DPDPA Episode 1: The Privacy Reality Check: Why India’s DPDPA is Everyone’s Business (Not Just Banks and Hospitals) by Hiren Morzariya on July 6, 2026 14 views

For the better part of 15 years, my job as a software engineer has been to make data flow faster, store it cheaper, and analyse it deeper. Currently, at Tech Company, we tackle massive, complex architectures daily. When we design systems like Public Health Platform—a heavy-duty digital health platform—privacy isn’t just a feature; it is the entire foundation. When you handle patient records, you naturally build zero-trust networks and obsess over access controls.

But a dangerous misconception is quietly floating around tech circles, developer Slack channels, and boardrooms across the country: “We just run a lifestyle app. We don’t collect medical records or credit card numbers, so the DPDPA isn’t really for us.”

If you are building, managing, or marketing a mobile app in India today, you are likely sitting on a ticking compliance clock. The passing of the Digital Personal Data Protection Act (DPDPA), 2023, has fundamentally rewritten the rules of the internet in India.

Here is exactly why this misconception exists, what the law actually says, and how it forces a massive architectural refactor for the everyday apps we build and use.

🛑 The Big Misconception: The “Sensitive Data” Trap

Historically, global privacy conversations have been dominated by heavy-hitters like HIPAA (health data) or PCI-DSS (financial data). Because the stakes for a leaked medical history or a stolen credit card are so visibly high, many app developers assume privacy laws are exclusively designed to protect highly sensitive information.

Here is where the DPDPA changes the game: The Act defines “Personal Data” simply as any data about an individual who is identifiable by or in relation to such data. It does not matter if you aren’t asking for their bank balance. If your app collects a user’s name, phone number, email address, or even tracks their device IP to build a profile, you are processing personal data. You are officially a Data Fiduciary, and the user is the Data Principal.

To understand the massive operational and engineering shift this requires, let’s look at an everyday, seemingly harmless application.

☕ Meet Our Example: “BrewPoints”

Throughout this post, we will follow BrewPoints, a fictional loyalty and pre-order app for a local chain of indie coffee shops. Users download the app, create a profile (Name, Phone Number, Birthday), allow location access (to find the nearest cafe), and earn points for every latte they buy.

Pre-DPDPA, BrewPoints had a standard, unreadable 20-page Terms & Conditions document. Users clicked “I Agree,” and BrewPoints freely dumped everything into a data lake to send SMS marketing, track daily commute routes, and share user lists with a third-party digital ad agency to run Facebook ads.

Here is how the DPDPA forces BrewPoints—and practically every app on your phone—to radically change how they operate.

1️⃣ The Death of “Blind Consent” (Notice & Consent as a State Machine)

Under the DPDPA, hiding behind a wall of legal jargon is no longer acceptable. Consent must be free, specific, informed, unconditional, and unambiguous. From a frontend and database perspective, consent is now a complex state machine.

  • Before: A single “Agree and Continue” button at sign-up.
  • After DPDPA, BrewPoints must present an itemised Notice explaining exactly what data is being collected and why. It must say: “We need your Name and Phone Number to create your loyalty account. We need your Birthday to send you a free muffin coupon.” * The Catch: The user must be able to view this notice in English or any of the 22 languages specified in the Eighth Schedule of the Indian Constitution. Furthermore, if a user declines to give their Birthday, BrewPoints cannot deny them the core service (buying coffee), and the backend must respect that state.

2️⃣ Purpose Limitation (The End of “Just Dump it in the Database”)

As engineers, our default instinct is to collect data “just in case” the business needs it later. The DPDPA mandates that you only collect what is strictly necessary to fulfil the specific purpose the user agreed to.

  • Before: BrewPoints asked for “Always On” background location tracking. They used this to see where users worked so they could plan where to open their next coffee shop.
  • After DPDPA: This is a major violation. The user downloaded the app to buy coffee, not to act as a free market-research beacon. BrewPoints can only ask for location “While Using the App” to find the nearest store. Once the user closes the app, the tracking must stop. The days of the wildcard SELECT * The user data is over.

3️⃣ The Right to be Forgotten (Death to the “Soft Delete”)

Every developer knows the oldest trick in the book: when a user clicks “Delete Account,” we don’t actually drop the row from the database; we just update a flag (is_deleted = true). Under the DPDPA, a “soft delete” is non-compliant.

  • Before: If a user deleted the BrewPoints app, their phone number and purchase history lived on the company’s AWS servers forever, still receiving promotional texts months later.
  • After DPDPA, BrewPoints needs a literal “Delete My Account & Data” button. When a user withdraws their consent, you must actively purge their identifiable data from your active stores unless retention is required by another specific law (like tax compliance). This means cascading deletion webhooks to scrub the user from primary databases, cache servers, and marketing pipelines.

4️⃣ Vendor Management: Third-Party SDKs Are Now Third-Party Liabilities

Most modern apps are stitched together using third-party SDKs—analytics tools, crash reporters, marketing automation, and cloud hosting. Under the DPDPA, the Data Fiduciary (the app owner) is fully responsible for what these third-party Data Processors do with the data.

  • Before: BrewPoints shared its user list with a digital ad agency to run campaigns without a second thought.
  • After DPDPA, BrewPoints must have strict, legally binding contracts with the ad agency. If the ad agency suffers a data breach and leaks BrewPoints’ customer phone numbers, BrewPoints is the one held legally responsible and faces the regulatory fines. You have to map exactly where your data flows once it leaves your servers.

💸 The Cost of Ignorance

The government has made it clear that non-compliance is not a slap on the wrist. The penalty for failing to prevent a personal data breach, or failing to adhere to the obligations of a Data Fiduciary, can range up to ₹250 Crores (approx. $30 Million USD) per instance.

💡 The Bottom Line

The DPDPA is not a healthcare law, nor is it a banking regulation. It is a fundamental shift in how digital trust operates in India.

Whether you are building a complex fintech platform or a simple app that lets people order a cappuccino, personal data is personal data. You are no longer just a software developer or a product manager; you are a custodian of your users’ digital identities. Treating data privacy as an afterthought is no longer just bad practice—if you aren’t designing for privacy at the architectural level today, you are just writing tomorrow’s massive legal liability.

Coming Soon!!

DPDPA Episode 2: The Purpose Limitation Paradox: Why Your APIs Are Quietly Breaking India’s Data Protection Law

Enterprise Query Design with Built-In Authorization Guarantees

About Author

Hiren Morzariya

Group Director - Technology

Seasoned software professional with over a decade of experience in Java development and software architecture. Proven track record of leading complex projects from conception to delivery, leveraging expertise in Java frameworks, architectural design patterns, and agile methodologies. Adept at collaborating with cross-functional teams to deliver innovative solutions that drive business growth and exceed client expectations.