India's Digital Personal Data Protection Act, 2023 (DPDPA) imposes some of the heaviest data protection penalties in the world. Businesses that fail to comply face fines ranging from ₹10,000 to ₹250 crore per violation, with the Data Protection Board of India (DPBI) empowered to impose penalties directly.
This guide breaks down every penalty category, who is at risk, and how to protect your business.
Unlike GDPR which calculates fines as a percentage of revenue, DPDPA imposes fixed maximum penalties per violation. Even a single data breach with no privacy policy can trigger ₹250 crore in fines. The cheapest insurance? Generate a compliant privacy policy now (free, 2 minutes).
| Violation | DPDPA Section | Max Penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach | Section 8(5), Schedule | ₹250 Cr |
| Failure to notify the Board and affected Data Principals of a personal data breach | Section 8(6), Schedule | ₹200 Cr |
| Non-compliance with children's data (processing without verifiable parental consent) | Section 9, Schedule | ₹200 Cr |
| Non-compliance with additional obligations of Significant Data Fiduciary | Section 10, Schedule | ₹150 Cr |
| Non-fulfillment of any other obligation (missing privacy policies, consent failures) | General, Schedule | ₹50 Cr |
| Non-compliance by Data Principal (false info, frivolous complaints) | Section 15, Schedule | ₹10,000 |
The DPDPA applies to every business operating in India that processes digital personal data, regardless of size:
The most basic requirement. Every website and app must have a clear, accessible privacy policy explaining what data is collected, why, and how users can exercise their rights. Most Indian websites still don't have a DPDPA-compliant policy.
DPDPA requires explicit, informed consent before collecting personal data. A pre-ticked checkbox or buried terms in a lengthy document does NOT qualify as valid consent.
If your business suffers a data breach without reasonable security measures, you face the maximum penalty. This includes lacking encryption, access controls, or an incident response plan.
Processing data of anyone under 18 without verifiable parental consent carries severe penalties. Age verification and parental consent mechanisms are mandatory.
Data Principals have the right to raise grievances. You must have a designated person or mechanism to handle data protection complaints within prescribed timelines.
Generate a DPDPA-compliant privacy policy in 2 minutes. Free, no signup required.
The following are well-documented Indian data exposures from 2022–2025. The DPDPA was either not in force or its Rules were not yet notified when these occurred, so actual penalties were not imposed. We have modeled what the likely DPDPA exposure would have been if the Act were active and enforcement mature.
| Incident (year) | Data exposed | Failure category | Modeled DPDPA exposure |
|---|---|---|---|
| Major Indian telecom KYC dump (2024) | ~750 million records: name, mobile, address, Aadhaar fragments | Security safeguards (Sec 8(5)) + breach notification (Sec 8(6)) | ₹250 Cr + ₹200 Cr |
| Public sector bank fintech partner breach (2023) | 16.8 lakh customers: PAN, account number, balance, mobile | Security safeguards + processor oversight (Sec 8(2)) | ₹250 Cr |
| EdTech leak of student records (2022, surfaced 2024) | 2.5 crore K-12 student records including DOB, school, parent contact | Children's data (Sec 9) + security safeguards (Sec 8(5)) | ₹200 Cr + ₹250 Cr |
| Indian healthcare aggregator exposure (2023) | 1.5 lakh patient records, prescriptions, lab results | Security safeguards + purpose limitation (Sec 7) | ₹250 Cr |
| Quick-commerce app token leak (2024) | 11 million customers: address, order history, payment metadata | Security safeguards + delayed disclosure | ₹250 Cr + ₹200 Cr |
| D2C brand Shopify mis-config (2025) | 4.2 lakh customer records exposed via public storefront API | Reasonable security safeguards (Sec 8(5)) | ₹250 Cr |
Modeled exposure reflects the statutory maximum per violation under the DPDPA Schedule. Actual penalties imposed by the DPBI typically apply mitigating factors (Section 33) and can be substantially lower if the entity demonstrates good-faith compliance effort.
