DPDP Act Final Rules 2026: What It Means for Your Privacy

Under the DPDP Act, Indian citizens have the right to demand companies erase their personal data, and businesses face fines up to INR 250 crore for data breaches.
By Founder & Tech Writer, GetInfoToYou | Updated | 7 min read | Fact-checked: Sudarshan Babar | Reviewed 11 May 2026

Key Takeaways

  • Companies must get explicit consent in 22 Indian languages before collecting data.
  • You can legally force apps to delete your personal information.
  • Businesses face fines up to INR 250 crore for data breaches and ignoring privacy rights.
  • Targeted advertising to children under 18 is strictly prohibited.

You buy a shirt online. Ten minutes later, you get an SMS offering a personal loan. By evening, your email has three offers for credit cards. This happens because companies sell your personal information. But this is finally changing. The government recently notified the DPDP Act final rules, and they are now officially dictating how companies handle your data in 2026. This law forces apps, websites, and offline stores to ask for your permission before taking your data.

For years, Indian consumers treated spam calls and data leaks as a normal part of life. We handed over our phone numbers at the supermarket checkout counter just to save ten rupees. Those days are ending. The new rules shift the control back to you.

What exactly is the DPDP Act?

The Digital Personal Data Protection Act is India's new privacy law. The core idea is simple. Your data belongs to you. Companies are just borrowing it. To understand how this works, you need to know two legal terms that the government uses.

You are the "Data Principal". This means you are the owner of your personal information. The company collecting your information is the "Data Fiduciary". They hold your data in trust.

For years, Indian users handed over their names, phone numbers, and Aadhaar details to any app that asked. We clicked "Accept" on long privacy policies because we had no choice. The new Digital Personal Data Protection Rules change the balance of power. If a food delivery app wants your location, they have to tell you exactly why they need it. They cannot use that location data to target you with unrelated ads later. Once your food is delivered, you have the right to ask them to delete your address.

The biggest changes for data privacy in India

The average internet user will notice specific changes in how apps behave this year.

Clear consent in simple languages

Apps can no longer hide behind confusing legal jargon. The rules demand that consent forms be available in English and 22 scheduled Indian languages. When a local hospital asks for your medical records, they must provide a plain-text notice. If you only speak Hindi or Marathi, the app must ask for permission in that specific language. You must actively say yes. Pre-ticked boxes are now illegal.

The right to erase your digital footprint

You now have the right to correct your data and the right to be forgotten. If you delete a shopping app, you can legally demand they wipe your personal details from their servers. If they refuse, they face massive fines. This applies to old accounts too. If you used a matrimonial site five years ago and found a partner, you can force that site to delete your old profile and photos permanently.

Strict protection for children's data

This is a massive shift for parents. Companies cannot track children under 18 or target them with personalized advertisements. Educational apps and online games now require verifiable parental consent before creating a profile for a child. This stops gaming companies from manipulating young users with targeted in-app purchases. Apps that process large amounts of children's data face heavy scrutiny from the government.

How the DPDP Act final rules affect Indian businesses

Many companies are struggling to adapt to this reality. A recent industry report showed that only 50 percent of consumer, retail, and e-commerce firms have actually started their DPDP Act adoption. The other half are running out of time and risking severe penalties.

Businesses can no longer hoard data just in case they might need it later. A shoe store cannot ask for your Aadhaar number or marital status to sell you sneakers. They can only collect what is strictly necessary for the transaction. If a business suffers a data breach, they can no longer hide it. The rules make it mandatory for companies to report any data leak to the government and to the affected users immediately.

"Companies that treat privacy as a mere compliance checklist will lose customers quickly. Users are starting to trust platforms that actively respect their personal data."

Small business owners need to update their websites and physical store practices immediately. You must add clear cookie banners, write readable privacy policies, and give users an easy way to opt out. If you run a local pharmacy and keep a WhatsApp broadcast list of your patients, you need proof that every single person actively agreed to receive your messages. You cannot just add phone numbers from your billing software into a marketing group.

The healthcare sector faces even stricter rules. Hospitals and diagnostic labs handle highly sensitive health data. They must upgrade their cybersecurity systems and ensure that patient records are not shared with third-party insurance agents without explicit written consent.

What happens when companies break the rules?

The days of companies getting away with a simple apology after a massive data leak are over. The DPDP Act introduces severe financial penalties that actually hurt corporate bottom lines. The Data Protection Board of India acts as the digital traffic police.

If a company fails to protect your data and a breach occurs, they can be fined up to INR 250 crore. If they fail to notify you and the government about the breach, they face an additional fine of INR 200 crore. These are not maximum caps reserved only for tech giants. Even mid-sized companies face proportional fines that could bankrupt them if they ignore basic cybersecurity practices.

However, there is a catch. The law does not currently force companies to pay compensation directly to the users whose data was stolen. The fines go to the government. If you suffer financial loss because a company leaked your PAN details, you still have to approach consumer courts for personal compensation.

The rise of Consent Managers

One of the most interesting additions in the 2026 framework is the concept of Consent Managers. Managing your privacy across fifty different apps is exhausting. The government recognized this problem.

Consent Managers are registered platforms that act as a bridge between you and the companies asking for your data. Think of them like the Account Aggregator system used in banking, or your UPI app. Instead of managing your money, they manage your permissions.

Through a single dashboard, you will be able to see which apps have access to your location, your contacts, or your financial history. If you see an app you no longer use, you can revoke its access with one tap. The Consent Manager will legally force the company to stop using your data. This system is still rolling out, but it will fundamentally change how Indians control their digital lives.

How to exercise your data privacy rights today

Knowing your rights is just the first step. You also need to know how to use them to protect yourself.

  1. Review your app permissions: Check the settings on your smartphone today. Revoke camera, microphone, and location access for apps that do not actually need them to function. A calculator app never needs your location.
  2. Demand data deletion: When you close an account with a bank, a telecom provider, or a shopping portal, send them an email explicitly asking them to erase your data under the DPDP Act. Keep a record of your request.
  3. Use temporary numbers: Until the full ecosystem matures, consider using virtual numbers or email aliases when signing up for one-time services.
  4. Report violations: If a company ignores your request, sends you unsolicited marketing after you opted out, or misuses your data, you can file a complaint with the Data Protection Board of India.

You can read our other explainers to understand more about your digital rights. We also have a dedicated section tracking common digital scams that exploit stolen personal data. Keeping your information private is the absolute best way to protect your bank account from fraud. If you want to secure your devices further, check out our recommended privacy tools for Indian users.

Frequently Asked Questions

The rules are being actively enforced in 2026. Companies must comply with consent requirements and data protection standards immediately to avoid massive financial penalties.
Yes. The DPDP Act gives you the right to be forgotten. You can request any company to erase your personal details if you no longer use their services.
The company is legally required to inform you and the government immediately. They can face fines up to INR 250 crore from the Data Protection Board of India for failing to secure user information.
Founder & Tech Writer, GetInfoToYou
Sudarshan Babar is a technology writer focused on making AI, cybersecurity, and digital government services accessible to Indian readers. He covers UPI scams, Aadhaar security, and emerging tech tools…
