The Data Protection Board issued its first compliance notices under the Digital Personal Data Protection Act on Monday — four notices, to two digital lenders, a hospital network and an online gaming platform — moving India's privacy regime from its long guidance phase into enforcement, two years after the rules were notified and five after the law passed.

The four cases sketch the board's priorities more clearly than any of its circulars. The gaming platform faces the children's-data provisions: verifiable parental consent that investigators found cosmetically implemented, and behavioural-advertising profiles built on users the platform's own age-gate had flagged as minors. The hospital chain's notice concerns a breach — 210,000 patient records exposed through a diagnostic-partner integration — reported to the board 43 days after detection, against the 72-hour rule. The lenders face the consent-architecture provisions: bundled consents that conditioned loan disbursal on access to contacts and location, the 'consent theatre' the board's chairperson has publicly promised to dismantle.

The penalty exposure is the regime's teeth: up to ₹250 crore per violation category, with the breach-notification failure carrying the statute's highest band. Board officials have signalled that first-round outcomes will emphasise remediation over maximum penalties — but the notices themselves, published in redacted form on the board's portal, read as templates addressed to every fiduciary in the market.

Industry's response has the two layers it always has. Publicly, the large platforms welcome enforcement clarity, and genuinely: the compliance investments of the last two years — consent managers, data-minimisation audits, grievance architecture — were made on the assumption the law would eventually bite. Privately, the mid-market's compliance debt is the sector's open secret; a survey by an industry body in May found fewer than a third of covered entities with functioning consent-withdrawal flows.

The regime's structural critics remain unappeased in both directions. Civil-society groups note the government's own sweeping exemptions and the board's appointment architecture — enforcement against private fiduciaries, they argue, is the regime working precisely where it was designed to and nowhere it was not. Industry associations, meanwhile, want the cross-border rules' country-list finalised before enforcement scales.

The four fiduciaries have thirty days to respond. The board's first adjudications, expected by autumn, will write the case law a two-year-old regime has lacked — and tell a market that has priced privacy as a paperwork cost what it actually costs.