⚠ Critical for All Indian Businesses

DPDPA Penalties:
Fines Up to ₹250 Crore

Updated: April 2026 Reading time: 8 min Source: DPDPA 2023, Schedule

India's Digital Personal Data Protection Act, 2023 (DPDPA) imposes some of the heaviest data protection penalties in the world. Businesses that fail to comply face fines ranging from ₹10,000 to ₹250 crore per violation, with the Data Protection Board of India (DPBI) empowered to impose penalties directly.

This guide breaks down every penalty category, who is at risk, and how to protect your business.

💡 Key Takeaway

Unlike GDPR which calculates fines as a percentage of revenue, DPDPA imposes fixed maximum penalties per violation. Even a single data breach with no privacy policy can trigger ₹250 crore in fines. The cheapest insurance? Generate a compliant privacy policy now (free, 2 minutes).

Penalty Schedule — Complete Breakdown

ViolationDPDPA SectionMax Penalty
Failure to take reasonable security safeguards to prevent personal data breach Section 8(5), Schedule ₹250 Cr
Failure to notify the Board and affected Data Principals of a personal data breach Section 8(6), Schedule ₹200 Cr
Non-compliance with children's data (processing without verifiable parental consent) Section 9, Schedule ₹200 Cr
Non-compliance with additional obligations of Significant Data Fiduciary Section 10, Schedule ₹150 Cr
Non-fulfillment of any other obligation (missing privacy policies, consent failures) General, Schedule ₹50 Cr
Non-compliance by Data Principal (false info, frivolous complaints) Section 15, Schedule ₹10,000

Who Is At Risk?

The DPDPA applies to every business operating in India that processes digital personal data, regardless of size:

Most Common Compliance Failures

1. No Privacy Policy — ₹50 Crore risk

The most basic requirement. Every website and app must have a clear, accessible privacy policy explaining what data is collected, why, and how users can exercise their rights. Most Indian websites still don't have a DPDPA-compliant policy.

2. No Consent Mechanism — ₹50 Crore risk

DPDPA requires explicit, informed consent before collecting personal data. A pre-ticked checkbox or buried terms in a lengthy document does NOT qualify as valid consent.

3. No Data Breach Response Plan — ₹250 Crore risk

If your business suffers a data breach without reasonable security measures, you face the maximum penalty. This includes lacking encryption, access controls, or an incident response plan.

4. Children's Data Without Parental Consent — ₹200 Crore risk

Processing data of anyone under 18 without verifiable parental consent carries severe penalties. Age verification and parental consent mechanisms are mandatory.

5. No Grievance Redressal — ₹50 Crore risk

Data Principals have the right to raise grievances. You must have a designated person or mechanism to handle data protection complaints within prescribed timelines.

Don't Risk ₹250 Crore in Fines

Generate a DPDPA-compliant privacy policy in 2 minutes. Free, no signup required.

Real Indian Data Breach Case Studies — Estimated DPDPA Exposure

The following are well-documented Indian data exposures from 2022–2025. The DPDPA was either not in force or its Rules were not yet notified when these occurred, so actual penalties were not imposed. We have modeled what the likely DPDPA exposure would have been if the Act were active and enforcement mature.

Incident (year)Data exposedFailure categoryModeled DPDPA exposure
Major Indian telecom KYC dump (2024) ~750 million records: name, mobile, address, Aadhaar fragments Security safeguards (Sec 8(5)) + breach notification (Sec 8(6)) ₹250 Cr + ₹200 Cr
Public sector bank fintech partner breach (2023) 16.8 lakh customers: PAN, account number, balance, mobile Security safeguards + processor oversight (Sec 8(2)) ₹250 Cr
EdTech leak of student records (2022, surfaced 2024) 2.5 crore K-12 student records including DOB, school, parent contact Children's data (Sec 9) + security safeguards (Sec 8(5)) ₹200 Cr + ₹250 Cr
Indian healthcare aggregator exposure (2023) 1.5 lakh patient records, prescriptions, lab results Security safeguards + purpose limitation (Sec 7) ₹250 Cr
Quick-commerce app token leak (2024) 11 million customers: address, order history, payment metadata Security safeguards + delayed disclosure ₹250 Cr + ₹200 Cr
D2C brand Shopify mis-config (2025) 4.2 lakh customer records exposed via public storefront API Reasonable security safeguards (Sec 8(5)) ₹250 Cr

Modeled exposure reflects the statutory maximum per violation under the DPDPA Schedule. Actual penalties imposed by the DPBI typically apply mitigating factors (Section 33) and can be substantially lower if the entity demonstrates good-faith compliance effort.

DPDPA Exposure by Industry — What Your Business Actually Risks

Different industries trigger different DPDPA sections based on the personal data they process. Use the table below to estimate your exposure category.

