India's Digital Personal Data Protection Act 2023, usually shortened to the DPDP Act, is the country's dedicated data protection law. It was passed in 2023 and is being operationalised through rules, so details continue to firm up. This is a plain-English overview for website owners, not legal advice, and worth revisiting as the rules are finalised.
The DPDP Act is built around consent and notice. If your website collects personal data, you are a data fiduciary, the person whose data it is is the data principal, and you generally need clear consent backed by a plain-language notice explaining what you collect and why.
It also creates the Data Protection Board of India to handle complaints and enforcement, with significant penalties for serious lapses.
Consent should be free, specific, informed and unambiguous, and people must be able to withdraw it as easily as they gave it. Your notice needs to be clear and, in the Indian context, available in English and the languages listed in the law where relevant.
On a website, that means a readable privacy notice, honest consent at the point of collection, and a working way to withdraw consent and request deletion.
Because the supporting rules are still being put in place, treat your compliance as a living thing. Get the fundamentals right now, the notice, consent and security, and review your approach as the Data Protection Board and the rules clarify specifics like timelines and cross-border details.
HostBible includes SSL and daily backups on every plan, so the security groundwork for the DPDP Act is in place.
View Hosting Plans