Privacy Notice Requirements
Plain English Translation
Under Section 5(1) of the Act, you cannot simply ask a user to click "I Agree." You must first present a clear, DPDP Act-compliant privacy notice that explains exactly what personal data is being collected and why. The notice must detail the specific data types, the processing purpose, and how the user can withdraw consent or file a grievance. Using a standardized DPDP privacy notice template ensures you consistently answer "what," "why," and "how to complain" before the consent request is made, so that the user is fully informed.
Technical Implementation
Required Actions (startup)
- Hardcode the privacy notice text on the sign-up page above the checkbox.
- Ensure the text includes data types, purpose, and contact info.
- Store a simple boolean flag for acceptance.
Required Actions (scaleup)
- Implement a privacy notice template using a dedicated CMP tool.
- Version control notices in the database.
Required Actions (enterprise)
- Automated updates to the processing-purpose notice via an API linked to the Record of Processing Activities (RoPA).
- Real-time audit logging of notice presentation and acceptance.
- Automated blocking of data collection for users on deprecated notice versions.
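The scaleup and enterprise actions above (versioned notices, audit logging of presentation and acceptance, blocking collection on deprecated versions) fit together as shown in this added example, which is not code from the DPDP Workbook or from any CMP product. The `NoticeLedger` class, its field names and the sample notice are assumptions, and in-memory structures stand in for the database and audit store.

```python
import hashlib, json, time

REQUIRED = ("data_types", "purpose", "withdrawal", "complaint")  # Section 5(1) items

class NoticeLedger:  # hypothetical: versioned notices plus an append-only log
    def __init__(self):
        self.notices = {}    # version -> (notice dict, sha256 of canonical JSON)
        self.current = None  # the only version that unlocks collection
        self.events = []     # audit trail (assumption: stands in for a DB table)

    def publish(self, version, notice):
        missing = [k for k in REQUIRED if not notice.get(k)]
        if missing:
            raise ValueError(f"notice {version} is missing: {missing}")
        blob = json.dumps(notice, sort_keys=True).encode()
        self.notices[version] = (notice, hashlib.sha256(blob).hexdigest())
        self.current = version  # earlier versions are now deprecated

    def _log(self, user, action, version):
        self.events.append({"user": user, "action": action, "version": version,
                            "sha256": self.notices[version][1], "ts": time.time()})

    def present(self, user):
        self._log(user, "presented", self.current)
        return self.notices[self.current][0]

    def accept(self, user, version):
        # Acceptance counts only if this exact version was shown to the user first.
        shown = any(e["user"] == user and e["action"] == "presented"
                    and e["version"] == version for e in self.events)
        if not shown:
            raise PermissionError("acceptance without a prior notice presentation")
        self._log(user, "accepted", version)

    def may_collect(self, user):
        # Users who only accepted a deprecated version are blocked.
        return any(e["user"] == user and e["action"] == "accepted"
                   and e["version"] == self.current for e in self.events)

def demo():
    ledger = NoticeLedger()
    base = {"data_types": ["email", "phone"], "purpose": "account creation",  # constructed
            "withdrawal": "Settings > Privacy", "complaint": "in-app form to the Board"}
    ledger.publish("1.0", base)
    ledger.present("u1")
    ledger.accept("u1", "1.0")
    before = ledger.may_collect("u1")
    ledger.publish("2.0", {**base, "purpose": "account creation and marketing"})
    return before, ledger.may_collect("u1")
```

Once version 2.0 is published with a changed purpose, `may_collect("u1")` stays false until that user is shown and accepts the new notice. Each log entry carries the notice hash, so the record shows which text was on screen.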
According to Section 5(1), the notice must include the specific personal data proposed to be processed, the purpose of processing, the manner of exercising rights (including withdrawal), and the manner of making a complaint to the Data Protection Board.
A compliant notice must accompany or precede the consent request. It should clearly inform the Data Principal about the data usage and rights. Section 5(3) also implies offering it in English or any language in the Eighth Schedule to the Constitution.
The Act specifically refers to a "notice" under Section 5(1) accompanying a consent request for a specific purpose. A policy (Section 8(4)) generally refers to the broader internal technical and organisational measures to ensure observance of the Act.
Section 5(1) mandates that the notice must be given "accompanied or preceded by" the request for consent. It must appear before or at the exact moment the Data Principal is asked to agree to processing.
If notice is not provided, the consent may not be considered "informed" under Section 6(1). The Data Fiduciary generally bears the burden of proof (Section 6(10)) to show a proper notice was given.
Yes, Section 5(1) states the request for consent shall be "accompanied or preceded by" the notice. This allows them to be presented together, provided the notice details (data, purpose, rights) are clearly communicated to the Data Principal.
The Act requires notice for a "specified purpose". If the purpose changes, a new notice and new consent would effectively be required under Section 6(1) to ensure consent remains specific and informed for the new processing activity.
"Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |