DPDP Act VS IT Act 2000: What Changes?
India's IT Act 2000 has governed data protection for over two decades. The DPDP Act 2023 replaces Section 43A and creates a comprehensive framework. Here's what changes for businesses.
DPDP Replaces India’s Old Data Protection Regime
For over two decades, India’s data protection landscape was governed by the Information Technology Act 2000 and the SPDI Rules 2011. The DPDP Act 2023 replaces Section 43A of the IT Act, creating India’s first standalone data protection law.
What Changed: Side-by-Side
| Aspect | IT Act 2000 / SPDI Rules | DPDP Act 2023 |
|---|---|---|
| Scope | “Sensitive personal data” (SPDI) only | All digital personal data |
| Consent | Implied consent acceptable in many cases | Explicit, informed, specific consent required |
| Penalties | ₹5 Crore max (per IT Act) | ₹250 Crore max per violation |
| Enforcement | Adjudicating Officers (minimal activity) | Data Protection Board (dedicated body) |
| Children’s data | No specific provisions | Comprehensive Section 9 protections |
| Breach notification | No mandatory notification | Mandatory notification to DPB and users |
| Cross-border | Restricted to “adequate” countries for SPDI | Blacklist approach via government notification |
| Data categories | 8 defined SPDI categories | All personal data (no categories yet) |
| Right to erasure | Not explicit | Explicit under Section 11 |
| Applicability | Body corporates + government | All Data Fiduciaries including government |
The 8 SPDI Categories Are Gone
The SPDI Rules defined 8 sensitive categories: passwords, financial info, health data, sexual orientation, medical records, biometric data, physical/mental/physiological conditions, and government IDs. Under DPDP, there’s no separate “sensitive” category (yet). All personal data gets baseline protection, with additional rules potentially coming through future regulations.
Consent: The Biggest Practical Change
Under the IT Act regime, consent could be implied — if a user continued using a service after seeing a privacy policy, that counted. Under DPDP:
- Consent must be a clear affirmative action
- Pre-ticked boxes don’t count
- Bundled consent isn’t valid
- Withdrawal must be equally easy
Enforcement Gets Real
The IT Act’s enforcement mechanism was largely inactive. The DPDP Act creates a dedicated Data Protection Board with the power to investigate, conduct hearings, and impose significant penalties. This transforms data protection from a paper exercise to a genuine compliance obligation.
What This Means for Businesses
If your company was “compliant” under the IT Act regime:
- Your privacy policy likely needs a complete rewrite — DPDP requires plain language, specific disclosures
- Your consent mechanisms need upgrading — Granular, specific consent required
- You need a breach response plan — Mandatory notification doesn’t exist under current IT Act
- Children’s data is a new obligation — No equivalent existed before
- Your penalty exposure increased 50x — From ₹5 Crore to ₹250 Crore maximum
Confused by the differences?
Dual compliance is tricky. Our experts can help you navigate both IT Act 2000 and DPDP requirements.