DPDP-Compliant Privacy Policy for Indian Businesses: Mandatory Elements and Requirements (2025)
If you run a website, app, or any digital service that processes personal data of Indian users, you need a privacy policy that complies with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the DPDP Rules, 2025. But what exactly must that policy contain? Most templates available online were written against older frameworks, and under the DPDP Act, a generic privacy policy is not just inadequate, it is a liability.
This guide sets out the mandatory elements every DPDP-compliant privacy policy must include, the specific requirements introduced by the DPDP Rules, 2025, and the practical mistakes that make otherwise well-intentioned policies legally indefensible.
1. Why Your Existing Privacy Policy Likely Does Not Comply with the DPDP Act
Under the data protection regime that preceded the DPDP Act, principally the Information Technology Act, 2000 and the SPDI Rules, 2011, a privacy policy was, in substance, a disclosure document. Rule 4 of the SPDI Rules required a body corporate to publish a policy stating the type of personal or sensitive personal data it collected, the purpose of collection, its disclosure practices and the reasonable security practices it followed. That was broadly it.
The DPDP Act, 2023 imposes a fundamentally different standard. Under Section 5, every request for consent must be accompanied or preceded by a notice that states the personal data to be processed and the purpose, how the Data Principal can exercise the right to withdraw consent and the right to grievance redressal, and how to complain to the Data Protection Board of India. In practice the privacy policy is where that notice content lives, so the policy is no longer a description of what you do: it informs, enables the exercise of rights, and binds you to the purposes you state. If your policy was drafted before 2024, does not reference the DPDP Act expressly, or follows a generic GDPR template, it almost certainly misses several of the mandatory requirements outlined below.
2. Mandatory Elements of a DPDP-Compliant Privacy Policy
The DPDP Act, 2023 and the DPDP Rules, 2025 together prescribe what a valid consent notice and privacy policy must contain. The following elements are not optional:
a) Identity of the Data Fiduciary
The policy must clearly identify the Data Fiduciary, that is, the entity that alone or together with others determines the purpose and means of processing personal data. This means the full legal name of the business, its registered address and its contact details. A trading name or website name alone is insufficient, because the Data Principal must be able to tell which legal entity is accountable to them.
b) Categories of Personal Data Collected
You must specify, with reasonable particularity, every category of personal data you collect. The DPDP Rules, 2025 require the notice to carry an itemised description of the personal data to be processed, so broad descriptions such as “information you provide” or “usage data” do not suffice. Each category (name, email address, device identifiers, location data, financial information, health data) must be named explicitly.
c) Purpose of Processing, Per Category
The DPDP Act requires purpose limitation: under Section 6, consent signifies agreement to processing for the specified purpose only, and is limited to the personal data necessary for that purpose. Your privacy policy must therefore state the purpose of processing for each category of data separately. A single catch-all purpose clause (e.g., “to provide and improve our services”) covering all data categories does not satisfy this standard.
d) Basis for Processing and Consent Architecture
Where consent is the basis for processing, which it will be for most commercial data processing under the DPDP Act (the alternative, the “legitimate uses” in Section 7, is a narrow list), the policy must describe exactly how consent is obtained, what it covers, and how it can be withdrawn. Consent under Section 6 must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, limited to the personal data necessary for the specified purpose, and withdrawable with ease comparable to the ease with which it was given. Pre-ticked boxes, bundling consent into acceptance of the terms of service, and implied-consent clauses do not meet the clear-affirmative-action standard and cannot be relied on.
The DPDP Rules, 2025 add further precision: the consent notice must be presented in clear and plain language, be understandable on its own without reference to other documents, carry an itemised description of the personal data and the specified purpose, and give the Data Principal the link or other means to withdraw consent, exercise their rights and make a complaint to the Data Protection Board. It must be kept separate from all other contractual terms.
e) Data Principal Rights and How to Exercise Them
The DPDP Act confers the following rights on every Indian user whose data you process:
- Right to access, to obtain a summary of the personal data being processed and the processing activities conducted, together with the identities of the other Data Fiduciaries and Data Processors with whom the data has been shared and a description of what was shared.
- Right to correction and erasure, to have inaccurate or incomplete data corrected and, subject to certain exceptions, to have personal data erased.
- Right to grievance redressal, to raise concerns and have them addressed within prescribed timelines.
- Right to nominate, to nominate another individual to exercise rights on the Data Principal’s behalf in the event of death or incapacity.
Your privacy policy must describe each right in plain language, the mechanism through which it can be exercised (e.g., a dedicated email address or in-app portal), and the turnaround time for responses. The DPDP Rules, 2025 prescribe specific timelines for responding to access requests and grievances: these timelines must be stated expressly in the policy.
f) Retention Period and Deletion Policy
Data must not be retained for longer than necessary to fulfil the stated purpose. Section 8(7) requires personal data to be erased when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is required by a law in force, and the Data Fiduciary must cause its Data Processors to erase it too. Your privacy policy must specify retention periods for each category of data, or at minimum the criteria used to determine those periods. For the classes of large platforms listed in the Rules (high-user-count e-commerce, online gaming and social media intermediaries) the DPDP Rules, 2025 fix a maximum retention period and require the Data Principal to be notified before erasure; in every case deletion must follow the standards prescribed under the Rules.
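How the consent obligations in (d) and the retention obligations in (f) translate into enforcement inside an application is best seen in code. The following is an added example, not code from this page or from any product, and every name in it (the two purposes, the ledger API, the principal “u1”, the timestamps) is an assumption made for illustration. It records consent per itemised purpose together with the notice version and language shown, refuses anything that was not a clear affirmative act, lets a data category be processed only under an active consent whose purpose covers that category, erases a purpose’s data the moment consent is withdrawn, and sweeps data whose retention period has elapsed.

```python
"""Purpose-bound consent ledger with withdrawal and retention sweeps.

Added example for illustration only (not the page's or any product's code).
The purposes, the ledger API and the sample principal "u1" are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Purpose:
    """One itemised purpose from the notice: the data categories it needs and
    how long data collected for it may be kept after the last interaction."""
    name: str
    categories: frozenset
    retention: timedelta


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    notice_version: str        # which version of the notice the principal saw
    language: str              # language the notice was shown in (e.g. "hi")
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Gate every processing step on a live, purpose-specific consent record,
    and erase data when consent is withdrawn or the retention period runs out."""

    def __init__(self, purposes):
        self.purposes = {p.name: p for p in purposes}
        self.consents = {}   # principal -> purpose -> ConsentRecord
        self.data = {}       # principal -> purpose -> {category: value}
        self.last_seen = {}  # principal -> timestamp of last interaction

    def grant(self, principal, purpose, *, affirmative_action, notice_version, language, now):
        if purpose not in self.purposes:
            raise KeyError(f"purpose {purpose!r} is not itemised in the notice")
        if not affirmative_action:
            # A pre-ticked box or bundled terms acceptance is not a clear affirmative act.
            raise ValueError("consent requires a clear affirmative action")
        self.consents.setdefault(principal, {})[purpose] = ConsentRecord(
            purpose, now, notice_version, language)
        self.last_seen[principal] = now

    def withdraw(self, principal, purpose, now):
        """Withdrawal is one call, as easy as granting, and erases the purpose's data."""
        rec = self.consents.get(principal, {}).get(purpose)
        if rec is None or not rec.active():
            return False
        rec.withdrawn_at = now
        self.data.get(principal, {}).pop(purpose, None)
        return True

    def may_process(self, principal, purpose, category):
        """True only if consent for this purpose is active and the purpose covers the category."""
        rec = self.consents.get(principal, {}).get(purpose)
        spec = self.purposes.get(purpose)
        return bool(rec and rec.active() and spec and category in spec.categories)

    def record(self, principal, purpose, category, value, now):
        if not self.may_process(principal, purpose, category):
            raise PermissionError(f"no active consent to hold {category!r} for {purpose!r}")
        self.data.setdefault(principal, {}).setdefault(purpose, {})[category] = value
        self.last_seen[principal] = now

    def held(self, principal, purpose):
        return dict(self.data.get(principal, {}).get(purpose, {}))

    def sweep(self, now):
        """Erase data whose retention period has elapsed since the last interaction."""
        deleted = []
        for principal, by_purpose in self.data.items():
            last = self.last_seen[principal]
            for purpose in list(by_purpose):
                if now - last > self.purposes[purpose].retention:
                    del by_purpose[purpose]
                    deleted.append((principal, purpose))
        return deleted


def demo():
    """Walk one principal through grant, cross-purpose refusal, withdrawal and expiry."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger([
        Purpose("order_fulfilment", frozenset({"name", "address"}), timedelta(days=365)),
        Purpose("marketing", frozenset({"email"}), timedelta(days=30)),
    ])
    for purpose in ("order_fulfilment", "marketing"):
        ledger.grant("u1", purpose, affirmative_action=True,
                     notice_version="2025-11", language="hi", now=now)
    ledger.record("u1", "order_fulfilment", "address", "Pune", now)
    ledger.record("u1", "marketing", "email", "u1@example.com", now)
    cross_purpose = ledger.may_process("u1", "marketing", "address")  # purpose limitation: False
    ledger.withdraw("u1", "marketing", now + timedelta(days=1))
    after_withdrawal = ledger.may_process("u1", "marketing", "email")  # False once withdrawn
    swept = ledger.sweep(now + timedelta(days=400))  # order data is past its 365-day retention
    return cross_purpose, after_withdrawal, ledger.held("u1", "marketing"), swept


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the processing code never sees a blanket “user accepted the policy” flag: `record()` has to name the purpose and the category, and the ledger answers from a record that carries the notice version and language the principal actually saw, which is the evidence you would produce to the Board. A real deployment would persist the ledger and the erasure log, and would add the advance erasure notice the Rules require for the large platform classes.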
g) Third-Party Sharing and Data Processors
If you share personal data with third parties (analytics vendors, payment processors, cloud providers, advertising networks), the policy must identify the categories of recipients, the purpose of sharing, and the safeguards in place. Under Section 8(2) a Data Fiduciary may engage a Data Processor only under a valid contract, and under Section 8(1) the Fiduciary remains responsible for compliance with the Act for any processing done on its behalf, irrespective of any agreement to the contrary; that accountability must be reflected in your policy.
h) Cross-Border Data Transfers
Transfer of personal data outside India is governed by Section 16, which takes a negative-list approach: transfer is permitted to any country or territory except those the Central Government restricts by notification, and the DPDP Rules, 2025 allow the Central Government to impose further conditions on such transfers by general or special order. Any stricter restriction in another law in force (for example, sectoral payments data localisation requirements) continues to apply. Your policy must disclose whether personal data is transferred outside India, identify the destination countries, and describe the legal basis and contractual safeguards for such transfers.
i) Children’s Data Protections
If any portion of your service is accessible to users under 18 years of age (a “child” under the Act), or if you process personal data of minors, the privacy policy must contain a dedicated section on children’s data protection. Under Section 9, processing a child’s personal data requires verifiable consent of the parent or lawful guardian, and tracking or behavioural monitoring of children and targeted advertising directed at children are prohibited. The DPDP Rules, 2025 set out how verifiable consent is to be obtained and exempt certain classes of Data Fiduciary and certain purposes from parts of Section 9, so the policy should state which mechanism you use and whether any exemption applies to you.
j) Grievance Officer Details
Section 8(9) requires every Data Fiduciary to publish the business contact information of its Data Protection Officer, where one is required, or otherwise of a person able to answer Data Principals’ questions about the processing of their data, and Section 8(10) requires an effective grievance redressal mechanism. In practice this is the Grievance Officer: name the officer (or the role) and give a dedicated contact pathway prominently in the privacy policy. Entities designated as Significant Data Fiduciaries must additionally appoint a Data Protection Officer (DPO) based in India, whose details must likewise appear in the policy.
k) Data Breach Notification Process
Section 8(6) requires a Data Fiduciary to notify both the Data Protection Board of India and each affected Data Principal of a personal data breach, with no materiality or harm threshold. The DPDP Rules, 2025 require the intimation to affected Data Principals and the initial intimation to the Board to be made without delay, and a detailed report to the Board within 72 hours of becoming aware of the breach, or such longer period as the Board allows. Your policy should describe the breach notification process, including the channels through which you will communicate with affected users in the event of a breach.
3. Language and Accessibility Requirements Under DPDP Rules 2025
One of the most distinctive requirements is the language mandate. Section 5(3) of the Act gives the Data Principal the option to access the contents of the notice, and so in practice the privacy policy that carries it, in English or in any of the 22 languages listed in the Eighth Schedule to the Constitution of India. The choice of language is the Data Principal’s, not yours.
For most businesses, this means building a language-selection mechanism into the consent capture flow and ensuring that the underlying policy document is translated accurately, not mechanically, into each offered language. A policy available only in English, or one that uses automated translations without review by a language professional, does not meet this requirement.
The policy must also use plain, non-technical language. Defined terms must be explained on first use. Legalese and cross-references to external schedules that the average user cannot access should be avoided.
4. Privacy Policy Requirements by Business Type
The DPDP Act applies broadly, but the intensity of compliance obligations varies depending on the nature of your business:
- E-commerce platforms: Must address data collected during purchase flows, payment data handling (typically processed by a third-party payment gateway under a Data Processor arrangement), delivery partner data sharing, and marketing consent captured at checkout.
- SaaS and B2B platforms: Where enterprise customers are the Data Fiduciaries and you are the Data Processor, your privacy policy must clearly describe the Data Processor role and the contractual commitment to process data only on the customer’s instruction and to erase it when the customer requires. You remain a Data Fiduciary in your own right for the personal data you process for your own purposes, such as your customers’ account, billing and marketing contacts, and the policy must cover that processing in full.
- Mobile apps: Must address device permissions (camera, microphone, location, contacts), SDK-level data collection by third-party libraries, and the specific consent mechanisms used at onboarding.
- Startups and early-stage companies: The Act does not scale obligations to company size; they attach to what personal data you process and why, not to employee count or revenue. Section 17(3) lets the Central Government, having regard to the volume and nature of data processed, notify classes of Data Fiduciary, including startups, as exempt from specific provisions (notice, accuracy, retention limits, the right of access), but until such a notification covers you, a Series A startup with 500,000 registered users has the same notice obligations as a large enterprise.
5. Common Privacy Policy Mistakes Under the DPDP Act
The following errors appear repeatedly in privacy policies drafted without DPDP-specific guidance:
- Using a GDPR template and substituting “India” for “EU.” GDPR and the DPDP Act share structural similarities but diverge on the lawful bases available (the DPDP Act offers consent and a short list of legitimate uses, with no “legitimate interests” balancing test), on the rights architecture (no portability or objection right), on penalty thresholds, and on cross-border transfer rules.
- Listing a generic “info@” address as the grievance channel rather than a named Grievance Officer with a dedicated contact pathway.
- Omitting purpose-specific consent and relying on a single master consent tied to account creation.
- Failing to address children’s data despite the service being accessible to users under 18.
- Including broad indemnity clauses or limitation of liability language in the privacy policy itself, which can undermine the policy’s status as a genuine consent notice.
- Treating the privacy policy as a static document rather than a living instrument that must be updated whenever the purpose, scope, or third-party recipients of data processing change.
6. Frequently Asked Questions
Does the DPDP Act apply to small businesses and startups in India?
Yes. The DPDP Act does not exempt businesses based on size, revenue, or employee count. It applies to the processing of digital personal data within India, whether collected in digital form or collected offline and digitised later, and to processing outside India connected with offering goods or services to Data Principals in India. Section 17(3) permits the Central Government to notify classes of Data Fiduciary, including startups, as exempt from specific provisions, but until such a notification applies to you the core consent and notice requirements, including a compliant privacy policy, apply regardless of size.
Do I need a separate privacy policy for the DPDP Act, or can I update my existing one?
There is no requirement to create a separate document. You can update your existing privacy policy to incorporate DPDP-mandated disclosures, provided the result is comprehensive, plainly written, and structured in accordance with the consent notice requirements under the DPDP Rules, 2025. In practice, many existing policies require such extensive revision that a fresh draft is more efficient and legally safer than layering amendments onto an outdated baseline.
When does the DPDP Act come into force?
The Act was enacted in August 2023, but its substantive provisions take effect only on notification, and the DPDP Rules, 2025, notified in November 2025, bring them in by phases: the provisions establishing the Data Protection Board apply immediately, consent manager registration applies after twelve months, and the bulk of Data Fiduciary obligations (notice, consent, security safeguards, breach notification, retention and Data Principal rights) apply after eighteen months, that is, in May 2027. Data mapping, consent re-architecture, vendor renegotiation and policy drafting typically take 9–18 months, so businesses that begin the process in 2025 will be operational and tested by the enforcement date; those that wait until early 2027 will not.
What is the penalty for a non-compliant privacy policy under the DPDP Act?
Penalties for DPDP non-compliance are imposed by the Data Protection Board of India after an inquiry, for each breach it finds to be significant, and the Board weighs the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the mitigation taken. The Schedule to the Act sets the ceilings: up to INR 250 crore for failing to take reasonable security safeguards, up to INR 200 crore for failing to notify a breach or for breaching the obligations relating to children, up to INR 150 crore for breaching Significant Data Fiduciary obligations, and up to INR 50 crore for any other breach of the Act or the Rules, which is where notice and consent failures fall. These are ceilings per breach, not annual caps; a single enforcement action can cover multiple breaches across a large user base.
Is a privacy policy sufficient for DPDP compliance?
No. A compliant privacy policy is a necessary but not sufficient condition for DPDP readiness. It must be supported by operational measures: a functioning consent management platform, a grievance redressal mechanism, data retention and deletion protocols, a breach notification workflow, and DPDP-aligned vendor contracts. The policy is the public-facing declaration of these practices; the practices themselves must actually exist.
Getting the privacy policy right is the foundation. Every other DPDP compliance obligation, consent capture, rights fulfilment, breach response, vendor management, is built on top of what you disclose to your users in that document. A policy that is vague, outdated, or borrowed from an incompatible foreign framework leaves your business exposed not just to regulatory action, but to the trust deficit that comes from being caught unprepared.
This article is for general information only and does not constitute legal advice. Businesses should consult qualified legal counsel for advice tailored to their specific data processing activities and compliance requirements.
Ready to Update Your Privacy Policy?
Draftlo generates DPDP-aligned privacy policies, consent notices, and legal documents in minutes — affordable, plain-language, and built for Indian businesses.