Using the Internet in India? Here’s What the IT Act, 2000 Says About Your Rights and Responsibilities

You’re on your device right now. You probably checked WhatsApp, scrolled Instagram, or paid a bill today. Many of these actions are governed by the IT Act, 2000, and most of us don’t have a clue what it says.
You Can’t Claim Ignorance…
Forwarded a morphed image? That’s Section 66E. Sent threatening messages? The law’s got provisions for that. Hacked someone’s account “as a prank”? Section 66, your intentions don’t matter.
The law assumes you know it. So shouldn’t you actually… know it?
Your Digital Life Is Your Real Life. Your bank account, conversations, and memories are all digital now. The IT Act sets out rules for this digital world. It tells you what you can do, what’s illegal, and how to protect yourself from cyber fraud and harassment.
The IT Act gives you rights, compensation for data destruction, protection from impersonation, and privacy safeguards. But if you don’t know these rights exist, how will you ever claim them?
Every time you click, type, or share, you’re either exercising a right or performing a duty under Indian law.
Not knowing it? That’s like driving without knowing traffic rules. You might manage for a while, but when something goes wrong, you may regret not knowing the law. So to get an overview of Indian laws in the digital world, keep on reading…

What Is the Information Technology Act, 2000?

Let’s go back to the year 2000. Internet cafes were in trend, everyone was discovering the world of emails, and India was stepping into the digital world for the first time. But our laws had absolutely no idea how to deal with this new reality, which meant new rules were needed.
Some of the main reasons for an urgent need to come up with the digital changes all over the country by making new laws were :

1. E-commerce needed legal backing as people were afraid to buy things online, because electronic transactions had zero legal standing.
2. Cybercrime was becoming out of control. Hacking, online fraud, these weren’t just happening; they were skyrocketing. And there was no law to stop them.
3. The world was rapidly moving. The UN had already passed the Model Law on Electronic Commerce back in 1996. If India wanted to compete globally, it had to catch up.

This law changed everything. It gave legal recognition to electronic records and digital signatures. It helped the government go digital. It gave protection from cybercrime. It protected data and privacy, and it laid down the rules for digital businesses.

Key features of the IT Act 2000 were:

• Electronic records have the same value as Paper documents. Your emails, digital contracts, and UPI transactions can all be held up in court now. Electronic signatures are just as valid as the ones you sign with a pen.

• Cybercrime has actual consequences. The Act doesn’t leave room for excuses. It lists out online crimes and their punishments clearly. Hacking or unauthorized access, Identity theft, Cheating using a computer, publishing someone’s private photos without consent, and cyber terrorism. Each one comes with specific penalties, fines, imprisonment, or both, depending on how serious it is.

• Extra-territorial reach: Even if you’re sitting outside India and your online crime involves a computer or network here, the IT Act applies to you. Geographical area doesn’t protect you anymore.

• The government can block content. Under sections like 69A, the government has the power to block online content or monitor data if it’s a matter of national security, public order, or foreign relations.

• Platforms get protection but with conditions. Social media platforms, websites where you post and share (Instagram, YouTube, Twitter, etc.) are called intermediaries under the Act. They get what’s called “safe harbour protection,” meaning they’re not automatically held responsible for what users post. But there’s a catch to keep that protection, they have to follow government rules and take down unlawful content when asked.

India’s Information Technology Act of 2000 has been amended multiple times to keep pace with how technology and society actually work. Four major updates stand out: the 2008 amendment, the 2021 rules, the 2023 rules, and the very recent Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026.

• The 2008 Amendment:

The 2008 amendment added Section 66A, which penalized sending “offensive” content through electronic means. The idea was to stop messages that incite hatred or threaten national security. But it was not clearly defined what “offensive” actually meant. This vagueness led to people getting punished for things that were not real crimes. Eventually, the section was repealed because it was being misused.

• The 2021 Rules:

In 2021, the Ministry of Electronics and IT dropped new guidelines that changed how intermediaries(basically social media platforms) operate. These rules covered due diligence, grievance handling, and ethics for digital media. So the platforms now had to: Set up grievance redressal systems and appoint officers to handle complaints. Big platforms (over 5 million users) haveto do extra due diligence requirements. Digital media publishers have to remove specific types of content within strict deadlines

• 2023 Rules:

India’s IT Rules got another update in 2023. The 2023 amendment added new requirements for online intermediaries ( social media platforms)or anyone hosting content online.New obligations for platforms were introduced as:

1. They can’t allow harmful or unapproved online games and their ads.
2. Must not share false information about the Indian government, as flagged by a government fact-checking unit. If the fact-check unit says something is fake, platforms must remove it or risk losing their “safe harbour” protection (the legal shield that protects them from being sued over third-party content)
3. Social media has to take down flagged posts, ISPs(Internet service providers) have to block URLs.
4. Online gaming platforms must register with a Self-Regulatory Body (SRB) that decides if a game is “permissible”
5. Games can’t involve gambling or betting. They must follow legal standards, including parental controls.

• Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026

The Indian government dropped new regulations on AI content, and they will be taking effect from February 20, 2026.
The Ministry of Electronics and IT amended the 2021 Information Technology Rules. They’ve now defined “synthetically generated information” (SGI) as any AI-created content that looks real enough to fool people. Whether it be deepfakes, AI voices, face swaps, or anything that makes you think you’re seeing or hearing something authentic when it’s actually AI-generated.
Although they have carved out exceptions. Regular editing like color correction, formatting, or translations, doesn’t count as SGI. Educational materials and drafts are also exempted, as long as they don’t create fake documents.

Intermediaries (basically any platform) have new responsibilities now as they have to:

1. Inform users every 3 months, as breaking rules can get content removed or accounts terminated.
2. If someone uses their platform to create illegal AI content, they must warn users about penalties, as content removal timelines have become crisp: 3 hours instead of 36 hours for valid orders, and some urgent compliance needs action within 2 hours.

The AI-Specific Rules which platforms that enable AI content creation must use are:

1. Use automated tools to prevent illegal synthetic content (child abuse material, non-consensual intimate images, deceptive portrayals).
2. Label all lawful AI content clearly with visual watermarks for images, audio disclaimers for voice content.
3. Embed permanent metadata with unique identifiers.
4. Not allow users to remove these labels.
5. On social media, users must declare if content is AI-generated before posting. The platform will verify this and label it accordingly.

By these amendements India didn’t ban AI content. They went for transparency and accountability instead. The focus is on stopping deception and protecting people from harm without limiting innovation. This is India’s formal acknowledgment that AI-generated content isn’t a future problem.

Your rights aren’t scattered across confusing legal jargon anymore. The IT Act still deals with cybercriminals, but the Digital Personal Data Protection (DPDP) Act now gives you direct, enforceable control over how companies handle your information.

1. Your Right to Data Privacy
   Companies handling your personal data whether it’s your UPI ID, health records, or shopping history are now called “Data Fiduciaries,” and they face strict legal obligations.
2. Clear Consent, No More Fine Print:
   Companies can’t hide behind “implied consent” anymore. They must ask you clearly, in plain language (even in regional languages like Hindi, Tamil, or Bengali), before collecting your data. No more tiny checkboxes buried in 50-page agreements.
3. Access and Correction:
   You can ask any company, “What data of mine do you have?” and “Who have you shared it with?” If they’ve got something wrong, like an incorrect address or outdated phone number so you can demand to fix it.
4. The Right to Be Forgotten:
   Once the purpose is served (your delivery is complete, your account is closed), you can request companies erase your data. They must comply unless the law requires them to keep it.
5. Digital Legacy Planning:
   You can now appoint someone to manage your digital rights if you die or become incapacitated. Think of it as a digital will your nominated person can access, correct, or erase your data on your behalf.

The IT Act remains your primary shield against those who try to harm you online. Here’s what the law protects you from:

Hacking and Data Theft (Section 43 & 66): If someone hacked your account or stole your data, you have two options. Civil action lets you claim compensation for damages. Criminal action means they face up to 3 years of jail, a ₹5 lakh fine, or both in some cases.

Identity Theft (Section 66C): If someone used your password, Aadhaar, or digital signature without permission, they face up to 3 years in jail plus a ₹1 lakh fine.

Privacy Violation (Section 66E): If someone captured or shared private images of you without consent especially intimate or sexual content,they face up to 3 years in jail plus a ₹2 lakh fine.

Digital Contracts Count:
Your online order confirmations, rental agreements, and e-contracts are legally enforceable. Courts recognize them as valid documents.

E-Governance Documents:
Your e-Aadhaar, DigiLocker certificates, e-filed tax returns, and other digital government documents are recognized as legal evidence in court.

There is a fundamental shift in how India handles digital rights. You’re no longer just a “user”—you’re a “Data Principal” with enforceable legal rights. Companies must ask clearly, answer quickly, and delete when asked. If they don’t, the penalties are severe and the enforcement is real.
YOUR DATA, YOUR RULES. FINALLY

India’s digital scenario has transformed from “data protection” to “proactive accountability.” Whether you’re scrolling through Instagram, running an online business, or developing AI tools, the IT Act (2000) and DPDP Act (2023) now define exactly what you’re responsible for—with serious consequences and tight deadlines.
Your Duties as a Digital citizen are:

If You Use Digital Signatures:
The law puts the responsibility on your shoulders. Under Sections 40-42 of the IT Act, you must keep your private key secure with “reasonable care.”As you’re legally liable for anything signed with your digital signature until you officially notify the Certifying Authority to revoke it.

