DPDP Act VS DPDP Act 2023 vs IT Act 2000: Major Privacy Law Changes
Compare India's DPDP Act 2023 and the IT Act 2000. Learn how data scope and compliance requirements have evolved for Indian businesses.
Discuss this page with an LLM
What This Means In Practice
Use this table to brief your legal, product and marketing teams.
| Question | DPDP Direction | DPDP Act 2023 vs IT Act 2000: Major Privacy Law Changes Direction | Practical Impact |
|---|---|---|---|
| Can we process by default? | Often consent-first | Often depends on a different legal model | India flows may need earlier consent design. |
| Is a global privacy model enough? | No | Not always | Global privacy work does not map one-to-one to DPDP. |
| Are children protected differently? | Under 18 | Check local age thresholds | Indian child-user products need stricter review. |
| Is breach risk enough to trigger work? | Yes | Yes | Security, response and evidence matter in both systems. |
Three Questions To Ask Internally
- Are we copying a non-India privacy model into an Indian product?
- Do our consent flows work for Indian users?
- Which global privacy controls can be reused, and which must be redesigned for DPDP?
If you operate across India and another market, do not assume one privacy program covers both. Use the stricter flow where user trust and evidence matter most.
Shift from Sensitive to All Personal Data
The IT Act 2000 focused mostly on Sensitive Personal Data or Information (SPDI). This included passwords, financial details, and health records. The DPDP Act 2023 expands this to all digital personal data. This means basic identifiers like names, email addresses, and IP addresses now require the same level of protection as bank details. Companies can no longer limit their privacy efforts to a small subset of “sensitive” data points.
Enforcement via the Data Protection Board
Under the IT Act, data disputes were handled by Adjudicating Officers. These officers often lacked specialized technical knowledge about data privacy. The DPDP Act creates the Data Protection Board of India. This is a dedicated body with the power to investigate breaches and issue directions. The board functions as a specialized regulator, which means businesses will face more consistent oversight and faster inquiry processes.
Comparison of Key Frameworks
| Feature | IT Act 2000 (SPDI Rules) | DPDP Act 2023 |
|---|---|---|
| Data Scope | Only “Sensitive” personal data | All personal data in digital form |
| Consent Type | Written consent for sensitive data | Clear and affirmative consent |
| Children’s Data | No specific age-based requirements | Mandatory restrictions for those under 18 |
| Penalties | Civil compensation to individuals | Financial penalties paid to the Board |
| Storage Limitation | Only for period of purpose | Must delete data once purpose is served |
| Enforcement | Adjudicating Officers | Data Protection Board of India |
| Individual Rights | Access and Correction only | Access, Correction, and Erasure |
This week
Map every data field your software collects from users that was previously ignored because it was not “Sensitive” under SPDI rules. This includes phone numbers, device IDs, and location history.
FAQ
Q: Does the DPDP Act completely repeal the IT Act 2000? A: No, it only amends parts of the Information Technology Act. It specifically omits Section 43A and replaces the SPDI Rules with a new framework for digital personal data.
Q: Is my current SPDI-compliant privacy policy sufficient for DPDP? A: Likely not, because DPDP requires notices in multiple languages and covers all personal data. SPDI rules only focused on sensitive data like passwords and financial information.
Q: Does the DPDP Act cover physical paper records? A: The DPDP Act covers digital personal data and physical data that is later digitized. Purely physical records that stay on paper are not covered by this law.
Confused by the differences?
Dual compliance is tricky. Our experts can help you navigate both DPDP Act 2023 vs IT Act 2000: Major Privacy Law Changes and DPDP requirements.
Book Strategy Call