Compliance

Is Your Website Illegal Under DPDP? (Quick Self‑Check Guide)

By Chittaranjan Gopalrao Nivargi Apr 14, 2026 📊 Fact‑Checked: DPDP Compliance

The DPDP Act 2023 makes any organisation that decides why and how digital personal data is processed a Data Fiduciary, and that covers practically every Indian website that collects personal data (and foreign sites offering goods or services to people in India). Contraventions attract penalties of up to ₹250 crore per instance, the maximum applying to a failure to keep reasonable security safeguards. This guide lets you quickly test whether your site is at risk and shows how to get compliant in five steps.


A Real‑World Wake‑Up Call

Rohit, founder of PulseHealth.in, a Delhi‑based tele‑health portal, thought a simple privacy‑policy footer was “good enough”. In August 2025 the Data Protection Board of India (the Board) issued a show‑cause notice because:

  • No clear consent mechanism for collecting patient phone numbers.
  • Patient data hosted on a public cloud outside India with no check of where it was stored or whether the destination was a country restricted under Section 16.
  • No appointed Data Protection Officer.

The provisional penalty computed by the Board was ₹198 crore, a sum that would have bankrupted the startup. The incident made headlines: “Indian health‑tech app faces 200‑crore DPDP penalty”. The lesson? Every website that touches personal data is a regulatory target, not an optional nice‑to‑have.

⚠️ This Is NOT an Isolated Case

Rohit’s case made headlines. But here’s the uncomfortable truth:

Thousands of Indian websites are currently non-compliant with DPDP — most without even realizing it.

If your website collects any user data — even a simple contact form — you are already inside DPDP scope.

Key takeaway

One missing compliance artefact can cost crores. For example, a regional bank’s website was hacked and the breach was disclosed only after 10 days; failing to notify is a separate contravention (up to ₹200 crore under the Schedule), and the late notice drew a fine of ₹35 crore.

Download our breach‑notification template, assign a response owner, and rehearse the process quarterly.

If you answered “No” to three or more of the self‑check questions, you are at high compliance risk: each contravention found in a Board inquiry carries its own penalty, up to ₹250 crore per instance for failing to keep reasonable security safeguards.

If Your Website Does ANY of This — You Are Already Under DPDP Scope

  • ✔ Contact form (name, phone, email)
  • ✔ Google Analytics / tracking cookies
  • ✔ WhatsApp chat widget
  • ✔ Newsletter signup
  • ✔ Login / account creation

If you checked even ONE of these, DPDP applies to you, because each captures digital personal data about an identifiable individual.

Most businesses assume they are compliant — until they see their actual risk score.

Don’t guess. Regulators won’t.

Run the Free 2‑Minute DPDP Risk Calculator

Want a quantified risk score? Our DPDP Compliance Risk Calculator asks the same seven self‑check questions, weights them, and returns a colour‑coded risk level (Low / Medium / High) plus a tailored remediation checklist.

Run DPDP Risk Calculator →

Free • 2 minutes • No signup required

AI‑Powered Process Intelligence – 60‑Second Audit

If you already have SOPs, policies, or flowcharts, upload them to our AI engine at app.toolsforindia.com. In under a minute you’ll receive:

  • Compliance score per DPDP clause.
  • Heat‑map of the highest‑risk documentation gaps.
  • Actionable recommendations you can copy‑paste into your policies.

Most companies rely on lawyers and consultants for compliance audits — which can take weeks and cost lakhs.

Our AI-powered engine gives you the same level of insight in under 60 seconds.

Run AI Process Audit →

Instant • No code required • Secure

5‑Step Action Plan to Make Your Site DPDP‑Compliant

  1. Map every personal‑data flow. List every form field, tracking pixel, and third‑party service that captures personal data, the purpose each serves, where the data is stored (including the cloud region) and how long it is kept.
  2. Publish a Section 5 notice. State which personal data you collect and for what purpose, how the Data Principal can withdraw consent and exercise their rights, how to complain to the Data Protection Board, and how long you retain data (Section 8(7) requires erasure once the purpose is served unless law requires retention).
  3. Implement granular consent. Use a consent‑management tool or an unticked checkbox per purpose with clear wording, shown before any data capture; consent must be specific to a purpose and as easy to withdraw as to give (Section 6). Keep a record of who consented, to what, and which notice version they saw.
  4. Name a contact for Data Principal queries. Only notified Significant Data Fiduciaries must appoint a Data Protection Officer (based in India), but every Data Fiduciary must publish the contact details of a DPO or other person who can answer Data Principals’ questions (Section 8(9)); a documented owner also counts towards the mitigation factors the Board weighs under Section 33.
  5. Set up a breach‑notification SOP. Draft a template, assign ownership, and rehearse the workflow at least quarterly against the clock in the DPDP Rules, 2025: inform affected Data Principals and the Board without delay, and file the detailed report with the Board within 72 hours of becoming aware.
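One way to implement steps 1, 3 and 5 in code, as an added example written for this page (it is not code from ToolsForIndia or from any DPDP tool): a field‑to‑purpose map, a per‑purpose consent ledger with withdrawal, a server‑side submission gate that stores only fields whose purpose has active consent, and the 72‑hour report clock from Rule 7 of the DPDP Rules, 2025. The field names, purposes, principal IDs, values and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# India Standard Time; the 72-hour report clock is wall-clock time from awareness.
IST = timezone(timedelta(hours=5, minutes=30))

# Step 1: the data-flow map. Each captured field is tied to exactly one stated
# purpose; a field not listed here is never collected. Names are constructed.
DATA_MAP = {
    "name": "appointment_booking",
    "phone": "appointment_booking",
    "email": "appointment_booking",
    "newsletter_email": "marketing_newsletter",
    "ga_client_id": "usage_analytics",
}
KNOWN_PURPOSES = frozenset(DATA_MAP.values())


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str            # the Section 5 notice the person was shown
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Step 3: one record per (principal, purpose). A bundled 'agree to all'
    flag cannot be stored here, which keeps consent purpose-specific."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, principal_id: str, purposes: list[str],
              notice_version: str, now: datetime) -> None:
        for purpose in purposes:
            if purpose not in KNOWN_PURPOSES:
                raise ValueError(f"consent requested for unmapped purpose {purpose!r}")
            if not self.is_active(principal_id, purpose):
                self._records.append(ConsentRecord(principal_id, purpose, notice_version, now))

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        # Withdrawal must be as easy as granting: one call, no conditions.
        for rec in self._records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now

    def is_active(self, principal_id: str, purpose: str) -> bool:
        return any(rec.principal_id == principal_id and rec.purpose == purpose and rec.active
                   for rec in self._records)


def accept_submission(ledger: ConsentLedger, principal_id: str, fields: dict) -> tuple[dict, dict]:
    """Server-side gate for a form post. Returns (stored, rejected): a field is
    stored only if it is in the data map and its purpose has active consent."""
    stored, rejected = {}, {}
    for name, value in fields.items():
        purpose = DATA_MAP.get(name)
        if purpose is None or not ledger.is_active(principal_id, purpose):
            rejected[name] = value      # dropped before it reaches any datastore
        else:
            stored[name] = value
    return stored, rejected


def breach_report_deadline(aware_at: datetime) -> datetime:
    """Step 5: the detailed report to the Board is due within 72 hours of
    becoming aware of the breach (Rule 7, DPDP Rules 2025)."""
    return aware_at + timedelta(hours=72)


def run_demo() -> dict:
    """Walk one visitor through grant, submission, withdrawal and a breach clock.
    Identifiers, field values and timestamps are constructed for this example."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 4, 14, 10, 0, tzinfo=IST)
    ledger.grant("principal-42", ["appointment_booking"], "notice-v3", t0)
    stored, rejected = accept_submission(ledger, "principal-42", {
        "name": "R. Sharma",
        "phone": "9800000000",
        "newsletter_email": "r@example.in",   # no marketing consent given
        "dob": "1990-01-01",                  # not in the data map at all
    })
    ledger.withdraw("principal-42", "appointment_booking", t0 + timedelta(days=30))
    after = accept_submission(ledger, "principal-42", {"phone": "9800000000"})
    try:                                      # a bundled "everything" purpose is refused
        ledger.grant("principal-42", ["everything"], "notice-v3", t0)
        bundled_refused = False
    except ValueError:
        bundled_refused = True
    return {
        "stored": stored,
        "rejected": rejected,
        "after_withdrawal": after,
        "bundled_refused": bundled_refused,
        "report_due": breach_report_deadline(t0).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The gate sits on the server, not in the browser: a pre‑ticked box or a tampered request still cannot get a field past it unless the ledger holds active consent for that field’s purpose, and withdrawal takes effect on the next request with no further processing of that purpose.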

Follow these five steps and run the risk calculator to verify; you will then hold the documented safeguards and mitigation record that the Board weighs under Section 33 when it sets any penalty, instead of being exposed to the full ₹250 crore maximum.

Frequently Asked Questions

Q: My website only uses Google Analytics. Do I need a privacy policy?

A: Yes. Analytics identifiers such as cookie IDs and IP addresses are personal data under DPDP whenever they relate to an identifiable individual, which is the normal case for a tracker tied to a browser. A notice on its own is not enough: analytics is not one of the legitimate uses in Section 7, so the cookie must not be set until the visitor consents, and the notice must meet Section 5 (what is collected, why, how to withdraw, and how to complain to the Board).

Q: Do I need a DPO if I have fewer than 10 crore records?

A: The Act sets no record‑count threshold. The Central Government notifies Significant Data Fiduciaries on the factors in Section 10(1) (volume and sensitivity of data, risk to Data Principals, national security and so on), and only notified SDFs must appoint a DPO based in India. Every Data Fiduciary must still publish the contact details of a person who can answer Data Principals’ questions (Section 8(9)); naming one voluntarily demonstrates good faith and supports the mitigation factors in Section 33.

Q: How long is the breach‑notification window?

A: Under Rule 7 of the DPDP Rules, 2025, a Data Fiduciary that becomes aware of a personal data breach must inform each affected Data Principal and the Data Protection Board without delay, and must send the Board a detailed report within 72 hours of becoming aware (or a longer period the Board allows). Failure to notify is a separate contravention with its own penalty of up to ₹200 crore, on top of any penalty for the safeguards failure that caused the breach.

Final Reality Check

DPDP is not optional compliance. It is enforceable law.

  • → Penalties go up to ₹250 crore
  • → Even small businesses are covered
  • → Ignorance is not a defense

The question is not “Do I need compliance?” The question is: “How exposed am I right now?”


ToolsForIndia Team

Data‑driven financial & compliance analysis for Indian businesses

We provide fact‑checked, actionable insights without click‑bait. All calculators are free, privacy‑first, and built for Indian investors and entrepreneurs.