When You Post Content:
Major platforms now require you to declare whether your content is AI-generated which the law calls “Synthetically Generated Information” (SGI).

Platform Responsibilities:
Under the IT Rules Amendment 2026, social media companies and online platforms can’t just hide behind “we’re not responsible for user content” anymore. That legal protection (called “Safe Harbour”) must now be earned:

The 2-Hour Emergency Rule:
Platforms must remove non-consensual intimate imagery (NCII) or deepfake pornography within 2 hours of receiving a complaint. Two hours, not two days.

The 3-Hour Takedown Rule:
Any content deemed illegal by a court or government order (misinformation, incitement, etc.) must be removed within 3 hours. The old 36-hour window is history.

Mandatory AI Labels:
All AI-generated audio, video, and images must be clearly and permanently labeled. Platforms must also embed “digital fingerprints” (metadata) to trace synthetic content back to its source. These labels can’t be removed or hidden.

Faster Complaint Resolution:
Platforms must acknowledge complaints within 7 days and prioritize resolution of serious issues quickly this is a significant improvement from the old 15-day standard.

The days of “move fast and break things” are over. Whether you’re a user, a platform, or a business, ignorance is no longer an excuse. The law is clear, the deadlines are tight, and the penalties are substantial. Better to comply now than pay later.

• ​Myth: “Incognito Mode” or “Private Browsing” makes me invisible to the law.
  Reality: Wrong. Incognito mode only hides your history from people using your same computer. Your ISP(Internet Service Provider), the websites you visit, and the government can still see your IP address. Under the IT Act, “Private Browsing” provides zero legal immunity if you commit a cybercrime.
• ​Myth: WhatsApp can read my messages because of the Privacy Update.
  Reality: Mostly Myth. Personal chats are still End-to-End Encrypted. However, the reality is that they collect Metadata (who you talk to, when, and for how long). While they can’t see the content, the law (and Meta) can see the patterns of your behavior.
• ​Myth: Taking a screenshot of a private chat is illegal in India.
  Reality: It Depends. Simply taking a screenshot is not a crime. However, sharing that screenshot to ruin someone’s reputation (Defamation) or sharing private/intimate images from a chat (Section 66E) can land you in jail for 3 years.
• ​Myth: If I delete a message or a post, the evidence is gone forever.
  Reality: Factually False. Under the IT Rules, intermediaries (like X, Instagram, or WhatsApp) are often required to retain “logs” and “deleted data” for at least 180 days if requested by law enforcement. Digital footprints are much deeper than your “Delete for Everyone” button.
• ​Myth: Cyber laws only apply if I’m a “hacker” or a “pro.”
  Reality: Nope. If you use a fake profile to “prank” a friend (Section 66D – Cheating by Impersonation) or log into your ex’s Instagram without permission (Section 43 – Unauthorized Access), you are technically a cybercriminal in the eyes of the IT Act.

Let’s get one thing straight that the internet is not just a place to scroll memes, shop online, or binge-watch shows. It’s a legally regulated space, and whether you like it or not, every click you make falls under the law. The IT Act, 2000, along with its 2008 Amendment, the IT Rules 2021, and the very recent amendments of 2026, create the framework that protects you & holds you accountable. It safeguards your data. It punishes identity theft and hacking. It makes your digital transactions legally valid. It gives you rights and responsibilities.

But the problem is this that most people have NO idea these protections exist.
They don’t know they can claim compensation for data breaches. They don’t know Section 66C protects them from identity theft. They don’t realize their e-contracts are legally enforceable.And that ignorance? makes them vulnerable.

Digital Freedom Comes With Accountability. Do you want to use the internet freely? Fine, but that freedom has limits.
You can’t violate someone’s privacy and hide behind “freedom of expression.” You can’t steal data and call it “just browsing.” You can’t harass someone online and claim “it’s just a joke.”Rights and responsibilities go hand-in-hand.

India is becoming more digital every day. More data. More tech. More dependence on the internet and in this world, understanding the IT Act isn’t optional but essential.Being digitally active needs being legally informed. A responsible internet user isn’t just tech-savvy they’re legally conscious.
Know your rights. Know your responsibilities. Know the law because the internet is regulated. And you’re accountable.

STAY INFORMED. STAY RESPONSIBLE. STAY PROTECTED.