Back to Blog
LegalTech & IA

₹250 Crore Fine: Who’s Really on the Hook Under India’s DPDP Act?

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
June 12, 2026
10 min read
₹250 Crore Fine: Who’s Really on the Hook Under India’s DPDP Act?

What’s the Big Deal with ₹250 Crore?

Imagine getting a fine bigger than the budget of a Bollywood blockbuster—just for mishandling someone’s email address. That’s the reality under India’s Digital Personal Data Protection Act, 2023 (DPDP Act). The maximum penalty of ₹250 crore (about $30 million) has everyone from startups to Big Tech sweating. But here’s the twist: not everyone is equally at risk.

Who Actually Gets Hit?

The DPDP Act applies to any “data fiduciary” processing personal data in India, or processing data of Indian residents from abroad. That includes companies, government agencies, and even individuals if they process data for commercial purposes. But the ₹250 crore fine is reserved for the most serious breaches—like failing to protect sensitive data or ignoring a data breach notification duty.

Think of it like traffic rules: a minor speeding ticket might cost you a few hundred rupees, but reckless driving that causes an accident can land you in jail. Similarly, the DPDP Act has a tiered penalty structure. The maximum fine is for “significant” data fiduciaries—those handling large volumes of sensitive data or using advanced profiling techniques. The government will classify these entities later.

Who’s Off the Hook?

Small businesses and startups can breathe a little easier—for now. The Act exempts data fiduciaries processing data for “personal or domestic” purposes. Also, if you’re a tiny e-commerce site with a handful of customers, your risk is lower. But don’t get complacent: even small players must comply with basic principles like consent and data minimization. The penalty for minor violations is much smaller—maybe a few lakhs—but still painful.

Another big exemption: government agencies. Yes, the same government that passed the law exempts itself from most penalties when processing data for “prevention, detection, investigation, or prosecution” of offenses. Critics call this a loophole big enough to drive a truck through.

The ₹250 crore maximum penalty applies to “significant data fiduciaries” that commit serious breaches, such as failing to implement security safeguards or violating children’s data provisions. Ordinary businesses face lower fines, and individuals processing data for personal use are exempt.

What Should You Do Now?

If you run a business in India, start by mapping your data flows. Identify what personal data you collect, why, and how you protect it. Appoint a Data Protection Officer if you’re a significant fiduciary. And for heaven’s sake, update your privacy policy—reading it should be less painful than cleaning grout with a toothbrush.

The DPDP Act is still evolving, with rules expected soon. Stay tuned, but don’t wait. The fine might be ₹250 crore, but the cost of ignoring it could be your reputation.

FAQ

Does the ₹250 crore fine apply to all companies?

No. The maximum penalty is reserved for “significant data fiduciaries” and only for the most serious violations. Most companies face lower fines based on the nature and gravity of the breach.

Can an individual be fined under the DPDP Act?

Yes, if they process personal data for commercial purposes. But individuals processing data for personal or domestic use are exempt.

When will the DPDP Act be enforced?

The Act was passed in August 2023, but rules are still being drafted. Enforcement is expected in 2024-2025. However, compliance preparation should start now.

📊 Penalty Risk Meter

How likely is your entity to face the ₹250 crore fine? Check the bars below.

Big Tech / Significant Fiduciary
High Risk
Medium Business
Moderate Risk
Small Business / Individual
Low Risk

* Based on current draft rules. Actual risk depends on data volume, sensitivity, and compliance measures.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.