India's Digital Personal Data Protection (DPDP) Act changes what your mobile app is legally required to do with user data. This is a practical, founder-level guide — not legal advice — to what compliance actually requires before you launch.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy law, roughly comparable in spirit to Europe's GDPR but structured differently. For mobile app founders, it matters because almost every app collects personal data — phone numbers, location, device identifiers, payment details — and the DPDP Act creates specific legal obligations around how that data is collected, stored, used and deleted.
Under the DPDP Act, any Indian mobile app that collects personal data must obtain clear, specific consent before collecting it, state exactly why it needs the data, and allow users to withdraw consent and request deletion — non-compliance carries penalties of up to ₹250 crore per instance.
This guide explains what the DPDP Act requires in plain language, structured the way a founder actually needs it — before you brief a development agency, not after you get a legal notice. This is general guidance, not legal advice; consult a qualified data protection lawyer before launch, especially if you handle sensitive categories of data like health, financial or children's information.
What Is the DPDP Act, 2023?
DPDP Act — key facts every founder should know
- Passed in August 2023; rules and enforcement timelines have been rolling out through 2025–2026
- Enforced by the Data Protection Board of India (DPBI)
- Applies to any entity processing personal data of individuals in India — including apps built outside India that serve Indian users
- Introduces the terms "Data Fiduciary" (you, the app owner) and "Data Principal" (your user)
Who Does the DPDP Act Apply To?
If your mobile app collects any personal data from users in India — a phone number for OTP login, a name for a profile, location for delivery, or payment details for checkout — you are a "Data Fiduciary" under the Act and it applies to you, regardless of whether your company is registered in India or abroad. A "Significant Data Fiduciary" (apps processing data at large scale, or handling sensitive categories) faces additional obligations like appointing a Data Protection Officer and conducting periodic audits.
What Mobile Apps Must Do to Comply
- Obtain clear, informed, specific consent before collecting personal data — pre-ticked checkboxes and bundled "accept all" consent for unrelated purposes are not compliant
- Provide a plain-language notice explaining exactly what data is collected and why, before or at the time of collection
- Allow users to withdraw consent as easily as they gave it, and stop processing their data once withdrawn
- Implement "reasonable security safeguards" to prevent data breaches — encryption, access controls, and breach detection
- Notify the Data Protection Board and affected users in the event of a personal data breach
- Delete personal data once it is no longer needed for the purpose it was collected, or when the user withdraws consent
- Appoint a grievance officer or contact point for users to raise data-related complaints
Consent Requirements Under the DPDP Act
Consent under DPDP must be free, specific, informed, unconditional and unambiguous — meaning a single toggle to "accept terms" covering data collection, marketing emails and third-party sharing all at once is a compliance risk. Each distinct purpose should ideally have its own clear consent point, and your app must make withdrawing consent at least as easy as giving it.
Data Localisation and Cross-Border Transfer Rules
Unlike some earlier draft versions of Indian data law, the final DPDP Act does not impose blanket data localisation on all personal data. Cross-border data transfer is generally permitted unless the Central Government specifically restricts transfer to certain countries via notification. However, apps handling government-notified categories of sensitive personal data should plan for stricter localisation requirements and confirm current restrictions before launch, since this list can be updated.
Penalties for Non-Compliance
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards (leading to a breach) | Up to ₹250 crore |
| Failure to notify the Board/users of a data breach | Up to ₹200 crore |
| Non-fulfilment of additional obligations for children's data | Up to ₹200 crore |
| Non-fulfilment of Significant Data Fiduciary obligations | Up to ₹150 crore |
| Non-compliance with any other provision of the Act | Up to ₹50 crore |
DPDP Compliance Checklist for Founders
1. Map every piece of personal data your app collects and the specific purpose for each — build this before writing your privacy policy, not after
2. Design consent flows with granular, purpose-specific toggles rather than one bundled "accept all" screen
3. Write a plain-language privacy notice — avoid dense legal text that does not actually inform the user
4. Add a self-service option for users to withdraw consent and request data deletion inside the app
5. Implement encryption at rest and in transit, and role-based access control on your backend
6. Create a breach-response plan: who is notified, within what timeframe, and how users are informed
7. Appoint a grievance contact (a person or team, with a published email/contact method) for data complaints
8. If you process data on children under 18 or persons with disabilities, add verifiable parental/guardian consent flows — this category carries the highest penalties
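As an added illustration (not code from this article or from Nevatrix), here is a minimal per-purpose consent ledger in Python that models the consent rules above and checklist items 1, 2, 4 and 8: one consent record per declared purpose instead of a bundled "accept all", withdrawal as a single call that stops processing immediately, retention-based deletion, and guardian verification for under-18 users. The purpose names, retention periods and timestamps are constructed assumptions, not figures from the Act.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed purposes and retention periods (assumptions for this example,
# not figures from the Act): data is kept only while its purpose needs it.
RETENTION = {
    "otp_login": timedelta(days=90),
    "delivery_location": timedelta(days=30),
    "marketing": timedelta(days=365),
}

def ts(day: int) -> datetime:  # constructed timestamp: day N of the example (UTC)
    return datetime(2026, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)

@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class DataPrincipal:
    """One user; consent is recorded per purpose, never as a bundled 'accept all'."""
    user_id: str
    is_minor: bool = False            # under 18: verifiable guardian consent needed
    guardian_verified: bool = False
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    def grant(self, purpose: str, now: datetime) -> None:
        if purpose not in RETENTION:
            raise ValueError(f"no declared purpose: {purpose}")
        if self.is_minor and not self.guardian_verified:
            raise PermissionError("guardian consent not verified for a minor")
        if self.is_minor and purpose == "marketing":
            raise PermissionError("targeted advertising to children is not allowed")
        self.consents[purpose] = ConsentRecord(purpose, now)
    def withdraw(self, purpose: str, now: datetime) -> None:
        # One call, as easy as granting; may_process() turns false immediately.
        rec = self.consents.get(purpose)
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now
    def may_process(self, purpose: str, now: datetime) -> bool:
        # Every use of the data is gated on a live, unwithdrawn, unexpired consent.
        rec = self.consents.get(purpose)
        return (rec is not None and rec.withdrawn_at is None
                and now < rec.granted_at + RETENTION[purpose])
    def purposes_due_for_deletion(self, now: datetime) -> List[str]:
        # Data whose consent was withdrawn or whose retention period has lapsed.
        return sorted(p for p in self.consents if not self.may_process(p, now))
```

In a real backend the same `may_process` check would sit in front of every read of the user's data, and `purposes_due_for_deletion` would drive a scheduled deletion job.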
How Nevatrix Builds DPDP-Compliant Apps
Every app Nevatrix builds includes purpose-specific consent flows, encrypted data storage, a built-in data deletion request flow, and a privacy policy template reviewed against DPDP Act requirements. We are a development agency, not a law firm — for apps handling sensitive data categories (health, finance, children), we recommend pairing our build with a qualified data protection lawyer's review before launch.
Frequently Asked Questions
The Digital Personal Data Protection Act, 2023 is India's primary data privacy law. It applies to any app that processes personal data of individuals located in India, regardless of where the app's company is registered. If your app collects phone numbers, names, location, or payment details from Indian users, the DPDP Act applies to you.
Personal data is any data about an individual who is identifiable by or in relation to that data — names, phone numbers, email addresses, device IDs, location data, photos, payment information and behavioural data tied to an identifiable user all qualify. Fully anonymised, non-identifiable data generally falls outside the Act's core consent requirements.
For a straightforward business app collecting standard data (name, phone, email, location for delivery), a well-built consent flow and clear privacy policy following DPDP principles significantly reduces risk. For apps handling sensitive categories — health records, financial data, or any data from users under 18 — a qualified data protection lawyer's review before launch is strongly recommended given the higher penalty tiers for these categories.
The Data Fiduciary is the entity that determines the purpose and means of processing personal data — typically your company as the app owner. A Data Processor processes data on the Fiduciary's behalf, such as a cloud hosting provider or analytics vendor. The Data Fiduciary carries primary legal responsibility for compliance, even when processing is outsourced to vendors.
Generally yes — the DPDP Act does not impose blanket data localisation. Cross-border transfer is permitted unless the Central Government specifically restricts transfer to a particular country by notification. Always check the current restricted-country list before finalising cloud hosting or analytics vendors, since notifications can be updated.
You must notify the Data Protection Board of India and affected users of a personal data breach. Failure to notify carries penalties of up to ₹200 crore. Your app should have a documented breach-response plan — including notification timelines and user communication templates — in place before launch, not drafted reactively after an incident.
Yes. The DPDP Act applies extra-territorially to any processing of personal data of individuals in India, even if the app, company or servers are located outside India. If you serve Indian users, DPDP compliance applies regardless of where your business is incorporated.
Penalties scale by violation type and severity, up to ₹250 crore for failing to implement reasonable security safeguards that leads to a data breach, up to ₹200 crore for failing to notify a breach or for violations involving children's data, and up to ₹50 crore for other non-compliance. Penalties are assessed by the Data Protection Board of India per instance.
Yes. The DPDP Act requires verifiable parental or guardian consent before processing personal data of anyone under 18, and prohibits tracking, behavioural monitoring or targeted advertising directed at children. This category carries some of the highest penalty exposure under the Act — up to ₹200 crore — so apps with any under-18 user base need this designed in from day one.
Building purpose-specific consent flows, a data deletion request feature, and encrypted storage typically adds ₹15,000–₹40,000 to a standard app build, depending on data complexity. This is far cheaper than retrofitting compliance after launch or facing a penalty — Nevatrix includes baseline DPDP-aligned architecture in every app we build.
About the Author
Aditya Kumar is a Senior Mobile App Developer at Nevatrix Technologies, Warangal. With 6+ years building cross-platform mobile applications, he has delivered 50+ apps for startups and enterprises across India and internationally.