
A privacy notice is more than just a formality—it is the foundation of transparency between an organization and the individuals whose data it processes. Under India’s Digital Personal Data Protection Act (DPDP), 2023, privacy notices have taken on a critical legal role. They are no longer optional or symbolic. If consent is to be valid, it must be informed, and that begins with the notice.
The DPDP Act, reinforced by the final DPDP Rules (2025), sets a clear expectation: every data principal must receive a notice that explains what data is being collected, why it is being used, and how they can exercise their rights. The law also mandates that this information be provided in a language and format the individual can understand—making the design and delivery of privacy notices a compliance priority, not a checkbox.
In this blog, we’ll unpack what it really means for a privacy notice to be “informed” under the DPDP Act, what must be included, what to avoid, and how organizations can operationalize these obligations across digital touchpoints.
Next, let’s look at what the law specifically says.
What does the DPDP Act say about privacy notices and consent?
To understand what makes a privacy notice “informed,” we need to start with the legal text itself. The Digital Personal Data Protection (DPDP) Act, 2023 lays out two interlinked requirements: notice (Section 5) and consent (Section 6).
Section 5 – Notice Before Consent
Under the DPDP Act, every request for consent must be preceded or accompanied by a privacy notice that clearly explains:
- What personal data will be collected
- Why it’s being collected (the specified purpose)
- How individuals can exercise their rights under Section 13 (grievance redressal) and Section 6(4) (withdrawal of consent)
- How to file a complaint with the Data Protection Board of India
Moreover, the Act mandates that this information be available in English or any of the 22 official languages of India (as per the Eighth Schedule of the Constitution), ensuring accessibility across linguistic backgrounds.
Section 6 – Informed Consent Must Be Specific and Unambiguous
Consent under the DPDP Act must be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
- Provided through a clear affirmative action
In other words, you cannot bundle purposes, hide processing practices in legalese, or rely on passive acceptance. A user must actively understand and agree.
DPDP Rules 2025 – Structuring the Notice
The DPDP Rules 2025 provide additional clarity on how the privacy notice should be presented. According to Rule 3:
- The notice must be easily understandable, separate from other information, and written in plain language
- It must enable the data principal to give “specific and informed” consent
- It must specify the data categories, processing purpose(s), and grievance contact details
- The format must allow easy review and access through mobile apps, websites, or consent workflows
Together, these legal and procedural requirements ensure that a privacy notice is not just a disclosure, but an active enabler of individual autonomy.
Next, we’ll explore what exactly needs to be included in a privacy notice to meet these standards.
What information must be included in a DPDP-compliant privacy notice?
Creating a compliant privacy notice isn’t just about being transparent—it’s about being complete. According to the DPDP Act and its 2025 rules, a privacy notice must include specific, structured information that enables the data principal to make an informed decision.
Here’s what the law requires:
1. Categories of Personal Data Collected
The notice must describe exactly what types of personal data are being collected. This could include identifiers (name, email, phone number), sensitive health or financial data, biometric data, or behavioral data, depending on the context.
2. Specified Purpose(s) of Data Processing
The notice must clearly state why the data is being collected. Each purpose must be listed separately, and bundling multiple vague objectives into one is not allowed. For instance, “to improve services” is too broad. Instead, specify: “to send appointment reminders” or “to process insurance claims”.
3. Data Principal Rights and How to Exercise Them
Data principals must be informed of their rights, including the right to:
- Access data (Section 11)
- Correct or erase data (Section 12)
- File grievances (Section 13)
- Withdraw consent (Section 6(4))
The notice must also describe how individuals can exercise these rights—whether through a portal, email, mobile app, or another method.
4. Grievance Redressal Mechanism
Organizations must disclose contact details of a grievance officer or support desk, including an email address or phone number. This ensures that individuals know whom to contact in case of data misuse or policy violations.
5. Option to View Notice in Regional Languages
DPDP Rules 2025 emphasize that the notice must be accessible in English and other Eighth Schedule languages. This is not optional. The intent is to ensure that no individual is excluded due to language barriers.
6. Easy Access and Readability
The notice must be presented in a way that’s easily accessible before or during consent collection. Pop-ups, links, or embedded notices in apps or portals are acceptable—as long as they’re clear, not buried, and not skipped by default.
In summary, a privacy notice isn’t compliant unless it contains all of the above. Anything less, and the notice risks being considered invalid under the law.
Up next, we’ll look at how to ensure your privacy notice is not just complete—but truly “informed.”
What makes a privacy notice truly ‘informed’ under Indian law?
A privacy notice may contain all the required elements, but still fall short of being informed. Under the DPDP Act and the 2025 Rules, how information is presented is as important as what is presented.
Here are the core criteria that make a privacy notice truly “informed” under Indian law:
1. Plain, Understandable Language
The law requires that the privacy notice be written in clear and plain language that an average individual can understand without legal assistance. Jargon, complex terminology, or technical abbreviations defeat the purpose of informed consent.
If your notice includes lines like “we may process your data pursuant to legitimate interest frameworks,” it likely doesn’t meet the plain language standard.
2. Notice Must Be Independent and Prominent
The DPDP Rules state that the privacy notice must be independently understandable, meaning it can’t be hidden in a terms-and-conditions page or bundled with a product disclaimer. It must stand out—through formatting, visual separation, or user flow placement.
Users should never be forced to “hunt” for the privacy notice.
3. Multilingual Support is Mandatory
The notice must be available in English and at least one language from the Eighth Schedule that the user can choose. If your audience includes users who prefer Hindi, Tamil, Bengali, or Kannada, your system must provide that choice.
Failure to do so undermines user comprehension and, therefore, legal validity.
4. Presented at the Right Time
The Act explicitly states that a privacy notice must be provided before or alongside the consent request. It cannot be delayed, retrofitted, or sent after the fact.
Timing is everything—users must have a fair chance to read and understand the notice before taking action.
5. Informed Means Actionable
An informed notice isn’t just readable—it’s actionable. Users should know how to:
- Opt in or out
- Contact the organization
- Access or delete their data
- Raise complaints
A well-structured privacy notice will include hyperlinks, tooltips, or embedded buttons to guide the user through these options.
The law is clear: the onus is on the organization to prove that it provided an informed notice—not on the user to interpret it. This principle is underscored in Section 6(10) of the Act, which makes it the fiduciary’s responsibility to demonstrate that proper notice and consent were obtained.
Coming up next: we’ll explore the common pitfalls organizations face when creating their notices—and how to avoid them.
What are common mistakes organizations make in their privacy notices?
Even well-intentioned organizations can fall short of DPDP compliance due to avoidable missteps in how they structure and present privacy notices. Here are the most common mistakes that can undermine both legal validity and user trust:
1. Overly Broad or Vague Purposes
Notices that state purposes like “to improve your experience” or “for analytics” without detailing how data will be used are considered non-compliant. The DPDP Act requires specific purposes to be listed. Vague catch-all phrases do not meet the standard for informed consent.
2. Ambiguous Language or Legal Jargon
Using language that is difficult for the average person to understand—such as “pursuant to applicable regulations” or “subject to data processing agreements”—violates the plain language requirement under the DPDP Rules 2025.
Your privacy notice should read like a helpful explanation, not a legal disclaimer.
3. Failure to Update Legacy Consents
If your organization collected consent before the DPDP Act was enacted, you are required to re-notify those data principals with a compliant privacy notice “as soon as reasonably practicable” under Section 5(2).
Continuing to rely on old consents without updated notices may expose you to penalties.
4. Neglecting Multilingual Delivery
Many organizations still issue privacy notices in English only. However, the 2025 Rules require that users be able to access the notice in any Eighth Schedule language of their choice. This is particularly critical in healthcare, financial services, and government platforms where linguistic diversity is high.
5. Hiding the Notice in Dense Interfaces
Burying privacy information in long documents, footer links, or post-submission pages fails the timing and visibility test. If users don’t see the notice before or at the point of consent, the consent is invalid by default.
Designing for compliance means designing for clarity. Your interface should guide users to the notice—not make them search for it.
Up next, we’ll look at the benefits of getting it right—how informed notices enhance both compliance and user trust.
How does an informed notice improve user trust and legal defensibility?
While legal compliance is the baseline, organizations that go beyond the bare minimum often unlock broader business benefits—particularly when it comes to building trust and demonstrating accountability.
Here’s how a well-crafted, informed privacy notice pays off:
1. Stronger Legal Defensibility
Under Section 6(10) of the DPDP Act, the burden of proof lies on the data fiduciary—not the user. This means your organization must be able to demonstrate that:
- The privacy notice was given
- It contained all required elements
- Consent was obtained after the notice was reviewed
If these steps weren’t followed, any consent collected could be invalidated in case of a dispute or audit. An informed notice, clearly presented and logged with timestamps, forms the first layer of your compliance shield.
2. Reduced Risk of Penalties or Regulatory Action
The Data Protection Board of India, now formally established and empowered to issue directions and penalties, will look at your consent and notice practices during investigations. A weak or non-compliant privacy notice increases your exposure—even if the breach was unintentional.
Conversely, a clear notice with verifiable delivery logs can mitigate enforcement severity.
3. Higher User Confidence and Engagement
When users are given a straightforward explanation of what data is collected and why, they are more likely to feel respected—and more likely to proceed. Organizations that demonstrate transparency often see higher conversion rates, better retention, and stronger brand sentiment.
4. Simplified Data Subject Requests (DSRs)
A privacy notice that educates users on their rights makes it easier for them to submit valid access or deletion requests—and easier for your team to respond accurately. This streamlines DSR workflows and improves response timelines, which are closely monitored under the DPDP Act.
Up next: How technology platforms can make privacy notice delivery seamless, auditable, and user-friendly—without adding operational overhead.
How can technology streamline compliant privacy notice delivery?
Crafting a legally sound privacy notice is one challenge—delivering it effectively across all user touchpoints is another. Manual approaches often break down in scale, especially when serving diverse users across languages, devices, and services.
This is where technology platforms play a critical role in enabling seamless, consistent, and auditable privacy notice delivery.
1. Embedding Notices at the Point of Consent
Modern consent management systems allow organizations to embed privacy notices directly into user workflows—such as registration forms, appointment bookings, or e-signature pages. This ensures that users see the notice before giving consent, satisfying the timing requirement under Section 5.
2. Dynamic Language Toggles
Platforms that support regional language toggles can instantly localize privacy notices. This helps meet the multilingual accessibility mandate in the 2025 Rules without duplicating manual effort for each translation.
3. Clickable URLs and Inline Disclosures
Instead of forcing users to download PDFs or scroll through long text blocks, privacy notices can be provided via links within the consent form. These URLs can direct users to your full privacy policy, grievance contacts, and withdrawal procedures—ensuring legal completeness without UI clutter.
4. Audit Logs and Consent Trails
A well-designed system will log every instance of a notice being shown, accepted, or acknowledged—along with timestamps and version history. These logs are essential when proving compliance during audits, disputes, or Data Protection Board proceedings.
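The checklist of required notice elements earlier in this post and the audit-trail point above can be expressed as code. The following is an added example written for this post, not Certinal’s or any other vendor’s software: it assumes a constructed record layout in which each consent event stores the notice version and language shown, a hash of the notice text, when the notice was displayed and when the data principal acted. The field names, the language allow-list and the sample records are assumptions chosen for illustration; the checks it performs (all required elements present, no vague purposes, notice shown before or with consent, acknowledgement recorded, consented purposes match the notice) follow the requirements described on this page.

```python
"""Consent-trail checker for DPDP-style privacy notices (added example;
not Certinal's code). Record layout, field names and language list are
assumptions made for this illustration."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib

# Elements the notice must carry (Section 5 / Rule 3, as described on the page).
REQUIRED_NOTICE_FIELDS = (
    "data_categories",
    "purposes",
    "rights_exercise_channel",
    "grievance_contact",
    "board_complaint_info",
)

# Assumption: a short allow-list of language codes the notice is offered in
# (a real deployment would cover English plus the 22 Eighth Schedule languages).
OFFERED_LANGUAGES = {"en", "hi", "ta", "bn", "kn"}

# Catch-all purposes the page calls out as non-compliant.
VAGUE_PURPOSES = {"to improve services", "for analytics", "to improve your experience"}


@dataclass(frozen=True)
class NoticeVersion:
    version: str
    language: str
    content: Dict[str, object]  # field name -> text or list of strings

    def fingerprint(self) -> str:
        """Stable SHA-256 of the notice text so a log entry is tied to exact wording."""
        canonical = "\n".join(f"{k}={self.content.get(k)!r}" for k in sorted(self.content))
        return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class ConsentEvent:
    principal_id: str
    notice: NoticeVersion
    notice_shown_at: datetime
    consent_given_at: Optional[datetime]
    acknowledged_notice: bool
    purposes_consented: List[str] = field(default_factory=list)


def notice_problems(notice: NoticeVersion) -> List[str]:
    """Completeness and plain-purpose problems with one notice version."""
    problems = []
    for name in REQUIRED_NOTICE_FIELDS:
        if not notice.content.get(name):
            problems.append(f"missing:{name}")
    for purpose in notice.content.get("purposes", []):
        if str(purpose).strip().lower() in VAGUE_PURPOSES:
            problems.append(f"vague_purpose:{purpose}")
    if notice.language not in OFFERED_LANGUAGES:
        problems.append(f"language_not_offered:{notice.language}")
    return problems


def consent_problems(event: ConsentEvent) -> List[str]:
    """Review one event the way an auditor would: notice first, then consent."""
    problems = notice_problems(event.notice)
    if event.consent_given_at is None:
        problems.append("no_consent_recorded")
    elif event.consent_given_at < event.notice_shown_at:
        problems.append("consent_before_notice")  # fails the Section 5 timing rule
    if not event.acknowledged_notice:
        problems.append("notice_not_acknowledged")  # no clear affirmative action
    stated = set(event.notice.content.get("purposes", []))
    for purpose in event.purposes_consented:
        if purpose not in stated:
            problems.append(f"purpose_not_in_notice:{purpose}")
    return problems


def audit_record(event: ConsentEvent) -> dict:
    """Append-only log line carrying everything needed to reproduce the review later."""
    problems = consent_problems(event)
    return {
        "principal_id": event.principal_id,
        "notice_version": event.notice.version,
        "notice_sha256": event.notice.fingerprint(),
        "language": event.notice.language,
        "notice_shown_at": event.notice_shown_at.isoformat(),
        "consent_given_at": event.consent_given_at.isoformat() if event.consent_given_at else None,
        "valid": not problems,
        "problems": problems,
    }


# Constructed sample notices and events (not real data).
GOOD_NOTICE = NoticeVersion("v2.1", "hi", {
    "data_categories": ["name", "phone", "appointment history"],
    "purposes": ["to send appointment reminders", "to process insurance claims"],
    "rights_exercise_channel": "privacy portal (placeholder URL)",
    "grievance_contact": "grievance-officer@example.invalid",
    "board_complaint_info": "how to complain to the Data Protection Board of India",
})
VAGUE_NOTICE = NoticeVersion("v1.0", "en", {
    "data_categories": ["email"],
    "purposes": ["to improve services"],
    "rights_exercise_channel": "email",
    "grievance_contact": "",
    "board_complaint_info": "see policy",
})
T0 = datetime(2025, 11, 1, 10, 0, tzinfo=timezone.utc)
T1 = datetime(2025, 11, 1, 10, 2, tzinfo=timezone.utc)
GOOD_EVENT = ConsentEvent("p-001", GOOD_NOTICE, T0, T1, True, ["to send appointment reminders"])
BAD_EVENT = ConsentEvent("p-002", VAGUE_NOTICE, T1, T0, False, ["for marketing"])

if __name__ == "__main__":
    for ev in (GOOD_EVENT, BAD_EVENT):
        print(audit_record(ev))
```

Storing the notice hash alongside the version label matters because a later edit to the notice text must not silently change what a past consent record is taken to refer to; the hash lets a reviewer confirm the exact wording the principal saw.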
5. Configurable for Different Consent Types
In complex environments (like hospitals or financial institutions), different departments or services may require distinct notices. Consent platforms can support multiple templates mapped to specific use cases—ensuring that the right privacy notice is shown in the right context.
By integrating compliance into the digital experience, technology helps transform privacy notice delivery from a legal obligation into a user-first engagement point.
Coming up next: a brief look at how Certinal helps organizations meet these requirements with minimal effort.
How Certinal enables DPDP-aligned privacy notice experiences
Certinal’s Consent Form Management System (CFMS) is purpose-built to help organizations meet the privacy notice and informed consent requirements under the DPDP Act—without overburdening operations or disrupting user journeys.
Here’s how it supports compliant notice delivery:
1. Privacy Notice Embedding
Certinal allows data fiduciaries—such as hospitals, banks, and insurers—to embed their privacy notice URL directly into each consent form template. This ensures that users can access the full notice at the point of consent, meeting the legal timing standard of Section 5.
2. Multilingual Disclosure Configuration
To meet DPDP Rule 3(3), Certinal supports multilingual toggles that present notices and disclosures in any of the 22 official Indian languages. This ensures inclusivity and accessibility across regional user groups.
3. Mandatory Acknowledgement and Checkbox Options
Before a consent form can be submitted, Certinal requires users to acknowledge having read the privacy notice. Organizations can configure checkboxes that enforce this step—ensuring unambiguous, affirmative action as required by Section 6.
4. Complete Audit Trail
Every display, view, and action related to the privacy notice and consent form is logged with a timestamp. This provides a defensible audit trail that can be retrieved for regulatory inquiries or internal reviews.
5. Consent Lifecycle Control
Organizations retain full control over updating notice URLs, templates, and disclosures—allowing dynamic alignment with evolving data practices or compliance requirements.
Whether you’re onboarding a patient, signing a loan agreement, or capturing marketing consent, Certinal ensures your privacy notices are delivered clearly, consistently, and in line with India’s data protection laws.
Book a demo to see how Certinal simplifies compliance.
1. What is an informed privacy notice under India’s DPDP Act?
An informed privacy notice clearly explains what personal data is collected, why it is used, and how individuals can exercise their rights. It must be understandable, accessible, and provided before or at the time of consent.
2. What information must a DPDP-compliant privacy notice include?
A DPDP-compliant privacy notice must list data categories collected, specific purposes, user rights, grievance redressal details, and options to withdraw consent. It must also be available in English and regional Indian languages.
3. Is multilingual privacy notice delivery mandatory under the DPDP Act?
Yes. The DPDP Act and 2025 Rules require privacy notices to be accessible in English and any Eighth Schedule language chosen by the user to ensure informed consent.
4. Can consent be valid without a proper privacy notice?
No. Under the DPDP Act, consent is invalid unless it is preceded or accompanied by an informed privacy notice. The organization must also be able to prove notice delivery.
5. How does an informed privacy notice improve legal defensibility?
An informed privacy notice creates an audit-ready trail showing that users were properly informed before giving consent. This reduces regulatory risk and strengthens compliance during disputes or investigations.


