
Last Updated: 2026-01-29 ~ DPDP Consultants

Who Is Actually Exempt from DPDP Compliance? The Question Every Indian Business Asks

Since the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 came into effect, one question has consistently surfaced across boardrooms, startups, and legal teams:

“Are we exempt from DPDP compliance?”

Most organizations approach this question with the mindset of financial regulation, assuming there must be turnover limits, sector-based carve-outs, or size-based exemptions. But the DPDP Act is built on a very different foundation.

This law is not centred around the organization.
It is centred around the individual whose data is being processed.

To understand who is exempt, one must move beyond assumptions and examine how the Act itself is structured, particularly Section 3 and Section 17.

1. The Legal Foundation: What the DPDP Act Regulates

The DPDP Act governs the processing of Digital Personal Data, that is, any information relating to an identifiable individual, provided it is:

  1. Collected in digital form; or
  2. Collected offline and later digitised.

In practical terms, if your systems touch personal identifiers such as names, contact details, online identifiers, or behavioural data in digital form, the DPDP Act is triggered.

Only after establishing this baseline can exemptions even be evaluated.

2. Understanding the Structure of Exemptions in DPDP

The DPDP Act does not treat all exemptions equally. It creates two distinct legal mechanisms:

  • Section 3 – Applicability and Exclusions
    Determines when the Act does not apply at all.
  • Section 17 – Statutory Exemptions
    Applies where the Act does apply, but certain obligations may be relaxed.

In effect, all data processing falls into one of three categories:

  Category                 Legal Effect
  Section 3 exclusions     DPDP Act does not apply
  Section 17 exemptions    DPDP applies with limited relaxations
  General processing       Full DPDP compliance required

Most businesses operate in the third category.

3. Personal or Domestic Processing

The DPDP Act does not apply where personal data is processed strictly for private or domestic purposes.

Typical examples:

  • Storing contacts on a personal phone
  • Managing personal email
  • Sharing family photos
  • Maintaining personal notes

Where the exemption ends:

  • Freelancers handling client lists
  • Influencers managing follower data
  • Consultants storing customer records
  • Any processing connected to income or professional services

Once data is used in a commercial or professional context, the activity becomes regulated.

4. Publicly Disclosed Personal Data

Another common misunderstanding is that publicly available data is “free to use”.

Under the DPDP Act, personal data that an individual has voluntarily made public falls outside the Act.

Examples:

  • Public social media profiles
  • Public blogs or posts
  • Information intentionally shared for public viewing

However, this exclusion is narrow:

  • It applies only to the specific data made public.
  • It does not legalise unethical scraping, profiling, or misuse.
  • Other laws may still impose liability even if DPDP does not.

In short, public does not mean unregulated; it only means DPDP may not apply.

5. Research, Analytics and Statistical Use

The Act allows limited exemptions for research and statistical processing, provided:

  • The data is not used to take decisions about individuals.
  • Appropriate safeguards are implemented.
  • Re-identification risks are controlled.

Most commercial “analytics” do not qualify as research under DPDP, especially if the data influences user profiling, targeting, or product behaviour.

Calling something “research” does not make it exempt.

6. Government and State Functions

The government may be exempted from certain obligations when performing functions authorised by law, such as:

  • National security
  • Law enforcement
  • Public order
  • Statutory administration

These exemptions are:

  • Function-based, not institution-based.
  • Limited to legally authorised activities.
  • Not a blanket immunity for all government operations.

A government entity may be exempt for surveillance but not for running commercial services.

7. The Startup and SME Myth

Many startups expect a formal “startup exemption”. None exists.

Some classes of entities may receive relaxed compliance requirements (such as simplified notices), but every entity must still:

  • Process data lawfully
  • Implement reasonable security safeguards
  • Report personal data breaches

Startups are regulated, just with proportional expectations.

8. No Turnover Threshold Under DPDP

Unlike tax or labour laws, DPDP has no minimum turnover or user base.

A one-clinic healthcare platform and a billion-user tech company are equally bound by:

  • Security obligations
  • Consent requirements
  • Grievance redressal
  • Breach notification

Enforcement may be proportional, but legal applicability is universal.

9. Foreign Companies Are Also Covered

The DPDP Act applies outside India if:

  • Goods or services are offered to individuals in India, and
  • Their personal data is processed digitally.

This includes:

  • SaaS tools
  • Mobile apps
  • Online platforms
  • Ed-tech, gaming, and fintech products

If you serve Indian users, you are inside the DPDP ecosystem.

10. So, Who Is Actually Exempt?

The practical reality is:

True exemptions are rare.
Partial exemptions are narrow.
Full compliance is the default.

Most so-called “exemptions” are actually conditional relaxations, not legal immunity.

11. Consequences of Getting It Wrong

The DPDP Act introduces serious financial penalties, including:

  • Up to ₹250 crore for security failures
  • Up to ₹200 crore for breach reporting failures
  • Significant penalties for violations involving children’s data

These are not symbolic. They are enforceable regulatory sanctions.

Conclusion: The Wrong Question to Ask

The biggest mistake organizations make is asking:

“How do I avoid DPDP?”

The correct strategic question is:

“How do I design my systems to comply with DPDP intelligently?”

Because under India’s new privacy regime:

Compliance is not an option.
It is the operating cost of digital business.
