India’s Data Privacy Rules: Will DPDP Act Compliance Costs Crush Startups?

SUMMARY

The DPDP Rules 2025 turn India’s privacy law into a strict, operational framework, where even early-stage startups must report breaches within 48 hours, maintain year-long logs, build automated deletion systems and offer clear channels for data corrections.

The cost and risk for young businesses have risen sharply, because the rules expect “audit-grade” security and detailed documentation, but the penalty system does not consider company size.

Along with this, Rule 23 has become the most worrying provision, as it allows the government to request user data from companies without clear limits, oversight or user-notification requirements.

Two years after the Digital Personal Data Protection (DPDP) Act laid the foundation for India’s privacy framework, the government has now notified the DPDP Rules 2025. The rules, which will govern the DPDP Act, threaten to disrupt operations for a number of startups given the heavy compliance burden.

Where the DPDP Act only introduced broad ideas such as consent, deletion, user rights and breach disclosures, the new rules turn each of these ideas into strict, time-bound requirements that must be executed exactly as written.

The changes are one of the biggest regulatory shifts yet for young startups and small and medium businesses. Many bemoan the higher burden of compliance.  

Mishi Choudhary, technology lawyer and founder of the Software Freedom Law Center (SFLC), says the problem is that implementation unduly adds cost to smaller companies, which usually tend to have fewer users and far fewer resources than tech giants.

“The rules are simple in words but will require investment in implementation. Large companies already have security and compliance teams but it’s going to require a lot of restructuring and investments by smaller players.” 

Case in point: any data breach must be reported within 48 hours under the new rules, even if the company is still figuring out what went wrong. Every business is also mandated to maintain complete data logs for at least a year.

The rules for the DPDP Act also call for automated deletion systems that warn users 48 hours before any data is erased. Businesses also have to set up a public channel that lets users request corrections and withdrawals. These timelines can become even stricter, as per recent reports.

The pressure becomes even heavier for companies that fall under the category of Significant Data Fiduciaries, such as an edtech platform or a fast-growing D2C brand. These businesses handle large volumes of user data or sensitive information. But the law does not relax penalties based on company size. 

A Lopsided Regulation?

Needless to emphasise, most early-stage startups and SMEs do not have the infrastructure or resources to meet these obligations. With smaller teams and limited budgets, startups can expect to incur heavy costs for compliance.

This is especially so because data-protection maturity is being thrust upon them all at once. The rules expect them to follow audit-grade security standards and maintain detailed records. To do this, they will have to buy new tools, hire privacy and security experts, and rebuild parts of their tech stack.

Even something as basic as preparing a breach disclosure within 48 hours requires forensic tools and automated detection systems. In the absence of dedicated teams, early-stage startups will have to partner with (and pay) other tech companies that enable compliance.

Choudhary says that even a single breach requires access to extensive tools for reporting. “The reporting timelines are aggressive and will require external tooling. Forensic disclosures cannot be made within the expected timelines.”

It is pertinent to note that the DPDP Act has provisions for penalties of up to INR 250 Cr for failing to take reasonable security safeguards.

Companies can also face fines of up to INR 200 Cr for not reporting a breach on time or for mishandling children’s data. Violations related to Significant Data Fiduciaries can attract penalties of up to INR 150 Cr, while general violations can go up to INR 50 Cr. 

Supreme Court advocate Khushbu Jain argues that because the broad penalties are the same for data fiduciaries and Significant Data Fiduciaries, smaller startups are exposed to costs and compliance processes that would typically be trivial for larger companies. 

“This creates legitimate concerns for small businesses, where even single lapses could result in penalties that threaten business continuity or its existence,” she adds.

Privacy Concerns Galore

Ironically, one of the bigger red flags around the DPDP Act is that user privacy itself is under threat.

Rule 23 under the act is perhaps the most contentious part of the law. This allows the government to request personal data from any company within a specified time period. The rule gives the state wide authority to demand information for reasons linked to national security or sovereignty, but legal experts reckon the language is broad and does not clearly define limits, safeguards or oversight. 

