DPDP compliance for Indian startups.

What the DPDP Act 2023 actually requires of a 2-person team — the 5 must-dos, the things you can safely ignore until you scale, and a free toolkit that handles 90% of it.

Last reviewed by checkDPDP editorial.

The short version

You are a Data Fiduciary under the DPDP Act 2023. So is Paytm. The law makes no concession for stage, revenue or team size — if your Indian website collects an email, a name or a phone number, you are in scope, and you have until 13 May 2027 to be compliant.

The good news: the obligations that actually apply to a pre-Series-A startup are a short list, the engineering work is measured in days not months, and every tool you need is already free on this site. The bad news: the Schedule penalties scale to ₹250 crore per violation — large enough that even a 1% probability of enforcement is expected-value-positive to fix now.

The 5 things every Indian startup must do

In order of urgency. If you do these five, you have closed the practical enforcement risk for an early-stage Data Fiduciary. The order matters — pick them off one per sprint.

  1. Publish a Section 5 consent notice on every form

     Plain-English notice listing the categories of data you collect, the purpose, retention period, withdrawal mechanism and your Grievance Officer contact. Required at the moment of collection — not buried in a 30-page privacy policy.

     Free privacy notice generator

  2. Ship a DPDP-compliant cookie consent banner

     Granular categories (marketing, analytics, functional, strictly necessary), equal-weight Accept and Reject, no pre-ticked boxes, no dark patterns. Nothing non-essential fires before consent.

     Free banner builder · 10-minute embed

  3. Name a Grievance Officer and publish the contact

     Section 8(10) requires every Data Fiduciary — yes, including a 2-person startup — to publish a Grievance Officer with an SLA. Use a brand-domain email (grievance@yourdomain.in), not a Gmail.

     Grievance Officer directory & templates

  4. Wire a Data Principal rights flow

     Users must be able to access, correct, erase and nominate. One linked page with a form is enough — what matters is that the link exists, the form works, and you respond within the Rule-3 timelines.

     Data Principal rights templates

  5. Meet "reasonable security safeguards" (Section 8(5))

     HTTPS everywhere, HSTS preload, modern security headers (CSP, X-Content-Type-Options, Referrer-Policy), encrypted storage of sensitive fields, principle-of-least-privilege access. This is the ₹250 cr penalty band — the highest.

     Free 60-second security scan
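The header part of item 5 is the easiest to check mechanically. The script below is an added example written for this page, not checkDPDP's scanner or any code from the site: it takes a dict of HTTP response headers and grades the four controls the item names (HSTS at preload strength, CSP, X-Content-Type-Options, Referrer-Policy). The pass thresholds (one-year HSTS max-age with includeSubDomains and preload, CSP without bare 'unsafe-inline', nosniff, a non-leaking referrer policy) and the two sample header sets are this example's own assumptions, constructed to show a weak response beside a hardened one.

```python
"""Security-header check for the Section 8(5) "reasonable security safeguards" item.

Added example for this page, not checkDPDP's scanner. It evaluates a dict of
HTTP response headers against the controls the item lists. Thresholds and the
sample header sets below are assumptions made for the example.
"""
from dataclasses import dataclass

# Browser preload lists require max-age >= 31536000 (one year), includeSubDomains and preload.
HSTS_MIN_MAX_AGE = 31_536_000
# Policies that leak the full URL (and any tokens in it) to third parties.
WEAK_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade", ""}


@dataclass
class Finding:
    control: str
    status: str   # "pass" or "fail"
    detail: str


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return max_age, include_sub, preload


def check_headers(headers):
    """Return one Finding per control, in a fixed order."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(Finding("HSTS", "fail", "header missing; plain-HTTP requests are not upgraded"))
    else:
        max_age, include_sub, preload = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE or not include_sub or not preload:
            findings.append(Finding("HSTS", "fail", f"not preload-eligible: {hsts}"))
        else:
            findings.append(Finding("HSTS", "pass", hsts))

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(Finding("CSP", "fail", "header missing"))
    elif "'unsafe-inline'" in csp.lower() and "nonce-" not in csp.lower():
        findings.append(Finding("CSP", "fail", "'unsafe-inline' without nonces gives little XSS protection"))
    else:
        findings.append(Finding("CSP", "pass", csp))

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "fail", f"expected 'nosniff', got {xcto!r}"))
    else:
        findings.append(Finding("X-Content-Type-Options", "pass", xcto))

    rp = _get(headers, "Referrer-Policy")
    if rp is None or rp.lower() in WEAK_REFERRER_POLICIES:
        findings.append(Finding("Referrer-Policy", "fail", f"weak or missing policy: {rp!r}"))
    else:
        findings.append(Finding("Referrer-Policy", "pass", rp))

    return findings


def failed_controls(headers):
    """Names of the controls that failed, for a quick red/green summary."""
    return [f.control for f in check_headers(headers) if f.status == "fail"]


# Constructed sample responses; not captured from any real site.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for f in check_headers(hdrs):
            print(f"{f.status:4}  {f.control:25} {f.detail}")
```

Feed it the headers from a real response (for example the dict returned by an HTTP client after fetching your signup page) and treat every `fail` as a ticket for the sprint; the weak sample fails all four controls, the hardened one passes all four.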

What you can safely ignore until you scale

DPDP discussions on LinkedIn often treat every clause as equally urgent. They are not. For a startup at the seed or pre-seed stage, the following are real obligations under the Act but are not binding on you today — and treating them as binding will waste engineering time you do not have.

  • Significant Data Fiduciary (SDF) obligations

    SDF designation is granted by the Central Government based on volume, sensitivity and risk. A pre-Series-A startup is not an SDF. Park the DPO-in-India, DPIA and independent-audit obligations until either you cross meaningful scale or you get a notification.

  • Verifiable parental consent via DigiLocker (Section 9)

    Required only if you knowingly process data of users under 18. If you have an age-gate and a "must be 18+" terms checkbox, you are fine. Edtech, gaming and social products targeting under-18s — this one is unavoidable.

  • A formal Data Protection Impact Assessment

    Rule 12 makes DPIAs mandatory for SDFs. For an early-stage startup, a one-page data-flow map (what you collect → where it goes → why) is enough. Save the formal DPIA for when you scale or get SDF-designated.

  • Sectoral DPO certifications and external audits

    You do not need a CISA-certified DPO on day one. A technical co-founder or senior engineer with read access to the privacy notice, consent records and Grievance Officer mailbox is sufficient for sub-Series-A.

Re-evaluate the moment you (a) cross 10 lakh active users, (b) start processing sensitive categories (financial PII, health, biometric, children's data), or (c) receive any communication from the Data Protection Board.

DPDP for specific startup types

Every sector has its own DPDP risk profile — and a corresponding sectoral regulator whose rules usually stack on top of the Act. Skim the right one for your stack:

  • SaaS & B2B — DPA-with-processors is your primary obligation; data-export rights matter for enterprise sales diligence.
  • E-commerce & D2C — purchase history, address books and behavioural tracking pull you into the higher penalty bands.
  • Edtech — Section 9 children's-data obligations make verifiable parental consent unavoidable, even at small scale.
  • BFSI & Fintech — RBI/SEBI rules already exceed DPDP for payment data; do not loosen them on the back of DPDP's permissive default.
  • Healthtech & Diagnostics — health data is the highest-sensitivity category; Section 8 security safeguards are the first thing the Board will test.

Common questions from founders

Is the DPDP Act applicable to my early-stage startup?

Yes. The DPDP Act 2023 applies to every Data Fiduciary — anyone who decides the purpose and means of processing personal data. Revenue, team size, funding stage and incorporation type do not affect applicability. If your Indian website collects an email, a name or any PII, you are in scope. The compliance deadline is 13 May 2027 for everyone.

How much does DPDP compliance cost a 2-person startup?

If you use the free checkDPDP toolkit (scanner, banner builder, privacy notice generator, DPA generator, grievance directory), the direct software cost is ₹0. The remaining cost is ~6–12 engineer-hours to ship the banner, wire the rights flow and publish the notice. Most pre-Series-A startups can baseline DPDP for under ₹50,000 all-in.

Do I need to register as a Consent Manager with the Data Protection Board?

No. Consent Manager registration is a separate, optional role for entities that want to operate a multi-Fiduciary consent dashboard for Data Principals. Standard startups are Data Fiduciaries, not Consent Managers — you do not register with the Board, you just publish your Grievance Officer and meet the Section 5–8 obligations.

What happens if I miss the 13 May 2027 deadline?

The Data Protection Board can issue monetary penalties under the Schedule — up to ₹250 crore for security failures, ₹200 crore for breach-notification failures, ₹50 crore catch-all for "other contraventions" (which is where most startup-scale violations would land). The Board can also direct corrective action and publish enforcement orders, which are reputationally damaging in fundraising diligence.

Can I use the same privacy policy I copied from another startup?

No — and you do not need to. The DPDP "consent notice" (Section 5) is a different artefact from a generic privacy policy. It must be served at the point of collection, must itemise the data categories and purposes, must name your Grievance Officer and must use plain language. The free checkDPDP Privacy Notice Generator produces one in 2 minutes from a 5-minute questionnaire.

What is the cheapest way to get DPDP-ready in 90 days?

Run the free scanner on your homepage and main signup flow → fix every red category using the linked free tool → publish the Section 5 notice → add a Grievance Officer contact in your footer → ship the cookie banner → wire a one-page rights-request form. That sequence baselines a typical SaaS or e-commerce startup in 1–2 sprints. Then apply for the checkDPDP-Verified certificate to make compliance visible in your sales conversations.

Note. This page is guidance for early-stage Indian startups, not legal advice. Once you cross meaningful scale, raise institutional capital or process sensitive categories, consult a qualified data-protection lawyer before relying on any of the "skip for now" calls above.