Is Your Website
DPDP Compliant?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data privacy law governing how businesses collect, store, process, and share digital personal data of Indian citizens. It requires businesses to: (1) obtain explicit, informed consent before processing any personal data, (2) provide data principal rights including access, correction, and erasure within 7 days, (3) maintain audit-ready compliance records for 7 years, (4) notify data breaches to CERT-In within 6 hours, and (5) appoint a grievance officer. Full enforcement begins May 13, 2027, with no grace period. Penalties reach up to Rs 250 Crore per violation.

Every business that processes digital personal data of individuals in India must comply with the DPDP Act — regardless of company size, revenue, or industry. This includes e-commerce websites, SaaS platforms, mobile apps, service businesses, healthcare providers, educational institutions, and fintech companies. There are no small business exemptions for core obligations like consent management, privacy notices, breach notification, and data principal rights. Even foreign companies processing data of Indian residents must comply. The only exceptions are for personal/domestic use and publicly available data that the individual has made available voluntarily.

DPDP Act penalties are among the steepest in Asia: Rs 250 Crore (approx. $30M USD) for security failures leading to data breaches, Rs 200 Crore for failure to notify a breach within the required timeline, Rs 200 Crore for children's data violations, Rs 150 Crore for Significant Data Fiduciary obligation breaches, and Rs 50 Crore for any other non-compliance. Unlike GDPR, there is no percentage-of-revenue cap — these are absolute maximums per incident. The Data Protection Board of India (DPBI) can also issue remediation directions. Repeated violations can lead to cumulative penalties.

Yes, cookie consent banners are mandatory under the DPDP Act if your website uses any cookies that process personal data — including analytics cookies (Google Analytics), advertising pixels (Meta Pixel, Google Ads), social media widgets, and session tracking. Under DPDP, implied consent is invalid, pre-checked boxes are prohibited, and cookie walls (blocking access until consent) are not allowed. You must: (1) block all non-essential cookies until the user gives explicit consent, (2) provide a clear 'Reject All' option alongside 'Accept All', (3) allow granular category-level consent, and (4) make withdrawal as easy as giving consent. ZenoComply's cookie consent widget handles all of this automatically, with support for 22 Indian languages.

ZenoComply is purpose-built for DPDP Act compliance, while CookieYes and OneTrust are GDPR-first tools with DPDP added as an afterthought. Key differences: (1) Pricing — ZenoComply starts free, then Rs 499/mo (approx. $6/mo) vs CookieYes at $10-45/mo and OneTrust at $100-500+/mo. (2) Language support — ZenoComply supports all 22 scheduled Indian languages natively, not just English and Hindi. (3) India-hosted — all data stays on Indian infrastructure, meeting data residency expectations. (4) DPDP-specific scanner — our compliance scanner checks against DPDP-specific requirements like 7-day DSR response timelines and CERT-In breach notification rules, not generic GDPR checklists. (5) Infrastructure remediation — ZenoComply connects to ZenoCloud for fixing the actual compliance gaps, not just reporting them.

Yes, the ZenoComply DPDP readiness scanner is completely free with no signup required. Enter your website URL and get a compliance score (0-100) in under 60 seconds. The free scan checks 6 critical areas: cookie consent compliance, privacy notice completeness, third-party tracker detection, security header verification, data collection audit, and data principal rights mechanisms. You receive a detailed report showing exactly what passes, what fails, and specific steps to fix each issue. Paid plans (starting at Rs 499/mo) add ongoing monitoring, custom consent widgets, consent analytics, and weekly automated re-scans.

The DPDP Act enforcement deadline is May 13, 2027. The DPDP Rules 2025 were notified on November 13, 2025, starting an 18-month transition period. Key milestone dates: November 13, 2025 (Rules notified), November 13, 2026 (Consent Manager registration opens), and May 13, 2027 (full enforcement begins with penalties from Day 1). There is no grace period after May 13, 2027. The Data Protection Board of India (DPBI) can begin issuing penalties immediately. Businesses should aim to be fully compliant well before the deadline to allow time for testing, employee training, and vendor compliance verification.