---
title: "India DPDP Act 2026 — Phased Rollout, Consent Managers, and AI Voice"
description: "India notified the DPDP Rules in November 2025. Phase 1 set up the Data Protection Board immediately; Phase 2 brings consent managers in November 2026; Phase 3 turns on substantive obligations in May 2027. AI voice plans now."
canonical: https://callsphere.ai/blog/vw6f-india-dpdp-2026-implementation-rules
category: "AI Strategy"
tags: ["DPDP", "India", "Consent Manager", "AI Voice", "DPB"]
author: "CallSphere Team"
published: 2026-04-04T00:00:00.000Z
updated: 2026-05-07T16:46:08.358Z
---

# India DPDP Act 2026 — Phased Rollout, Consent Managers, and AI Voice

> India notified the DPDP Rules in November 2025. Phase 1 set up the Data Protection Board immediately; Phase 2 brings consent managers in November 2026; Phase 3 turns on substantive obligations in May 2027. AI voice plans now.

> India's DPDP Act 2023 sat unimplemented for two years. The November 2025 Rules unlocked a phased rollout that culminates in May 2027 — but the consent-manager framework lights up first, on 13 November 2026.

## What the law says

The Digital Personal Data Protection Act, 2023 (DPDP Act) applies to processing of digital personal data within India and to processing outside India when in connection with goods or services offered to data principals in India. The DPDP Rules, 2025 were notified on 13 November 2025. Phase 1 took effect immediately and stood up the Data Protection Board of India. Phase 2, effective 13 November 2026, activates the consent-manager framework — registered intermediaries that capture, store, and revoke consent on behalf of data principals. Phase 3, effective 13 May 2027, turns on substantive obligations: notice, consent, data principal rights, breach notification, children's data, Significant Data Fiduciary obligations, and cross-border transfer controls.

Consent must be free, specific, informed, unconditional, unambiguous, and given by clear affirmative action. Data fiduciaries must give a notice in plain language listing data items, purposes, rights, and the consent-manager option. Children's data (under 18) requires verifiable parental consent and a ban on tracking and behavioural monitoring. Significant Data Fiduciaries (designated by the Board based on volume, sensitivity, and risk) must appoint an India-based DPO, conduct DPIAs, and undergo independent audits. Penalties reach INR 250 crore per breach.

## What AI voice/chat must do

From November 2026, voice and chat operators serving India should support the consent-manager flow — accept consent tokens issued by registered consent managers, expose revocation hooks, and route notices through the manager when the user opts in. From May 2027 the substantive notice, rights, and breach obligations bite. AI voice that processes children's data requires verifiable parental consent and a hard ban on behavioural monitoring. Significant Data Fiduciary status triggers DPIA, audit, and DPO requirements; large consumer-AI deployments will likely qualify. Cross-border transfers default to permitted unless the government issues a negative list — monitor the list.

## CallSphere posture

CallSphere — 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses, 4.8/5, HIPAA and SOC 2 aligned — provides a DPDP-aware Indian tenant configuration: a consent-manager integration scaffold (ready for the November 2026 launch), a Hindi/English/regional notice generator, a children's-data flag with hard restrictions, an SDF readiness template (DPIA, audit log, DPO appointment), and a breach-notification workflow that meets the 72-hour expectation. Pricing $149 / $499 / $1,499; [14-day trial](/trial); 22% [affiliate](/affiliate); see [/pricing](/pricing) and [/contact](/contact); about us at [/about](/about).

```mermaid
flowchart LR
A[IN Caller] --> B[Voice Agent]
B --> C[Consent Manager\nNov 2026]
C --> D[Token Validation]
B --> E[Plain-Language Notice]
B --> F[Children's Data\nGate]
F --> G[Parental Consent]
B --> H[SDF: DPIA + Audit]
```

## Compliance checklist

1. Inventory all India data flows; map to DPDP fiduciary or processor role.
2. Build the consent-manager integration scaffold ahead of 13 November 2026.
3. Draft the plain-language notice in English and major regional languages.
4. Identify children's-data flows; build verifiable-parental-consent paths.
5. Assess Significant Data Fiduciary likelihood; prepare DPO appointment.
6. Run a DPIA for AI training and inference on personal data.
7. Implement the data principal rights intake (access, correction, erasure, grievance).
8. Document cross-border transfer destinations; monitor the negative list.
9. Stand up a 72-hour breach-notification workflow to the DPB and affected principals.
10. Track DPB rulings and the May 2027 hard-deadline countdown.

## FAQ

**Is consent the only basis?**
DPDP recognises consent and "certain legitimate uses" — a closed list including employment, public interest, and emergencies. There is no broad legitimate-interests basis.

**Are voice recordings personal data?**
Yes — they identify or relate to an identifiable individual.

**What is a consent manager?**
A DPB-registered intermediary that captures, stores, and revokes consent on behalf of data principals; interoperable consent tokens are the design intent.

**When does the substantive law bite?**
13 May 2027 for full obligations. Plan for it now; the consent-manager phase tests the wiring.

**Are HIPAA-style entity exemptions present?**
No direct equivalent. Healthcare data is sensitive but DPDP is technology-neutral.

## Sources

- MeitY DPDP Act and Rules: [https://www.meity.gov.in/data-protection-framework](https://www.meity.gov.in/data-protection-framework)
- DPDP Act 2023 (India Code): [https://www.indiacode.nic.in/handle/123456789/2069842](https://www.indiacode.nic.in/handle/123456789/2069842)
- IAPP DPDP Rules Finalised Nov 2025: [https://iapp.org/news/a/with-rules-finalized-india-s-dpdpa-takes-force](https://iapp.org/news/a/with-rules-finalized-india-s-dpdpa-takes-force)
- Hogan Lovells Consent Management Rules: [https://www.hoganlovells.com/en/publications/india-publishes-consent-management-rules-under-digital-personal-data-protection-act](https://www.hoganlovells.com/en/publications/india-publishes-consent-management-rules-under-digital-personal-data-protection-act)
- EY DPDP Rules 2025 Analysis: [https://www.ey.com/en_in/insights/cybersecurity/transforming-data-privacy-digital-personal-data-protection-rules-2025](https://www.ey.com/en_in/insights/cybersecurity/transforming-data-privacy-digital-personal-data-protection-rules-2025)

---

Source: https://callsphere.ai/blog/vw6f-india-dpdp-2026-implementation-rules