Privacy Notices: What DPDP Mandates Every Business Include

Privacy Notice Under DPDP Act

What is a privacy notice under the DPDP Act

A privacy notice, required by Section 5 of the Digital Personal Data Protection (DPDP) Act, 2023, is not just a formality. It is a legal obligation every organization must meet before or at the time it requests consent to collect or process personal data from individuals (called “Data Principals” under the Act).

Unlike general privacy policies that describe an organization’s broad data practices, a DPDP-compliant privacy notice is specific, transactional, and tied to each instance of data collection. It’s a forward-looking disclosure, designed to ensure that the data principal is fully informed before giving consent for the processing of their digital personal data.

The Act makes it clear that personal data may be processed only for a lawful purpose and, where consent is the basis for processing, only if:

  • The individual has been informed through a notice, and
  • They have given free, specific, informed, unconditional, and unambiguous consent for the stated purpose.

In this framework, the privacy notice becomes the foundation of informed consent. Without it, consent is not valid, and any processing of personal data would be considered unlawful.

Up next: We’ll look at when exactly you’re required to issue a privacy notice—and how that might differ depending on when the data was collected.

When am I required to issue a privacy notice

Under the DPDP Act, you are legally obligated to issue a privacy notice at two key points:

  1. Before or at the time of collecting consent from an individual for processing their digital personal data.
  2. Retroactively, for data you’ve already collected prior to the enforcement of the Act, if you wish to continue processing it.

1. New data collection (Post-Act)

Whenever your business collects digital personal data after the DPDP Act is in force, a notice must be presented upfront. This notice must precede or accompany the consent request and clearly outline:

  • What data will be collected
  • For what purpose
  • How individuals can exercise their rights (like withdrawing consent or filing a complaint)

This requirement aligns with Section 5(1), and your organization cannot proceed with processing until consent is obtained based on this notice.

2. Previously collected data (Pre-Act)

For data that was collected with consent before the Act became operational, you must still issue a privacy notice under Section 5(2). This notice does not require fresh consent, and Section 5(2) lets you continue processing until the individual withdraws consent, but it must inform individuals:

  • What data you’ve already collected
  • Why it’s being processed
  • How they can exercise their rights or raise concerns

This obligation is triggered “as soon as reasonably practicable,” a phrase the Act uses to give organizations some flexibility while still expecting timely compliance.

Compliance Timeline: Know Your Dates

The DPDP enforcement notification issued via GSR 843(E) makes this timing more concrete:

  • The Act was partially enforced on 13 November 2025.
  • The key sections covering notices and consent (Sections 3–10, including Section 5) will come into force 18 months from that date, i.e., 13 May 2027.

In other words, businesses have until May 2027 to ensure every data collection process is backed by a compliant notice. For existing databases, the same window applies to issue retroactive notices.

Coming up: We’ll explore what exactly your privacy notice must include to meet DPDP standards.

What information must a DPDP-compliant privacy notice include

To comply with the DPDP Act, a privacy notice must be specific, actionable, and accessible. Section 5 of the Act lays out three non-negotiable elements that every notice must contain:

1. Description of the personal data and its purpose

You must clearly state:

  • What types of personal data are being collected (e.g., name, email, location, health data)
  • Why each category of data is needed (i.e., the specified purpose)

Importantly, the notice cannot be vague or bundled. Each purpose must correspond to the data being requested. This ensures that the consent is meaningful and specific, as required under Section 6(1).

2. Explanation of rights under the DPDP Act

Your notice must tell the data principal how they can exercise their legal rights, which include:

  • Withdrawing consent (Section 6(4))
  • Requesting correction, erasure, or access to their data (Sections 11 and 12)
  • Filing grievances or complaints (Section 13)

This is critical for transparency and accountability. If your notice doesn’t provide a clear path for action, it’s considered non-compliant.

3. Instructions on how to file complaints

You must explain how individuals can escalate their concerns to the Data Protection Board of India. This is a mandatory inclusion and reflects the DPDP Act’s focus on user autonomy and redressal mechanisms.

Language Requirements

Section 5(3) requires that the data principal be given the option to access the contents of the notice in:

  • English, or
  • Any of the 22 languages listed in the Eighth Schedule of the Constitution, at the data principal’s choice.

In practice this means you may need to maintain the notice in several Indian languages depending on your user base, so that it is accessible to everyone you collect data from.

What’s not acceptable

  • Notices buried in terms and conditions
  • Legalese that obscures intent
  • Bundled or overly broad purposes (“marketing and service improvement” isn’t specific enough)

Next, we’ll explore how you should deliver these notices—across web, mobile, in-person, and offline flows—to ensure clarity and compliance.

How should a privacy notice be presented to the data principal

It’s not enough to include the right information—how you present your privacy notice matters just as much under the DPDP Act. Presentation plays a direct role in determining whether the consent you receive is legally valid.

Here’s what the law and accompanying guidance require:

1. Use plain, unambiguous language

Section 6(3) of the Act mandates that all requests for consent—along with the privacy notice—must be presented in “clear and plain language.” This applies regardless of format or platform.

Best practices include:

  • No jargon or legal complexity
  • Simple sentence structures
  • Use of bullets and headings to improve readability

If your user needs legal assistance to understand your notice, it’s already non-compliant.

2. Offer multilingual access

As mentioned earlier, the data principal must be able to access the notice in English or in any language listed in the Eighth Schedule of the Constitution, which includes major Indian languages like Hindi, Tamil, Bengali, Telugu, and more.

This ensures that individuals across India can understand and exercise their rights.

3. Make it visible and accessible

Depending on the touchpoint, the delivery format must ensure proactive visibility—not passive availability. That means:

  • On websites: Display the notice as a pop-up, slide-in, or inline text before any data collection form.
  • On mobile apps: Use modal prompts or screens that must be acknowledged before proceeding.
  • In physical settings (like banks or hospitals): Use printed or digital signage, QR codes, or consent tablets with the full notice.
  • Email/SMS: For pre-existing data or ongoing processing, send a direct notice via the channel already used for communication.

The notice should never be hidden in footers, linked via generic “privacy policy” buttons, or shown after consent is collected.

4. Include contact details for questions

Every notice must also include the contact details of the Data Protection Officer (for Significant Data Fiduciaries) or another authorized contact for handling data principal queries or complaints (Section 6(3)).

Coming up next: We’ll break down the specific compliance deadlines you must meet for issuing notices—and what counts as “reasonable time” under the DPDP enforcement timeline.

What are the deadlines for issuing privacy notices under DPDP

The DPDP Act sets clear expectations for when privacy notices must be issued. However, these deadlines vary depending on whether you’re processing new data or continuing to process pre-existing data collected before the Act came into force.

Let’s break down what’s required, and by when.

1. For new data collection (after DPDP enforcement)

If your organization begins collecting digital personal data after the relevant DPDP sections are enforced, you must issue a compliant privacy notice at the point of consent—that is, before or when requesting consent.

This is governed by Section 5(1), which becomes operational 18 months after the Gazette notification, i.e., by May 13, 2027.

By this date, your consent collection flows must:

  • Present the DPDP-compliant privacy notice before consent
  • Offer the notice in English or, at the data principal’s choice, any Eighth Schedule language
  • Provide clear, actionable rights and contact pathways

2. For existing data (collected before the Act)

If you already have personal data that was collected with consent before May 13, 2027, you must issue a retroactive privacy notice under Section 5(2). This notice must be given:

  • “As soon as reasonably practicable” after enforcement, and
  • Before you continue or repurpose any processing of that data

This doesn’t require fresh consent, but you do have to notify individuals about:

  • What data you hold
  • The purposes it is being used for
  • How they can exercise rights or raise complaints

Failure to notify in time could result in invalid consent status and non-compliance for ongoing processing.

What does “reasonably practicable” mean?

While the DPDP Act doesn’t define this phrase precisely, in regulatory practice it generally implies:

  • Within a few weeks to months after enforcement (not years)
  • Prior to any new data usage, sharing, or repurposing

For organizations with large user bases or fragmented data systems, it’s wise to begin preparing your notice distribution now—ahead of the formal enforcement date.

In the next section, we’ll look at what happens if you miss these deadlines—and how the Data Protection Board will handle enforcement.

What happens if I fail to issue or update privacy notices properly

Failing to issue privacy notices—or issuing ones that are incomplete, unclear, or inaccessible—can have serious compliance and operational consequences under the DPDP Act. The law doesn’t treat notice failures as minor oversights; they are seen as a fundamental violation of user rights and transparency obligations.

Here’s what can happen if your privacy notices are non-compliant or missing:

1. Your consent becomes invalid

If consent was obtained without a valid notice (as required under Section 5), it may be considered invalid under Section 6. This means:

  • You are not legally authorized to process that user’s data
  • Any ongoing processing could be classified as unauthorized and unlawful

In such cases, the user’s data must be erased unless another lawful basis exists, and any decisions made using that data may be challenged.

2. The burden of proof is on you

Section 6(10) puts the responsibility on the Data Fiduciary (your organization) to prove that a notice was issued and valid consent was obtained. If a user raises a complaint or the Board initiates an inquiry, you’ll need to:

  • Produce a record of the notice content
  • Show how and when it was delivered
  • Demonstrate that consent was based on that notice

Failure to demonstrate this can lead to enforcement action.
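What the three bullets above amount to, in engineering terms, is a record that ties each consent event to the exact notice wording and language the person saw, with timestamps that show the notice came first. The following is an added illustration of one way to build that evidence; it is not Certinal’s product code and not text from the Act. The notice wording, identifiers, language codes and timestamps are all constructed for the example. Each notice version is content-addressed by SHA-256, consent records reference that digest, and the records are hash-chained so a later edit to either the notice or the log is detectable.

```python
"""Added example: evidence binding a consent event to the notice shown.

Not Certinal's code. Sample notice text, IDs and timestamps are constructed.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Optional


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class NoticeVersion:
    """One immutable, language-specific rendering of a Section 5 notice."""
    notice_id: str
    language: str                 # assumed ISO 639-1 code, e.g. "en", "hi"
    data_categories: tuple
    purposes: tuple               # one specific purpose per entry, never bundled
    text: str                     # exact wording shown to the Data Principal

    def digest(self) -> str:
        # Content-addressed: editing the wording changes the digest, so an old
        # consent can never be silently re-pointed at new text.
        return sha256_hex(self.text)


class NoticeRegistry:
    """Every notice version ever shown, keyed by content digest."""

    def __init__(self) -> None:
        self._by_digest = {}

    def publish(self, nv: NoticeVersion) -> str:
        self._by_digest[nv.digest()] = nv
        return nv.digest()

    def lookup(self, digest: str) -> Optional[NoticeVersion]:
        return self._by_digest.get(digest)


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence that consent was given on the basis of a specific notice."""
    principal_id: str
    notice_digest: str
    language_shown: str
    notice_shown_at: str          # ISO 8601 with UTC offset
    consented_at: str
    channel: str                  # "web", "app", "kiosk", ...
    purposes: tuple               # purposes this consent actually covers
    prev_hash: str                # hash of the previous ledger entry

    def entry_hash(self) -> str:
        body = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return sha256_hex(body)


class ConsentLedger:
    """Append-only, hash-chained log; the head hash should be anchored
    elsewhere (signed or timestamped) so the latest entry cannot be swapped."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []
        self.head = self.GENESIS

    def append(self, **fields) -> ConsentRecord:
        rec = ConsentRecord(prev_hash=self.head, **fields)
        self.entries.append(rec)
        self.head = rec.entry_hash()
        return rec

    def chain_intact(self) -> bool:
        prev = self.GENESIS
        for rec in self.entries:
            if rec.prev_hash != prev:
                return False
            prev = rec.entry_hash()
        return prev == self.head


def verify(rec: ConsentRecord, registry: NoticeRegistry) -> list:
    """Reasons this record would not carry the Section 6(10) burden; [] is OK."""
    nv = registry.lookup(rec.notice_digest)
    if nv is None:
        return ["notice digest not in registry: wording changed or never published"]
    findings = []
    if nv.language != rec.language_shown:
        findings.append("language on record differs from the notice version shown")
    if datetime.fromisoformat(rec.notice_shown_at) > datetime.fromisoformat(rec.consented_at):
        findings.append("notice shown after consent; Section 5(1) requires before or at")
    extra = sorted(set(rec.purposes) - set(nv.purposes))
    if extra:
        findings.append(f"consent cites purposes absent from the notice: {extra}")
    return findings


def demo() -> dict:
    registry = NoticeRegistry()
    notice_en = NoticeVersion(                      # constructed sample notice
        notice_id="signup-notice", language="en",
        data_categories=("name", "email"),
        purposes=("account creation", "transactional email"),
        text="We collect your name and email to create your account and send "
             "transactional email. You may withdraw consent at any time and may "
             "complain to the Data Protection Board of India; contact details below.")
    digest = registry.publish(notice_en)
    ledger = ConsentLedger()
    good = ledger.append(principal_id="dp-1001", notice_digest=digest,
                         language_shown="en", channel="web",
                         notice_shown_at="2027-06-01T10:00:00+00:00",
                         consented_at="2027-06-01T10:00:42+00:00",
                         purposes=("account creation",))
    bad = ledger.append(principal_id="dp-1002", notice_digest=digest,   # undisclosed purpose
                        language_shown="en", channel="app",
                        notice_shown_at="2027-06-01T11:00:00+00:00",
                        consented_at="2027-06-01T11:00:10+00:00",
                        purposes=("account creation", "marketing"))
    edited = NoticeRegistry()                       # wording "fixed" in place later
    edited.publish(dataclasses.replace(notice_en, text=notice_en.text + " Updated."))
    tampered = ConsentLedger()                      # log entry altered after the fact
    tampered.entries, tampered.head = list(ledger.entries), ledger.head
    tampered.entries[0] = dataclasses.replace(good, purposes=("account creation", "marketing"))
    return {"good": verify(good, registry), "bad": verify(bad, registry),
            "after_edit": verify(good, edited),
            "chain_intact": ledger.chain_intact(),
            "tampered_chain_intact": tampered.chain_intact()}
```

The point of the design is that the three questions an inquiry asks (what did the notice say, when was it shown, was consent given on that basis) are answered by the digest, the two timestamps, and the purpose subset check, rather than by a free-text “privacy policy v3” label that can be rewritten. Store the notice text itself, not only its hash, or the digest proves nothing.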

3. Complaints and inquiries from the Data Protection Board

Under Section 27 of the Act, the Data Protection Board of India is empowered to:

  • Initiate inquiries upon complaints or data breaches
  • Investigate failures to issue notices or obtain valid consent
  • Impose penalties as specified under Section 33

These penalties may be financial and reputational, particularly if the violation affects a large number of users or involves sensitive personal data.

4. Erosion of trust and opt-out risks

Beyond legal penalties, failing to notify users can lead to:

  • Loss of trust and increased opt-outs or consent withdrawals
  • Higher support burden due to rights requests or grievances
  • Brand damage, especially for consumer-facing platforms or services

Timely, clear, and accessible notices are not just compliance safeguards—they’re also essential for user confidence.

Next: We’ll explore how Certinal helps simplify the delivery of DPDP-compliant privacy notices across digital channels and consent journeys.

How Certinal simplifies DPDP-compliant notice delivery

While the DPDP Act places a clear responsibility on businesses to issue legally valid privacy notices, the operational complexity of doing so—at scale, across languages, formats, and user journeys—can be daunting. This is where Certinal’s consent management system helps.

Certinal is designed to automate and streamline privacy notice delivery as part of a compliant consent lifecycle. Here’s how:

  • Pre-built notice templates: Aligned with Section 5 requirements, customizable for various data collection scenarios.
  • Multilingual support: Automatically delivers notices in English and any Eighth Schedule language based on user preference.
  • Omnichannel deployment: Integrates across web, mobile, email, and in-person interfaces to ensure notices are shown before consent is captured.
  • Audit-ready logs: Maintains timestamped records of notice delivery, consent collection, and language choice—helping meet the proof burden under Section 6(10).
  • Real-time updates: Ensures existing users are notified as per Section 5(2) when processing is ongoing from pre-Act data.

By embedding compliance directly into your data workflows, Certinal helps you meet legal obligations while improving transparency and trust with your users.

Book a demo to see how Certinal can support your DPDP readiness.

Frequently Asked Questions (FAQs)

1. What is a privacy notice under the DPDP Act?
A privacy notice under the DPDP Act is a mandatory disclosure that informs individuals what personal data is collected, why it’s collected, and how it will be used before consent is taken. Without a valid notice, consent is not legally valid.

2. When is a business required to issue a privacy notice under DPDP?
Businesses must issue a privacy notice before or at the time of collecting consent for new data and retroactively for previously collected data they wish to continue processing.

3. What information must a DPDP-compliant privacy notice include?
A DPDP-compliant privacy notice must describe the personal data collected and its purpose, explain user rights under the Act, and provide instructions for filing complaints with the Data Protection Board.

4. Are privacy notices required in multiple languages under the DPDP Act?
Yes, privacy notices must be provided in English and any language listed in the Eighth Schedule of the Constitution, based on the data principal’s choice.

5. What happens if a business fails to issue a proper privacy notice under DPDP?
Failure to issue a compliant privacy notice can invalidate consent, make data processing unlawful, and expose the business to complaints, investigations, and penalties under the DPDP Act.

Meet Our Contributors

Meet the Author
Senior Executive - Marketing
Certinal Inc.
Our Reviewer
Ankit Aggarwal
Associate Director Marketing
Certinal Inc.
