What Are The Penalties Under The DPDP Act?

When big businesses have lax security, it is their customers who pay the price. 

Consider the Air India breach of 2021, which exposed the details of about 4.5 million passengers. The passengers bore the consequences; the airline faced no statutory penalty, because India then had no dedicated data protection law. Today, under India's Digital Personal Data Protection Act, 2023 (DPDP Act), such a breach could cost a company hundreds of crores in penalties if it is traced to inadequate security safeguards.

This legislation was a much-needed step in India's data protection journey, which began in 2017 when the government formed the Justice B.N. Srikrishna committee. The committee's 2018 report shaped the Personal Data Protection Bill, 2019. After review by a Joint Parliamentary Committee, that bill was withdrawn in 2022, and a fresh draft was released for public feedback. In August 2023, the Digital Personal Data Protection Bill, 2023 was passed by Parliament and received presidential assent, becoming the DPDP Act.

The Digital Personal Data Protection Act, 2023 applies to digital personal data processed within India, whether collected in digital form or collected offline and digitised later. It sets rules for handling personal data and a Schedule of penalties whose caps depend on which obligation was breached. Minor non-compliance draws smaller fines; failures of security safeguards draw the largest.

In this article, we’ll discuss the penalties under the DPDP Act 2023 and what they mean for businesses.

DPDP Act 2023: breaking it down in simple terms

The DPDP Act is India's attempt at a uniform framework for personal data protection. It covers digital personal data processed within India, and processing outside India where it is connected with offering goods or services to individuals in India. It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that the individual has made publicly available.

The objectives of the DPDP Act are straightforward. The Act aims to:

  • Protect personal data from misuse
  • Give individuals control over how their data is used
  • Set clear rules for organizations handling personal data
  • Apply to all entities processing personal data in India
  • Cover businesses outside India if they serve Indian users

The DPDP Act introduces key roles and terms that clarify the responsibilities of entities involved in data processing and the rights of individuals whose data is being collected: 

  • Data fiduciary: any person or entity that, alone or with others, determines the purpose and means of processing personal data. Fiduciaries carry the compliance obligations. For example, a social media platform that decides what information to collect from users and how to use it
  • Data principal: the individual whose personal data is being processed, for example a shopper whose name, address and payment details are captured by an e-commerce platform to complete a transaction. For a child, the term includes the parent or lawful guardian
  • Personal data: any data about an individual who is identifiable by or in relation to that data, whether directly (a name, an Aadhaar number) or indirectly (an IP address, a location trail). Note that the DPDP Act does not define a separate "sensitive personal data" category; all personal data is subject to the same obligations

The Act places the obligations on data fiduciaries. They must define the purpose of collection, decide how the data is used, and ensure compliance, including for any processing carried out on their behalf (Section 8(5)). Data processors, who process data on a fiduciary's behalf, have no direct obligations under the Act; a fiduciary may engage a processor only under a valid contract, and it remains answerable for how the processor handles the data.

A penalty applies when a data fiduciary (or, for the Section 15 duties, a data principal) breaches the Act. The largest cap is ₹250 crore (about USD 30 million) per breach.

Unlike the EU's GDPR, which ties its ceiling to turnover (€20 million or 4% of worldwide annual turnover, whichever is higher), the DPDP Act sets fixed rupee caps per category of breach in its Schedule, and the Board may impose a separate penalty for each breach it finds.


Who enforces the rules and how?

The Data Protection Board of India (the Board) enforces the DPDP Act. It inquires into breaches, handles complaints from data principals, and imposes monetary penalties on those who break the law.

On receiving a complaint or a reference, the Board first decides whether there are sufficient grounds to proceed. In an inquiry it has the powers of a civil court: it can summon persons, examine them on oath, and require the production of documents. If it finds a breach, it must give the person an opportunity to be heard before imposing a penalty, and the amount is set within the Schedule cap according to the factors in Section 33(2). Orders of the Board can be appealed to the Appellate Tribunal.

Data fiduciaries may process personal data only for a lawful purpose, and only with the data principal's consent or for one of the "certain legitimate uses" listed in Section 7 (such as data the principal volunteers for a specified purpose, or employment-related processing). Where consent is the basis, the request must be accompanied or preceded by a notice stating what personal data will be processed and for what purpose, how the data principal can exercise their rights and withdraw consent, and how to complain to the Board.

Data principals may also give, manage, review or withdraw consent through a consent manager, a person registered with the Board who acts as a single point of contact on the data principal's behalf. Consent managers must operate through an accessible, transparent and interoperable platform, and they are accountable to the data principal.

If a consent manager fails to act in the data principal's interest, the data principal can complain to the Board.


What can get you penalized under the DPDP Act?

Breaking the Act's rules can be expensive. The Schedule to the DPDP Act fixes a maximum penalty for each category of breach. Failures of security safeguards, failure to report a breach, and breaches of the children's-data obligations sit in the highest brackets.

