DPDPA 2023

India's DPDPA carries INR 500 crore in aggregate penalties.

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection law. The Data Protection Board is being constituted and enforcement rules are being finalized. The window to prepare is closing. FOCTTA is purpose-built for DPDPA.

DPDPA Penalty Schedule (Section 33)

Failure to take reasonable security safeguards (data breach): INR 250 crore (~$30M)
Failure to notify Data Protection Board and affected persons of breach: INR 200 crore (~$24M)
Non-fulfillment of obligations related to children's data: INR 200 crore (~$24M)
Non-fulfillment of additional obligations by Significant Data Fiduciary: INR 150 crore (~$18M)
Breach of any other provision of the Act: INR 50 crore (~$6M)
Breach of terms/conditions of voluntary undertaking: INR 50 crore (~$6M)

Maximum aggregate penalty per entity: INR 500 crore (~$60M)

Section 9 · INR 200 crore penalty

Children's data under DPDPA: solved end-to-end.

Section 9 requires verifiable parental consent, bans behavioural tracking of minors, and forbids advertising that targets them. Most privacy platforms stop at an age gate. FOCTTA ships the full lifecycle - guardian verification, guardian-filed DSARs, mandatory DPIA on minor-data ROPAs, auto-escalated breach workflow, and an auditor-ready Section 9 report.

Guardian-verifiable consent

Parent or lawful guardian identity verified via three methods: DigiLocker, uploaded government document, or a previously verified linked account. The verification method and guardian identifier are cryptographically bound to the Compliance Receipt.

Guardian-filed DSARs (S.10)

A parent or lawful guardian can file access, correction, or erasure requests on behalf of a minor. The guardian relationship is carried through every step - intake, verification, task orchestration, response.

Age-gate + guardian capture

The public consent widget ships with a built-in date-of-birth age gate. When a minor is detected, the flow transitions to guardian email capture and verification before any personal data is collected.

Child-directed cookie mode

The cookie banner supports a "child-directed site" mode. Any cookie flagged targets_minors=true is force-blocked. The SDK enforces this at load time via a single data-vc-child-directed="true" attribute, and the mandatory S.9 disclaimer is rendered automatically.

No behavioural tracking

DSPM continuously scans every system that processes minor data for behavioural-advertising SDKs. Detections surface as a compliance finding with the S.9(3) citation attached.

DPIA mandatory on minor ROPAs

Every Record of Processing Activity with "minors" in the data-subject category is automatically flagged as DPIA-required. The ROPA cannot be moved to production until the two-person DPIA approval (DPO review + Legal sign-off) is complete.

Auto-escalated minor-data breach

Any breach flagged involvesMinorData=true is auto-promoted to severity: critical, kicks off the 72-hour Data Protection Board notification workflow, and attaches a pre-filled guardian notification template.

Hash-chained evidence

Every guardian consent, every guardian-filed DSAR, every minor-data breach, every erasure event carries a Compliance Receipt in the tamper-evident audit chain. Produced for the Data Protection Board on demand.
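
An added illustration of the hash-chaining idea behind the "Guardian-verifiable consent" and "Hash-chained evidence" items, not FOCTTA's implementation: each receipt's SHA-256 covers the guardian identifier, the verification method and the previous receipt's hash. Field names, event names, sample values and the expected_head parameter are assumptions made for this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor for the first receipt's prev_hash

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def append_receipt(chain, event, guardian_id, method, ts):
    """Append a receipt whose hash covers its fields and the previous hash."""
    body = {
        "seq": len(chain),
        "event": event,
        "guardian_id": guardian_id,        # bound into the hash
        "verification_method": method,     # bound into the hash
        "ts": ts,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append(dict(body, hash=_digest(body)))
    return chain[-1]

def verify_chain(chain, expected_head=None):
    """Return -1 if intact, else the index where verification first fails."""
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "hash"}
        if r.get("seq") != i or r.get("prev_hash") != prev:
            return i
        if not hmac.compare_digest(_digest(body), str(r.get("hash"))):
            return i
        prev = r["hash"]
    # A chain that is truncated, or re-hashed end to end after an edit, is
    # still self-consistent; only a head hash stored elsewhere exposes it.
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1

def build_sample():
    # Constructed sample events; identifiers and timestamps are made up.
    chain = []
    append_receipt(chain, "guardian_consent", "guardian-001", "digilocker", "2025-01-10T09:00:00Z")
    append_receipt(chain, "guardian_dsar_erasure", "guardian-001", "linked_account", "2025-01-12T11:30:00Z")
    append_receipt(chain, "guardian_consent", "guardian-002", "document", "2025-01-15T08:15:00Z")
    return chain
```

Keeping the head hash outside the system that holds the log (in write-once storage, for instance) is what lets verify_chain catch truncation or a full re-hash; the chain alone only catches edits that leave later hashes untouched.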

Section 9 Compliance Report

One click generates a PDF + CSV auditor-ready report: guardian verification rate by method, DPIA coverage for every minor-data ROPA, minor-data breach handling timeline, and every guardian-filed DSAR with its SLA status.

Compliance score dimension

"DPDPA Section 9 guardian coverage" is a weighted dimension in the overall compliance health score. Guardian verification gaps, DPIA gaps on minor ROPAs, and behavioural-tracking findings all move the number.

46 industry packs pre-seeded

EdTech, HealthTech, Gaming, Social and every other industry pack ships pre-seeded with S.9 and S.10 regulatory clauses plus the minor-data elements your DPO actually needs.

System templates ready day one

A "DPDPA S.9 - Minor + Guardian" Consent Profile and a "Minor DSAR - DPDPA Section 9" workflow template are available to every tenant. No workflow engineering required to be S.9-ready.

Public Trust Center statement

An auditor-facing public Trust Center statement documents the six Section 9 commitments FOCTTA makes to every minor and every guardian. Linkable from your own privacy notice.

Enforcement-ready today

DPDPA Section 9 penalties run up to INR 200 crore per violation. The window to build this is closing. FOCTTA has it shipping today - the only Indian privacy platform end-to-end on Section 9.

How FOCTTA addresses every DPDPA requirement

Section 6: Consent

Consent must be free, specific, informed, unconditional, and unambiguous with clear affirmative action.

FOCTTA: Purpose-based consent collection with lawful basis tracking, clear consent language, and granular purpose selection.

Section 5: Notice

Data Fiduciary must give notice in clear, plain language describing data and purpose.

FOCTTA: Multi-language notice management (22+ Indian languages) with version control and geo-aware serving.

Section 6(5): Withdrawal

Data Principal may withdraw consent at any time with ease of withdrawal comparable to ease of giving.

FOCTTA: One-click consent withdrawal via preference centre, API, or SDK with instant cache invalidation.

Section 8(5): Security

Reasonable security safeguards to protect personal data.

FOCTTA: Strong encryption, database-enforced tenant isolation, tamper-evident audit trail, and S3 WORM archival.

Section 11: Grievance

Data Principal has the right to grievance redressal.

FOCTTA: Full DSAR lifecycle: intake, identity verification, SLA tracking (90 days), task orchestration, and DPB escalation.

Section 12: Erasure

Data must be erased when consent is withdrawn or purpose is fulfilled.

FOCTTA: Multi-system erasure orchestration with legal hold checks, per-system tracking, and signed erasure certificates.

Section 9: Children

Verifiable parental consent, no behavioural tracking, no targeted advertising to minors.

FOCTTA: Age-gate widget, 3-method guardian verification (DigiLocker, document, linked account), guardian-filed DSARs, DPIA mandatory on minor ROPAs, child-directed cookie mode, auto-escalated minor-data breach workflow. See the Section 9 capability grid above.

Section 10: SDF Obligations

Significant Data Fiduciaries must appoint DPO and conduct DPIAs.

FOCTTA: DPO role with full platform access, DPIA wizard with templates, and compliance health scoring.

DPDPA

DPDPA enforcement is here. Are you ready?

The Data Protection Board is gearing up. Talk to us about getting your DPDPA compliance in order.
