DPDP vs PDPB 2019: From Complexity to Clarity

If you’ve been following the news about India’s privacy journey, you probably remember a massive, 100-page document called the Personal Data Protection Bill (PDPB) 2019. It was the talk of every boardroom and tech seminar for years. However, that bill was eventually scrapped, and in its place, we now have the Digital Personal Data Protection (DPDP) Act 2023.

For a business owner, the shift from the 2019 draft to the 2023 law is actually a bit of a relief. The 2019 version was “everything but the kitchen sink”—it tried to regulate everything from your personal photos to non-personal big data. The DPDP Act 2023 is much leaner, focusing strictly on personal data that is in digital form.

Let’s break down how the DPDP vs PDPB 2019 (Draft Bill) comparison looks for someone trying to run a business today.

Side-by-Side Comparison

Feature | PDPB 2019 (Draft Bill) | DPDP Act 2023 (Final Law)
Primary Scope | Personal, Sensitive, and even Non-Personal data | Only Personal Data in digital form
Data Categories | Divided into “Sensitive” and “Critical” data | No sub-categories; all personal data is treated equally
Consent | Complex; required specific formats for sensitive data | Simple; must be free, specific, informed, and unconditional
Data Localization | Strict rules; “Sensitive” data had to be stored in India | More relaxed; government will specify “restricted” countries
Right to Portability | Included (moving your data between services) | Removed (you don’t have to provide data porting)
Right to be Forgotten | Explicitly included | Included under “Right to Erasure”
Children’s Data | Under 18; required “Guardian Data Fiduciaries” | Under 18; requires verifiable parental consent
Penalties | Percentage of global turnover (like GDPR) | Fixed amounts per violation (up to ₹250 Crore)
Enforcement | Data Protection Authority (DPA) | Data Protection Board of India (DPB)
Data Processors | Heavily regulated directly by the law | Regulated indirectly through contracts with the Fiduciary

Key Philosophical Differences

Looking at the history of India’s data protection law, from the PDPB to the DPDP Act, there are three major shifts in how the government thinks about your data:

1. Simplicity over Specificity: The 2019 Bill tried to define everything. It had special rules for “Sensitive Personal Data” (like health or finance info) and “Critical Personal Data.” The DPDP Act 2023 throws those categories out. Whether it’s a customer’s blood group or just their email address, if it’s personal data, the rules are the same. This makes it much easier for a Data Fiduciary (the company that decides to collect and use the data) to build their systems. You don’t have to build three different databases for three different types of data.

2. Digital-First Approach: The 2019 draft tried to cover paper records too. The 2023 Act is strictly about Digital Personal Data. If you are a small Kirana store keeping a physical notebook of customer credits, the DPDP Act doesn’t apply to that notebook. It only kicks in if you digitize that list. This reflects India’s “Digital India” goals, concentrating on where the most risk is: the internet.

3. Business-Friendly Global Transfers: The old 2019 draft was very worried about data leaving India. It wanted a copy of “sensitive” data to stay here (data mirroring). The 2023 Act is much more modern. It assumes data can flow globally unless the government puts a country on a “negative list.” This is a huge win for startups using global cloud tools or serving international clients.

What are the “Key Players”?

To understand these laws, you need to know the cast of characters:

  • Data Principal: This is the “smart friend” we talked about—the individual whose data is being collected.
  • Data Fiduciary: This is you, the business. You define the “purpose” of why you need the data.
  • Data Processor: Any third-party service you use (like a cloud provider or a payroll software) that handles data on your behalf.
  • Data Protection Board (DPB): The “referee” who listens to complaints and hands out fines if you break the rules.

Practical Advice for the Transition

If you started preparing for the 2019 Bill and are now pivoting to the DPDP Act 2023, here is what you should do:

  • Review your Consent Notices: The 2023 Act is very specific about “Notice.” Before you ask for consent, you must tell the user exactly what data you are taking and why. Check out our guide on consent notices to see how to write one.
  • Update your Contracts: Since the new law says the Data Fiduciary is responsible for everything the Data Processor does, you need to ensure your contracts with vendors are airtight. You are on the hook for their mistakes!
  • Simplify your Data Map: You no longer need to stress about whether a piece of data is “Sensitive” or “Normal.” If it can identify a person, treat it with high security. For more on how different sectors handle this, see our industry analysis for FinTech.
  • Prepare for the Board: The Data Protection Board isn’t active yet, but it will be soon. Unlike the 2019 draft, which had a lot of bureaucratic setup, the new Board is designed to be a digital-first, fast-moving adjudicator.
  • Appoint a Point Person: Even if you aren’t a Significant Data Fiduciary (a status reserved for very large companies), you need a way for users to contact you with grievances. Make sure your “Contact Us” or “Privacy” email actually works. You can learn more about these roles in our DPO roles analysis.

The DPDP vs PDPB 2019 (Draft Bill) debate shows that India has moved toward a more “ease of doing business” model. While the penalties are high—up to ₹250 crore—the actual rules for compliance are much shorter and easier to read than the 2019 version. Focus on being transparent with your users, and you’ll be ahead of the curve.