Breaches of any other provision, including most consent and notice failures, fall in the residual category, capped at ₹50 crore per breach.

Here are the maximum penalties per category (Schedule to the DPDP Act, 2023):

  • Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)): ₹250 crore
  • Failure to notify the Board and affected data principals of a personal data breach (Section 8(6)): ₹200 crore
  • Breach of the additional obligations for children's data (Section 9): ₹200 crore
  • Breach of the additional obligations of a significant data fiduciary (Section 10): ₹150 crore
  • Breach of a data principal's duties (Section 15): ₹10,000
  • Breach of a voluntary undertaking accepted by the Board (Section 32): up to the cap for the breach the original proceedings concerned
  • Breach of any other provision of the Act or the rules: ₹50 crore

A closer look at DPDP Act penalties

Violating the Act carries substantial financial risk. Penalty caps are set by category of breach, from ₹250 crore for a failure of security safeguards down to ₹10,000 for a breach of a data principal's duties, and even the residual category for unlisted violations is capped at ₹50 crore.

Here’s how the penalties stack up:

Failure to prevent a personal data breach

A personal data breach is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises its confidentiality, integrity or availability. Hacking, ransomware, misconfigured storage and internal mishandling all qualify. The Act's highest penalty attaches not to the breach itself but to the fiduciary's failure to take reasonable security safeguards to prevent it (Section 8(5)).

If a bank's customer database is compromised and exposes financial details and Aadhaar numbers, and the Board finds that the bank had not taken reasonable safeguards, the penalty can reach ₹250 crore.

For a sense of scale, consider the 2021 breach at Domino's India, operated by Jubilant FoodWorks, in which data from roughly 18 crore orders, including customer names, phone numbers, email addresses and delivery addresses, surfaced on the dark web, with the attacker reportedly also claiming to hold payment card details. That incident predates the Act; a comparable incident today would be assessed against Section 8(5).

Failure to notify a data breach

Section 8(6) requires a data fiduciary to notify both the Board and each affected data principal of a personal data breach, in the form and within the time the rules prescribe. Delayed notice compounds the harm, because victims cannot change passwords, block cards or watch for identity theft. Facebook's 2021 leak, in which records of over 530 million users surfaced online, drew heavy criticism because the company chose not to notify the affected users.

A fiduciary in India that fails to give this notice faces a penalty of up to ₹200 crore.

Processing children’s data

Under Section 9, a data fiduciary must obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child (anyone under 18), must not process children's data in a way likely to harm a child's well-being, and must not track or behaviourally monitor children or direct targeted advertising at them.

In 2019, TikTok (formerly Musical.ly) paid a $5.7 million settlement to the US Federal Trade Commission for collecting data from children under 13 without parental consent. A similar failure in India could attract a penalty of up to ₹200 crore under the DPDP Act.

Non-compliance by significant data fiduciaries

Significant Data Fiduciaries (SDFs) are fiduciaries that the Central Government notifies as such under Section 10, based on factors such as the volume and sensitivity of the personal data they process, the risk to data principals' rights, and the potential impact on sovereignty, security of the State, public order or electoral democracy. An SDF must appoint a data protection officer based in India, appoint an independent data auditor, and carry out periodic data protection impact assessments and audits.

If an SDF, such as a large bank or telecom provider, fails to meet these additional obligations, the penalty can reach ₹150 crore.

Breach of duties of data principals under Section 15

Individuals have duties too. Section 15 requires a data principal to comply with applicable law, not to impersonate another person, not to suppress material information when providing personal data for an identity document, not to register false or frivolous grievances or complaints, and to furnish only verifiably authentic information when exercising the right to correction or erasure. Withdrawing consent is a right under Section 6(4), not a breach of duty, and cannot be penalised.

For example, someone who files a fabricated complaint against a company with the Board, or impersonates another person when submitting personal data, can be fined up to ₹10,000.

Breach of voluntary undertakings accepted by the Board under Section 32

Under Section 32, a person under inquiry may offer a voluntary undertaking (for example, to take specific remedial action within a set time), and the Board's acceptance of it bars further proceedings on that matter. Breaching the undertaking is itself treated as a breach of the Act, and the Board may impose a penalty up to the cap that applied to the breach the original inquiry concerned.

General non-compliance

This residual category covers breaches of any other provision of the Act or the rules: for example, failing to give the required notice when seeking consent (Section 5), processing without a valid basis, not erasing personal data once its purpose is served or consent is withdrawn (Section 8(7)), or failing to honour a data principal's request for access, correction or erasure (Sections 11 and 12). Appointing a data protection officer is an SDF obligation and falls under the ₹150 crore bracket instead.

Each such breach can draw a penalty of up to ₹50 crore.

What decides the size of the penalty?

When setting the amount, the Board must consider the factors in Section 33(2): the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person gained or avoided loss through it; what action was taken to mitigate the effects and how promptly; and whether the penalty is proportionate and effective. Quick remediation tends to lower the amount; repetition raises it.