The government is not mandated to follow data-minimisation principles, nor does it have to notify individuals when authorities access their data. Can the government retain the data, when should it delete or destroy it and what specific protections apply to the datasets — these questions have no answers in the law at the moment. 

This lack of clarity expands state access to private datasets in ways not originally intended, especially because there is no dedicated appeals process for companies to challenge such requests. And this is why there’s been such a big pushback for the DPDP Act. 

Rule 23 also does not offer any procedural checks or independent review mechanisms, leaving companies with very little ground to refuse a request even if it appears excessive or disproportionate.

Aruna Sharma, former Secretary to the Government of India, told Inc42 that the rule sits uneasily against the constitutional protections laid down in the Supreme Court’s Puttaswamy judgement, which held that any intrusion into personal privacy by the state must meet strict tests of necessity and proportionality.

Sharma says Rule 23 bypasses these requirements, especially if the government is allowed to operate without tightly defined procedures. She stresses that privacy cannot be compromised, and that any intrusion must come with rigorous logs, audits and justification before an agency is granted access. 

SFLC’s Choudhary echoes this concern, saying the rule vastly increases government access to private databases and raises both surveillance and business risks.

There are already early signs of how such powers can play out in practice. Earlier this year, the Karnataka High Court rejected PhonePe’s plea challenging a police notice under Section 91 of the Criminal Procedure Code, which required the company to share user transaction data for an investigation. 

The court held that individual privacy rights must give way when criminal investigations demand information, reinforcing a precedent in which the burden tends to fall on the company rather than the state to justify resistance. 

Although the case did not involve the DPDP framework, it shows how Indian courts have historically treated data-access demands and indicates how similar disputes might unfold under Rule 23. 

However, not all is lost, at least as of now. 

There is some relief in the phased rollout. The DPDP framework gives companies up to 18 months for many requirements to fully kick in. This gives smaller businesses time to map their data flows, train teams, build deletion and consent systems, and adopt privacy-by-design.

SC advocate Jain points out that smaller firms can meet these rules with structured, simple practices, and that global investors now expect strong privacy controls. Adopting these early, she says, can build credibility and open doors to enterprise partnerships.

Privacy Laws Are An Eventuality

While the DPDP Rules 2025 now place clear pressure on smaller companies, the government’s move was not made in a vacuum. 

Over the past two years, India has seen a sharp rise in serious data breaches across startups and SMEs, many of which exposed millions of users to fraud, phishing and identity theft. The WazirX incident alone wiped out nearly INR 1,960 Cr and created industry-wide panic about security gaps in crypto platforms. 

Meanwhile, Angel One’s breach, caused by a simple cloud misconfiguration, leaked data of almost 8 Mn users. Alongside these headline incidents, SMEs reportedly faced a 60% jump in cyberattacks in early 2025, with phishing, API abuse and ransomware becoming routine threats. 

With the average cost of a data breach touching INR 22 Cr, the country’s digital economy was dealing with a trust deficit that could no longer be ignored.

The DPDP framework, with its tight breach-reporting timelines and mandatory safeguards, is therefore also an attempt to force companies to take security seriously before damage occurs, not after.

At the policy level, the government was already under pressure to respond to this surge in cyber incidents. The last Union Budget sharply increased cybersecurity spending, new SIM and device blocks were rolled out to curb fraud, and the National Cybersecurity Policy 2025 began pushing for a more resilient digital infrastructure. 

All in all, the DPDP Rules signal a shift to a harsher reality: India’s digital economy can’t keep expanding on weak security foundations. But as with other regulations such as the AI labelling and even compliance related to grievances or takedown notices, the burden is heavier on smaller startups. And this greatly harms the ease of doing business. 

A tiered approach might be better suited to the Indian ecosystem than a one-size-fits-all approach. Even startups acknowledge that the law will need to adapt to the needs of the ecosystem. But will these concerns reach the lawmakers before the DPDP Act threatens the survival of smaller startups?

Edited by Nikhil Subramaniam