The Digital Personal Data Protection Act 2023 (DPDP Act) fundamentally changes how Indian websites and apps must handle user data. Every data fiduciary — any entity that determines the purpose and means of processing personal data — must provide a clear notice before collecting data, obtain free, specific, informed, unambiguous, and withdrawable consent, and honour the rights of data principals on demand. Failure to meet these requirements exposes your organisation to significant regulatory penalties from the Data Protection Board of India. This guide covers what a compliant privacy notice must contain, how valid consent works under DPDP, and the practical steps Indian businesses need to take now.
What the DPDP Act 2023 Actually Requires
The DPDP Act, notified by MeitY (Ministry of Electronics and Information Technology) in August 2023 and available at meity.gov.in, creates a rights-based framework for digital personal data. It applies to any processing of digital personal data within India, and to processing outside India if it involves offering goods or services to individuals in India.
The core obligations for data fiduciaries are:
- Notice — Provide a clear, plain-language notice to every data principal before or at the time of collecting personal data.
- Consent — Obtain valid consent that meets all five attributes: free, specific, informed, unambiguous, and withdrawable.
- Purpose limitation — Process data only for the purpose for which consent was given.
- Data minimisation — Collect only what is necessary for the stated purpose.
- Storage limitation — Erase personal data when the purpose is fulfilled or consent is withdrawn.
- Accuracy — Take reasonable steps to ensure data is accurate and complete.
- Security safeguards — Implement reasonable security measures to prevent data breaches.
What a Compliant Privacy Notice Must Contain
Under Section 5 of the DPDP Act, every notice to a data principal must include, in clear and plain language:
- The personal data being collected and the purpose for which it will be processed.
- The manner in which the data principal may exercise their rights (access, correction, erasure, grievance).
- The manner in which the data principal may withdraw consent.
- A link or reference to the contact details of the Data Protection Officer (or a nominated grievance officer, if no DPO is mandatory for your organisation).
| Notice Element | DPDP Act Requirement | Common Gap Found |
|---|---|---|
| Purpose of processing | Specific, not generic | "Improving services" without detail |
| Data types collected | Listed explicitly | Blanket "any information you provide" |
| Rights of data principal | Access, correction, erasure, grievance | No mention of erasure right |
| Consent withdrawal path | Clear mechanism stated | No withdrawal option offered |
| Grievance contact | Name/email of officer | Generic contact form only |
| Language availability | English + Eighth Schedule on request | English-only with no option stated |
| Consent Manager reference | If applicable | Not mentioned |
The Five Attributes of Valid Consent
Section 6 of the DPDP Act sets out the requirements for consent. Consent is only valid when it is:
- Free — Not conditional on accessing a service unless the data is genuinely necessary for that service. Pre-ticked boxes, dark patterns, and forced bundling invalidate consent.
- Specific — Given for a clearly defined purpose. Omnibus consent for "all present and future uses" is invalid.
- Informed — Given after the data principal has been provided the requisite notice.
- Unambiguous — Indicated by a clear affirmative action. Silence, inactivity, or pre-ticked checkboxes do not constitute consent.
- Withdrawable — Withdrawal must be as easy as giving consent, and must take effect immediately for future processing.
Consent lifecycle under the DPDP Act:
- The data principal visits the website and is served a consent notice stating the purpose and their rights.
- If the data principal gives consent through an affirmative action, processing begins and is limited to the stated purpose.
- If the data principal declines, the service is restricted or continues without the data processing.
- Once the purpose is fulfilled, the data is erased or anonymised.
- If the data principal withdraws consent, processing stops immediately and the data is erased within a reasonable timeline.

A practical implication: if your sign-up form has a pre-checked "I agree to marketing emails" box, that consent is invalid under DPDP. Users must actively check it. Similarly, if your mobile app requests location access as a condition of using a feature that does not need location data, that consent is not free.
Consent Managers: The New Infrastructure
The DPDP Act introduces the concept of a Consent Manager — a registered entity through which data principals can give, manage, review, and withdraw consent across multiple data fiduciaries through a single interface. Consent Managers will be registered with and regulated by the Data Protection Board of India.
For businesses, working through a registered Consent Manager shifts certain consent-record-keeping obligations to the Consent Manager. However, it does not absolve the data fiduciary of its core obligations. The rules around Consent Manager registration, interoperability standards, and certification are expected in the subordinate rules that MeitY is developing.
Practically, businesses should architect their consent infrastructure to be Consent Manager-compatible: store consent records with a unique identifier per data principal, make consent records queryable, and expose a consent withdrawal API endpoint that can be called by external Consent Manager platforms.
Handling Children's Personal Data
Section 9 of the DPDP Act imposes heightened obligations for processing personal data of children (under 18 years). Key requirements:
- Verifiable parental or guardian consent is mandatory before processing a child's personal data.
- Processing that is likely to cause harm to a child is prohibited regardless of consent.
- Tracking, behavioural monitoring, and targeted advertising directed at children are explicitly prohibited.
Significant Data Fiduciaries (SDFs), a category to be notified by the Central Government, will face additional compliance obligations around children's data processing, including algorithmic transparency and mandatory data audits.
Data Principal Rights Your Platform Must Support
The DPDP Act grants data principals the following rights, each of which requires a corresponding operational capability on your platform:
Right to access information (Section 11) — A data principal can request a summary of their personal data being processed and the purposes for which it is being processed. Your system must be able to generate this summary and deliver it on request.
Right to correction and erasure (Section 12) — A data principal can request correction of inaccurate or misleading data, completion of incomplete data, and erasure of personal data no longer necessary for the stated purpose. Your database architecture must support targeted deletion or anonymisation per user, not just account deactivation.
Right to grievance redressal (Section 13) — Every data principal must have access to a grievance mechanism. Grievances must be addressed within the timeline specified in the rules (expected to mirror existing IT Act obligations). The Data Protection Board is the appellate authority if the fiduciary does not respond adequately.
Right to nominate (Section 14) — A data principal can nominate another individual to exercise rights on their behalf in the event of death or incapacity.
[Chart: Data Principal Rights Under the DPDP Act 2023]
Practical Steps to Make Your Indian Website Compliant
Step 1 — Conduct a Data Mapping Exercise
Before updating your privacy policy, map every point where personal data enters your systems: sign-up forms, payment flows, analytics scripts, third-party SDKs, CRM integrations, and API calls to partners. This data map becomes the factual basis for your notice.
Step 2 — Rewrite Your Privacy Notice
Replace legal boilerplate with a plain-language notice that lists each data type, its purpose, the retention period, and the withdrawal method. Keep it under 1,000 words for the summary; link to a full policy for detail. See the DPDP compliance guide for a structured checklist.
Step 3 — Implement a Consent Management Layer
Add a consent management component (cookie banner for web, permissions screen for mobile) that:
- Captures an explicit affirmative action for each consent category
- Records the consent with a timestamp and the version of the notice shown
- Surfaces a withdrawal option in the user account settings
- Triggers downstream erasure or processing-stop workflows on withdrawal
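As an added illustration of the consent-record design described under Consent Managers and in Step 3 (example code written for this guide, not the guide's own or any product's code; the class names, the `notices` map and the hook list are assumptions), the ledger below records each consent against a specific purpose and notice version, rejects anything that is not an explicit affirmative action, stops processing immediately on withdrawal, and exposes a queryable per-principal view:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional
@dataclass
class ConsentRecord:
    principal_id: str       # unique identifier per data principal
    purpose: str            # one specific purpose, as declared in the notice
    notice_version: str     # version of the notice shown when consent was given
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    # Hypothetical in-memory store; a real deployment would persist these records
    def __init__(self, notices: dict[str, set[str]]):
        self.notices = notices            # notice version -> purposes that version declares
        self.records: list[ConsentRecord] = []
        self.on_withdraw: list[Callable[[str, str], None]] = []  # stop-processing / erasure hooks

    def record_consent(self, principal_id, purpose, notice_version, affirmative_action):
        # Unambiguous: a pre-ticked default or silence arrives as affirmative_action=False and is rejected
        if not affirmative_action:
            raise ValueError("consent requires an explicit affirmative action")
        # Specific and informed: the purpose must appear in the notice version actually shown
        if purpose not in self.notices.get(notice_version, set()):
            raise ValueError(f"purpose {purpose!r} not declared in notice {notice_version}")
        rec = ConsentRecord(principal_id, purpose, notice_version, datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def _active(self, principal_id, purpose):
        return [r for r in self.records if r.withdrawn_at is None
                and r.principal_id == principal_id and r.purpose == purpose]

    def may_process(self, principal_id, purpose) -> bool:
        # Purpose limitation: only an active consent for this exact purpose allows processing
        return bool(self._active(principal_id, purpose))

    def withdraw(self, principal_id, purpose) -> int:
        # Withdrawal takes effect immediately for future processing and fires downstream hooks
        hit = self._active(principal_id, purpose)
        for r in hit:
            r.withdrawn_at = datetime.now(timezone.utc)
        for hook in (self.on_withdraw if hit else []):
            hook(principal_id, purpose)
        return len(hit)

    def consents_for(self, principal_id) -> list[dict]:
        # Queryable per-principal view, the shape a Consent Manager or an access request needs
        return [{"purpose": r.purpose, "notice": r.notice_version,
                 "given_at": r.given_at.isoformat(), "active": r.withdrawn_at is None}
                for r in self.records if r.principal_id == principal_id]
```

In a deployment, `withdraw` would sit behind the withdrawal API endpoint that an external Consent Manager or the user's account settings calls, and the hooks would enqueue the erasure workflow from Step 4.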
Step 4 — Build Rights-Response Workflows
Create internal processes for receiving and fulfilling access, correction, and erasure requests. Assign ownership (typically the DPO or a compliance lead). Define SLA timelines. Test the erasure path end-to-end, including cascading deletes or anonymisation in backup stores and third-party processors.
Step 5 — Assess Your Security Posture
The DPDP Act mandates "reasonable security safeguards." While the Act does not prescribe specific technical controls, CERT-In's Information Security Practices and ISO 27001 are the reference benchmarks. A periodic VAPT assessment — by Bachao.AI, operated by Dhisattva AI Pvt Ltd, or with a CERT-In empanelled partner — identifies vulnerabilities in your web and API attack surface that could lead to a notifiable data breach.
Step 6 — Appoint a Grievance Officer and Publish Contact Details
Even before the DPDP rules are finalised, publish the name, email, and response-timeline commitment of a nominated grievance officer on your privacy notice page. This is also a requirement under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 for most platforms.
DPDP vs GDPR: Key Differences for Indian Businesses
Many Indian businesses have adapted GDPR-style privacy policies. While there is philosophical overlap, the DPDP Act has distinct requirements:
| Dimension | GDPR | DPDP Act 2023 |
|---|---|---|
| Lawful basis options | 6 lawful bases (consent, contract, legitimate interest, etc.) | Primarily consent and certain legitimate uses; no "legitimate interests" balancing test |
| Right to portability | Yes | Not explicit in the Act; may be in rules |
| DPO requirement | Mandatory for certain controllers | DPO equivalent for Significant Data Fiduciaries only |
| Children's age threshold | 16 (varies by Member State) | 18 |
| Cross-border transfers | Adequacy decisions + SCCs + BCRs | Transfer to notified countries permitted; blacklisting model |
| Territorial scope | Global (EU residents) | India-centric + extraterritorial for India-targeted services |