DPDP Act penalties: every fine in the Schedule, explained
12 June 2026 · 7 min read
₹250 crore is the headline, but the Schedule has seven rows and the Board can stack them. What each fine attaches to, and what actually protects you.
The maximum fine for DPDP non-compliance is ₹250 crore for a single breach. Not a percentage of annual revenue, not a cap across violations. Per breach. And the Data Protection Board can find more than one breach in the same incident.
The amounts live in the Schedule to the Digital Personal Data Protection Act, 2023. Seven rows. Here is each one, what it attaches to, and what the Board weighs before writing a number.
The full penalty schedule
| Breach | Section | Maximum penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | 8(5) | ₹250 crore |
| Failure to notify the Board and affected users of a breach | 8(6) | ₹200 crore |
| Breach of obligations around children's data | 9 | ₹200 crore |
| Breach of Significant Data Fiduciary obligations | 10 | ₹150 crore |
| Breach of duties by a Data Principal | 15 | ₹10,000 |
| Breach of a voluntary undertaking accepted by the Board | 32 | Up to the amount for the underlying breach |
| Breach of any other provision of the Act or Rules | General | ₹50 crore |
Read the last row again. Consent taken wrong, notice missing, withdrawal buried, data rights ignored: each falls under "any other provision" at up to ₹50 crore. The everyday compliance failures are the ones most small teams are exposed to.
Fines stack
One incident can produce several breaches. Picture a leaked customer database: weak safeguards (Section 8(5), up to ₹250 crore), no notification to the Board within 72 hours (Section 8(6), up to ₹200 crore), and the investigation then finds consent was never properly taken (general provision, up to ₹50 crore). Three findings, three penalties, one bad week.
How the Board decides the amount
Section 33 of the Act tells the Board what to weigh:
- The nature, gravity, and duration of the breach
- The type and sensitivity of the personal data affected
- Whether the breach repeats
- Whether you gained from it or dodged a loss
- How you responded: mitigation, speed, cooperation
- Proportionality, and the likely impact of the penalty on you
Two of those you can shape before anything goes wrong: how fast you respond, and what your records show. A team that produces timestamped consent receipts and a clean notification trail argues for the bottom of the range. A team with no records argues from memory.
The proof problem
When the Board asks how you obtained consent for a given user, a screenshot of your banner is not evidence. A tamper-evident record of who agreed, to what, when, against which notice version, is.
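One way to build such a record is an append-only ledger in which every consent event (grant or withdrawal) carries the user, the purposes, the exact notice version shown, a timestamp, and the hash of the previous entry, so that editing or deleting any past entry breaks the chain. The following is an added illustration, not Skope's product code and not a prescribed legal form of record; the field names, SHA-256 chaining and the genesis constant are assumptions of this example.

```python
"""Hash-chained consent receipts: a tamper-evident consent record.

Added example; field names and chaining scheme are assumptions, not a
standard. Each entry commits to the previous entry's hash, so altering,
reordering or removing any earlier receipt is detectable by verify().
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def _digest(entry: Dict) -> str:
    """SHA-256 over the entry's canonical JSON, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, user_id: str, action: str, purposes: List[str],
               notice_version: str, timestamp: str) -> Dict:
        """Record a 'grant' or 'withdraw' event against a specific notice version."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "user_id": user_id,            # pseudonymous identifier (constructed)
            "action": action,
            "purposes": sorted(purposes),  # sorted so the hash is order-independent
            "notice_version": notice_version,
            "timestamp": timestamp,        # ISO-8601 UTC, supplied by caller
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def consent_state(self, user_id: str, purpose: str) -> Optional[Dict]:
        """Latest receipt governing one purpose for one user: the answer to
        'how did you obtain consent for this user?' (None if never recorded)."""
        latest = None
        for e in self.entries:
            if e["user_id"] == user_id and purpose in e["purposes"]:
                latest = e
        return latest


def demo() -> Optional[int]:
    """Build a small constructed ledger, then tamper with one entry."""
    ledger = ConsentLedger()
    ledger.append("u-1001", "grant", ["analytics", "marketing"], "notice-v3", "2026-06-01T09:14:02Z")
    ledger.append("u-1002", "grant", ["analytics"], "notice-v3", "2026-06-01T09:20:45Z")
    ledger.append("u-1001", "withdraw", ["marketing"], "notice-v3", "2026-06-03T17:02:10Z")
    assert ledger.verify() is None
    # Someone later backdates the withdrawal to make it look prompt:
    ledger.entries[2]["timestamp"] = "2026-06-10T00:00:00Z"
    return ledger.verify()  # index of the first entry whose hash no longer matches


if __name__ == "__main__":
    print("first tampered entry:", demo())
```

The chain alone cannot detect truncation of the most recent entries, since removing the tail leaves a valid shorter chain; in practice the latest hash is periodically written somewhere the application cannot overwrite (write-once storage or a signed daily digest), so a Board inquiry can be answered with a ledger whose end point is independently anchored.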
Will the Board really fine a small company ₹250 crore?
Probably not the maximum, because Section 33 requires proportionality. But "less than ₹250 crore" is cold comfort when even a few lakh stings, and the law has no small-business exemption for consent and notice. The realistic small-team risk is a customer complaint to the Board, an inquiry letter, and no records to answer it with.
There is also a quieter penalty nobody schedules: enterprise customers now send DPDP questionnaires before signing. No consent records, no deal.
When fines become real
The Data Protection Board exists now; the Rules establishing it took effect on 14 November 2025. The obligations most websites can breach (consent, notice, and data rights) become enforceable on 13 May 2027. The full sequence is in our DPDP compliance timeline. Consent records only count from the day you start keeping them, which is the argument for starting early.
The cheap insurance
Every fine in the Schedule traces back to items on a short list: safeguards, notification readiness, lawful consent, working data rights. That is the 12-point checklist, and the technical half of it takes about 30 minutes with the right tooling. Against a schedule that tops out at ₹250 crore, ₹999 a month is not a hard sum.
Not legal advice
Penalty exposure depends on your specific data practices. If you have had a breach or expect an inquiry, talk to counsel now, not after the Board writes.
Frequently asked questions
What is the maximum fine for DPDPA non-compliance?
₹250 crore per breach, the Schedule's top line, for failing to take reasonable security safeguards to prevent a personal data breach under Section 8(5). Other breaches carry maximums of ₹200 crore, ₹150 crore, and ₹50 crore.
What is the fine for not having a consent banner?
Collecting personal data without valid consent falls under the general provision: up to ₹50 crore per breach. The Board sets the actual amount using the Section 33 factors, including gravity, duration, and your response.
Can DPDP fines apply to small businesses and startups?
Yes. The Schedule does not distinguish by company size. Proportionality is one factor the Board weighs, but there is no exemption from liability for being small.
Who imposes DPDP penalties?
The Data Protection Board of India. It inquires into complaints and breaches, hears both sides, and imposes monetary penalties under Section 33. Appeals go to the Telecom Disputes Settlement and Appellate Tribunal.
Is there a penalty for individuals misusing the law?
Yes. A Data Principal who breaches their duties under Section 15, for example by filing a false complaint, faces a penalty of up to ₹10,000.
Find your exposure before the Board does
The free Skope scanner checks your site against the obligations behind these fines: consent, notice, trackers, withdrawal. 60 seconds, no signup.