India has taken a landmark step in digital regulation by formally bringing into force the Digital Personal Data Protection Act, 2023 (DPDP Act), along with its implementing rules. This marks the nation’s first comprehensive law dedicated to protecting digital personal data, placing new obligations on firms operating in the crypto and artificial intelligence (AI) sectors and reshaping the privacy landscape.
Crypto sector implications: Although the law is not specifically limited to cryptocurrencies, the cross-border and data-intensive nature of crypto platforms means they must now carefully assess how they handle user data in India. Platforms offering services to Indian users, or processing Indian residents’ data even outside India, fall under the act’s jurisdiction.
Key areas: user identity data (KYC/AML), transaction metadata, and behavioural profiling (especially for algorithmic trading or recommendation engines) will now draw regulatory scrutiny.
AI and algorithmic systems: AI applications often rely on large datasets, behavioural tracking, and profiling. With India strengthening data-collection rules, AI firms will need to ensure their data pipelines comply with verifiable consent, the ability for users to opt out, and robust security safeguards. This also intersects with proposed rules on AI-generated content in India.
The law thus serves as a foundational piece for India’s broader digital ecosystem regulation, signalling that AI systems cannot operate outside of data-protection norms.
Q1: When exactly did India’s data-protection law come into effect?
The DPDP Act was passed in August 2023, and its rules (the DPDP Rules, 2025) were notified in November 2025, making many key provisions operative now.
Q2: Does this law apply to crypto exchanges and blockchain platforms?
Yes, any organisation processing digital personal data of individuals in India (or offering goods/services to them) falls under the law’s scope, which means crypto platforms must comply if they collect, store or process user data.
Q3: How does the law affect AI companies and data-heavy services?
AI and data-intensive services will need to ensure the data they collect is subject to verifiable consent, can be deleted/erased when required, and is secured. They should also monitor profiling practices, especially for children or vulnerable groups.
Q4: Are there heavy penalties for non-compliance?
Yes, although the rules are being phased in, the law allows for meaningful penalties, which may include significant fines and other regulatory actions.
Q5: What should a crypto or AI company operating in India do now?
Start by auditing data-flows (what data is collected and processed), consent-mechanisms, data-retention policies, breach-notification readiness, and localisation/cross-border transfer practices. Appoint a Data Protection Officer (if required), set up grievance-redress, and get legal guidance on classification as an SDF.
Internet Computer has moved to the top of Santiment's latest AI & Big Data blockchain…
Multisignature wallets remain one of the strongest defenses against private-key compromise. This guide compares ten…
The crypto market has delivered yet another reminder that "decentralized" doesn't always mean "secure." This…
The long-awaited Pump (PUMP) airdrop finally landed in eligible wallets, and many recipients did exactly…
The crypto industry has a remarkable talent for turning simple ideas into complicated acronyms. The…
The memecoin market is once again proving that crypto traders can generate a week of…
This website uses cookies.