The Privacy Notice is not a formality. It is the first legal instrument that establishes your relationship with the Data Principal. Under DPDPA, this notice must be presented before or at the moment you seek consent. Not after. Not buried in terms of service. Before.
What the Law Demands
Section 5 of the DPDPA 2023 mandates that every Data Fiduciary provide a notice containing specific information. Rule 3 of the DPDP Rules 2025 expands this requirement with granular detail. The notice must itemize each category of personal data you collect. It must state every purpose for which you process that data. It must explain how the Data Principal can withdraw consent. And it must provide a clear channel for grievances.
- Itemized description of personal data categories
- Specific purposes for each data category
- Consent withdrawal mechanism
- Grievance redressal contact details
- Data retention periods where applicable
Standalone Requirement
The privacy notice under DPDPA must be standalone. This is a departure from common practice where privacy disclosures are embedded within lengthy terms of service. The regulator expects a dedicated document. Clear. Accessible. Written in plain language that an average person can understand without legal training.
Language and Accessibility
Rule 3(2) requires the notice to be available in English and all languages specified in the Eighth Schedule to the Constitution. This means 22 languages. If your user base includes speakers of Hindi, Tamil, Bengali, or any scheduled language, you must provide the notice in that language. Translation is not optional.
Timing Is Everything
The notice must be provided before seeking consent or at the time of seeking consent. Presenting it after data collection is a violation. Relying on implied consent without notice is a violation. The sequence matters because the law treats informed consent as foundational.
Essential Clauses
Data Categories Itemization
Rule 3(1)(a): Each type of personal data must be listed separately with its processing purpose.
Purpose Specification
Section 5(1): Vague purposes like "improving services" are insufficient. State specific, concrete purposes.
Consent Withdrawal Procedure
Section 6(4): The notice must explain exactly how a Data Principal can revoke consent, with the same ease as granting it.
Grievance Officer Details
Rule 3(1)(d): Name, designation, and contact information of the person handling complaints.
Third-Party Sharing Disclosure
Section 8(2): If data will be shared with Data Processors or other entities, this must be stated.
Cross-Border Transfer Notice
Section 16: If data may be transferred outside India, explicit disclosure is required.
Implementation Steps
- Conduct a data inventory to identify all personal data categories you collect
- Map each data category to its specific processing purpose
- Draft the notice in clear, plain language avoiding legal jargon
- Engage professional translators for scheduled language versions
- Establish the grievance redressal mechanism before publishing the notice
- Integrate the notice presentation into your data collection workflows
- Test user flows to ensure notice appears before consent is sought
- Implement version control to track notice updates over time