Today is Constitution Day — November 26 — the anniversary of the Constituent Assembly adopting the Constitution of India in 1949. The 2025 theme is "Hamara Samvidhan, Hamara Swabhiman" (Our Constitution, Our Pride). Twelve days ago, on November 14, MeitY notified the [DPDP Rules 2025](https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655) — the first time in our 76-year constitutional journey that we have a real, operational, enforceable framework for personal data rights. As a founder shipping a consumer product, this is the day I want to write about what that means for those of us who build the apps people log into every morning.
- Nov 26, 1949: Constitution adopted
- 76 years: From Article 21 to enforceable data rights
- 2017: Puttaswamy: privacy = fundamental right
- May 2027: Operational deadline for builders
## A note on what this post is
Most of what I write on the company blog is technical — playbooks, runbooks, "ship this on Tuesday." This one is a founder essay. It is the take I would give a younger founder over coffee. If you are looking for the engineering checklist, our [Nov 14 DPDP post](/blog/dpdp-rules-2025-7-day-action-plan-saas-founders-india) has the 12 tasks we are running for clients. This post is about the why.
## The arc from Article 21 to the Rules
The Indian Constitution did not say "right to privacy" anywhere in 1949. It said "right to life and personal liberty" in Article 21, and for 67 years that was a living, contested phrase. In 2017, the [Puttaswamy judgement](https://main.sci.gov.in/judgments) declared privacy a fundamental right derived from Article 21 — a nine-judge bench reading personal liberty to include information about one's own life. In 2023, Parliament passed the DPDP Act to operationalise that right. In November 2025, MeitY notified the Rules to give the Act teeth. As a builder, you should read this not as a regulatory burden but as the moment a 76-year constitutional promise became a feature you have to ship.
## What the Constitution actually asks of builders
The Constitution does not name "founders" or "engineers" or "product managers." It names citizens. Every product I ship is a tiny instance of the social contract — a few hundred million Indians granting me access to their photos, their conversations, their health metrics, their kids' homework, in exchange for my promise to use that access carefully. That promise was, until 2025, enforceable only through reputation and class action. Starting May 2027, it is enforceable through ₹250 crore penalties and a Data Protection Board with subpoena power. The asymmetry has flipped.
## Three things I think about, as a founder, after reading the Rules
### 📜 Consent is a UX problem, not a legal one
The Rules make consent the central mechanism. Most apps treat consent as a 4,000-word T&C that nobody reads. The product opportunity is to ship consent UX that is actually usable — and the brands that do will earn trust the others spend years buying.
### 🗑️ Erasure is an engineering problem
The right to erasure means the user can hit a button and you scrub their data from your DB, your warehouse, your CDN, and your backups. If you have not built this, you do not have a feature backlog item — you have a refactor.
### 👶 Children deserve more
The Rules treat children's data with elevated care. As builders shipping to the Indian internet, where kids start using phones at 8, this is not a compliance task. It is a moral one. PenLeap (our edtech) has spent two years on age-gating; the Rules now bake in what we already believed.
## The consent-flow patterns I think builders should ship
Reading the Rules carefully, I keep coming back to four patterns. Each is a UX choice, not just a checklist. Each compounds trust over time.
### Pattern 1: the standalone consent screen
Section 8 of the Rules (and the corresponding rule) requires the consent notice to be a separate, standalone document — not buried in T&Cs. I think the right pattern is a single screen, immediately after signup, that asks for consent on each purpose separately. Not one big checkbox. One purpose, one toggle, one paragraph of plain Hindi/English/Tamil/whatever the user chose, with a "tell me more" link. The cost: 2 days of design + 3 days of engineering. The benefit: a user who said yes meaningfully, and an audit trail you can defend.
- [ ] We will use your contact info to send you OTPs and order updates.
- [ ] We will use your usage patterns to improve the product.
- [ ] We will share aggregated, anonymised data with researchers.
- [ ] We will share your contact info with our shipping partner Delhivery.
Each toggle is independent. None default to "on." The user can revoke any of them later from the same screen. This is more friction than "tap to continue," and that is the point.
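
A sketch of the storage model behind that screen, added here as an illustration and not code from this post's author or any client project. The purpose identifiers, the `ConsentLedger` class and the `notice_version` field are assumptions, and an in-memory list stands in for a database table.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical identifiers for the four toggles listed above.
PURPOSES = (
    "otp_and_order_updates",
    "product_improvement",
    "anonymised_research_sharing",
    "shipping_partner_sharing",
)

@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool
    notice_version: str  # which wording of the notice the user actually saw
    at: datetime

class ConsentLedger:
    """Append-only store: a revocation is a new event, never an overwrite."""

    def __init__(self):
        self._events = []

    def record(self, user_id, purpose, granted, notice_version, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        event = ConsentEvent(user_id, purpose, bool(granted), notice_version,
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def is_allowed(self, user_id, purpose):
        # The most recently recorded event wins; no event at all means "off".
        for event in reversed(self._events):
            if event.user_id == user_id and event.purpose == purpose:
                return event.granted
        return False

    def state(self, user_id):
        """Current toggle positions, as the consent screen would render them."""
        return {p: self.is_allowed(user_id, p) for p in PURPOSES}

    def history(self, user_id):
        """Full audit trail for one user, oldest first."""
        return [e for e in self._events if e.user_id == user_id]
```

Because nothing is ever updated in place, the same rows answer both "is this purpose allowed right now?" and "what did this user agree to, and when?".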
### Pattern 2: the "your data" dashboard
Every user should be able to see, at a glance, what data you hold about them, what consents they have given, and one button to download or delete. The big tech companies have variants of this; small Indian SaaS firms almost never do. Building it is 10–15 engineering days. The product benefit: a meaningful trust signal on every onboarding screen — "you can see and delete everything we know about you, anytime, here." That is a marketing claim with teeth.
### Pattern 3: the audit log the user can read
The deepest version of trust is letting the user see who accessed their data and when. Internal admin tools, support agents, automated jobs — log them all and surface a redacted version to the user. "Manvi from support viewed your account on Nov 22 to resolve ticket #4421." The first time we shipped this for a fintech client, the support team objected ("won't users get paranoid?"). They were wrong. Support tickets dropped 14% the next month because users could see what was happening and stopped guessing.
### Pattern 4: the data residency disclosure
The Rules give users the right to know where their data is processed. Most apps ignore this. The pattern I like: a single sentence on the privacy page that names the city. "Your account data is stored in AWS Mumbai (ap-south-1). Backups are in AWS Hyderabad (ap-south-2). Analytics is processed in Bangalore on our own servers." Plain, specific, verifiable. The day a competitor cannot say the same is the day you have a moat.
## Common mistakes I see founders making this month
- Symptom: "We added a privacy policy page in 2022, we are fine." A privacy policy is not a consent notice. The Rules require operational mechanisms — programmatic erasure, downloadable data, audit logs of access. A 4,000-word policy document satisfies none of that.
- Symptom: "We will deal with this in 2027 when enforcement starts." The engineering work to retrofit this is 4–8x the cost if done after the product is built versus during. A 2027 retrofit on a 5-year-old codebase is a year-long project. A 2026 build-out on the same codebase is 12 weeks.
- Symptom: "Our lawyer said we are fine." Lawyers can read the Act and the Rules. They cannot ship the consent screen, the erasure pipeline, the audit log, the encryption-at-rest migration. The legal review is the start of the work, not the end.
- Symptom: "We are too small for the Board to care about us." The Board can act on a single user complaint. A small SaaS with 10,000 users that ignores erasure requests is more exposed than a 10M-user app with a clean process — because the small SaaS has no lawyer on retainer to fight.
The Constitution Day reminder. Today, schools across India are running the Preamble reading. Article 21 — life and personal liberty — is one line that has been read aloud in those classrooms for 76 years. Tomorrow, the kids in those classrooms will open an app you might be building. The Constitution does not care about your release timeline. It cares about whether the app respects them.
## A founder confession
I have shipped products in the past that did not pass the test I am writing about. Email lists I should not have built. Analytics events I should not have logged. Consent flows that were a tap-to-continue. The DPDP Rules are not making me more careful as a punishment — they are making me more careful because the law has finally caught up with what I believed when I started building. I think most founders will read the Rules and have a similar reaction, somewhere between "this is going to be a lot of work" and "this is what I should have been doing all along."
## A real example: a founder call I had on Nov 18
A consumer-facing SaaS founder I have known since 2019 called me at 9 PM on Nov 18, three days after the Rules dropped, asking what to prioritise. The call lasted 40 minutes. By the end we had agreed on three things: (1) ship the standalone consent screen by January, (2) build the erasure pipeline by March, (3) hire a part-time DPO by June. None of those is a heroic engineering effort. All three together are the floor of being a serious adult company in 2026. The hard part is not the engineering. The hard part is committing the team's calendar in a quarter where revenue targets compete with everything.
## The one number I think every founder should track
For the next 18 months, I think every founder should track one number on the company dashboard: "days to delete a user, end-to-end." From the user clicking the delete button, to every system having scrubbed their data, with timestamped evidence. Today most Indian SaaS firms cannot answer this question. The ones that can answer it with "under 24 hours" by mid-2026 are the ones that will not have a Board investigation in 2027. The number is a forcing function. Every other DPDP control compounds from it.
## The personal angle
I have a kid. He is going to grow up using apps built by my peers and competitors. The world I want him to inherit is not one where every brand has a 4,000-word T&C he has to scroll through. It is one where consent is meaningful, erasure is a button, and his data goes where he wants it to go. That is not a regulatory ambition. It is a constitutional one. The Rules notified on Nov 14 are the closest we have come to building the technical scaffolding for the right that Puttaswamy declared in 2017 and that Article 21 implied in 1949.
If you are a founder reading this on Constitution Day, the question is not "do we have to comply." It is "what kind of company do we want to be."
## What we are doing at Softechinfra and our products
I will be honest about what we are shipping. At [Softechinfra](https://softechinfra.com), we are baking DPDP into every CRM, web, and mobile build we ship from Q1 2026 — the standalone consent screen, the erasure pipeline, the audit log, the residency disclosure. On [PenLeap](https://penleap.com), our in-house edtech for kids 11+, the children-data work has been our priority since 2024 and the Rules ratify it. On [TalkDrill](https://talkdrill.com), our English-speaking product, we are migrating the consent flow from a single checkbox to the four-toggle pattern in this post. None of this is heroic. It is just what builders should do when the law catches up with what we already knew was right.
For the technical playbook that goes alongside this essay, our team has put together the [12 engineering tasks for Indian SaaS founders](/blog/dpdp-rules-2025-7-day-action-plan-saas-founders-india) — the operational counterpart to the values I have written about above. [Manvi](/team/manvi) and [Hrishikesh](/team/rishikesh-baidya) have done the heavy lifting on the engineering side; [the consent UX patterns](/services/web-development) reflect their work on a Bengaluru fintech and a Hyderabad SaaS we worked with through October and November.
For more of my own writing on this — the founder side rather than the company side — I keep [my personal blog at viveksinra.com](https://viveksinra.com), where I have been thinking out loud about the founder duty to data subjects since the Puttaswamy judgement.
## Where the Constitution and the codebase meet
There is a romantic version of writing this kind of essay that I want to avoid: the "noble builder shoulders the constitutional duty" framing. The reality is more practical and more humble. We are people who write code for money. We have customers, payroll, runway. The Rules are a forcing function on a set of practices that, in my experience, the best founders were doing anyway because their users asked for it and their conscience asked for it. Constitution Day is a useful annual reminder that the Constitution and the codebase are not separate things. The Constitution is the upstream specification. The codebase is the implementation. May 2027 is the deadline to refactor.
## FAQ
### Why does the DPDP Act matter constitutionally?
It is the legislative implementation of the Puttaswamy judgement (2017), which read the right to privacy into Article 21's "right to life and personal liberty." The Act and Rules are the enforceable mechanism for that fundamental right. Constitutionally, this is the first time builders have a real obligation grounded in fundamental rights, not just in tort or contract.
### What should founders do today?
Read the Rules. The full text is on [meity.gov.in](https://www.meity.gov.in/). Then read your privacy policy with fresh eyes. Then schedule a 90-minute meeting with your CTO and head of product to plan the four patterns above. Ship something — even a small consent improvement — before December 31. Momentum compounds.
### Is this overstating the constitutional angle?
Possibly. Reasonable people disagree on how much constitutional weight to give the Rules versus statutory weight. My view is that, given Puttaswamy's nine-judge bench reading, the Rules are constitutionally significant and not just regulatory. Read the [Puttaswamy judgement summary](https://main.sci.gov.in/) and decide for yourself.
### What about smaller startups with no engineering team?
Most no-code platforms (Bubble, Webflow, Glide) are now adding DPDP-style consent components. If you are pre-engineering, use those. The bigger trap is starting with poor consent UX and inheriting the data-debt as you grow. Ship clean from day one if you possibly can.
### Will enforcement actually happen?
The Data Protection Board exists from Nov 14, 2025. The penalty regime is fully active in Phase 3 (May 2027). Enforcement will start with high-profile cases — likely large breaches at well-known brands — to set precedents. SMBs will see informal compliance notices first, formal penalties later. The lag is the window to ship.
### How does this compare to what other countries did?
The EU shipped GDPR in 2018 with a 2-year prep window. Indian DPDP gives 18 months from Rules notification. The compression is real. Brazil's LGPD had a similar compressed schedule. The countries that did this without major disruption all had aggressive industry preparation in the 12 months before. India is roughly 5 months behind the equivalent EU readiness curve.
### Where can I read more from a founder's perspective?
[My personal blog](https://viveksinra.com) has been where I think out loud about the founder duty to users since 2017. I have a longer piece on Puttaswamy and product design from 2018 that has aged surprisingly well. The [Internet Freedom Foundation](https://internetfreedom.in/) and [Software Freedom Law Centre](https://sflc.in/) are the most useful civil-society reads on the implementation question.
Need a DPDP-compliant consent and data-rights flow?
If you are a founder shipping a consumer product and want the consent screen, the erasure pipeline, and the audit-log dashboard built into your existing app — our team can scope this in a week and ship it in 3 to 6 weeks depending on your stack. The first call is with me — I am Vivek Kumar, co-founder, and I have been writing about the founder side of data rights on my personal blog for years. Typical engagement: ₹2.4–₹4.8 lakh.