There are platforms today that identify users the moment they enter a website or app – sometimes even without logging in. For example, with a major white-labelled e-commerce site provider, a mobile number entered on one site might trigger automatic identification on a completely different brand’s website. This “silent identification” raises an important question: what does the Digital Personal Data Protection (DPDP) Act, 2023 say about it, and what are our rights with respect to our data?
The DPDP Act aims to bring transparency and accountability into the digital ecosystem. While the DPDP Act is pretty extensive in its definitions and in the rights it gives individuals, there are key takeaways every individual should know, especially when new services recognize their identity without their actively providing consent.
1. Consent must be specific to the purpose – not blanket
If a user shares their mobile number for one purchase, the purpose is limited to that transaction. The DPDP Act does not allow repurposing the same data across unrelated platforms or brands unless:
- The individual has been informed, and has given clear, unambiguous consent.
Using personal data for a new purpose without consent violates the principles of purpose limitation and consent specificity.
2. “Pre-filled consent” and “silent tracking” are not valid consent
The Act recognizes that consent must be:
- Explicit, informed, voluntary, and revocable
- Not obtained through hidden patterns within a privacy policy or through implied assumptions
If a platform identifies you without a login and without seeking permission during that interaction, that is not valid consent under DPDP.
3. Individuals have the right to know where their data came from
The DPDP Act grants individuals the Right to Information, including:
- What personal data is held
- Where it was collected from
- For what purpose it is being used
- With whom it has been shared
So if a platform can identify a user without login, the user has the right to ask:
How did you get my data and why are you using it here?
A Data Fiduciary (the company) is obligated to respond.
4. Users have the right to request erasure – not just opt-out
The Act makes it mandatory to delete personal data:
- When the purpose has been fulfilled, or
- When the individual withdraws consent
Most importantly, deletion is not merely deactivation – the company must erase the data from its systems and notify processors/vendors to do the same. The user is entitled to a confirmation of deletion. This can be a deletion certificate, or an email confirmation with logs / screenshots confirming deletion.
5. Sharing personal data with another entity requires consent – not commercial arrangements
If a service provider integrates with multiple brands (e.g., a fast checkout system across e-commerce platforms), it cannot auto-identify users across brands unless the user has knowingly consented to cross-platform recognition.
Say you purchase a shirt on one website and give your address, mobile number, etc. The moment you enter your mobile number on another website that you have never visited before, your address is auto-populated.
The logic is simple:
Convenience cannot override consent.
6. The company must provide a grievance mechanism
If a user requests:
- Explanation of how identification occurred
- Correction or deletion
- Withdrawal of consent
… the company must respond within a reasonable timeframe.
If not, the user may escalate to the Data Protection Board of India once it becomes fully operational.
7. Transparency is not optional – it is a legal obligation
Before processing personal data, companies must present a notice that clearly explains:
- What data is being collected
- Why it is being collected
- How it will be used
- How the user can withdraw consent and delete data
If this notice is missing, ambiguous, or hidden deep inside T&Cs, it fails the requirement of lawful processing.
DPDP Act Enforcement – Key Dates You Should Know
- 11 Aug 2023 – DPDP Act passed in Parliament.
- 13 Nov 2025 – Rules notified and Data Protection Board of India (DPBI) established – the law becomes officially operational.
- Nov 2025 → May 2027 – Phased rollout period for companies to update consent notices, privacy policies, and data-handling practices.
- By May 2027 – All user rights must be fully functional, including:
  - Right to know how your data is used
  - Right to access / correct your data
  - Right to withdraw consent and request deletion
  - Right to grievance redressal and breach notification
- In short: The law is already active from Nov 2025, but companies get time to comply. By May 2027, every platform must allow you to control your personal data — including consent, access, and deletion.