# DPDP Act Penalties: How Much Can Your Business Actually Be Fined?

## The Number
₹250 crore. Maximum penalty for a single violation under the DPDP Act, 2023.
That is approximately $30 million USD. Imposed by a regulator with the power to initiate inquiries without waiting for a complaint to be filed.
This is the law as it currently stands.
## The Full Penalty Schedule
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security safeguards | ₹250 crore |
| Failure to notify a data breach | ₹200 crore |
| Non-fulfilment of obligations for children's data | ₹200 crore |
| Failure to comply as a Significant Data Fiduciary | ₹150 crore |
| Any other non-compliance with the Act | ₹50 crore |
Read that last row carefully. Non-compliance with any provision of the Act — invalid consent flows, missing data retention policies, inadequate rights request processes — carries a maximum penalty of ₹50 crore. For most mid-sized Indian businesses, that is an existential number.
## Who Imposes Them
The Data Protection Board of India is the adjudicating authority. It has the power to initiate inquiries on its own motion — without waiting for a complaint from an affected individual. It can investigate, issue notices, conduct hearings, and impose penalties.
It is not a passive body that waits for complaints to land on its desk. It is designed as an active enforcement authority.
## How Penalties Are Calculated

- **Nature and gravity of the breach.** Systemic failure across millions of users is treated differently from an isolated incident. Sensitive data — health, financial, biometric — attracts more serious treatment than basic contact information.
- **Repetition.** A second breach from the same vulnerability is treated significantly more seriously than a first.
- **Whether harm occurred.** Financial loss, identity theft, reputational damage to affected individuals — these are aggravating factors. A breach with no demonstrable harm to individuals is treated more leniently.
- **Mitigating action.** Rapid containment, proactive notification, genuine remediation — the Board must consider these. They do not eliminate liability. But they reduce it.
- **Degree of cooperation.** Businesses that obstruct or delay investigations fare considerably worse than those that engage transparently from the start.
## The Breach Notification Trap
The most underestimated penalty exposure in the Act is not for suffering a breach. It is for failing to report one.
A ₹200 crore penalty sits on concealing a breach or delaying notification — not on the breach itself. Businesses that discover a data incident and attempt to manage it quietly, without notifying the Board and affected individuals, are compounding a manageable problem into a catastrophic one.
Notification is not a reputational calculation. It is a legal obligation with a nine-figure penalty attached to getting it wrong.
## Children's Data — The Hardest Line
The ₹200 crore penalty for children's data obligations is not accidental. It reflects where the legislature drew its firmest line.
If your platform can reasonably be accessed by individuals under 18 — and most consumer-facing platforms can — children's data obligations apply to you. Non-compliance in this area is treated as a serious violation, not an administrative oversight.
## What This Means for Mid-Sized Businesses
Large enterprises have compliance teams, legal departments, and insurance structures that can absorb regulatory penalties. Mid-sized businesses do not.
For a mid-sized Indian business, a ₹50 crore penalty for general non-compliance is potentially company-ending. The Act contains no provision for lower penalties based on business size — though the Board must consider the scale and nature of the business when determining quantum.
## The Economics Are Simple
Every component of a compliance programme — data mapping, consent rebuilds, security improvements, breach response protocols — costs a fraction of any penalty on the schedule above.
The businesses that end up before the Board are not, typically, the ones that tried to comply and fell short. They are the ones that made a deliberate decision not to begin.
## The Bottom Line
The DPDP Act's penalties are large, real, and backed by a regulator with investigative powers. Ignorance of the law is not a mitigating factor. Size is not an exemption.
The question is not whether your business can afford to comply. It is whether it can afford what happens if it does not.