Privacy policy and data compliance for Indian websites: DPDP Act explained
10 min read · 05-Feb-2025
villagehosting.in team
India's Digital Personal Data Protection Act (DPDPA) 2023 is now law. If you have a website that collects any data from Indian users — contact forms, analytics, e-commerce, even just cookies — you need to understand what it requires.
DPDPA applies to you even without a formal privacy policy
The absence of a privacy policy does not exempt you from DPDPA obligations. If you collect name, email, phone number, payment data, or any other "personal data" from Indian residents, the Act applies — regardless of your company size or whether you're incorporated. The penalty framework includes fines up to ₹250 crore for serious violations.
What is the DPDPA?
The Digital Personal Data Protection Act 2023 is India's first comprehensive data privacy law. It establishes:
- Rights of individuals ("Data Principals") over their personal data
- Obligations of businesses ("Data Fiduciaries") that collect and process personal data
- Consent requirements before data is collected
- Penalties for violations
Rules under the Act are still being notified by the government (as of 2025), but the Act itself is in force.
Who must comply
You must comply if you process personal data of individuals who are in India, regardless of where your business is based.
"Personal data" means any data that can identify an individual directly or indirectly — name, email, phone number, IP address, location data, photos.
In practice: Almost every Indian business website collects personal data (contact form submissions, analytics with IP addresses, e-commerce orders). Compliance applies to you.
What the DPDPA requires
1. Consent before processing
You must obtain clear, free, specific, and informed consent before processing someone's personal data — except for a few legitimate purposes (e.g. processing necessary to fulfil a contract).
For a contact form: The user submitting the form is implicitly consenting to you using their details to respond to their enquiry. You do not need a separate consent checkbox for this.
For marketing emails: You must have clear consent before sending marketing communications. A pre-ticked checkbox at checkout is not valid consent; an unticked checkbox that the user actively ticks is.
For analytics: Analytics tools that collect personal data (including IP addresses) technically require consent under strict interpretation. Cookie banners address this.
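An added example (not code from the article) of the two consent rules above in server-side form handling: sending an enquiry form implies consent to a reply only, while marketing needs a separate box the user actively ticks, and each submission is stored with the purposes consented to and the policy version shown. Field names and the policy version are assumptions.

```javascript
// Added example, not code from the article. Field names and the policy
// version are assumed; adapt them to your own forms.

const PRIVACY_POLICY_VERSION = '2025-02'; // hypothetical; change when the policy text changes

// Markup for the checkout opt-in. No `checked` attribute: the user must tick it.
function renderMarketingOptIn() {
  return '<label><input type="checkbox" name="marketing_opt_in" value="yes"> '
    + 'Send me offers by email</label>';
}

// Builds the consent record stored with the submission. Browsers leave an
// unticked checkbox out of the POST body entirely, so consent to marketing is
// recorded only when the box's own value "yes" arrives; a missing or other
// value means no consent, never a silent default.
function buildConsentRecord(fields, submittedAt = new Date()) {
  const purposes = ['respond_to_enquiry']; // implied by sending the form
  if (fields.marketing_opt_in === 'yes') purposes.push('marketing');
  return {
    email: fields.email,
    purposes,
    policyVersion: PRIVACY_POLICY_VERSION, // which notice the user saw
    recordedAt: submittedAt.toISOString(),
  };
}

// Gate every use of the data on a purpose the user actually consented to.
function mayProcess(record, purpose) {
  return record.purposes.includes(purpose);
}

// Constructed sample submissions: a plain enquiry and a checkout with the box ticked.
const enquiryOnly = buildConsentRecord({ email: 'a@example.com', message: 'Quote?' });
const withMarketing = buildConsentRecord({ email: 'b@example.com', marketing_opt_in: 'yes' });
```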
2. Notice to users
Before or at the time of collecting data, you must inform users:
- What data you are collecting
- Why you are collecting it (the purpose)
- How long you will retain it
- Who you will share it with (if anyone)
- Their rights under the Act
This is the content of your privacy policy. A privacy policy is not just good practice — it is legally required.
3. Data minimisation
Only collect data you actually need for the stated purpose. Do not collect a phone number on a contact form if you only need email.
4. Data Principal rights
Users have rights you must respect:
- Right to access: A user can ask what data you hold about them
- Right to correction: A user can ask you to correct inaccurate data
- Right to erasure: A user can ask you to delete their data
- Right to nomination: Users can nominate someone to exercise their rights on their behalf
You need a process to handle these requests. For a small business, a "Data Requests" email address is sufficient.
5. Security safeguards
You must implement reasonable security safeguards to protect personal data — HTTPS, secure password storage, database access controls, backups.
6. Significant Data Fiduciaries
Large platforms that process significant quantities of sensitive data may be classified as "Significant Data Fiduciaries" with additional obligations. For most small and medium Indian businesses, this is not relevant yet.
Writing a privacy policy for your Indian website
Your privacy policy must cover:
- Who you are: Your business name, address, contact details
- What data you collect: List every type — name, email, phone, payment information, cookies, analytics
- Why you collect it: Purpose for each type of data
- How long you keep it: Retention periods
- Who you share it with: Payment gateways, analytics providers, email service providers
- User rights: How users can exercise their DPDPA rights
- Contact for data requests: A dedicated email or contact method
Do not copy someone else's privacy policy. It must reflect your actual practices. Copying a policy that does not match what you do creates legal liability.
Generators that help: iubenda.com and termsfeed.com generate compliant privacy policies. Start with these and customise for India-specific requirements.
Cookie consent for Indian websites
The DPDPA does not have a specific cookie regulation like the EU's ePrivacy Directive (which applies alongside GDPR). However:
- Cookies that collect personal data (analytics, advertising) are covered by the DPDPA's consent requirement
- International visitors (EU users visiting your site) are covered by GDPR, which requires explicit cookie consent
Practical recommendation: Add a cookie consent banner if you use Google Analytics, Facebook Pixel, or advertising cookies. This covers both DPDPA and GDPR compliance.
Cookie consent plugins for WordPress:
- Complianz (good free option)
- CookieYes
- Cookiebot (paid but comprehensive)
E-commerce-specific requirements
If you collect payment information:
- Never store raw card numbers (your payment gateway handles this — do not build your own payment processing)
- Include payment data in your privacy policy
- State clearly that you use a third-party gateway (Razorpay, PayU, etc.)
For GST-registered businesses:
- Invoices must include buyer's data (name, address, GSTIN if B2B)
- This data must be retained for GST audit purposes (minimum 6 years under GST rules)
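The right to erasure described under "Data Principal rights" and the GST retention requirement above pull in opposite directions. This added example (not code from the article or any product it names) runs an erasure request against a small e-commerce data store: consent-based data is deleted, invoices still inside the 6-year window are kept with the reason recorded, and a receipt is returned for the reply to the user. Record shapes are assumptions.

```javascript
// Added example, not code from the article. Record shapes are assumed; the
// 6-year period is the one the article states, so confirm it with your accountant.

const GST_RETENTION_YEARS = 6;

// Constructed sample store for one customer: consent-based data plus two
// invoices, one inside the retention window and one already past it.
function sampleStore() {
  return {
    profiles: [{ customerId: 'c1', name: 'A. Customer', email: 'a@example.com' }],
    marketingConsents: [{ customerId: 'c1', optedIn: true, recordedAt: '2024-11-01' }],
    analyticsEvents: [{ customerId: 'c1', ip: '203.0.113.5', page: '/checkout' }],
    invoices: [
      { id: 'INV-1', customerId: 'c1', issuedAt: '2024-12-15', buyerName: 'A. Customer', gstin: null },
      { id: 'INV-0', customerId: 'c1', issuedAt: '2017-01-10', buyerName: 'A. Customer', gstin: null },
    ],
  };
}

// Date after which an invoice no longer has to be kept for GST audit.
function retentionEndsAt(issuedAt) {
  const d = new Date(issuedAt);
  d.setUTCFullYear(d.getUTCFullYear() + GST_RETENTION_YEARS);
  return d;
}

// Deletes everything held only on the basis of consent, keeps invoices still
// inside the GST window, and returns a receipt you can send to the requester
// stating what was erased, what was kept, why, and until when.
function handleErasureRequest(store, customerId, now = new Date()) {
  const receipt = { customerId, requestedAt: now.toISOString(), deleted: [], retained: [] };
  for (const key of ['profiles', 'marketingConsents', 'analyticsEvents']) {
    const before = store[key].length;
    store[key] = store[key].filter((r) => r.customerId !== customerId);
    if (store[key].length !== before) receipt.deleted.push(key);
  }
  store.invoices = store.invoices.filter((inv) => {
    if (inv.customerId !== customerId) return true;
    const until = retentionEndsAt(inv.issuedAt);
    if (until > now) {
      receipt.retained.push({ id: inv.id, reason: 'GST audit retention', until: until.toISOString().slice(0, 10) });
      return true; // legally required: keep it, and say so in the receipt
    }
    receipt.deleted.push(`invoices/${inv.id}`);
    return false; // past the window: erase along with the rest
  });
  return receipt;
}
```

Invoices that pass the retention date later still need a scheduled clean-up, since this only erases what is already past the window at the time of the request.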
Children's data
The DPDPA has specific provisions for personal data of children (under 18). If your website might be used by minors, you may need verifiable parental consent before collecting their data.
For most business websites (B2B, adult services), this is not a concern.
Penalties under DPDPA
Penalties for violations can be significant — up to ₹250 crore for certain breaches. For small businesses, the risk is proportionate to the scale of the violation.
Real risk for small businesses: The biggest risk is not maximum penalties — it is a formal complaint or data breach that triggers investigation. Maintaining a clear privacy policy and reasonable security practices significantly reduces this risk.
Practical compliance checklist for Indian websites
- Privacy policy published and accessible from every page (usually in footer)
- Privacy policy covers all data types you collect
- Contact form has a link to privacy policy
- E-commerce checkout has a privacy policy link
- Marketing emails have an unsubscribe link
- Cookie consent banner if using analytics or advertising cookies
- Process to handle data access/erasure requests (dedicated email address)
- HTTPS is enabled on your entire site
- User passwords in your database are hashed, never stored in plain text
- Third-party services (analytics, chat, email) are disclosed in your privacy policy
This is the minimum viable compliance position for a small Indian business website. It is not legal advice — consult a lawyer for your specific situation.