failure to provide adequate notice (Section 5)Up to ₹200 Crore Failure to notify a personal data breach (Section 8(6))Up to ₹200 Crore Failure to protect children's personal data (Section 9)Up to ₹200 Crore

Automated external scan only — not legal advice. Methodology & limitations: /methodology.html
Penalty amounts shown are statutory maxima under the DPDP Act; the Data Protection Board has discretion on actual penalties.

India's DPDP Act is now in full force — is your website compliant?

The Digital Personal Data Protection Act, 2023 was enacted on 11 August 2023 and fully operationalised when the DPDP Rules, 2025 were notified on 14 November 2025. The Data Protection Board of India is now operational. An 18-month phased compliance timeline is in effect — the full compliance deadline is 13 May 2027. If your organisation has not yet assessed its compliance posture, the window to act without urgency is closing.

Who does it apply to?

Every entity that collects or processes the personal data of Indian residents — including foreign companies targeting Indian users online. There are no exemptions for company size; a startup with a contact form is subject to the same obligations as a large enterprise.

Compliance timeline

14 Nov 2025 — Rules notified, DPBI operational.
13 Nov 2026 — Consent Manager infrastructure required.
13 May 2027 — Full compliance deadline. Data breaches must be reported within 72 hours from Day 1.

What does it require?

Prior, informed, specific consent before collecting personal data. A clear privacy notice in English and at least one Indian language. Reasonable security safeguards. A named grievance officer. The right for users to access, correct, or erase their data on request. Significant Data Fiduciaries must also appoint a Data Protection Officer.

Penalties

Up to ₹250 crore per violation for consent failures, security breaches, and rights violations. The DPBI can levy penalties per incident — a single non-compliant website with multiple issues faces compounded exposure across each violation category.

This scanner checks your website against the Act's technical requirements — consent mechanisms, cookie behaviour, privacy notice completeness, data collection practices, and security posture — and maps every finding to the specific DPDP section and penalty exposure. Scan your site above to get a scored compliance report.

Pricing

Run a scan free. Pay only when you need the full report.

One-time Report

₹4,499

+ GST · per report

✓ Full findings mapped to DPDP Act sections
✓ Penalty exposure per violation
✓ Phased remediation plan
✓ Legal citations & evidence
✓ Permanent access — no expiry

View sample report →

Coming soon

Monthly Monitoring

₹9,999

+ GST · per month

✓ Everything in One-time Report
✓ Weekly automated rescans
✓ Score history & trend tracking
✓ Email alerts on new violations
✓ Cancel anytime

Notify me when available

Free scan includes overall score, grade, and category breakdown. Full findings and remediation plan require a paid report. Refund policy

Frequently asked questions

What is the DPDPA?: The Digital Personal Data Protection Act, 2023 is India's comprehensive data privacy law, enacted on 11 August 2023. The DPDP Rules, 2025 were notified on 14 November 2025, activating the full compliance framework. The Data Protection Board of India (DPBI) is now operational and can levy penalties.
Who does the DPDPA apply to?: Every entity — startup, SME, or large enterprise — that collects or processes personal data of Indian residents, including foreign companies targeting Indian users. There are no size exemptions: a contact form collecting an email address puts you in scope.
What is the DPDPA compliance deadline?: 13 May 2027 is the full compliance deadline. Key milestones: 13 November 2026 — Consent Manager infrastructure required. Data breach reporting within 72 hours applies from Day 1.
What are the penalties for DPDPA violations?: Up to ₹250 crore per violation for consent failures, security breaches, and data rights violations. The DPBI levies penalties per incident — a non-compliant site with multiple issues faces compounded exposure across each violation category.
What does the DPDPA Scanner check?: Consent banner compliance, pre- and post-consent cookie behaviour, third-party tracker classification, browser fingerprinting, privacy policy completeness (15 DPDPA-specific checks), PII form detection, security headers (CSP, HSTS, X-Frame-Options), child protection signals, and Android APK permissions. Every finding is mapped to the exact DPDP Act section and penalty exposure.
Is the DPDPA Scanner free?: Yes — the scan itself is free. You get an overall compliance score, grade (A–F), and category breakdown at no cost. The full report with detailed findings, penalty exposure, legal citations, and a phased remediation plan costs ₹4,499 + GST (one-time, permanent access).
How is the compliance score calculated?: Findings are weighted across five categories: Consent (30%), Tracking (25%), Privacy Notice (25%), Data Collection (10%), Security (10%). Scores map to grades: 80+ = A, 60–79 = B, 40–59 = C, 20–39 = D, below 20 = F.
Does the scanner replace a compliance consultant?: No. It audits what is externally observable — your website's technical surface. Internal data flows, vendor DPAs, DPIAs, Records of Processing Activities (RoPA), and organisational policies require a human compliance consultant. See our methodology for full scope and limitations.

Sign in to get started

What domain do you want to scan?

India's DPDP Act is now in full force — is your website compliant?

Pricing

Frequently asked questions