IndustrySensitive data processedMost likely violationMax exposure
E-commerce / D2CAddress, payment, order history, behavioral trackingSecurity + cross-border transfer + consent₹250 Cr
SaaS / B2B platformsUser accounts, telemetry, customer data as processorSecurity + processor accountability₹250 Cr
Fintech / LendingAadhaar, PAN, bank, credit score, biometricSecurity + retention + RBI overlap₹250 Cr
HealthTech / ClinicsPrescriptions, diagnoses, ABDM data, teleconsult logsSecurity + purpose limitation₹250 Cr
EdTech / K-12Student PII, parent contact, behavioral, biometric for attendanceChildren's data (Sec 9) + parental consent₹200 Cr
Early-stage startupsWaitlist emails, beta user data, founder-collected PIINotice (Sec 5) + consent + no DPO₹50 Cr
Blogs / Creators / AgenciesNewsletter, analytics, ad networks, lead formsNotice + cookie consent₹50 Cr
Mobile apps (B2C)Device ID, location, contacts, push tokensConsent + purpose limitation + child users₹200 Cr

How Penalties Are Determined

The Data Protection Board of India considers several factors when determining the penalty amount:

  1. Nature, gravity, and duration of the violation
  2. Type and nature of personal data affected
  3. Whether the violation was repetitive
  4. Whether the entity made any gain or avoided any loss
  5. Whether the entity took mitigating actions (having a privacy policy counts!)
  6. Any prior violations by the entity

Key insight: Having a privacy policy, even an imperfect one, demonstrates good faith compliance effort. The DPBI is likely to impose lower penalties on businesses that show they made reasonable attempts to comply.

DPDPA vs GDPR Penalties

AspectDPDPA (India)GDPR (EU)
Maximum penalty₹250 Cr (~$30M)4% of global revenue or €20M
Penalty calculationFixed maximum per violationPercentage of revenue
Impact on small businessDisproportionally harsh (fixed)Scales with revenue
Enforcement bodyData Protection Board of IndiaNational DPAs
Criminal penaltiesNo (civil only)Varies by member state

How to Protect Your Business

  1. Create a DPDPA-compliant privacy policyUse our free generator
  2. Implement consent mechanisms — Clear opt-in for data collection
  3. Appoint a Data Protection Officer — Required for Significant Data Fiduciaries
  4. Review your data practicesUse our compliance checklist
  5. Implement security safeguards — Encryption, access controls, regular audits
  6. Create a breach response plan — Know what to do when (not if) a breach occurs
  7. Document everything — Demonstrate compliance efforts to reduce penalty risk

Start Your DPDPA Compliance Journey

Step 1: Generate your privacy policy. Step 2: Review the compliance checklist. It takes 5 minutes.

DPDPA Penalty FAQ

What is the maximum DPDPA penalty in India?

The maximum penalty under the Digital Personal Data Protection Act 2023 is ₹250 crore (approximately USD 30 million) for failure to take reasonable security safeguards that result in a personal data breach. This is imposed per violation by the Data Protection Board of India under Section 8(5) and the Schedule.

Who enforces DPDPA penalties?

The Data Protection Board of India (DPBI), a statutory body established under Chapter V of the DPDPA 2023, has direct authority to investigate violations, hold inquiries, and impose monetary penalties without requiring a court order. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Are DPDPA fines applied per violation or per affected user?

DPDPA penalties are imposed per violation, not per affected data principal. A single incident affecting 10 million users typically counts as one violation, capped at the Schedule maximum (₹250 Cr for security failures). However, the DPBI considers the number of affected users when determining the penalty quantum within that cap.

Can small businesses or startups face ₹250 crore fines?

Yes. Unlike GDPR which caps fines at 4% of global revenue, DPDPA imposes fixed maximum penalties regardless of company size. A 5-person startup that suffers a breach with no security controls is theoretically exposed to the same ₹250 Cr cap as a Fortune 500 company. In practice the DPBI considers gravity, intent, and mitigating factors when sizing the penalty — see our startup-specific DPDPA guide.

What is the penalty for not having a privacy policy under DPDPA?

Failure to provide notice (Section 5) or to fulfill any other Data Fiduciary obligation falls under the residual penalty bucket of up to ₹50 crore. While ₹50 Cr is the statutory maximum, even small businesses without a compliant privacy policy face inquiry, mandatory remediation, and reputational damage. Generating a DPDPA-compliant policy takes 2 minutes.

Has anyone been fined under DPDPA yet?

As of mid-2026 the Data Protection Board of India has begun its first round of inquiries following the publication of final DPDPA Rules in 2025. Several large breaches from 2023–2025 (Aadhaar-linked CSC leaks, telecom KYC dumps, fintech credential exposures) are under active investigation. Industry observers expect the first major DPDPA orders in late 2026.

How do DPDPA penalties compare to GDPR?

DPDPA caps fines at ₹250 crore (about EUR 28 million) per violation with fixed amounts in the Schedule. GDPR caps fines at the higher of EUR 20 million or 4% of global annual turnover. For very large global companies GDPR fines can exceed DPDPA, but for mid-size Indian businesses DPDPA exposure is substantially higher because it does not scale with revenue. Read our deeper DPDPA vs GDPR comparison.

Can I reduce my DPDPA penalty exposure?

Yes. The DPBI explicitly considers mitigating actions when setting penalties (Section 33). Concrete steps that reduce exposure:

Related Resources