DPDP Act VS IT Act 2000: What Changes?
India's IT Act 2000 has governed data protection for over two decades.
What This Means In Practice
Use this table to brief your legal, product and marketing teams.
| Question | DPDP Direction | IT Act 2000 Direction | Practical Impact |
|---|---|---|---|
| Can we process by default? | Often consent-first | Often depends on a different legal model | India flows may need earlier consent design. |
| Is a global privacy model enough? | No | Not always | Global privacy work does not map one-to-one to DPDP. |
| Are children protected differently? | Under 18 | Check local age thresholds | Indian child-user products need stricter review. |
| Is breach risk enough to trigger work? | Yes | Yes | Security, response and evidence matter in both systems. |
Three Questions To Ask Internally
- Are we copying a non-India privacy model into an Indian product?
- Do our consent flows work for Indian users?
- Which global privacy controls can be reused, and which must be redesigned for DPDP?
If you operate across India and another market, do not assume one privacy program covers both. Use the stricter flow where user trust and evidence matter most.
DPDP Replaces India’s Old Data Protection Regime
For over two decades, India’s data protection landscape was governed by the Information Technology Act 2000 and the SPDI Rules 2011. The DPDP Act 2023 replaces Section 43A of the IT Act, creating India’s first standalone data protection law.
What Changed: Side-by-Side
| Aspect | IT Act 2000 / SPDI Rules | DPDP Act 2023 |
|---|---|---|
| Scope | “Sensitive personal data” (SPDI) only | All digital personal data |
| Consent | Implied consent acceptable in many cases | Explicit, informed, specific consent required |
| Penalties | ₹5 Crore max (per IT Act) | ₹250 Crore max per violation |
| Enforcement | Adjudicating Officers (minimal activity) | Data Protection Board (dedicated body) |
| Children’s data | No specific provisions | Comprehensive Section 9 protections |
| Breach notification | No mandatory notification | Mandatory notification to DPB and users |
| Cross-border | Restricted to “adequate” countries for SPDI | Blacklist approach via government notification |
| Data categories | 8 defined SPDI categories | All personal data (no categories yet) |
| Right to erasure | Not explicit | Explicit under Section 11 |
| Applicability | Body corporates + government | All Data Fiduciaries including government |
The 8 SPDI Categories Are Gone
The SPDI Rules defined 8 sensitive categories: passwords, financial info, health data, sexual orientation, medical records, biometric data, physical/mental/physiological conditions, and government IDs. Under DPDP, there’s no separate “sensitive” category (yet). All personal data gets baseline protection, with additional rules potentially coming through future regulations.
Consent: The Biggest Practical Change
Under the IT Act regime, consent could be implied — if a user continued using a service after seeing a privacy policy, that counted. Under DPDP:
- Consent must be a clear affirmative action
- Pre-ticked boxes don’t count
- Bundled consent isn’t valid
- Withdrawal must be equally easy
Enforcement Gets Real
The IT Act’s enforcement mechanism was largely inactive. The DPDP Act creates a dedicated Data Protection Board with the power to investigate, conduct hearings, and impose significant penalties. This transforms data protection from a paper exercise to a genuine compliance obligation.
What This Means for Businesses
If your company was “compliant” under the IT Act regime:
- Your privacy policy likely needs a complete rewrite — DPDP requires plain language, specific disclosures
- Your consent mechanisms need upgrading — Granular, specific consent required
- You need a breach response plan — Mandatory notification doesn’t exist under current IT Act
- Children’s data is a new obligation — No equivalent existed before
- Your penalty exposure has increased 50x — From ₹5 Crore to ₹250 Crore maximum