1. The Quick Rule
You own your data. Under the 2026 legal framework, companies are “Data Fiduciaries”—meaning they hold your data in trust. They do not own it. If a company leaks your data or uses it without your clear, specific consent, they face catastrophic fines of up to ₹250 Crore.
2. Your “Data Principal” Rights
As a citizen (Data Principal), you have four “Super-Rights” that every app and website must respect:
- Right to Correction & Erasure: You can demand that a company fix wrong info or “forget” you entirely by deleting your data once the purpose is served.
- Right to Nominate: You can appoint someone to manage your data rights in case of your death or incapacity.
- Right to Withdraw Consent: Consent is not a one-way street. You can take it back as easily as you gave it.
- Right to Grievance Redressal: Every company must have a Data Protection Officer (DPO) to answer your privacy concerns.
3. The 2026 “Consent” Standard
By April 2026, “Hidden Consent” is illegal. A company cannot hide a permission request in 50 pages of Terms & Conditions.
- The Notice: Before asking for data, the company must give you a notice in plain language (available in English or any of the 22 Indian scheduled languages).
- Itemized Consent: They must ask for permission for each specific use (e.g., separate boxes for “Delivery” and “Marketing”).
- No Pre-ticked Boxes: Pre-checked boxes are now a violation of the DPDP Rules.
4. Situation Checklist: If Your Data is Leaked
If you receive a notification that your data has been compromised (e.g., a bank leak or an e-commerce hack):
- [ ] Step 1: The 72-Hour Clock. By law, the company must notify the Data Protection Board (DPB) and you within 72 hours of discovering a breach. If they hide it, the fine increases significantly.
- [ ] Step 2: Internal Grievance. Contact the company’s Data Protection Officer (DPO). Ask exactly what data was leaked (Aadhaar, Credit Card, Email?) and what “remedial measures” they have taken.
- [ ] Step 3: DPB Complaint. If the company’s response is unsatisfactory or they refuse to acknowledge the leak, file a complaint on the official DPB Portal (dpdpa-grievance.gov.in).
- [ ] Step 4: Secure Your Assets. Change your passwords immediately and enable Two-Factor Authentication (2FA). If financial data was leaked, use the “Freeze” feature on your banking app.
5. Special Protection: Children’s Data
In 2026, the law is extra strict about anyone under 18 years old:
- Verifiable Consent: Companies must get “verifiable parental consent” before processing a child’s data.
- No Tracking: Any data processing that causes “detrimental effect” on a child’s well-being is strictly banned.
- No Targeted Ads: Companies are prohibited from tracking children’s behavior for targeted advertising.
6. The Official Proof (For Authority)
Digital Personal Data Protection Act, 2023 (Section 8):
“In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.”
DPDP Rules, 2025:
All Data Fiduciaries must implement “Reasonable Security Safeguards” to prevent breaches, failing which a penalty of up to ₹250 Crore can be imposed.
