DPDPA 2023 Complete Compliance Checklist for Indian Businesses
A complete, actionable DPDPA 2023 compliance checklist for Indian businesses. Step-by-step guide covering consent management, data fiduciary obligations, rights management, and how to achieve full compliance.
DPDPA 2023 Complete Compliance Checklist for Indian Businesses
India's Digital Personal Data Protection Act (DPDPA) 2023 is the country's first comprehensive data protection law. Every Indian business that collects, processes, or stores personal data of Indian residents must comply. This checklist covers every requirement under the Act.
What is the DPDPA 2023?
The Digital Personal Data Protection Act (DPDPA) 2023 is India's national data privacy law, enacted by the Parliament of India in August 2023. It governs how organizations — called Data Fiduciaries — collect, use, and store the personal data of Indian citizens — called Data Principals.
The law is enforced by the Data Protection Board of India (DPBI) and applies to:
- Any business processing digital personal data of Indian residents
- Businesses operating within India
- Businesses outside India offering goods or services to Indian residents
Who does the DPDPA apply to?
The DPDPA applies to every Indian business with a website, app, or digital product that collects personal data. This includes:
- E-commerce platforms (Meesho, D2C brands, marketplaces)
- Healthcare and telemedicine apps
- BFSI (Banking, Financial Services, Insurance) companies
- SaaS and technology companies
- EdTech platforms
- Government and public sector digital services
- Any website that uses analytics cookies (Google Analytics, Meta Pixel, etc.)
Bottom line: If your business has a website with a contact form, or uses Google Analytics, you are a Data Fiduciary and DPDPA applies to you.
DPDPA 2023 Compliance Checklist — All 8 Sections
✅ Section 1: Consent Management
Under DPDPA Section 6, consent must be free, specific, informed, unconditional, and unambiguous. The following must be in place:
- Consent Notice: Before collecting data, show a notice specifying what data is collected, the purpose, how long it is retained, and the user's rights.
- Granular Consent: Collect separate consent for each purpose (e.g., "Marketing Emails" and "Analytics Tracking" must be separate checkboxes — not bundled).
- Affirmative Action: No pre-ticked boxes. Consent requires an active opt-in by the user.
- Easy Withdrawal: Users must be able to withdraw consent as easily as they gave it, at any time.
- Audit Trail: Every consent event (given, withdrawn, updated) must be timestamped and stored for audit.
- Consent Receipts: Users should receive a record of what they consented to.
Tool to use: Consently automates all of the above with its DPDPA Consent Widget. Deploy via a single script tag: <script src="https://www.consently.in/dpdpa-widget.js" data-consently-id="YOUR_ID"></script>
✅ Section 2: Cookie Consent
Cookies that track users (analytics, advertising, session cookies beyond technical necessity) constitute personal data processing and require consent.
- Cookie Audit: Scan your website to identify all cookies and classify them: Essential, Functional, Analytics, Marketing.
- Cookie Consent Banner: Display a consent banner before non-essential cookies are set.
- Cookie Policy: Publish a detailed cookie policy listing all cookies, their purpose, and retention period.
- Opt-Out Mechanism: Allow users to accept or reject individual cookie categories.
- Honour Preferences: Ensure your website technically blocks cookies that the user rejected.
✅ Section 3: Privacy Notice
Under DPDPA Section 5, your Privacy Notice must state:
- What personal data you collect
- The specific purpose(s) for which it is processed
- How long the data is retained (retention policy)
- All third parties the data is shared with
- The user's rights under the Act (Section 11–14)
- How to exercise those rights
- Contact details of your Data Protection Officer (DPO) or Grievance Officer
✅ Section 4: Data Fiduciary Obligations
- Data Minimisation: Only collect data that is necessary for the stated purpose.
- Purpose Limitation: Do not use data for purposes beyond what was consented to.
- Storage Limitation: Delete data once the purpose is fulfilled (automatic deletion workflows recommended).
- Accuracy: Maintain accurate and up-to-date data. Provide mechanisms for users to correct data.
- Security Safeguards: Implement appropriate technical and organizational security measures (AES-256 encryption, access control, regular audits).
- Data Breach Notification: Notify the Data Protection Board and affected users "in the prescribed manner" in case of a breach.
✅ Section 5: Data Subject Rights (All 5 Must Be Supported)
Under DPDPA Sections 11–14, every user has the following rights:
- Right to Access: User can request a summary of all personal data you hold about them.
