A privacy policy is not a legal formality. Under the DPDPA, it is the primary instrument through which a Data Fiduciary demonstrates transparency.
Section 5 of the DPDPA requires every Data Fiduciary to provide a notice to the Data Principal before or at the time of collecting personal data. Rule 3 operationalises this by prescribing the format and content of the notice. The privacy policy must identify the Data Fiduciary, describe each processing purpose, specify the categories of personal data collected, and inform the Data Principal of their rights under Sections 11 to 14. A notice that fails to meet these requirements renders the consent obtained on its basis potentially invalid, exposing the organisation to the full penalty framework.
Why Most Privacy Policies Will Not Survive DPDPA Scrutiny
The DPDPA's notice requirements are prescriptive, not aspirational. Generic privacy policies drafted for GDPR or IT Act compliance will not suffice.
Most privacy policies currently deployed on Indian websites and applications were drafted for compliance with the Information Technology Act, 2000 and its rules, or adapted from GDPR templates. The DPDPA introduces requirements that these legacy policies do not address. The notice must be provided in English or any language specified in the Eighth Schedule of the Constitution. Each processing purpose must be separately and clearly identified. The notice must inform the Data Principal of the right to withdraw consent and the procedure for doing so.
The consequence of a non-compliant notice is not merely regulatory exposure. Under the DPDPA, consent obtained on the basis of an inadequate notice may be treated as invalid. If the notice did not clearly identify the processing purpose, the consent given for that purpose may not satisfy Section 6 requirements. This creates a cascading compliance failure: invalid notice leads to invalid consent, which renders the processing unlawful.
Mandatory Privacy Notice Components
Six elements that every DPDPA-compliant privacy notice must contain under Section 5 and Rule 3.
Data Fiduciary Identification
Section 5(1)(a): The notice must clearly identify the Data Fiduciary by name, registered address, and contact details. Where a Data Protection Officer has been appointed, the DPO's contact information must also be provided.
Purpose Specification
Section 5(1)(b): Each processing purpose must be separately identified and described in clear, plain language. Vague descriptions such as "improving our services" or "business purposes" do not satisfy the specificity requirement.
Rights Disclosure
Section 5(1)(c): The notice must inform the Data Principal of every right available under Sections 11 to 14, including the right to access, correction, erasure, and grievance redressal, together with the procedure for exercising each right.
Complaint Mechanism
Section 5(1)(d): The notice must describe how the Data Principal can file a complaint with the Data Protection Board of India if the Data Fiduciary fails to respond to a grievance within the prescribed timeline.
Consent Withdrawal Procedure
Section 6(4) | Rule 3: The notice must clearly explain how consent can be withdrawn and confirm that the process for withdrawal is as straightforward as the process for granting consent. The consequences of withdrawal must be stated.
Cross-Border Transfer Disclosure
Section 16: If personal data is transferred outside India, the notice must disclose this fact, identify the jurisdictions involved, and confirm that the transfers comply with Section 16 requirements.
Privacy Notice Architecture for Digital Platforms
The challenge for digital platforms is balancing comprehensive disclosure with usability. A privacy notice that satisfies every legal requirement but is never read fails its transparency objective. Effective privacy notice architecture uses layered disclosure: a concise first-layer notice at the point of data collection, linked to a comprehensive policy that provides full statutory detail. Each layer must be self-sufficient for its purpose, and the first-layer notice must contain enough information to satisfy the informed consent requirement.
"A privacy policy that cannot be understood by the person it is meant to protect has failed its fundamental purpose. Clarity is not optional under the DPDPA."
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
What must a DPDPA-compliant privacy policy include?
Under Section 5, a DPDPA-compliant privacy notice must identify the Data Fiduciary, describe each processing purpose, specify the categories of personal data collected, inform the Data Principal of their rights under Sections 11 to 14, explain the consent withdrawal procedure, disclose any cross-border transfers, and provide the mechanism for filing complaints with the Data Protection Board.
Is a GDPR-compliant privacy policy sufficient for DPDPA compliance?
No. While there is significant overlap, the DPDPA has specific requirements that differ from the GDPR. For example, the DPDPA requires notices in English or Eighth Schedule languages, has different consent framework requirements under Section 6, and does not recognise all GDPR lawful bases for processing. A GDPR policy must be reviewed and supplemented for DPDPA compliance.
When must the privacy notice be provided?
Section 5 requires the notice to be provided before or at the time of requesting consent. For personal data already collected before the DPDPA's commencement, Section 5(2) requires the notice to be given as soon as reasonably practicable. The notice must be provided before any new processing begins.
Can a single privacy policy cover multiple websites and applications?
Yes, provided the policy clearly identifies each Data Fiduciary entity, specifies the processing purposes applicable to each platform, and describes the data collection practices specific to each service. A single policy covering multiple platforms must be structured so that users can easily identify the information relevant to the platform they are using.