DPDP Biometric Data: Fingerprint & Face Recognition Rules

Understanding DPDP rules for biometric data (fingerprint, face recognition) in India. Learn consent, storage, and cost.

Sushant Pasumarty

DPDP Biometric Data: Quick Answer

Yes, the DPDP Act significantly impacts how Indian businesses collect, process, and store biometric data, including fingerprints and face recognition. While the Act doesn't explicitly name 'biometric data' as a separate category, it falls under 'personal data' and often 'sensitive personal data' because it acts as a unique identifier. This means strict consent, security, and purpose limitation rules apply.

💡 Key Insight: Biometric data is intrinsically linked to an individual and, if compromised, can lead to severe identity theft. The DPDP Act's general principles around personal data protection apply with amplified rigor due to the inherent sensitivity of such identifiers.

What This Means Right Now

The DPDP Act is expected to be enforced soon, and businesses collecting biometric data cannot delay preparation. Unlike general personal data, biometric identifiers are permanent and irreplaceable. A breach has long-term implications for the data principal.

Sushant Pasumarty, founder of Meridian Bridge Strategy, emphasizes that any entity using biometric systems – from employee attendance to customer authentication – must establish robust frameworks. This isn't a future problem; it's an immediate operational and compliance challenge.

Enforcement Timeline & Practical Reality

While specific implementation dates for all sections are pending, businesses should operate as if the DPDP Act is fully active. Regulators will expect a demonstrable commitment to data protection, especially for high-risk data like biometrics. Practical reality dictates that businesses start reviewing their biometric data practices now.

What You Actually Need To Do for Biometric Data Compliance

Compliance with DPDP for biometric data requires a structured approach focusing on consent, purpose, storage, and security. Sushant Pasumarty outlines these critical steps:

  1. Obtain Valid Consent: For biometric data, consent must be explicit, informed, and specific. Data Principals (individuals) must understand exactly what biometric data is being collected, for what purpose, how it will be stored, and their rights (e.g., withdrawal). A simple checkbox is insufficient; detailed notice is essential.
  2. Define & Limit Purpose: Collect biometric data only for clearly defined, lawful purposes. Do not collect more biometric data than necessary for that purpose. For example, if a fingerprint is collected for attendance, it should not be used for tracking other activities without separate, specific consent.
  3. Implement Robust Security Measures: Biometric data requires elevated security. This includes encryption, access controls, regular security audits, and measures to prevent unauthorized access or modification. Data Fiduciaries must ensure the integrity and confidentiality of this sensitive information.
  4. Establish Retention & Deletion Policies: Biometric data should only be retained for as long as necessary for the stated purpose. Once the purpose is served (e.g., employee leaves, customer account is closed), the biometric data must be securely deleted. This includes deletion from backups and any third-party processors.
  5. Conduct Data Protection Impact Assessments (DPIAs): For systems handling biometric data, a DPIA is highly recommended (and may become mandatory for Significant Data Fiduciaries). This assessment helps identify and mitigate risks associated with processing sensitive personal data.

✅ Pro Tip: Review all third-party vendors (e.g., biometric device providers, HR software) that handle your biometric data. Ensure their contracts and practices are fully compliant with DPDP requirements, including data processing agreements (DPAs).

What It Costs for DPDP Biometric Data Compliance

Addressing biometric data under DPDP is not a standalone cost; it integrates into your overall DPDP readiness. The cost depends on the complexity of your operations, the volume of biometric data, and your current compliance posture. Meridian Bridge Strategy (MBS) offers productized services that cover these needs:

| Tier | What it includes | Price range | Duration |
| --- | --- | --- | --- |
| Data Mapping | Map every personal data flow: who collects it, where it goes, which vendors touch it. Essential to identify all biometric data points. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis (consent for biometrics, DPAs for biometric vendors, grievance, breach, deletion policies). Identifies specific biometric compliance gaps. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. Develops a concrete plan for biometric data consent mechanisms, security upgrades, and deletion protocols. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support + DPO Training + Final Readiness Opinion. Comprehensive support to fully integrate biometric data compliance into your operations, including DPO training on handling biometric data requests. | ₹7L – ₹12L | 3-6 months |

For businesses with extensive biometric data processing, such as those in manufacturing for attendance, or tech companies offering face recognition services, a Full DPDP Consulting engagement often provides the most robust and sustained compliance. Sushant Pasumarty and MBS leverage their experience in identity verification and cybersecurity to build tailored solutions.

When To Start

You should start immediately. Delaying compliance for biometric data carries significant risk due to its sensitive nature and the high potential for penalties under the DPDP Act. Even a foundational Data Mapping exercise will identify where biometric data resides.

Next Step

Understand your specific exposure. Use our free DPDP Cost Calculator to get an initial estimate of which MBS tier fits your needs. Then, book a consultation with Sushant Pasumarty to discuss your biometric data processing activities and ensure a comprehensive compliance strategy.