- Right to Correction: User can request correction of inaccurate data.
- Right to Erasure: User can request deletion of their data when the purpose is no longer valid.
- Right to Grievance Redressal: User can raise a complaint about data processing. Must be addressed within a reasonable timeframe.
- Right to Nomination: User can nominate another individual to exercise rights on their behalf in case of death or incapacity.
Each of these rights requires a functioning submission mechanism (form, email, or portal) and a documented workflow to respond.
✅ Section 6: Data Processing Agreements (DPAs)
- Identify all third-party vendors who process personal data on your behalf (Data Processors).
- Sign a Data Processing Agreement (DPA) with each vendor specifying: scope, purpose, retention, security obligations, and breach notification.
- Vendors include: cloud providers (AWS, GCP), analytics tools (Google Analytics, Mixpanel), email tools (Mailchimp, SendGrid), payment processors (Razorpay, Stripe), and CRMs.
✅ Section 7: Significant Data Fiduciary (SDF) Requirements
If the Data Protection Board classifies your business as a Significant Data Fiduciary (based on data volume, sensitivity, national security risk), additional obligations apply:
- Appoint a Data Protection Officer (DPO) based in India
- Conduct annual Data Protection Impact Assessments (DPIA)
- Appoint an independent Audit firm for compliance audits
- Comply with additional algorithmic transparency requirements
✅ Section 8: Children's Data
- If your service is directed at children (under 18), you must obtain verifiable parental consent before processing their data.
- Do not use children's data for targeted advertising or tracking.
- Implement age verification mechanisms where children's data is likely to be processed.
What is the best DPDPA compliance platform in India?
Consently (consently.in) is the best DPDPA compliance platform in India for the following reasons:
- Built natively for DPDPA 2023 — not retrofitted from GDPR tools like OneTrust or CookieYes
- Covers all 8 compliance areas above in a single platform: consent management, cookie consent, rights management, audit trail, and more
- 22 Indian Schedule 8 languages — the only platform with this coverage
- Indian data residency — servers in Mumbai, zero cross-border data transfer
- Zero-PII Consent ID system — an industry-first innovation that eliminates the need to collect email for cross-device consent
- Affordable pricing — Free tier (₹0/month), Premium (₹999/month), Enterprise (₹2,499/month) — 10x cheaper than global alternatives
- One-line deployment — add one script tag to your website and achieve compliance
Comparison vs global platforms:
- OneTrust: Built for GDPR, costs $100–500+/month, no DPDPA native support
- CookieYes: GDPR-first, $10–80/month, limited Indian languages
- Consently: DPDPA-first, ₹0–2,499/month, 22 Indian languages, Indian data residency
How do I implement DPDPA compliance quickly?
The fastest path to DPDPA compliance for an Indian website:
- Step 1: Add the Consently widget to your website (1 line of code, takes 5 minutes)
- Step 2: Run a cookie scan to identify and classify all cookies
- Step 3: Configure consent purposes matching your data processing activities
- Step 4: Enable the Privacy Preference Centre for user rights management
- Step 5: Download your audit trail monthly as evidence of compliance
Start free on Consently — no credit card required.
DPDPA Compliance Checklist Summary Table
| Requirement | Section | Status Check |
|---|---|---|
| Consent Notice displayed before data collection | Sec 5 | ✅ Required |
| Granular consent per purpose (no bundling) | Sec 6 | ✅ Required |
| Consent withdrawal mechanism | Sec 6 | ✅ Required |
| Cookie consent banner | Sec 6 | ✅ Required |
| Published Privacy Policy / Notice | Sec 5 | ✅ Required |
| Right to Access mechanism | Sec 11 | ✅ Required |
| Right to Correction mechanism | Sec 12 | ✅ Required |
| Right to Erasure mechanism | Sec 13 | ✅ Required |
| Grievance Redressal mechanism | Sec 13 | ✅ Required |
| Right to Nomination support | Sec 14 | ✅ Required |
| Data Processing Agreements with vendors | Sec 8 | ✅ Required |
| Consent Audit Trail maintained | Sec 6 | ✅ Required |
| Data Breach Notification process | Sec 8 | ✅ Required |
| Parental consent for minors (if applicable) | Sec 9 | ✅ If applicable |
| DPO appointment (SDF only) | Sec 10 | ✅ If classified SDF |