DPDPA Compliance
Configure your forms for India's Digital Personal Data Protection Act.
What is the DPDPA?
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection law. It was passed by both houses of Parliament and received Presidential assent in August 2023. The Ministry of Electronics and Information Technology (MeitY) oversees the framework, and enforcement will be carried out by the Data Protection Board of India once it is constituted.
The DPDPA is notable for its simplicity. At 44 sections, it is significantly shorter and more straightforward than the GDPR (99 articles) or India's earlier draft bills. It avoids heavy regulatory jargon in favor of plain-language obligations.
The law applies to the processing of digital personal data:
- Within India — any data collected digitally in India, whether online or digitized from offline sources.
- Outside India — if the processing involves offering goods or services to individuals in India.
If your web form collects data from people in India — even if your business is based elsewhere — the DPDPA likely applies to you.
The consent model — "notice and consent"
The DPDPA uses a straightforward consent mechanism that centers on two steps: give notice, then obtain consent.
Before collecting any personal data, you must provide a clear notice that describes:
- What personal data you will collect.
- The specific purpose for collecting it.
- How the individual can withdraw their consent.
The notice must be in plain language that an ordinary person can understand. The individual may ask for it in English or in any of the languages listed in the Eighth Schedule of the Constitution (Section 5(3)), so plan for at least English plus the local languages your audience uses. The notice must accompany or precede the request for consent, and it should stand on its own rather than being buried inside a lengthy privacy policy or terms of service.
For web forms, this means the consent checkbox message should be specific and self-contained. Instead of "I agree to the privacy policy," use something like:
I consent to ZNX Ltd collecting and storing this form data to respond to my inquiry. I can withdraw consent at any time by emailing privacy@example.com.
Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action (Section 6(1)). In practice this means the checkbox must never be pre-ticked, submitting the form must not be treated as implied consent, and you cannot bundle consent for unrelated purposes (e.g., marketing) into the same checkbox as the form submission consent; a separate, optional checkbox is needed for each additional purpose.
What the DPDPA preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | The DPDPA mandates informed consent before processing personal data. The checkbox serves as the consent mechanism for web forms. |
| IP storage | Full IP stored | The DPDPA does not specifically require IP anonymization. Full IPs are retained for security and fraud detection purposes. An IP address is still personal data, so name this purpose in your notice and let the retention period cover it too. |
| User-agent storage | Enabled | Browser information is useful for troubleshooting and is not singled out for special treatment under the DPDPA. |
| Data retention | 365 days | The DPDPA requires deletion once the purpose is fulfilled. One year is a reasonable default for form submissions; adjust to match your actual need. |
| Privacy policy URL | Required | The DPDPA requires a clear notice about data processing. Linking your privacy policy from the form adds transparency, but the link supplements the standalone consent notice next to the checkbox; it is not a substitute for it. |
Set up the DPDPA preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select DPDPA (India) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select DPDPA (India) from the preset buttons or region dropdown.
- Click Save.
Data Fiduciary obligations
The DPDPA introduces the term "Data Fiduciary" instead of the GDPR's "data controller." The choice of word is deliberate — it frames data handling as a matter of trust. As a Data Fiduciary (anyone who determines the purpose and means of processing personal data), you have these core obligations:
- Purpose limitation — collect only the data that is necessary for the specific purpose stated in your notice. Do not add unnecessary fields to your forms.
- Accuracy — make reasonable efforts to ensure that the personal data you hold is accurate and up to date.
- Storage limitation — delete personal data once the purpose for which it was collected has been fulfilled, or when the individual withdraws consent, whichever comes first, unless another law requires you to retain it. This is not optional — you must delete proactively, even without a request, and you must have any processor you shared the data with delete it as well.
- Security safeguards — implement reasonable security measures to protect personal data from breaches. FormBlade encrypts data in transit (TLS) and at rest, but you should also secure access to your dashboard account.
Children's data — strict rules
The DPDPA has some of the strongest protections for children's data of any privacy law worldwide. A child is defined as anyone under 18 years old — higher than the GDPR threshold (16, or as low as 13 in some EU member states).
If your form might collect data from minors:
- Verifiable parental consent is required before processing any personal data from children. A simple checkbox is not sufficient — you need a mechanism to verify that a parent or guardian has actually given consent.
- Tracking and behavioral monitoring of children is banned entirely. You cannot use children's form data for profiling, targeted advertising, or any form of behavioral analysis.
- No detrimental processing — you cannot process children's data in any way that could cause them harm.
If your form is aimed at adults only (e.g., business inquiries, job applications), these rules are less likely to apply. But if there is any chance minors will use your form — such as event registrations, educational surveys, or general contact forms on youth-oriented sites — you need to implement additional safeguards beyond what FormBlade's compliance preset provides.
Right to erasure and purpose limitation
The DPDPA's approach to data deletion has a key distinction from the GDPR: deletion is not only a right that individuals can exercise — it is an obligation that triggers automatically.
Once the purpose for which personal data was collected has been fulfilled, the Data Fiduciary must delete it. There is no need to wait for a deletion request. For form submissions, this means:
- If you collected data to respond to an inquiry, delete it once you have responded and any reasonable follow-up period has passed.
- If you collected data for an event registration, delete it after the event.
- Set your FormBlade retention period to reflect the actual timeframe you need the data, not the maximum allowed.
Individuals also have the right to withdraw consent at any time, and withdrawing must be as easy as giving consent was (Section 6(4)); the email address named in your notice is an acceptable channel. They can separately request erasure under Section 12. When you receive such a request:
- Search for the individual's submissions in the dashboard by email or name.
- Delete all matching submissions, including any exports or copies you have passed to other systems or processors (CRM, helpdesk, mailing list).
- Confirm deletion to the individual.
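The checkbox guidance earlier on this page and the retention and withdrawal steps above translate into a small amount of backend logic: reject anything that is not an explicit, current consent, store only the fields the notice covers, delete proactively when the purpose is served, and erase on withdrawal. The following Python module is an added example written for this page; it is not FormBlade's code. The company name and contact address are the ones from the sample notice above; the hidden `notice_version` field, the `ALLOWED_FIELDS` list, the 90-day cap and the 14-day follow-up grace period are assumptions chosen for illustration.

```python
"""Consent capture, purpose-bound retention and erasure for a form backend.

Added example for this page; not FormBlade's implementation. Field names,
retention periods and the hidden notice_version field are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The standalone notice shown beside the checkbox. Versioning it lets you show
# later exactly which wording a given submission consented to.
NOTICE = {
    "version": "2024-01",
    "purpose": "respond-to-inquiry",
    "text": (
        "I consent to ZNX Ltd collecting and storing this form data to respond "
        "to my inquiry. I can withdraw consent at any time by emailing "
        "privacy@example.com."
    ),
}

# Purpose limitation: only these fields are stored; anything else is dropped.
ALLOWED_FIELDS = ("name", "email", "message")

RETENTION = timedelta(days=90)        # hard cap counted from the time of consent
FOLLOW_UP_GRACE = timedelta(days=14)  # delete this long after the inquiry is answered


class ConsentError(ValueError):
    """Raised when a submission lacks valid, specific consent."""


@dataclass
class Submission:
    id: int
    email: str
    fields: Dict[str, str]
    purpose: str
    notice_version: str
    consented_at: datetime
    client_ip: str
    user_agent: str
    marketing_consent: bool = False       # separate purpose, separate opt-in
    fulfilled_at: Optional[datetime] = None


class SubmissionStore:
    def __init__(self, notice: dict = NOTICE):
        self.notice = notice
        self.rows: Dict[int, Submission] = {}
        self.audit: List[str] = []   # deletion evidence; holds no personal data
        self._next_id = 1

    def accept(self, form: Dict[str, str], client_ip: str, user_agent: str,
               now: datetime) -> Submission:
        """Validate consent for one POST body and store only what the notice covers."""
        # Consent needs a clear affirmative action: a missing or empty value
        # (including an unticked, formerly pre-ticked box) is rejected.
        if form.get("consent") != "on":
            raise ConsentError("consent checkbox was not ticked")
        # The hidden notice_version field ties the tick to the notice text that
        # was actually displayed; a stale version means the user saw other wording.
        if form.get("notice_version") != self.notice["version"]:
            raise ConsentError("consent does not match the current notice")
        if not form.get("email"):
            raise ConsentError("email is required to honour withdrawal requests")
        fields = {k: form[k] for k in ALLOWED_FIELDS if k in form}
        sub = Submission(
            id=self._next_id, email=form["email"].strip().lower(), fields=fields,
            purpose=self.notice["purpose"], notice_version=self.notice["version"],
            consented_at=now, client_ip=client_ip, user_agent=user_agent,
            marketing_consent=form.get("marketing_optin") == "on",
        )
        self.rows[sub.id] = sub
        self._next_id += 1
        return sub

    def mark_fulfilled(self, sub_id: int, now: datetime) -> None:
        """Record that the stated purpose (replying to the inquiry) has been served."""
        self.rows[sub_id].fulfilled_at = now

    def purge(self, now: datetime) -> List[int]:
        """Proactive deletion: runs on a schedule, no request needed."""
        expired = [
            s.id for s in self.rows.values()
            if now >= s.consented_at + RETENTION
            or (s.fulfilled_at is not None and now >= s.fulfilled_at + FOLLOW_UP_GRACE)
        ]
        for sub_id in expired:
            self._delete(sub_id, "retention-expired", now)
        return expired

    def withdraw(self, email: str, now: datetime) -> int:
        """Erase every submission for an address after a withdrawal request."""
        key = email.strip().lower()
        matches = [s.id for s in self.rows.values() if s.email == key]
        for sub_id in matches:
            self._delete(sub_id, "consent-withdrawn", now)
        return len(matches)

    def _delete(self, sub_id: int, reason: str, now: datetime) -> None:
        del self.rows[sub_id]
        # Keep only the id, time and reason so the audit trail proves deletion
        # without itself becoming a copy of the personal data.
        self.audit.append(f"{now.isoformat()} deleted submission {sub_id}: {reason}")
```

Run `purge()` from a scheduled job rather than on request paths, and route the withdrawal mailbox named in the notice to a process that calls `withdraw()` and then confirms to the individual; the `audit` entries are what you show the Data Protection Board if asked to demonstrate that deletion actually happened.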
Cross-border data transfers
The DPDPA takes a permissive approach to cross-border data transfers — broadly the inverse of the GDPR. Instead of requiring an adequacy decision or specific safeguards for each transfer destination (whitelist model), the DPDPA allows transfers to any country unless the Indian government specifically restricts it by notification (blacklist model, Section 16).
As of now, no countries have been restricted. This means you can process Indian users' form data on servers located anywhere in the world without additional legal mechanisms under the DPDPA itself. Two caveats: if the government publishes a restricted list in the future, you would need to ensure your data does not flow to those jurisdictions; and Section 16(2) leaves sectoral laws with stricter transfer or localization requirements (for example, financial-sector rules) fully in force, so check whether any apply to your data.
No right to data portability
Unlike the GDPR, the DPDPA does not include a right to data portability. Individuals can request access to their data (right to information) and request deletion, but they cannot demand that you provide their data in a structured, machine-readable format for transfer to another service.
That said, providing data exports when requested is still good practice. You can export submissions as CSV from the FormBlade dashboard to fulfill access requests, even though you are not legally required to provide a machine-readable format.
Penalties
The DPDPA's penalty framework is significant but straightforward:
- Maximum penalty: up to ₹250 crore (approximately $30 million USD) per instance, the ceiling set for failing to take reasonable security safeguards to prevent a personal data breach.
- Penalties are purely financial — no criminal liability is imposed under the DPDPA.
- The Schedule to the Act caps other violations separately (e.g., failure to notify the Board and affected individuals of a breach: up to ₹200 crore; non-compliance with children's data rules: up to ₹200 crore; breach of any other provision of the Act: up to ₹50 crore).
Penalties are assessed by the Data Protection Board of India, which has adjudicatory powers similar to a civil court.
Current status and recommendations
The DPDPA was passed by Parliament in August 2023 and received Presidential assent. However, the detailed rules that specify how the law will be implemented in practice — including the constitution of the Data Protection Board, the mechanics of consent managers, and specifics around children's consent verification — are still being finalized by MeitY.
Even though enforcement has not yet begun, we recommend implementing compliance proactively:
- Apply the DPDPA preset now. The consent and retention settings align with the law's clear requirements and will not need significant changes once rules are finalized.
- Write a clear, standalone notice. Draft your consent message in plain language that describes what data you collect and why. Do not rely on a link to a general privacy policy as your sole notice.
- Set a realistic retention period. The DPDPA's purpose limitation requirement means you should not store data longer than you need it. If 90 days is enough, use 90 days — not 365.
- Audit forms that minors might use. If there is any possibility children under 18 will submit your form, plan for verifiable parental consent requirements.
- Monitor the rules. Follow updates from MeitY's data protection framework page for final rules and the enforcement timeline.