ISpectra Technologies
Scope · Beginner · Updated Jun 2026 · 9 min read

Who Does the DPDP Act Apply To? (Scope & Applicability)

Before you build a compliance programme, you need to know whether the DPDP Act applies to you at all. This guide explains the Act's territorial and material scope in plain terms.

The first question any business should ask about the DPDP Act is the most basic: does it apply to us? Getting the answer right determines whether you need a full programme or simply good housekeeping. For most organisations that touch the data of people in India, the answer is yes — which is why understanding scope is the foundation of DPDP compliance.

This guide breaks the Act's scope into its two dimensions — where it applies and what it applies to — and clears up the common edge cases.

The sections below work through each dimension of scope in turn, then deal with the edge cases — foreign businesses, small companies, children's data and exemptions — that cause the most confusion. The goal is to leave you able to state, with confidence and on paper, exactly why the Act does or does not apply to a given activity.

Territorial scope: inside and outside India

The DPDP Act applies to the processing of digital personal data within India. That much is straightforward. But the Act also reaches processing that takes place outside India where it is connected to offering goods or services to data principals located in India.

This extraterritorial reach is deliberate. A company based abroad with Indian customers can fall squarely within the Act, even with no office, server or staff in the country.

This matters because the internet does not respect borders. A business that has never set foot in India can still process the data of millions of Indian users, and the Act is written to reach exactly that situation. Assuming you are out of scope because you are headquartered elsewhere is a dangerous default.

Material scope: digital personal data

The Act covers personal data in digital form. That includes data collected digitally from the outset, and data collected on paper that is later digitised. Personal data is any data about an identifiable individual.

Purely offline, non-digitised records sit outside the Act, but in a modern business almost everything is digital eventually, so the practical scope is broad.

The digital qualifier rarely narrows things in practice because data tends to flow into digital systems quickly. The safer assumption for any modern organisation is that the personal data it handles is, or will become, digital and therefore in scope.

Who carries the obligations

The duties fall primarily on the data fiduciary — the entity that decides why and how personal data is processed. If your organisation determines the purpose of processing, you are a fiduciary and the Act's obligations apply to you.

Processors who handle data on a fiduciary's behalf have narrower, contract-driven duties, but the fiduciary remains accountable to the individual.

This is why a clear inventory of who decides the purpose of each processing activity is so valuable. In complex group structures or platform businesses, the same data may involve several parties, and pinning down who is the fiduciary determines who carries the duties.

Foreign businesses serving Indian users

Because of the extraterritorial reach, a SaaS company in Europe, an e-commerce platform in the United States, or an app developer anywhere that offers services to people in India is generally within scope for that Indian-facing processing.

Such businesses should not assume that complying with their home regime is enough; the DPDP Act has its own definitions, notice and consent requirements, and breach rules that must be mapped and met.

For such businesses, a practical first step is a focused scoping exercise on the Indian-facing parts of the operation: which products are offered to people in India, what data they collect, and which existing controls already partly satisfy the Act. That maps the delta you actually need to close.

What falls outside the Act

The Act excludes certain processing. Personal or domestic processing by an individual is outside scope, as is data that a person has voluntarily made publicly available, or that someone is required by law to publish.

There are also exemptions for specified purposes — such as certain State functions, legal claims and research — though these are defined and limited rather than open-ended.

Even where an exclusion applies, it pays to document why. If you treat data as out of scope because it is genuinely public or purely domestic, a short written rationale protects you if the position is ever questioned.

Size doesn't exempt you

A common misconception is that small businesses are exempt. The core obligations — notice, consent, security and rights — apply regardless of company size if you process the digital personal data of people in India.

The Government can provide lighter treatment for startups and certain classes of fiduciary through notified exemptions, but the baseline expectation is broad, and “we're too small” is not a defence.

The size misconception is worth dispelling forcefully because it leads small firms to do nothing until a customer or incident forces their hand. A right-sized programme — clear notices, basic safeguards, a deletion routine — is achievable for a small business and far cheaper than a reactive scramble.

Special cases: children and significant fiduciaries

Some organisations face heightened scope. Anyone processing the data of children (under 18) must obtain verifiable parental consent and avoid harmful tracking. And the Government can designate high-volume, high-risk organisations as significant data fiduciaries with extra obligations.

Knowing whether either applies to you shapes how heavy your programme needs to be.

Identifying these special cases early changes resourcing. A consumer app aimed partly at teenagers, or a large data-driven platform, should plan for the heavier obligations from day one rather than discovering them midway through a build.

How to confirm your status

The practical test is simple: do you process digital personal data of individuals in India, and do you decide why and how? If yes, you are an in-scope data fiduciary. From there, map your processing, identify any children's data or significant-fiduciary triggers, and check whether any narrow exemption genuinely applies.

Documenting that scoping analysis early gives you a defensible foundation and prevents nasty surprises later in the programme.

Re-run this scoping analysis whenever your business changes materially — a new product, a new market, a new data source — because scope is not static. A programme that revisits its own applicability stays accurate as the organisation evolves.

Documenting your scope decision

Whatever your conclusion, write it down. A short scoping memo — stating which processing is in scope, which exclusions or exemptions you rely on, and why — is one of the most valuable documents in a DPDP programme, because it shows deliberate, defensible decision-making.

Revisit that memo whenever the business changes materially. New products, markets and data sources can pull previously out-of-scope activities into the Act, and a programme that keeps its scoping current stays accurate while one that relies on a stale snapshot drifts into risk.

When in genuine doubt about a borderline activity, the prudent default is to assume the Act applies and build the basic controls anyway. The incremental cost of doing so is small, while the cost of wrongly assuming you are exempt — and being found out after a complaint or breach — can be severe and very public.

FAQ

DPDP Act Scope & Applicability — FAQ

Yes, where they process personal data in connection with offering goods or services to people located in India — even without a local presence.
No. The core obligations apply regardless of size, though the Government may grant lighter treatment to startups and certain fiduciaries through notified exemptions.
Digital personal data — data collected digitally, or collected on paper and later digitised — about an identifiable individual.
Purely personal or domestic processing, data made publicly available by the individual or required by law to be published, and certain defined exemptions.
If your organisation decides the purpose and means of processing digital personal data of people in India, you are a data fiduciary and the Act applies.