Here’s a closer look at what determines the final penalty amount:

Nature and gravity of the violation

The more serious the breach, the higher the penalty. A one-off failure to delete a user's data after consent withdrawal is treated differently from a breach that exposes millions of records.

The type of data matters as well. A healthcare provider that exposes a few records containing limited identifiers is in a different position from one that exposes thousands of medical histories with sensitive conditions. The Board weighs intentional misconduct, negligence and systemic failure before deciding the amount.

Duration and recurrence of the violation

A violation that happens once is different from a long-term issue. A company that ignores consent rules for years faces heavier fines than one that fixes a mistake immediately. 

Repetition is an explicit aggravating factor. A business that keeps collecting data without consent after being warned can expect a progressively harsher penalty for each breach found.

Impact on data principals

The fine also depends on the damage caused to data principals. A breach that results in identity theft, financial fraud, or emotional distress attracts heavier fines. 

For example, if a banking app’s data leak exposes users’ financial details, leading to fraudulent transactions, the penalty will be far greater than if a fitness app mistakenly shares workout data. The Board assesses how many people were affected, how severe the consequences were, and whether the violation caused monetary or reputational harm.

Measures taken to mitigate damage

Did the organization act swiftly to contain the damage, notify affected users, and implement corrective measures? 

A company that proactively secures its systems, offers compensation, and cooperates with authorities might receive a lower fine than one that tries to cover up the violation.

For example, if a company immediately patches the vulnerability, notifies the Board and affected users, and offers free credit monitoring after a breach, the Board may reduce the penalty. Delayed action, or attempts to downplay the incident, point towards the maximum.

Each of these factors plays a critical role in determining penalties under the DPDP Act. Companies that prioritize compliance, transparency, and quick response can minimize both legal and financial risks.

How to stay compliant and avoid heavy fines

Achieving DPDP compliance is no small feat. To avoid hefty penalties under the DPDP Act and maintain compliance, businesses must implement key strategies to safeguard personal data. 

These include:

  • Reasonable security safeguards (Section 8(5)): encrypt personal data at rest and in transit, enforce least-privilege access controls, pseudonymise or anonymise data where the purpose allows, and log access so that a breach can be detected and scoped quickly
  • Regular audits and assessments: conduct internal and external audits against the Act's requirements, and, for SDFs, the mandatory periodic independent audits and data protection impact assessments. Periodic assessment surfaces gaps before the Board does
  • Employee training and awareness programmes: train staff on data protection principles, the privacy policy, and their responsibilities under the Act. Most accidental non-compliance starts with an employee who did not know the rule
  • Effective grievance redressal (Section 13): set up a clear process for receiving and resolving data principals' grievances within the prescribed time. Data principals must exhaust this mechanism before approaching the Board, so a working process both builds trust and keeps disputes out of the Board's docket


The cost of non-compliance vs. the benefits of data protection

Complying with the DPDP Act helps your business avoid costly penalties and reputational damage. Non-compliance leads to hefty fines, potential customer loss, and operational setbacks. Embracing data protection measures not only reduces these risks but also builds trust and strengthens customer loyalty.

Encouraging a culture of data protection and transparency within your business ensures long-term growth. It builds accountability, improving both internal operations and your customer relationships.

HyperTrust simplifies data privacy compliance with an India-first approach, covering the DPDP Act as well as global frameworks like GDPR and CCPA. With HyperTrust, you get end-to-end consent management, seamless scalability, and audit-ready compliance, all while keeping your users in control.

Ready to stay compliant and secure? Book a demo today to know more!

Frequently asked questions

1. What are the penalties for DPDP?

Penalties under the DPDP Act vary by category of breach and can go up to ₹250 crore for failing to take reasonable security safeguards against a personal data breach, and up to ₹200 crore for failing to notify a breach. Consent and notice failures fall in the residual category, capped at ₹50 crore per breach.

2. What is the maximum penalty bracket for a violation under the DPDP Act 2023?

The highest cap is ₹250 crore, for failing to take reasonable security safeguards to prevent a personal data breach. Failing to notify a breach and breaching the children's-data obligations are each capped at ₹200 crore.

3. Who decides the penalties and how does the process work?

The Data Protection Board of India inquires into breaches, weighs the factors in Section 33(2) such as gravity, duration, the type of data affected, repetition and mitigation, and imposes a penalty within the Schedule cap. The person concerned must be given an opportunity to be heard before a penalty is imposed, and the Board's order can be appealed to the Appellate Tribunal.

4. What is a “Significant Data Fiduciary” and why do they have stricter rules?

A significant data fiduciary is a fiduciary notified as such by the Central Government under Section 10, based on factors including the volume and sensitivity of the personal data it processes and the potential impact on sovereignty, security of the State, public order or electoral democracy. SDFs carry additional obligations: a data protection officer based in India, an independent data auditor, and periodic data protection impact assessments and audits.
