DPDP Act for Startups: A Practical Compliance Guide for Indian Startups
No SMB exemptions exist in the DPDP Act. Learn the minimum viable compliance path, 90-day roadmap, and cost-effective strategies for startups in India.
If you are building a startup in India, the Digital Personal Data Protection Act, 2023 (DPDP Act) applies to you. There is no startup exemption. No small business carve-out. No “we’re too small to matter” defense.
The moment you collect a user’s email address, store a phone number, process a payment, or drop an analytics cookie, you are processing digital personal data and the full weight of the DPDP Act — including penalties up to Rs 250 Crore — applies to you.
The good news: compliance does not require a six-figure budget or a dedicated legal team. This guide gives you the minimum viable compliance path, a 90-day roadmap, and practical strategies to get compliant without slowing down your growth.
Why Startups Cannot Ignore the DPDP Act
There Are No Small Business Exemptions
Let us be clear about what the DPDP Act does and does not exempt.
Exempted from the DPDP Act:
- Personal data processed for personal or domestic purposes
- Data made publicly available by the Data Principal themselves
- Processing required for the State in the interest of sovereignty, security, or public order
Not exempted:
- Small businesses
- Early-stage startups
- Companies below a revenue threshold
- Pre-revenue companies
- Companies with fewer than X employees
- B2B companies (if you process any personal data of individuals)
Compare this to other regulations:
| Regulation | Small Business Exemption? | Details |
|---|---|---|
| DPDP Act (India) | No | All entities processing digital personal data must comply |
| GDPR (EU) | Partial | SMEs with fewer than 250 employees have reduced record-keeping obligations |
| CCPA (California) | Yes | Applies only to businesses with annual revenue over USD 25M, or 50,000+ consumers, or 50%+ revenue from selling data |
| LGPD (Brazil) | Partial | Simplified requirements for small businesses |
India chose the strictest approach. Every business that processes digital personal data of individuals in India must comply, regardless of size.
The Penalty Math Is Terrifying for Startups
For a large enterprise with Rs 10,000 Crore in revenue, a Rs 250 Crore penalty is painful but survivable — it is 2.5% of revenue.
For a startup with Rs 2 Crore in annual revenue, a Rs 250 Crore penalty is 125 times your revenue. It is an extinction event.
Even the lowest specific penalty category — Rs 50 Crore for “any other provision” — would be 25 times that startup’s revenue.
The DPDP Act does not scale penalties to revenue. The Data Protection Board of India (DPBI) has discretion to set the amount within the ceiling, and they will likely consider your size and revenue. But there is no guarantee, and the legal exposure remains.
Investors and Customers Will Ask
Beyond regulatory risk, DPDP compliance is becoming a business requirement:
- Series A+ investors are adding data protection compliance to their due diligence checklists
- Enterprise customers are asking vendors about DPDP compliance before signing contracts
- Government contracts will likely require demonstrated compliance
- Insurance providers may factor compliance status into cyber liability premiums
A startup that can demonstrate DPDP compliance has a competitive advantage over one that cannot.
Common Startup Data: What You Are Already Collecting
Most startups underestimate how much personal data they process. Here is what a typical startup collects across common functions.
User Accounts
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Email address | Yes | Yes |
| Full name | Yes | Yes |
| Phone number | Yes | Yes |
| Password (hashed) | Derived from personal data | Covered under account creation consent |
| Profile picture | Yes (biometric if facial recognition used) | Yes |
| Date of birth | Yes | Yes (extra obligations if under 18) |
| User preferences | Yes, if linked to identifiable user | Yes |
Analytics and Tracking
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Google Analytics user ID | Yes | Yes |
| IP address | Yes | Yes |
| Device fingerprint | Yes | Yes |
| Browser/OS information | Yes, when combined with other data | Yes |
| Page views and click behavior | Yes, when tied to user | Yes |
| Heatmaps and session recordings | Yes | Yes |
| UTM parameters linked to user | Yes, if tied to identifiable user | Yes |
Payment Processing
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Billing name | Yes | Yes |
| Billing address | Yes | Yes |
| Payment method (last 4 digits) | Yes | Yes |
| Transaction history | Yes | Yes |
| GST number | Yes (if sole proprietor) | Yes |
| UPI ID | Yes | Yes |
Marketing
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Email lists | Yes | Yes (explicit opt-in) |
| WhatsApp contacts for marketing | Yes | Yes |
| Retargeting cookies | Yes | Yes |
| Social media pixels | Yes | Yes |
| Referral program data (referrer/referee) | Yes | Yes |
| Event registration data | Yes | Yes |
Customer Support
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Support tickets (name, email, issue) | Yes | Yes |
| Chat transcripts | Yes | Yes |
| Call recordings | Yes | Yes (explicit notice) |
| Screen sharing recordings | Yes | Yes |
HR and Team Data (Even for Small Teams)
| Data Point | Personal Data? | Consent Required? |
|---|---|---|
| Employee PAN, Aadhaar | Yes (sensitive) | Yes, or covered under employment legitimate use |
| Salary information | Yes | Yes, or covered under employment legitimate use |
| Attendance and location tracking | Yes | Yes |
| Performance reviews | Yes | Yes, or covered under employment legitimate use |
| Contractor details | Yes | Yes |
Total: A typical startup with 50 users is already processing 20-30 categories of personal data across 5-10 systems.
Minimum Viable Compliance: What to Do First
You do not need to do everything at once. Here is the minimum viable compliance (MVC) approach, prioritized by risk.
Tier 1: Must-Have (Weeks 1-2)
These items address the highest-penalty risks and the most common violations.
1. Privacy Policy
Publish a DPDP-compliant privacy notice on your website. It must include:
- Your identity and contact details
- What personal data you collect
- Purpose of processing for each data type
- Who you share data with (third parties, processors)
- Data retention periods
- How users can exercise their rights (access, correction, erasure)
- Grievance officer contact details
- Available in English and Hindi at minimum
2. Cookie Consent Banner
If your website uses analytics, advertising, or any non-essential cookies:
- Deploy a consent banner that blocks non-essential cookies by default
- Offer Accept All, Reject All, and Manage Preferences options
- Store consent records
3. Legitimate Consent for User Signup
When users create accounts:
- Clearly state what data you are collecting and why
- Obtain explicit consent (checkbox, not pre-ticked)
- Separate marketing consent from account creation consent
- Store the consent record with timestamp
4. Grievance Officer
Designate a person (can be a founder in early stage) as your grievance officer and publish their contact details on your website.
Tier 2: Important (Weeks 3-6)
5. Data Inventory
Document every category of personal data you process:
- What data you collect
- Where it is stored (which systems, which servers)
- Why you collect it (purpose)
- Who has access to it
- How long you keep it
- Whether it goes to third parties
Use a simple spreadsheet. You do not need expensive tools at this stage.
6. Third-Party Audit
List every third-party service that processes your users’ data:
| Service | Data Shared | Purpose | DPA in Place? |
|---|---|---|---|
| Google Analytics | User behavior, IP | Analytics | Check |
| Razorpay/Stripe | Payment data | Payment processing | Check |
| AWS/GCP/Azure | All data on their servers | Infrastructure | Check |
| Mailchimp/Sendinblue | Email addresses, names | Email marketing | Check |
| Freshdesk/Zendesk | Support data | Customer support | Check |
| Slack/Teams | Internal comms (may include user data) | Communication | Check |
For each service, ensure a Data Processing Agreement (DPA) is in place. Most major SaaS providers offer standard DPAs.
7. Data Security Basics
Implement reasonable security safeguards (this addresses the Rs 250 Crore risk):
- HTTPS everywhere (no exceptions)
- Passwords hashed with bcrypt or argon2 (never plain text, never MD5)
- Database access restricted by role
- Regular backups with encryption
- Two-factor authentication for admin access
- Security headers configured (HSTS, CSP, X-Frame-Options)
8. Consent Withdrawal Mechanism
Allow users to:
- Delete their account
- Unsubscribe from marketing
- Change their cookie preferences
- Request data correction or erasure
Process these within 7 days (per Draft Rules).
Tier 3: Required Before Scale (Weeks 7-12)
9. Data Principal Rights Request Process
Set up a process to handle:
- Access requests (provide users with a summary of their data)
- Correction requests (update inaccurate data)
- Erasure requests (delete data when no longer needed)
- Nomination registration (for death/incapacity scenarios)
This does not need to be automated at small scale. A dedicated email address and an internal SLA work.
10. Breach Response Plan
Create a documented plan covering:
- How breaches are detected
- Who is responsible for response
- CERT-In notification process (within 6 hours)
- DPBI notification process (within 72 hours)
- Data Principal notification process
- Post-incident review and improvement
11. Data Retention Policy
Define how long you keep each category of data and what happens when the retention period expires. Guidelines:
| Data Category | Suggested Retention | After Retention |
|---|---|---|
| Account data | Duration of account + 30 days | Delete |
| Transaction data | As required by financial regulations (typically 7-8 years for tax) | Archive securely, then delete |
| Analytics data | 26 months (aligns with GA default) | Anonymize or delete |
| Marketing data | Until consent withdrawal | Delete within 7 days of withdrawal |
| Support tickets | 2 years after resolution | Anonymize or delete |
| Employee data | Employment duration + statutory periods | Delete |
12. Age Verification
If your product could have users under 18 (which includes most consumer-facing products):
- Implement age verification at signup
- Build a parental consent flow for users under 18
- Disable behavioral tracking for minors
- Disable targeted advertising for minors
Cost-Effective Compliance Strategies
Use Free and Open-Source Tools
| Need | Free/Low-Cost Option | Paid Alternative |
|---|---|---|
| Cookie consent banner | Osano free tier, Cookiebot free tier | OneTrust, Cookiebot paid |
| Privacy policy generator | Free templates + legal review | Legal firm (Rs 50K-2L) |
| Data inventory | Google Sheets/Notion | OneTrust, BigID |
| DSAR handling | Shared inbox + tracking sheet | DataGrail, ZenoComply |
| Security scanning | OWASP ZAP, Snyk free tier | Burp Suite, Qualys |
| Website compliance scan | ZenoComply free scan | Continuous monitoring tools |
| Encryption | Let’s Encrypt (free TLS) | Already included in most cloud providers |
Build Compliance Into Your Product
Instead of bolting compliance on later, build it in from the start:
In your user signup flow:
- Add consent checkboxes with clear purpose descriptions
- Store consent records in your database from day one
- Make email marketing opt-in by default (not opt-out)
In your database schema:
- Add a `consent_records` table from the start
- Add `data_deletion_requested_at` fields to user tables
- Plan for soft deletes that allow data recovery requests to be honored
- Add `purpose` tags to data fields
In your codebase:
- Build a data export function early (for access requests)
- Build a user deletion function that cascades across all tables
- Log all data access for audit trail
- Encrypt personal data fields at the application level
In your infrastructure:
- Enable encryption at rest on your database
- Enable encryption in transit (TLS everywhere)
- Set up access logging on data stores
- Use environment variables for secrets (never hardcode)
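The schema and code lists above, and the consent withdrawal mechanism described earlier, can be wired together as shown in this added example (it is not code from the guide). Only the names consent_records, purpose and data_deletion_requested_at come from the text; the SQLite schema, the function names, the 5-day grace period and the constructed EPOCH clock are this example's assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Names consent_records, purpose and data_deletion_requested_at come from the
# guide; the surrounding schema and functions are this example's assumptions.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    data_deletion_requested_at TEXT   -- soft-delete marker; NULL while active
);
CREATE TABLE consent_records (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL REFERENCES users(id),
    purpose TEXT NOT NULL,            -- 'account', 'marketing', 'analytics', ...
    granted_at TEXT NOT NULL,         -- ISO-8601 UTC strings sort chronologically
    withdrawn_at TEXT                 -- NULL while the consent is live
);
"""
EPOCH = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo

def day(n):  # constructed timestamp n days after EPOCH
    return EPOCH + timedelta(days=n)

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_user(db, email, purposes, now):
    """Signup: one consent row per purpose, so marketing consent stays separable."""
    uid = db.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid
    db.executemany("INSERT INTO consent_records (user_id, purpose, granted_at) VALUES (?, ?, ?)",
                   [(uid, p, now.isoformat()) for p in purposes])
    return uid

def has_consent(db, uid, purpose):
    """Gate every use of personal data on a live, purpose-specific consent row."""
    return db.execute("SELECT 1 FROM consent_records WHERE user_id = ? AND purpose = ?"
                      " AND withdrawn_at IS NULL", (uid, purpose)).fetchone() is not None

def withdraw_consent(db, uid, now, purpose=None):
    """Close live rows instead of deleting them: the history is the audit trail.
    purpose=None withdraws everything (used on account deletion)."""
    sql = "UPDATE consent_records SET withdrawn_at = ? WHERE user_id = ? AND withdrawn_at IS NULL"
    params = [now.isoformat(), uid]
    if purpose is not None:
        sql, params = sql + " AND purpose = ?", params + [purpose]
    db.execute(sql, params)

def request_deletion(db, uid, now):
    """Deletion request: soft-delete the user (recoverable) and withdraw all consent."""
    db.execute("UPDATE users SET data_deletion_requested_at = ? WHERE id = ?", (now.isoformat(), uid))
    withdraw_consent(db, uid, now)

def purge_due(db, now, grace_days=5):
    """Scheduled job: hard-delete accounts whose recovery window has passed. Keep
    grace_days under the 7-day window the guide cites so a daily run finishes inside it."""
    cutoff = (now - timedelta(days=grace_days)).isoformat()
    due = [r[0] for r in db.execute("SELECT id FROM users WHERE data_deletion_requested_at <= ?",
                                    (cutoff,))]
    for uid in due:
        db.execute("DELETE FROM consent_records WHERE user_id = ?", (uid,))
        db.execute("DELETE FROM users WHERE id = ?", (uid,))
    return due  # ids removed, for the job's own log
```

In a real deployment the hard delete would also cascade into every other table holding the user's data, which is exactly why the guide recommends building that cascade early.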
Leverage Your Tech Stack
Most modern frameworks and cloud providers include compliance-relevant features:
- Auth0/Clerk/Firebase Auth: Built-in consent management, user data export, user deletion
- Stripe/Razorpay: PCI compliance handled for you, DPAs available
- AWS/GCP/Azure: Encryption at rest enabled by default, compliance certifications, data residency options
- Vercel/Netlify: HTTPS by default, security headers configuration
- Supabase/PlanetScale: Row-level security, audit logging, encryption
90-Day Compliance Roadmap for Startups
Phase 1: Foundation (Days 1-30)
Week 1: Audit
- Complete a data inventory (what data, where stored, why, who has access)
- Audit website cookies and tracking technologies
- List all third-party services processing user data
- Identify data flows: where does personal data enter, move, and leave your systems?
Week 2: Core Documents
- Draft and publish a DPDP-compliant privacy policy
- Draft a cookie policy
- Designate a grievance officer and publish contact details
- Create an internal data handling policy for your team
Week 3: Consent
- Deploy a cookie consent banner (block cookies before consent)
- Update signup flows with explicit, granular consent
- Add marketing consent as a separate opt-in
- Start storing consent records with timestamps
Week 4: Security Baseline
- Verify HTTPS is enforced on all pages and subdomains
- Verify passwords are properly hashed (bcrypt/argon2)
- Enable 2FA for all admin and production access
- Review and restrict database access to essential personnel only
- Set up basic monitoring and alerting
Phase 2: Process (Days 31-60)
Week 5: Rights Handling
- Set up a dedicated email address for privacy requests (e.g., a privacy@ alias on your own domain)
- Create a data access request workflow (who handles, SLA, response template)
- Build or test your user data export function
- Build or test your user account deletion function
Week 6: Third Parties
- Obtain DPAs from all third-party processors
- Review each third party’s security practices
- Ensure third-party data sharing aligns with your privacy notice
- Remove any third-party integrations you no longer use
Week 7: Breach Preparedness
- Write a breach response plan (detection, assessment, notification, remediation)
- Identify who is responsible for each step in a breach
- Prepare CERT-In notification template
- Prepare DPBI notification template
- Prepare Data Principal notification template
- Conduct a tabletop breach exercise
Week 8: Children’s Data
- Determine if your product can be used by individuals under 18
- If yes, implement age verification at signup
- If yes, build parental consent workflow
- Disable behavioral tracking and targeted ads for minors
- If no, document your age restriction and enforcement mechanism
Phase 3: Maturity (Days 61-90)
Week 9: Data Retention
- Define retention periods for each data category
- Implement automated data deletion for expired data
- Set up alerts for data approaching retention limits
- Document your retention policy
Week 10: Team Training
- Train your development team on secure data handling
- Train customer-facing team on handling privacy requests
- Train marketing team on consent requirements for campaigns
- Document data handling dos and don’ts
Week 11: Testing
- Test the full consent flow (give consent, use site, withdraw consent)
- Test data access request processing end to end
- Test account deletion and verify data is properly removed
- Test breach notification process
- Run a website compliance scan and fix any remaining issues
Week 12: Review and Maintain
- Review all documents for accuracy and completeness
- Set quarterly calendar reminders for:
  - Privacy policy review
  - Cookie audit
  - Third-party DPA review
  - Security assessment
  - Breach plan review
- Document your compliance posture for investors and partners
What Changes as You Scale
Your compliance needs will grow with your company. Here is what to expect.
Seed to Series A (1-20 employees, 100-10K users)
- Manual processes are fine (spreadsheets, shared inbox)
- One person can own compliance (usually CTO or a co-founder)
- Focus on the basics: privacy policy, consent, security, breach plan
- Budget: Rs 0-5L per year (mostly your time)
Series A to Series B (20-100 employees, 10K-100K users)
- Automate DSAR handling (manual becomes unsustainable)
- Deploy a consent management platform
- Hire or designate a part-time privacy lead
- Start formal security audits
- Consider cyber insurance
- Budget: Rs 5-20L per year
Series B+ (100+ employees, 100K+ users)
- Dedicated privacy/compliance team or outsourced DPO
- Enterprise CMP with multi-language support
- Automated data retention enforcement
- Regular DPIA-style assessments
- If designated as SDF: full DPO, independent auditor, periodic DPIAs
- Budget: Rs 20-50L+ per year
Mistakes Startups Commonly Make
1. “We’ll deal with compliance later.” Retrofitting compliance is 3-5 times more expensive than building it in. Data collected without proper consent may need to be deleted entirely.
2. “We’re B2B, so DPDP doesn’t apply.” If you store names, emails, or phone numbers of your clients’ employees, you are processing personal data. B2B does not exempt you.
3. “Our lawyers will handle it.” Lawyers draft the policies, but engineering implements the technical controls. Consent management, data deletion, encryption, and breach detection are technical problems.
4. “We use AWS/GCP, so security is handled.” Cloud providers operate on a shared responsibility model. They secure the infrastructure; you secure the data. Misconfigured S3 buckets, exposed databases, and weak access controls are your responsibility.
5. “We don’t have children using our product.” Unless you verify age at signup, you cannot make this claim with certainty. If a child can create an account on your platform, you need to address children’s data provisions.
6. “We only need a privacy policy.” A privacy policy is necessary but not sufficient. You also need consent mechanisms, security safeguards, rights handling processes, breach notification procedures, and data retention policies.
7. “We collected email addresses before DPDP, so existing consent is fine.” Consent collected before the DPDP Act may not meet the new requirements (freely given, specific, informed, unambiguous). You may need to re-obtain consent from existing users.
Frequently Asked Questions
What if we’re pre-revenue? The DPDP Act applies based on data processing, not revenue. If you are processing digital personal data of individuals in India, you must comply.
Can we just use a GDPR-compliant setup? GDPR compliance gets you approximately 60-70% of the way, but critical differences remain: no legitimate interest, children under 18, 7-day consent withdrawal, mandatory notification for all breaches. You need India-specific adjustments.
How much does basic compliance cost for a startup? Using free and open-source tools, the primary cost is your time. Budget 40-60 hours of engineering time for the initial setup, plus 5-10 hours per month for maintenance. If you engage a lawyer for policy review, expect Rs 50K-2L.
What if a user requests deletion of data we need for legal compliance (e.g., tax records)? You can retain data required by other laws (such as financial records under the Income Tax Act) even after a deletion request. Document the legal basis for retention and inform the user.
Do we need a Data Protection Officer? Only if you are designated as a Significant Data Fiduciary (SDF) by the government. Most early-stage startups will not be SDFs. However, you do need to designate a grievance officer.
How do we handle data stored with third-party SaaS tools? You are responsible for data processed by your third-party processors. Ensure DPAs are in place, verify their security practices, and include them in your data inventory.
Start With a Free Compliance Scan
You do not know what you do not know. A compliance scan shows you exactly where your website and data practices stand today, so you can prioritize what to fix first.
Scan Your Website for DPDP Compliance — Free, instant results. See every cookie, tracker, and consent gap. Built for startups that need to move fast.