Does the DPDP Act apply to small businesses? Yes. Here's what that means.

12 June 2026 · 6 min read

No revenue floor, no headcount floor. If you collect a name and an email from anyone in India, you are a Data Fiduciary. The carve-outs are narrower than founders hope.

Short answer: yes. The DPDP Act applies to anyone processing digital personal data in India, and it does not check your revenue first. Collecting even a name and an email makes you a Data Fiduciary, with a Data Fiduciary's obligations.

The longer answer involves one narrow carve-out that founders routinely overread. Here is where the line actually sits.

Why there is no small-business pass

GDPR-era laws often scale duties with size. DPDPA mostly does not. The drafters put the scaling elsewhere: heavier obligations stack onto Significant Data Fiduciaries at the top, while the core duties (consent, notice, security, breach reporting, and data rights) apply to every fiduciary from the first record.

If you run a Shopify store, a SaaS waitlist, a coaching newsletter, or a clinic booking page, you are in scope today. The only true exemptions are personal and domestic use, and data you process for purely journalistic or research purposes under conditions the Rules set.

The startup carve-out, read carefully

Section 17(3) lets the Central Government notify certain classes of Data Fiduciaries, including startups, as exempt from a few provisions: the notice requirement, some accuracy and erasure duties, and the right to access. Three things founders miss:

  1. It is not automatic. You are exempt only if the government notifies your class. No notification, no exemption. Being DPIIT-registered does not by itself change your DPDP duties.
  2. Consent is not on the exemptable list. Section 6 applies regardless. You still need valid, purpose-wise, withdrawable consent before processing.
  3. Security and breach duties stay. The security safeguard obligation (penalties up to ₹250 crore) and the 72-hour breach notification apply to exempted startups too.

Plan for the default

Build as if no exemption applies. If a notification later covers you, you have done slightly more than required. If you assumed one and it never came, you are non-compliant with records to prove it.

What a small team actually owes

DPDP obligations by company size

Obligation                          | 2-person startup | Significant Data Fiduciary
Purpose-wise consent                | Yes              | Yes
Itemized notice, 22 languages       | Yes              | Yes
Easy withdrawal                     | Yes              | Yes
Security safeguards                 | Yes              | Yes
Breach notification, 72 hours       | Yes              | Yes
Data rights handling                | Yes              | Yes
Data Protection Officer in India    | No               | Yes
Annual audit and impact assessment  | No               | Yes

The first six rows are the whole story for most small businesses. Nothing in them requires a legal team. All of them require actually doing the work.

"The Board will not come after companies like us"

Maybe not first. But enforcement is complaint-driven: any customer can file with the Data Protection Board, and an annoyed ex-customer with a screenshot of your consent-free signup form is a complete complaint. Penalties for the everyday breaches run up to ₹50 crore, with proportionality, not immunity, for small companies.

The nearer-term forcing function is commercial. Enterprise procurement now ships DPDP questionnaires, and "no consent records" ends deals before legal review starts. Your compliance deadline is your next big customer's security review, not the Board's first raid.

The proportionate response

The good news: at small-team scale this is a contained problem. One data inventory, one banner, one notice, one records ledger. The 12-point checklist is the map, and the technical items take about 30 minutes with a consent kit. The deadline for the core obligations is 13 May 2027; the records you keep between now and then are the asset.

Not legal advice

This covers the typical small business. If you handle health or financial data, lend money, or build for children, your obligations are heavier. Talk to counsel.

Frequently asked questions

Is there a turnover threshold below which DPDP does not apply?

No. The Act applies to processing of digital personal data regardless of company size or revenue. Obligations scale up for Significant Data Fiduciaries, but the core duties bind everyone.

Are startups exempt from the DPDP Act?

Only if the government specifically notifies a class of startups under Section 17(3), and even then only from a few provisions like notice and access. Consent, security, and breach notification obligations are not exemptable. No such blanket notification covers typical startups today.

Does DPDP apply to a small Shopify or WooCommerce store?

Yes. A checkout collects names, addresses, phone numbers, and payment details, all personal data. The store decides why it is collected, which makes it a Data Fiduciary with full consent, notice, and security duties.

Do freelancers and solo founders need DPDP compliance?

If you collect personal data from clients or visitors in the course of business, yes. Purely personal or domestic use is exempt; a client list and a newsletter are neither.

Small team, same law, easy fix

Skope was built for exactly this: one script tag, purpose-wise consent, notice in 22 languages, records kept. Free plan covers one site and 5,000 consents a month.
