Writing a DPDP-Compliant Privacy Notice: Requirements and Plain Language Rules

How to write a privacy notice that meets the DPDP Act 2023 requirements, including plain language mandates, mandatory disclosures, and grievance officer details.

A Privacy Notice Is Not a Privacy Policy

Most organisations conflate two distinct documents: the privacy notice and the privacy policy. The DPDP Act 2023 regulates only one of them.

A privacy policy is an internal governance document. It defines how your organisation handles personal data, assigns responsibilities, and sets retention schedules. It is written for your teams, your legal counsel, and your auditors.

A privacy notice is an external disclosure addressed directly to the Data Principal. It tells the individual what data you collect, why you collect it, what rights they have, and how to exercise those rights. It is written for the person whose data you are processing.

The DPDP Act requires the notice. Section 5(1) mandates that every request for consent be accompanied or preceded by a notice from the Data Fiduciary stating the personal data to be processed and the purpose, how the Data Principal can withdraw consent and seek grievance redressal, and how the Data Principal can complain to the Data Protection Board. An internal policy document sitting on your intranet does not satisfy this obligation.

The consequences of treating one as the other are tangible. A company with a detailed internal privacy policy but no public-facing privacy notice is non-compliant. A company with a public notice that reads like a legal brief is also non-compliant, because the Act requires clear and plain language (Section 6(3)).

What the DPDP Act Requires in a Privacy Notice

The Act prescribes a short list of disclosures that every privacy notice must contain, and a usable notice needs several more for the consent it supports to count as informed. Missing any of these elements creates a compliance gap that the Data Protection Board can act on once a complaint reaches it.

Required element | DPDP Act basis | What to include
Description of personal data collected | Section 5(1)(i) | Itemised list of data categories, not vague references
Purpose of processing | Section 5(1)(i) | Specific, stated purpose for each data element
Consent withdrawal mechanism | Sections 5(1)(ii), 6(4) | Clear instructions on how to withdraw consent, as easy as giving it
Grievance redressal route | Sections 5(1)(ii), 8(9), 8(10), 13 | How to raise a grievance and the business contact details of the person who answers it
Complaint to the Board | Section 5(1)(iii) | How the Data Principal can complain to the Data Protection Board
Data Principal rights | Sections 11 to 14 | Right to access, correction, erasure, grievance redressal, and nomination
Cross-border transfer disclosure | Section 16 | Countries or categories of countries where data is transferred
Retention period | Section 8(7) | How long data is retained and on what basis
Third-party sharing | Section 8(2) | Categories of Data Processors and partners receiving data

The first five rows are what Section 5(1) expressly requires. The remaining rows are not listed in Section 5(1), but without them the Data Principal cannot give the specific and informed consent that Section 6(1) demands, so treat every row as non-negotiable. Omitting the grievance contact, for example, is a standalone violation regardless of how complete the rest of your notice may be.

The Plain Language Mandate

Section 6(3) of the DPDP Act requires every request for consent to be presented in “clear and plain language”, and the notice that must accompany or precede that request is held to the same standard. This is not a suggestion. It is a statutory requirement with enforcement implications.

What Plain Language Means in Practice

Plain language does not mean informal language. It means language that the intended reader can understand on a single reading without specialist knowledge.

Concrete standards to apply:

  • Sentence length. Keep sentences under 25 words. A sentence with three subordinate clauses is not plain language, regardless of vocabulary.
  • Vocabulary. Replace legal terms with everyday equivalents. “Data Fiduciary” can be replaced with “we” after the first usage. “Processing” can be explained as “collecting, using, storing, or sharing.”
  • Structure. Use headings, numbered lists, and tables. Walls of text fail the plain language test by default.
  • Reading level. Target a reading level equivalent to a broadsheet newspaper, not a legal journal. If a university-educated professional needs to re-read a paragraph, it is too complex.

Multi-Language Requirements

India has 22 scheduled languages under the Eighth Schedule of the Constitution. Section 5(3) of the DPDP Act requires the Data Fiduciary to give the Data Principal the option to access the contents of the notice in English or any of those languages, and Section 6(3) applies the same rule to the consent request itself. The Act does not list which languages you must actually prepare, but a notice the Data Principal cannot read is neither clear nor plain.

If your service operates in Hindi-speaking markets, a notice published only in English does not meet that standard for those users. Best practice is to provide the notice in English and in the primary language of each market you serve.

At minimum, organisations serving Indian consumers should publish their privacy notice in:

  • English
  • Hindi
  • Any regional language where the service has significant user concentration

Translation must preserve legal accuracy. A notice translated by automated tools without legal review creates liability, not compliance.

Structure of an Effective Privacy Notice

A well-structured privacy notice follows a predictable format that readers can navigate quickly. The following ten-section template covers every disclosure that Section 5(1) requires and the additional disclosures listed above.

Section 1: Who We Are

State the legal name of the Data Fiduciary, registered address, and the capacity in which you process data. If you operate through subsidiaries, clarify which entity is responsible for data processing.

Section 2: What We Collect

List every category of personal data you collect. Do not use catch-all phrases like “and other information.” Specificity is the requirement.

Category | Examples
Identity data | Full name, date of birth, PAN, Aadhaar number
Contact data | Email address, phone number, postal address
Financial data | Bank account details, payment card numbers
Technical data | IP address, device identifiers, browser type
Usage data | Pages visited, features used, session duration

Section 3: Why We Collect It

Map each data category to a specific, stated purpose. Section 6(1) limits consent to the specified purpose and to the personal data necessary for it, so data collected for one purpose cannot be used for another without fresh consent (or another lawful ground under Section 7).

Section 4: How We Use It

Describe the processing activities in plain terms. “We use your email address to send you order confirmations and delivery updates” is compliant. “We process your personal data in accordance with our legitimate business interests” is not.

Section 5: Who We Share It With

List the categories of recipients. Name specific third parties where possible, or describe them by function (payment processor, cloud hosting provider, analytics service). Include any government or regulatory bodies to whom data may be disclosed.

Section 6: Cross-Border Transfers

If personal data is transferred outside India, disclose the destination countries or the categories of countries. Section 16 lets the Central Government restrict transfers to notified countries or territories, so transfers are permitted to any destination not on that restricted list, subject to any stricter sectoral law that applies to you. State the safeguards applied to each transfer.

Section 7: How Long We Keep It

State retention periods for each data category. Indefinite retention is not compliant. Section 8(7) requires erasure once consent is withdrawn or once it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is necessary to comply with a law in force. Where you rely on that exception, name the law.

Data category | Retention period | Deletion trigger
Account data | Duration of account + 90 days | Account deletion request
Transaction records | 7 years | Statutory audit period
Support tickets | 2 years after resolution | Purpose fulfilment
Marketing preferences | Until consent withdrawal | Consent withdrawal request

Section 8: Your Rights

Enumerate the Data Principal rights under the DPDP Act:

  1. Right to access (Section 11). You can request a summary of the personal data we hold about you and how we process it, and the identities of the other Data Fiduciaries and Data Processors we have shared it with.
  2. Right to correction (Section 12). You can request correction, completion, or updating of inaccurate or incomplete personal data.
  3. Right to erasure (Section 12). You can request deletion of your personal data, unless we must retain it under a law in force.
  4. Right to grievance redressal (Section 13). You can raise a complaint with our Grievance Officer and, if it is not resolved, with the Data Protection Board.
  5. Right to nominate (Section 14). You can nominate another person to exercise your rights in the event of death or incapacity.

Section 9: How to Contact Us

Provide the name, designation, and direct contact details of the Grievance Officer. Section 8(9) requires you to publish the business contact information of your Data Protection Officer (where one is required) or of a person who can answer Data Principals' questions on your behalf, and Sections 8(10) and 13 require an effective, readily available grievance mechanism. A generic info@ mailbox that nobody owns does not satisfy this. Name the officer, give a channel that is monitored, and state how quickly you respond. Also state how the Data Principal can complain to the Data Protection Board if the grievance is not resolved (Section 5(1)(iii)).

Section 10: Changes to This Notice

State how and when changes will be communicated. The DPDP Act does not prescribe a specific notification mechanism, but best practice is to notify Data Principals through the same channel used for the original notice.

Common Mistakes in Privacy Notices

Most privacy notices fail not because organisations intend to be non-compliant, but because they replicate patterns from GDPR templates or generic legal boilerplate without adapting to the DPDP Act’s specific requirements.

Vague purpose statements. “We collect your data to improve our services” is not a valid purpose statement. The Act requires specificity. State which service is improved, what data is used, and how.

Blanket consent clauses. “By using this website, you consent to the collection of all data described in this notice” is legally insufficient under the DPDP Act. Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the data necessary for the specified purpose. Continued use of a site is not an affirmative action, and one tick cannot cover unrelated purposes; each purpose needs its own consent.

Missing withdrawal mechanism. The notice must explain how to withdraw consent, and Section 6(4) requires withdrawing to be as easy as giving consent was. A notice that says “contact us to withdraw consent” without providing a direct mechanism fails this test. Once consent is withdrawn, processing must stop within a reasonable time and the data must be erased unless a law requires you to keep it (Sections 6(6) and 8(7)).

Outdated third-party lists. If you added a new analytics provider six months ago and did not update the notice, you are processing data without valid disclosure. Treat the notice as a living document tied to your data inventory.

No grievance officer. This is a standalone violation. Section 8(9) requires every Data Fiduciary to publish the business contact information of a person who can answer Data Principals' questions (the Data Protection Officer, for a Significant Data Fiduciary), and Sections 8(10) and 13 require an effective grievance redressal mechanism. An organisation with no named contact and no working channel is non-compliant regardless of how strong the rest of its notice may be.

Legal language instead of plain language. “The Data Fiduciary shall process personal data of the Data Principal in accordance with the provisions of this Act” is statute-style drafting, not a privacy notice. Rewrite it: “We will only use your personal data as described in this notice and as permitted by law.”

Consent Depends on the Notice

The relationship between consent and the privacy notice is sequential and mandatory. Section 5(1) requires the notice to accompany or precede every request for consent. Consent collected without a prior or concurrent notice is not valid under the DPDP Act.

Timing

Present the notice at the point of data collection. For a website form, this means displaying the notice (or a linked summary with the full notice available) before the user submits their data. For in-person collection, this means providing the notice in writing or verbally before collecting any information. For consent obtained before the Act commenced, Section 5(2) requires you to give the notice as soon as reasonably practicable; processing may continue until and unless the Data Principal withdraws consent.

Completeness

If the notice is incomplete at the time consent is requested, the consent itself is compromised. A missing section on cross-border transfers, for example, means the Data Principal consented without full knowledge of where their data would go. This creates grounds for a complaint under Section 13.

Layered Notices

For digital interfaces, a layered approach works well:

  1. First layer. A brief summary at the point of collection stating what data is collected, for what purpose, and linking to the full notice.
  2. Second layer. The complete privacy notice, accessible via a single click from the first layer.

The first layer must contain enough information for the Data Principal to make an informed decision. “We collect your data” with a link to the full notice is insufficient. “We collect your name and email address to create your account and send you order updates” with a link to the full notice meets the standard.

Keeping the Privacy Notice Current

A privacy notice written once and never updated is a compliance risk that grows with every change to your data processing activities.

When to Update

Review and update the notice whenever:

  • You begin collecting a new category of personal data
  • You add a new purpose for processing existing data
  • You engage a new Data Processor or third-party service that receives personal data
  • You begin transferring data to a new country
  • The Central Government issues new rules or notifications under the DPDP Act
  • Your grievance officer changes
  • You change your data retention periods
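Every trigger in that list is a change to the data inventory, so the cheapest way to catch a missed update is to compare the inventory with the published notice mechanically rather than by calendar reminder. The following Python example is added here and is not from this page or any product: it represents the inventory and the notice as structured records and reports each disclosure the notice is missing, including the stale third-party list described under Common Mistakes. The record fields, the sample inventory and the sample notice are all constructed.

```python
"""Added example: compare the data inventory with the published notice.

Illustrative code written for this page, not taken from it or from any
product. The inventory and notice below are constructed sample data; the
field names are assumptions about how a team might structure both.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DataInventory:
    """What the organisation actually does with personal data (constructed)."""
    categories: Set[str]
    purposes: Dict[str, Set[str]]      # purpose -> categories it uses
    processors: Set[str]               # third parties that receive data
    transfer_countries: Set[str]       # destinations outside India
    retention: Dict[str, str]          # category -> retention period


@dataclass
class PublishedNotice:
    """What the current public notice discloses (constructed)."""
    categories: Set[str]
    purposes: Dict[str, Set[str]]
    processors: Set[str]
    transfer_countries: Set[str]
    retention: Dict[str, str]
    grievance_contact: Optional[str] = None
    withdrawal_mechanism: Optional[str] = None


def notice_gaps(inv: DataInventory, notice: PublishedNotice) -> List[str]:
    """Return disclosures the notice lacks relative to real processing.

    Each string names one gap. An empty list means the notice covers
    everything the inventory records; it says nothing about wording.
    """
    gaps: List[str] = []
    for c in sorted(inv.categories - notice.categories):
        gaps.append(f"category collected but not disclosed: {c}")
    for purpose, cats in sorted(inv.purposes.items()):
        if purpose not in notice.purposes:
            gaps.append(f"purpose not disclosed: {purpose}")
            continue
        for c in sorted(cats - notice.purposes[purpose]):
            gaps.append(f"purpose '{purpose}' uses undisclosed category: {c}")
    for p in sorted(inv.processors - notice.processors):
        gaps.append(f"third party receives data but is not disclosed: {p}")
    for country in sorted(inv.transfer_countries - notice.transfer_countries):
        gaps.append(f"cross-border transfer not disclosed: {country}")
    for c in sorted(inv.categories):
        if c not in notice.retention:
            gaps.append(f"no retention period stated for: {c}")
        elif notice.retention[c] != inv.retention.get(c):
            gaps.append(f"retention period for {c} differs from inventory")
    if not notice.grievance_contact:
        gaps.append("grievance contact missing")
    if not notice.withdrawal_mechanism:
        gaps.append("consent withdrawal mechanism missing")
    return gaps


def stale_disclosures(inv: DataInventory, notice: PublishedNotice) -> List[str]:
    """Items the notice still lists but the inventory no longer records."""
    stale: List[str] = []
    for p in sorted(notice.processors - inv.processors):
        stale.append(f"processor no longer used: {p}")
    for c in sorted(notice.categories - inv.categories):
        stale.append(f"category no longer collected: {c}")
    return stale


# Constructed sample: an analytics vendor (and the usage data it receives)
# was added to the inventory, and the notice was never updated.
SAMPLE_INVENTORY = DataInventory(
    categories={"identity", "contact", "technical", "usage"},
    purposes={"account": {"identity", "contact"},
              "order_updates": {"contact"},
              "analytics": {"technical", "usage"}},
    processors={"payment processor", "cloud hosting provider", "analytics vendor"},
    transfer_countries={"Singapore"},
    retention={"identity": "account + 90 days", "contact": "account + 90 days",
               "technical": "12 months", "usage": "12 months"},
)
SAMPLE_NOTICE = PublishedNotice(
    categories={"identity", "contact", "technical"},
    purposes={"account": {"identity", "contact"}, "order_updates": {"contact"}},
    processors={"payment processor", "cloud hosting provider"},
    transfer_countries={"Singapore"},
    retention={"identity": "account + 90 days", "contact": "account + 90 days",
               "technical": "12 months"},
    grievance_contact="Grievance Officer, grievance@example.com",   # constructed
    withdrawal_mechanism="Account settings > Privacy > Withdraw consent",
)

if __name__ == "__main__":
    for line in notice_gaps(SAMPLE_INVENTORY, SAMPLE_NOTICE):
        print("GAP:", line)
    for line in stale_disclosures(SAMPLE_INVENTORY, SAMPLE_NOTICE):
        print("STALE:", line)
```

Run against the sample data, the check reports the undisclosed usage category, the undisclosed analytics purpose, the undisclosed analytics vendor, and the missing retention period for usage data. Wire it into the change process that feeds the inventory (vendor onboarding, new data fields, new regions) so that a non-empty result blocks the change until the notice is revised.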

Change Notification

Notify Data Principals of material changes to the privacy notice through:

  • Email notification to registered users
  • A prominent banner on your website or application
  • In-app notification for mobile applications

For changes that affect the basis of consent (new purposes, new third parties, new cross-border transfers), consider whether fresh consent is required. A material change to the scope of data processing may invalidate previously collected consent.

Version Control

Maintain a version history of your privacy notice. Record each version’s effective date, the changes made, and the notification method used. This documentation is critical in demonstrating compliance during an audit or investigation by the Data Protection Board.
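A version history only proves something if each consent record points at the exact notice that was shown. The Python example below is added here and is not from the page or any product: it hashes each published notice version, stores consent events against that hash, and answers the questions raised under Timing and Completeness (was the notice in force when consent was given, and did it disclose the purpose consented to). It also lists the purposes a newer notice adds that an older consent never covered, which is the fresh-consent question from Change Notification. The version history, notice texts, consent events and field names are constructed assumptions.

```python
"""Added example: bind each consent record to the notice version shown.

Illustrative code for this page, not from the page or any product. The
version history, notice texts and consent events below are constructed
sample data, and the field names are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set


def notice_hash(text: str) -> str:
    """SHA-256 of the exact notice text presented to the Data Principal."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class NoticeVersion:
    version: str
    effective_from: datetime
    purposes: frozenset            # itemised purposes this version discloses
    notification: str              # how Data Principals were told of the change
    text: str                      # the notice as published, verbatim

    @property
    def content_hash(self) -> str:
        return notice_hash(self.text)


@dataclass(frozen=True)
class ConsentRecord:
    principal_id: str
    purposes: frozenset            # purposes the Data Principal agreed to
    notice_hash: str               # hash of the notice shown when consent was given
    given_at: datetime


def utc(day: str) -> datetime:
    """Parse a YYYY-MM-DD date as midnight UTC (sample data helper)."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed version history: v1.1 added an analytics purpose.
HISTORY: List[NoticeVersion] = [
    NoticeVersion(
        version="1.0",
        effective_from=utc("2024-01-01"),
        purposes=frozenset({"account", "order_updates"}),
        notification="initial publication",
        text="Notice v1.0: we collect your name and email address to create "
             "your account and send you order updates.",
    ),
    NoticeVersion(
        version="1.1",
        effective_from=utc("2024-06-01"),
        purposes=frozenset({"account", "order_updates", "analytics"}),
        notification="email to registered users and in-app banner",
        text="Notice v1.1: we collect your name and email address to create "
             "your account and send you order updates, and share usage data "
             "with an analytics provider.",
    ),
]


def find_version(history: List[NoticeVersion], h: str) -> Optional[NoticeVersion]:
    """Look a notice up by content hash; None means no such version was published."""
    return next((v for v in history if v.content_hash == h), None)


def consent_problems(record: ConsentRecord, history: List[NoticeVersion]) -> List[str]:
    """Reasons a consent record cannot be relied on; an empty list means it checks out.

    A usable record points at a published notice that was already in effect
    when consent was given and that disclosed every purpose consented to.
    """
    version = find_version(history, record.notice_hash)
    if version is None:
        return ["notice hash does not match any published version"]
    problems: List[str] = []
    if record.given_at < version.effective_from:
        problems.append(f"consent given before notice {version.version} took effect")
    for purpose in sorted(record.purposes - version.purposes):
        problems.append(f"purpose '{purpose}' was not disclosed in notice {version.version}")
    return problems


def purposes_needing_fresh_consent(record: ConsentRecord, current: NoticeVersion) -> Set[str]:
    """Purposes the current notice adds that this consent never covered."""
    return set(current.purposes - record.purposes)


if __name__ == "__main__":
    ok = ConsentRecord("dp-1", frozenset({"account", "order_updates"}),
                       HISTORY[0].content_hash, utc("2024-02-15"))
    too_early = ConsentRecord("dp-2", frozenset({"analytics"}),
                              HISTORY[1].content_hash, utc("2024-05-01"))
    print(consent_problems(ok, HISTORY))
    print(consent_problems(too_early, HISTORY))
    print(purposes_needing_fresh_consent(ok, HISTORY[-1]))
```

Storing the hash rather than a version label means a later edit to the notice text, even a silent one, breaks the link and surfaces as an unknown version instead of being quietly attributed to consent that was given under different wording. Keep the published text of every version immutable alongside its hash, effective date and notification method, and the version history becomes evidence rather than a changelog.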

Start With the Right Foundation

A compliant privacy notice is one component of a broader compliance programme. Without a data inventory, gap analysis, and operational processes, the notice is a document without substance behind it.

Begin with the DPDP Gap Assessment to identify where your organisation stands. Use the Compliance Checklist to track progress across all obligation areas, including the privacy notice.

The DPDP Act does not reward intention. It requires documented, operational compliance. The privacy notice is where that compliance becomes visible to every person whose data you process.