How to Create a DPDP-Compliant Privacy Policy

DPDP Comply Team, 5 April 2026

Your privacy policy is not just a legal formality — under India's DPDP Act 2023, it is a mandatory compliance document. Section 5 of the Act requires Data Fiduciaries to provide a clear, detailed notice to Data Principals before or at the time of collecting their personal data. A non-compliant privacy policy does not just expose you to regulatory risk; it undermines the validity of any consent you collect.

This guide walks you through every element your privacy policy needs to include to meet DPDP Act requirements.

What the DPDP Act Requires in a Privacy Notice

Section 5 of the DPDP Act mandates that before requesting consent, a Data Fiduciary must give the Data Principal a notice containing:

  1. The personal data being collected and the purpose of processing
  2. The manner in which the Data Principal may exercise their rights under the Act
  3. The manner in which the Data Principal may make a complaint to the Data Protection Board of India

This notice must be in clear and plain language, providing an itemized description of the data and purposes. If you are processing data collected before the Act came into force, you must provide this notice as soon as reasonably practicable.

Essential Sections of a DPDP-Compliant Privacy Policy

1. Identity and Contact Details of the Data Fiduciary

Start with the basics. Clearly identify your organization — legal name, registered address, and contact details. Include a dedicated email or contact channel for privacy-related inquiries.

Data Fiduciary: [Your Company Name]
Registered Address: [Full Address]
Privacy Contact: privacy@yourcompany.com

2. Personal Data Collected

Provide an itemized list of the categories of personal data you collect. Be specific rather than vague. Instead of saying "we collect personal information," enumerate the actual data points.

Good example:

  • Full name
  • Email address
  • Phone number
  • Billing address
  • IP address
  • Device identifiers
  • Cookie data and browsing behavior on our website

Bad example:

  • We collect personal information necessary for our services

The DPDP Act requires specificity. Vague descriptions undermine the informed nature of consent.

3. Purpose of Processing

For each category of personal data, explain why you are collecting and processing it. The DPDP Act ties consent to specific purposes — you cannot collect consent for one purpose and use data for another.

Example purposes:

  • Account creation and management — Name, email, phone number
  • Order fulfillment — Name, address, payment details
  • Customer support — Name, email, conversation records
  • Marketing communications — Email address (with separate consent)
  • Analytics and service improvement — IP address, device identifiers, usage data
  • Legal compliance — Tax records, KYC documents

4. Consent Mechanism

Describe how you obtain consent and reference Section 6 requirements. Your privacy policy should explain that:

  • Consent is collected through clear affirmative action (e.g., checking an unchecked box, clicking an "I Agree" button)
  • Consent is specific to each stated purpose
  • Data Principals can withdraw consent at any time
  • Withdrawal of consent is as easy as giving consent

Link to your actual consent management interface or explain how users can manage their preferences. For detailed guidance, see our complete guide to consent management under DPDP.

5. Data Retention Periods

Specify how long you retain personal data for each purpose. The DPDP Act requires deletion of personal data when it is no longer needed for the purpose it was collected or when consent is withdrawn (unless retention is required by law).

Example:

  • Account data: Retained while your account is active, deleted within 90 days of account closure
  • Transaction records: Retained for 8 years as required by tax law
  • Marketing preferences: Retained until you withdraw consent
  • Support tickets: Retained for 2 years after resolution
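As an added illustration, not text from this guide and not DPDP Comply's product code, the following Python model puts the consent rules from section 4 and the retention periods from section 5 into one structure: a separate consent record per stated purpose, timestamped withdrawal that is a single call, and a deletion check that applies the example retention periods above while honouring a statutory hold (transaction records kept for tax law even after withdrawal). The purpose names, the day counts, the `STATUTORY_PURPOSES` set and the sample Data Principal are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed retention schedule mirroring the example periods in the policy text.
# Days count from a trigger event (account closure, transaction date, ticket
# resolution); None means the data is kept only while consent stands.
RETENTION_DAYS = {
    "account": 90,            # deleted within 90 days of account closure
    "transactions": 8 * 365,  # retained 8 years as required by tax law
    "marketing": None,        # retained until consent is withdrawn
    "support": 2 * 365,       # retained 2 years after resolution
}
# Purposes where retention is required by law: withdrawal does not trigger deletion.
STATUTORY_PURPOSES = {"transactions"}

EPOCH = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed reference date


def at_day(n: int) -> datetime:
    """Helper for the example: a timestamp n days after EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class DataPrincipal:
    principal_id: str
    consents: dict = field(default_factory=dict)          # purpose -> ConsentRecord
    retention_trigger: dict = field(default_factory=dict)  # purpose -> trigger datetime

    def give_consent(self, purpose: str, when: datetime) -> None:
        # Consent is purpose-specific: one record per itemised purpose, never a blanket flag.
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"unknown purpose {purpose!r}; purposes must be itemised in the notice")
        self.consents[purpose] = ConsentRecord(purpose, when)

    def withdraw_consent(self, purpose: str, when: datetime) -> None:
        # Withdrawal is as easy as giving consent: a single call, timestamped for the audit trail.
        rec = self.consents.get(purpose)
        if rec is not None and rec.active:
            rec.withdrawn_at = when

    def may_process(self, purpose: str) -> bool:
        # Processing for a purpose is allowed only while consent for that purpose is active.
        rec = self.consents.get(purpose)
        return rec is not None and rec.active


def purposes_due_for_deletion(p: DataPrincipal, now: datetime) -> list:
    """Purposes whose data must be deleted at `now`: consent withdrawn with no
    statutory hold, or the retention period elapsed since the trigger event."""
    due = []
    for purpose, days in RETENTION_DAYS.items():
        rec = p.consents.get(purpose)
        if rec is not None and not rec.active and purpose not in STATUTORY_PURPOSES:
            due.append(purpose)
            continue
        trigger = p.retention_trigger.get(purpose)
        if days is not None and trigger is not None and now >= trigger + timedelta(days=days):
            due.append(purpose)
    return sorted(due)


def demo() -> dict:
    """Walk a constructed sample principal through consent, withdrawal and retention."""
    p = DataPrincipal("user-001")
    for purpose in ("account", "marketing", "transactions"):
        p.give_consent(purpose, EPOCH)
    p.retention_trigger["transactions"] = EPOCH       # transaction dated day 0
    p.withdraw_consent("marketing", at_day(10))       # marketing data now due for deletion
    p.withdraw_consent("transactions", at_day(10))    # statutory hold keeps the records
    p.retention_trigger["account"] = at_day(100)      # account closed on day 100
    return {
        "marketing_allowed": p.may_process("marketing"),
        "account_allowed": p.may_process("account"),
        "due_day_11": purposes_due_for_deletion(p, at_day(11)),
        "due_day_189": purposes_due_for_deletion(p, at_day(189)),
        "due_day_190": purposes_due_for_deletion(p, at_day(190)),
    }


if __name__ == "__main__":
    print(demo())
```

The check runs as a scheduled job against every principal; the withdrawal timestamp and the trigger dates are what an auditor will ask for, so keep them rather than overwriting records in place.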

6. Data Principal Rights

Clearly explain how Data Principals can exercise their rights under Sections 12-14 of the Act:

  • Right to Access (Section 12) — Request a summary of personal data being processed and processing activities
  • Right to Correction (Section 13) — Request correction of inaccurate or misleading personal data
  • Right to Erasure (Section 13) — Request deletion of personal data that is no longer necessary
  • Right to Grievance Redressal (Section 14) — File a complaint about data processing practices
  • Right to Nominate (Section 14) — Nominate another individual to exercise rights in case of death or incapacity

Include the specific process for submitting requests (email, web form, or portal link) and state that you will respond within 30 days as required by Section 13(3).

7. Grievance Redressal Mechanism

The Act requires a clear grievance redressal process. Include:

  • Contact details for your Grievance Officer or privacy team
  • The process for submitting a grievance
  • Expected response timeline (within 30 days)
  • Information about escalation to the Data Protection Board of India if the Data Principal is not satisfied with your response

8. Data Sharing and Transfers

Disclose if and how you share personal data with:

  • Data Processors — Third-party service providers processing data on your behalf (name the categories, e.g., cloud hosting, payment processing, email delivery)
  • Cross-border transfers — Whether data is transferred outside India and to which countries
  • Government or legal requests — Circumstances under which data may be disclosed to authorities

9. Children's Data

If your service is accessible to children (under 18 years under the DPDP Act), include specific provisions:

  • You will obtain verifiable parental consent before processing children's data (Section 9)
  • You will not undertake tracking, behavioral monitoring, or targeted advertising directed at children
  • Your process for verifying parental consent

10. Security Measures

While you do not need to disclose your complete security architecture, provide assurance that you implement reasonable security safeguards to protect personal data. Mention general categories such as encryption, access controls, regular security audits, and incident response procedures.

11. Changes to the Privacy Policy

Explain how you will notify Data Principals of material changes to the privacy policy. Best practice is to notify via email and prominently display the update on your website. Include the date of the last update.

Language and Accessibility

The DPDP Act requires notices in clear and plain language. Avoid legal jargon wherever possible. The Act also contemplates notices in English and the 22 languages listed in the Eighth Schedule of the Indian Constitution. Consider providing your privacy policy in Hindi and other regional languages relevant to your user base.

Common Mistakes to Avoid

  • Copy-pasting a GDPR privacy policy — While there is overlap, the DPDP Act has different requirements. See our DPDP vs GDPR comparison
  • Using vague language — "We may collect some information" does not meet the specificity requirement
  • Burying the notice — The privacy policy must be provided before or at the time of data collection, not hidden in a terms of service page
  • Forgetting withdrawal instructions — Section 11 compliance requires you to explain how consent can be withdrawn
  • No grievance mechanism — A privacy policy without a clear complaint process is incomplete

Hosting and Managing Your Privacy Policy

Your privacy policy needs to be a living document — updated as your data practices change, accessible from every point of data collection, and versioned for audit purposes.

DPDP Comply includes a privacy policy management feature that helps you create, host, and version your privacy documents with automatic audit trails. Combined with our consent management banner, you get end-to-end compliance from notice to consent to rights management.

Get Started Free to create your DPDP-compliant privacy policy today, or View Pricing for team and enterprise plans.

Next Steps

  1. Audit your current privacy policy against the requirements listed above
  2. Update or rewrite sections that do not meet DPDP standards
  3. Implement a consent mechanism that references your updated policy
  4. Set up a rights request workflow to fulfill Data Principal requests within 30 days
  5. Use DPDP Comply to manage the entire process from a single dashboard

For a broader understanding of the DPDP Act, see our complete guide to the DPDP Act 2023.