Your Phone Number Is Not Just a Login. It Is Data.

Most people do not think about it. You download an app, enter a phone number, tap agree, and move on. It takes seconds. What it sets in motion, legally and practically, is considerably more significant.

This is the everyday digital trade-off that India's data protection regime is now, finally, attempting to address.

The constitutional foundation was laid in Justice K.S. Puttaswamy v. Union of India, where the Supreme Court recognised privacy as a fundamental right under Article 21. That ruling was not merely symbolic. It established the legal basis for everything that followed including the Digital Personal Data Protection Act, 2023, which places consent at the centre of all personal data processing.

The obligations the Act creates are specific. Section 6 requires that consent be free and informed, not buried in terms and conditions that no one reads. Section 8 places a corresponding duty on companies to process personal data only for lawful purposes, and to do so responsibly. Together, these provisions shift the balance. Data collection is no longer simply a commercial decision. It is a regulated one.

When those obligations are violated, the Act provides a clear escalation path. A complaint begins with the company itself. If unresolved, it moves to the Data Protection Board of India, which carries the authority to investigate and impose penalties under Section 33.

In 2026, enforcement is still finding its shape. The legal architecture exists. Its real weight is emerging gradually — through complaints filed, compliance pressure applied, and early enforcement actions that signal how seriously the Board intends to exercise its mandate.