Different industries trigger different DPDPA sections based on the personal data they process. Use the table below to estimate your exposure category.
| Industry | Sensitive data processed | Most likely violation | Max exposure |
|---|---|---|---|
| E-commerce / D2C | Address, payment, order history, behavioral tracking | Security + cross-border transfer + consent | ₹250 Cr |
| SaaS / B2B platforms | User accounts, telemetry, customer data as processor | Security + processor accountability | ₹250 Cr |
| Fintech / Lending | Aadhaar, PAN, bank, credit score, biometric | Security + retention + RBI overlap | ₹250 Cr |
| HealthTech / Clinics | Prescriptions, diagnoses, ABDM data, teleconsult logs | Security + purpose limitation | ₹250 Cr |
| EdTech / K-12 | Student PII, parent contact, behavioral, biometric for attendance | Children's data (Sec 9) + parental consent | ₹200 Cr |
| Early-stage startups | Waitlist emails, beta user data, founder-collected PII | Notice (Sec 5) + consent + no DPO | ₹50 Cr |
| Blogs / Creators / Agencies | Newsletter, analytics, ad networks, lead forms | Notice + cookie consent | ₹50 Cr |
| Mobile apps (B2C) | Device ID, location, contacts, push tokens | Consent + purpose limitation + child users | ₹200 Cr |
The Data Protection Board of India considers several factors when determining the penalty amount:
Key insight: Having a privacy policy, even an imperfect one, demonstrates good faith compliance effort. The DPBI is likely to impose lower penalties on businesses that show they made reasonable attempts to comply.
| Aspect | DPDPA (India) | GDPR (EU) |
|---|---|---|
| Maximum penalty | ₹250 Cr (~$30M) | 4% of global revenue or €20M |
| Penalty calculation | Fixed maximum per violation | Percentage of revenue |
| Impact on small business | Disproportionally harsh (fixed) | Scales with revenue |
| Enforcement body | Data Protection Board of India | National DPAs |
| Criminal penalties | No (civil only) | Varies by member state |
Step 1: Generate your privacy policy. Step 2: Review the compliance checklist. It takes 5 minutes.
The maximum penalty under the Digital Personal Data Protection Act 2023 is ₹250 crore (approximately USD 30 million) for failure to take reasonable security safeguards that result in a personal data breach. This is imposed per violation by the Data Protection Board of India under Section 8(5) and the Schedule.
The Data Protection Board of India (DPBI), a statutory body established under Chapter V of the DPDPA 2023, has direct authority to investigate violations, hold inquiries, and impose monetary penalties without requiring a court order. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
DPDPA penalties are imposed per violation, not per affected data principal. A single incident affecting 10 million users typically counts as one violation, capped at the Schedule maximum (₹250 Cr for security failures). However, the DPBI considers the number of affected users when determining the penalty quantum within that cap.
Yes. Unlike GDPR which caps fines at 4% of global revenue, DPDPA imposes fixed maximum penalties regardless of company size. A 5-person startup that suffers a breach with no security controls is theoretically exposed to the same ₹250 Cr cap as a Fortune 500 company. In practice the DPBI considers gravity, intent, and mitigating factors when sizing the penalty — see our startup-specific DPDPA guide.
Failure to provide notice (Section 5) or to fulfill any other Data Fiduciary obligation falls under the residual penalty bucket of up to ₹50 crore. While ₹50 Cr is the statutory maximum, even small businesses without a compliant privacy policy face inquiry, mandatory remediation, and reputational damage. Generating a DPDPA-compliant policy takes 2 minutes.
As of mid-2026 the Data Protection Board of India has begun its first round of inquiries following the publication of final DPDPA Rules in 2025. Several large breaches from 2023–2025 (Aadhaar-linked CSC leaks, telecom KYC dumps, fintech credential exposures) are under active investigation. Industry observers expect the first major DPDPA orders in late 2026.
DPDPA caps fines at ₹250 crore (about EUR 28 million) per violation with fixed amounts in the Schedule. GDPR caps fines at the higher of EUR 20 million or 4% of global annual turnover. For very large global companies GDPR fines can exceed DPDPA, but for mid-size Indian businesses DPDPA exposure is substantially higher because it does not scale with revenue. Read our deeper DPDPA vs GDPR comparison.
Yes. The DPBI explicitly considers mitigating actions when setting penalties (Section 33). Concrete steps that reduce exposure: