DPDP in Practice · 4 min read

Does the DPDP Act Apply to Startups? The Honest Answer

The Question

You are early stage. Your to-do list is already longer than the day. A data protection law feels like a problem for later — for when you have a legal team, a compliance budget, and customers who care about this.

Here is the honest answer: the DPDP Act, 2023 applies to you now. What that means in practice, however, is more proportionate than the headline suggests.

There Is No Startup Exemption

The Act does not distinguish between a Series D company and a four-person founding team. It sets no revenue threshold, no employee minimum, no funding-stage carve-out.

If you collect digital personal data of individuals in India — and virtually every startup does, from day one — you are a Data Fiduciary under the Act. The obligations apply.

The Data Protection Board, when determining penalties, must consider the nature and scale of the business. A seed-stage startup faces different practical consequences from a penalty than a large enterprise. But the law applies equally.

What Actually Applies to You Right Now

Consent. If you are collecting email addresses, phone numbers, or any other personal data — through a waitlist, a sign-up form, or a beta onboarding flow — you need a valid consent mechanism. Not a pre-ticked box. A genuine, affirmative opt-in with a clear notice.

Purpose limitation. The email address you collected for product updates cannot be used for investor outreach, co-marketing, or anything else without separate consent.

Security safeguards. Reasonable measures are required. For an early-stage startup, reasonable looks different from what it means for a large enterprise — but it does mean encrypted storage, access controls, and not storing user data in unprotected spreadsheets.

Breach notification. If your user database is compromised, you must notify the Data Protection Board. Company size is not an exemption from this requirement.

Where Startups Are Most Exposed

The waitlist. Thousands of email addresses collected before you launched. What consent was obtained? What did you tell people their data would be used for? If the answer is "we had a coming soon page with an email field," there is a gap that needs to be addressed.

The pivot. You collected data for product version one, then pivoted to something different. That new use of existing data requires fresh consent if it is materially different from what people agreed to.

The investor data room. Customer data shared with potential investors during due diligence is a data transfer with regulatory implications. It needs to be handled carefully.

The third-party stack. Your CRM, your email tool, your analytics platform, your support software — every one of these receives user personal data. Each requires a data processing agreement.

What You Should Actually Do

You do not need a dedicated compliance team. At your stage, DPDP compliance is mostly about building the right habits before bad ones become embedded.

Fix your consent flows. Wherever you collect personal data, add a clear notice and a genuine opt-in. This is typically a morning's work for a developer.

Write an honest privacy policy. Not a template copied from a US SaaS company. One that accurately describes what data you collect, why you collect it, and what you do with it.

Sign data processing agreements with your vendors. Most major vendors — Google, HubSpot, Intercom, Mixpanel — have DPA templates available. Sign them.

Assign ownership. One person needs to own data protection. It does not need to be their full-time responsibility. It needs to be someone's named responsibility.
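The consent, purpose-limitation and pivot points above, turned into a small purpose-bound consent ledger. This is an added illustration, not DPDPsecured's code; the Act prescribes no particular data model, so the class and field names are this example's own assumptions.

```python
# Purpose-bound consent ledger (example code; names are assumptions, not
# anything the DPDP Act itself specifies).
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(ValueError):
    """A use of personal data that no live, affirmative consent covers."""


def is_affirmative(opted_in):
    # Only an explicit True from the person's own action counts. A missing
    # field, a default value, or a string such as "on" is not consent.
    return opted_in is True


@dataclass
class ConsentRecord:
    purpose: str            # the single purpose this consent covers
    notice_version: str     # the notice text the person actually saw
    recorded_at: datetime
    withdrawn: bool = False


@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)   # principal id -> [ConsentRecord]

    def record_opt_in(self, principal, purpose, notice_version, opted_in):
        if not is_affirmative(opted_in):
            raise ConsentError("consent must be an explicit affirmative opt-in")
        if not notice_version:
            raise ConsentError("consent must be tied to the notice that was shown")
        rec = ConsentRecord(purpose, notice_version, datetime.now(timezone.utc))
        self.records.setdefault(principal, []).append(rec)
        return rec

    def withdraw(self, principal, purpose):
        for rec in self.records.get(principal, []):
            if rec.purpose == purpose:
                rec.withdrawn = True

    def may_use_for(self, principal, purpose):
        # Purpose limitation: the purpose must match exactly. Consent given
        # for "product_updates" says nothing about "investor_outreach", so a
        # pivot to a new purpose needs a fresh record under a new notice.
        return any(r.purpose == purpose and not r.withdrawn
                   for r in self.records.get(principal, []))

    def require(self, principal, purpose):
        # Call before any processing step; fails closed on missing consent.
        if not self.may_use_for(principal, purpose):
            raise ConsentError(f"no valid consent from {principal} for {purpose}")
        return True
```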

The Commercial Case for Getting This Right Early

DPDP compliance built into your product from the start is an advantage, not a burden.

Enterprise customers — particularly in BFSI, healthcare, and legal — are beginning to ask DPDP compliance questions during procurement. A startup that can answer those questions clearly is differentiated from one that cannot.

Compliance retrofitted into a mature product, with millions of users and years of legacy data practices baked in, is expensive and disruptive. Compliance built from the start is neither.

The Bottom Line

The DPDP Act applies to your startup. The regulator is unlikely to pursue a four-person founding team ahead of larger targets. But the law applies, the obligations are real, and the habits you build now will compound — for better or worse — as you scale.

The question worth asking is simpler: if someone looked at your data practices today, would they find a business that took its users' trust seriously? For most startups right now, the honest answer is no. It does not take much to change that.

Published by DPDPsecured — compliance intelligence for Indian businesses.