DPDP Act

The DPDP Act is India’s primary data protection legislation, passed in 2023. It applies to the processing of digital personal data collected within India or collected outside India if the processing relates to offering goods or services to individuals in India.

The law designates organizations that determine the purpose and means of processing as Data Fiduciaries. It grants Data Principals (individuals) rights to access, correct, and erase their personal data, and to nominate someone to exercise those rights on their behalf. Consent must be free, specific, informed, unconditional, and unambiguous, and it must be obtained for each stated purpose.

The Act introduces the concept of Significant Data Fiduciaries, large-scale processors subject to additional obligations including data protection impact assessments and periodic audits. It also contains specific provisions for processing children’s data, requiring verifiable parental consent.

For CIAM, the DPDP Act shapes consent management, age verification, and data rights workflows for platforms serving Indian users, adding to the global patchwork of privacy regulations that identity systems must support.