India's DPDP Act in 2026: The Publisher and Advertiser Guide to Consent Managers, Cross-Border Transfers, and the Data Protection Board
India's Digital Personal Data Protection Act (DPDPA, 2023) was enacted in August 2023 and then spent most of 2024 and 2025 in a slow, staged rollout that kept many foreign publishers in a holding pattern. That period has ended. The DPDP Rules were notified in full during 2025, the Data Protection Board of India (DPBI) is now operational and hearing complaints, and the Consent Manager framework — India's distinctive architectural contribution to global privacy law — is live in production. For any publisher, advertiser, or platform processing the personal data of Indian users in 2026, the DPDPA is no longer a future-state concern. It is the current compliance baseline, and it differs from GDPR in ways that matter for how CMPs, cross-border flows, and data subject rights are engineered. This guide walks through the DPDPA in its rolled-out form, what Indian consent actually requires, how the Consent Manager ecosystem changes the CMP landscape, and what the DPBI's 2026 enforcement posture looks like in practice.
The Structure of the DPDPA in 2026
The DPDPA is a standalone data protection statute, distinct from India's sector-specific laws on banking, telecom, and health. Its rollout was deliberately staged so that the Consent Manager ecosystem, the DPBI, and the cross-border transfer regime could each come online in sequence.
The 2023 Passage and the 2024-2025 Rollout
The DPDPA passed Parliament in August 2023 and received presidential assent shortly thereafter. The Ministry of Electronics and Information Technology (MeitY) spent 2024 consulting on the implementation Rules, and the final Rules were notified across 2025 in several tranches: the Consent Manager registration framework first, then data subject rights procedures, then cross-border transfer notifications, then significant data fiduciary thresholds. By the start of 2026 the full framework was in force.
Who Is Regulated
The DPDPA applies to the processing of digital personal data of individuals within India. It also applies extraterritorially when processing is in connection with offering goods or services to data principals in India. A US-based publisher serving Indian users through a localized site, an Indian-language version, or programmatic inventory bought against Indian IP addresses is in scope. This extraterritorial reach is unambiguous in the statute and has been reinforced in early DPBI guidance.
The Terminology Gap
DPDPA uses its own vocabulary, which differs from the GDPR and from most of the newer Asian frameworks. A data fiduciary is what GDPR calls a controller. A data processor maps cleanly to GDPR's processor. A data principal is the data subject. A significant data fiduciary is a controller above size or sensitivity thresholds notified by the central government. Foreign publishers encountering DPDPA for the first time often mis-map these terms; getting the mapping right early saves confusion later.
What Counts as Personal Data
The DPDPA's personal data definition is broad and closely tracks international practice. Personal data is any data about an individual who is identifiable by or in relation to such data. The DPBI has indicated through early guidance that online identifiers — cookies, advertising IDs, IP addresses, device fingerprints, and behavioral profiles — are personal data when they can be tied to an identifiable individual directly or through reasonable means.
No Sensitive Category, But Significant Data Fiduciary Rules
Unlike the GDPR, LGPD, and the PIPA, the DPDPA does not formally define a category of sensitive personal data. Instead, the Act relies on the significant data fiduciary designation, which applies additional obligations to controllers processing data at scale, processing data of children, processing data that could affect electoral integrity, or processing data that could affect national security. The net result is similar to GDPR sensitive-category rules for the largest and most sensitive processors, but the architecture is different.
Why This Matters for Cookies
A cookie collecting a routine advertising identifier is personal data but is not subject to heightened obligations just because it feeds a sensitive-looking audience segment. But a publisher who reaches the significant-data-fiduciary threshold — for example a large platform with tens of millions of Indian users — picks up additional obligations including a mandatory Data Protection Officer, periodic audits, and Data Protection Impact Assessments. Size thresholds were notified in 2025; most global platforms are now in scope.
Consent Under the DPDPA
The DPDPA places consent at the center of its framework but defines it with a distinct set of requirements that do not map one-to-one onto GDPR consent.
The Valid Consent Standard
Consent under the DPDPA must be:
- Free — not conditioned on provision of a service the user is otherwise entitled to, and not coerced
- Specific — tied to a clearly identified purpose, not a general umbrella consent
- Informed — the data principal understands what data is processed and for what purpose
- Unconditional — the consent is not tied to irrelevant conditions
- Unambiguous — expressed through a clear affirmative action, not inferred from silence or inactivity
The Itemized Notice Requirement
DPDPA requires a notice at or before the point of consent that describes the personal data to be processed, the purpose of the processing, the manner in which a data principal may exercise rights, and the manner in which the data principal may complain to the Board. The notice must be available in English and in any of the 22 scheduled languages of India that the data principal requests.
The Consent Manager Architecture
This is where the DPDPA diverges most sharply from other frameworks. The Act establishes a licensed role called the Consent Manager — a third-party entity registered with the DPBI that provides an interoperable consent dashboard allowing data principals to grant, review, manage, and withdraw consents across multiple data fiduciaries from a single interface. Consent Managers must be registered with the Board and must meet technical interoperability specifications. In practice, data fiduciaries can obtain consent either directly through their own CMP or through a registered Consent Manager, and in many cases data principals are choosing to centralize their consent through a Consent Manager rather than managing each site's banner separately.
What a Compliant CMP Looks Like
A CMP configured for Indian traffic in 2026 should present:
- A visible banner before any non-essential cookie or tracker fires, with Accept, Reject, and Customize actions at equal visual prominence
- Availability in English and in the user's preferred scheduled language where requested
- Granular consent toggles per purpose, including analytics, advertising, personalization, and cross-border transfer
- A clear link to the full itemized notice including rights and the DPBI complaint channel
- A persistent, easy-to-find mechanism to withdraw consent that is as easy as giving consent
- Technical interoperability with registered Consent Managers so that consent state can be synchronized with a data principal's chosen Consent Manager
Consent Records
Data fiduciaries must maintain records of consent, including who consented, when, through which interface, to which purpose, and any subsequent changes. The DPBI has cited inadequate consent logs in several of its early proceedings, and exportable, timestamped consent records are the baseline expectation.
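An added example, not part of the original guide or of any DPBI or Consent Manager specification: a minimal append-only consent ledger that captures the record fields listed above (who, when, which interface, which purpose, later changes) and gates trackers on per-purpose state. The class, method names, purpose keys, and sample identifiers are assumptions made for illustration.

```javascript
// Added example: names and record shape are hypothetical, not a DPDPA-mandated schema.
const PURPOSES = ["analytics", "advertising", "personalization", "cross_border_transfer"];

class ConsentLedger {
  constructor() { this.events = []; } // append-only: a change is a new event, never an edit

  // Record one decision: who, when, through which interface, for which purpose.
  record(principalId, purpose, granted, iface, at = new Date()) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (typeof granted !== "boolean") throw new Error("granted must be an explicit boolean");
    const event = Object.freeze({
      seq: this.events.length + 1, principalId, purpose, granted,
      interface: iface, timestamp: at.toISOString(),
    });
    this.events.push(event);
    return event;
  }

  // Current state is the latest event per purpose; no event means no consent.
  isAllowed(principalId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.principalId === principalId && e.purpose === purpose) return e.granted;
    }
    return false; // silence or inactivity is never treated as a grant
  }

  // A tracker may fire only if every purpose it needs is currently granted.
  mayFire(principalId, requiredPurposes) {
    return requiredPurposes.every((p) => this.isAllowed(principalId, p));
  }

  // Exportable, timestamped history for one data principal.
  exportRecords(principalId) {
    return JSON.stringify(this.events.filter((e) => e.principalId === principalId), null, 2);
  }
}

// Constructed sample: an ad tag needing two purposes, then a withdrawal synced from elsewhere.
function demo() {
  const ledger = new ConsentLedger();
  const adTag = ["advertising", "cross_border_transfer"];
  const before = ledger.mayFire("user-123", adTag);
  ledger.record("user-123", "advertising", true, "site-banner", new Date("2026-01-10T09:00:00Z"));
  const partial = ledger.mayFire("user-123", adTag);
  ledger.record("user-123", "cross_border_transfer", true, "site-banner", new Date("2026-01-10T09:00:05Z"));
  const granted = ledger.mayFire("user-123", adTag);
  ledger.record("user-123", "advertising", false, "consent-manager-sync", new Date("2026-02-01T12:00:00Z"));
  const afterWithdrawal = ledger.mayFire("user-123", adTag);
  return { before, partial, granted, afterWithdrawal, history: JSON.parse(ledger.exportRecords("user-123")) };
}
```

The withdrawal is stored as a third event rather than overwriting the grant, so the export shows the full sequence of changes and the interface each one arrived through.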
Cross-Border Data Transfers
The DPDPA's cross-border transfer framework is one of the most distinctive elements of the Indian regime and differs meaningfully from the adequacy-plus-safeguards pattern used by the GDPR, PIPA, and the amended KVKK.
The Notification Framework
The DPDPA operates on a negative list approach: cross-border transfers are generally permitted unless the destination country appears on a list of restricted jurisdictions notified by the central government. This is the inverse of the GDPR adequacy model, which treats transfers as prohibited absent a positive adequacy decision or safeguards. The DPDPA's approach is more permissive on its face, but the negative list can be expanded at the government's discretion, and several jurisdictions have been placed on the list during 2025 for specific data categories.
What This Means Operationally
For most programmatic advertising flows in 2026, cross-border transfers to major ad-tech destinations are permitted provided the destination country is not on the restricted list. Publishers need to check the current notified list, keep documentation of the transfer and its purpose, and be prepared to re-route or pause flows if a destination is added. This is meaningfully simpler than GDPR transfer mechanics for most flows, but the watchfulness requirement is real.
Sector-Specific Localization
Separately from the DPDPA, several Indian sectoral regulators — including the Reserve Bank of India for financial data and the Ministry of Health for health data — have their own localization requirements that sit on top of the DPDPA. A publisher serving Indian users in one of these regulated sectors needs to comply with both the DPDPA and the applicable sectoral rules.
Data Principal Rights
The DPDPA grants data principals a cluster of rights that is familiar from the GDPR but slightly narrower:
- Right to access personal data being processed, including categories and processors
- Right to correction, completion, and updating of personal data
- Right to erasure of personal data no longer necessary for the stated purpose
- Right to nominate another individual to exercise rights on the data principal's behalf in the event of death or incapacity
- Right of grievance redressal through the data fiduciary
- Right to complain to the Data Protection Board if grievance redressal is unsatisfactory
What Is Not In the Rights List
Notably, the DPDPA does not include a standalone right to portability, a general right to object to processing, or an explicit right against automated decision-making — though the significant-data-fiduciary regime and the consent-withdrawal mechanism cover much of the same ground indirectly.
Response Timelines
Data fiduciaries must respond to data principal requests within the timelines specified in the notified Rules, which in most cases means a reasonable period that does not exceed the specified window. The DPBI treats meaningful delay as a compliance failure. The grievance redressal system is the first step; only unresolved grievances escalate to the Board.
Significant Data Fiduciaries
The significant data fiduciary (SDF) designation triggers additional obligations beyond the baseline DPDPA requirements.
The Extra Obligations
- Appointment of a Data Protection Officer based in India
- Periodic Data Protection Impact Assessments for specified processing activities
- Periodic independent audits
- Additional transparency obligations about algorithmic processing
- Stricter breach notification and recordkeeping
Who Qualifies
Size, volume of personal data processed, sensitivity of the data, risk to data principals, potential impact on electoral democracy, security, and sovereignty, and potential impact on public order are all factors. The central government notifies SDFs either individually or by class. Most large global platforms serving India fall within notified classes in 2026.
Children's Data
The DPDPA defines a child as any individual under 18 years of age — a higher threshold than the GDPR's default of 16 and the various lower national thresholds. Processing personal data of children requires verifiable parental consent, and tracking, targeted advertising, and behavioral monitoring of children are restricted regardless of consent status. Publishers whose audiences include significant under-18 traffic need age-gating, parental consent flows, and restricted processing for the minor segment — all of which require real engineering work that few foreign publishers have completed by default.
Penalties and Enforcement
The DPDPA introduced a penalty regime that was higher than historical Indian administrative fines and meaningfully scaled to the severity of the breach.
Administrative Penalties
The DPDPA permits penalties of up to INR 250 crore (approximately USD 30 million) per violation for the most serious breaches. Lower-tier penalties apply for failures around consent, notice, security, breach notification, and grievance redressal. The DPBI has used the middle of the range several times in 2025 and early 2026, and the penalty structure is designed to escalate with systematic failure.
The DPBI's Enforcement Themes
Early DPBI decisions cluster around a small set of recurring issues: consent banners without a genuine Reject option, notices that do not describe DPBI complaint channels, cross-border flows to destinations on the restricted list, grievance redressal systems that do not actually respond, and Consent Manager interoperability failures. Foreign publishers have been cited in almost all of these categories.
Reputational Dimension
The DPBI publishes its decisions publicly, including the name of the fiduciary and a summary of the failure. In an Indian market where regulatory friction translates quickly into media coverage and political attention, the reputational cost of a published DPBI decision is meaningful on top of the financial penalty.
Audit Checklist for Indian Traffic in 2026
- CMP banner is served with Accept, Reject, and Customize at equal visual prominence
- Notice available in English and in the requested scheduled language of the data principal where applicable
- Notice explicitly describes DPBI complaint channel and data principal rights
- Consent purposes are granular, with cross-border transfer as a separate purpose
- Technical interoperability with at least one registered Consent Manager is in place
- Consent withdrawal is as easy as granting consent, and triggers downstream deletion and activation filtering
- Data principal rights workflow — access, correction, erasure, nomination — is staffed and documented
- Grievance redressal channel is staffed with response timelines tracked
- Cross-border transfer destinations are reviewed against the current restricted list and documented
- Significant data fiduciary obligations — DPO, DPIA, audit — are in place if the threshold is crossed
- Age-aware flow for under-18 users, with verifiable parental consent where applicable
- Sector-specific localization and processing rules are documented and complied with if the publisher operates in a regulated sector
The 2026 Outlook
India's privacy regime has gone from legislative abstraction to operating reality in the space of a little over two years. The DPDPA's architecture is distinctive — the Consent Manager ecosystem is the most visible global experiment in portable, interoperable consent, and the negative-list transfer approach is meaningfully different from the adequacy-plus-safeguards pattern that dominates other frameworks. For publishers already running a GDPR-grade consent stack, the gap to DPDPA compliance is operational rather than architectural: Consent Manager interoperability, scheduled-language notices, DPBI complaint disclosures, the under-18 threshold, and the negative-list transfer check. The gap can be closed in weeks if it is prioritized. The publishers who close it before the DPBI arrives on their doorstep will not notice the transition. The ones who wait will find 2026 and 2027 meaningfully more expensive than the years that came before.