Website Privacy Policy Best Practices 2026: India DPDPA Complete Guide
India's DPDP Rules 2025 have changed what a privacy policy must say. This guide covers exactly what your website's privacy policy must include to comply with DPDPA 2023, what language to use, and the 10 most common mistakes Indian businesses make.
What Must a Website Privacy Policy Include Under India's DPDPA 2023?
India's Digital Personal Data Protection Act 2023 (DPDPA) and the DPDP Rules 2025 (notified on 13 November 2025) impose specific requirements on the notice you must give users before or when you ask for their consent (Section 5 of the Act). Your privacy policy is the broader document that carries most of that content and links to the notice. A non-compliant notice is a breach of the Act's provisions, which the Data Protection Board can penalise with up to ₹50 crore; the headline ₹250 crore (~$30 million USD) figure in the Act's Schedule applies to failures to maintain reasonable security safeguards.
This is the most complete, up-to-date guide to website privacy policy best practices for India in 2026.
DPDPA 2023 Privacy Policy Requirements: The 8 Mandatory Elements
Under Section 5 (notice) and Section 6 (consent) of DPDPA 2023, read with the DPDP Rules 2025, your privacy notice must include:
- Identity of the Data Fiduciary: Your company name, registered address, and contact details.
- Nature of Personal Data Collected: An itemised description of what you collect (name, email, device ID, location, etc.). Vague language like "certain information" does not comply.
- Purpose of Processing: The specific reason you are processing each category of data. One purpose per processing activity — bundled or blanket purposes are not DPDPA-compliant.
- How to Withdraw Consent: A clear, equally prominent method for users to revoke consent at any time — as easy as giving consent.
- Data Principal Rights: A description of the user's five rights under Chapter III of DPDPA 2023: the right to access information about their personal data (Section 11), the rights to correction and to erasure (Section 12), the right of grievance redressal (Section 13), and the right to nominate another person to exercise these rights on their behalf (Section 14).
- How to File a Grievance: Contact details for your Data Protection Officer (DPO) or grievance officer, with response timelines.
- Data Retention Period: How long you keep personal data, and the criteria for determining that period.
- Third-Party Sharing: Whether you share data with third parties, who they are (or the categories), and for what purpose.
The Language Requirement: A Critical Difference from GDPR
GDPR requires information to be given in "clear and plain language" (Article 12) but leaves the choice of language to the controller and its supervisory authority. DPDPA 2023 is explicit: Section 5(3) gives the user the option to read the notice in English or in any of the 22 languages listed in the Eighth Schedule to the Constitution. For a business with users across India's 1.4 billion population, that means offering the notice in the Eighth Schedule languages your users actually read, not only English.
Best practice for 2026: serve the notice in the user's likely language by default (from the browser's Accept-Language header or the user's location), always let the user switch language explicitly, and record which language version the user actually consented to, because detection is a guess and the audit trail must reflect what was shown.
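The language negotiation described above, as an added example for this guide rather than code from any consent management product. It parses the browser's Accept-Language header with its q-value weights, prefers an explicit user choice over detection, falls back to English, and returns the reason for the choice so it can be written into the consent record. The supported-language set and the header strings in the tests are constructed assumptions.

```python
"""Pick the language in which to show a privacy notice.

Priority: explicit user choice > browser Accept-Language > English default.
Added example; SUPPORTED is an assumed set of translations a site has prepared.
"""
from __future__ import annotations

# BCP 47 primary-language subtags for the notice translations we assume exist
# (a subset of the Eighth Schedule languages, plus English).
SUPPORTED = {"en", "hi", "bn", "te", "mr", "ta", "gu"}
DEFAULT = "en"


def parse_accept_language(header: str) -> list[tuple[str, float]]:
    """Return (language-tag, q) pairs sorted by descending q.

    Handles 'hi-IN;q=0.9', surrounding whitespace, a missing q (defaults to
    1.0) and malformed q values (treated as 0, so they are never chosen).
    """
    prefs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(v)))
                except ValueError:
                    q = 0.0
        prefs.append((tag.strip().lower(), q))
    # Stable sort keeps the header's own order for equal q values.
    return sorted(prefs, key=lambda t: -t[1])


def negotiate(header: str | None, user_choice: str | None = None) -> tuple[str, str]:
    """Return (language, reason); reason is meant for the consent record."""
    if user_choice and user_choice.lower() in SUPPORTED:
        return user_choice.lower(), "user-selected"
    for tag, q in parse_accept_language(header or ""):
        if q <= 0:
            continue
        if tag == "*":
            break  # wildcard: the browser has no real preference, use default
        primary = tag.split("-")[0]  # 'hi-in' -> 'hi'
        if primary in SUPPORTED:
            return primary, "accept-language"
    return DEFAULT, "default"
```

A user-selected language always wins, even when the browser says otherwise, and the reason string ("user-selected", "accept-language" or "default") should be stored with the consent event so you can later show which version of the notice the user saw.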
Languages Your Privacy Policy Should Support (By User Base)
| Language | Speakers (approx.) | Priority for Businesses |
|---|---|---|
| Hindi | 530+ million | Essential for pan-India businesses |
| Bengali | 100+ million | Essential for East India, Bangladesh |
| Telugu | 80+ million | Essential for Andhra, Telangana |
| Marathi | 80+ million | Essential for Maharashtra |
| Tamil | 70+ million | Essential for Tamil Nadu, South India |
| Gujarati | 60+ million | Essential for Gujarat, SMBs |
10 Website Privacy Policy Mistakes Indian Businesses Make in 2026
Mistake 1: Copy-Pasting a GDPR Privacy Policy
GDPR and DPDPA are structurally different. GDPR offers six legal bases for processing, including an open-ended "legitimate interests" balancing test. DPDPA 2023 allows processing only on the basis of consent (Section 6) or one of the closed list of "certain legitimate uses" in Section 7 (for example, data the user volunteered for a specified purpose, employment, or a medical emergency); there is no general legitimate-interests basis to fall back on. A GDPR policy will also miss DPDPA-specific requirements like the Right to Nominate and grievance redressal timelines.
Mistake 2: Using Pre-Ticked Consent Boxes
Section 6(1) of DPDPA 2023 requires consent to be free, specific, informed, unconditional and unambiguous, given "with a clear affirmative action". A pre-ticked box involves no action by the user and therefore does not satisfy it. The user must actively check the box or click "I Agree".
Mistake 3: Bundling Purposes
Saying "we use your data for marketing and analytics" in a single consent is not DPDPA-compliant. Each processing purpose requires separate, granular consent. A user must be able to consent to analytics while refusing marketing.
Mistake 4: No Consent Withdrawal Mechanism
Your privacy policy must include a clear, accessible way to withdraw consent, and Section 6(4) requires withdrawal to be as easy as giving consent was. A buried "unsubscribe" link is not sufficient. You need a Privacy Preference Centre where users can view and change their consent decisions per purpose at any time.
Mistake 5: Missing Data Retention Periods
DPDPA 2023 requires you to specify how long you retain personal data. "We keep data for as long as necessary" does not comply — you must provide specific periods or the criteria used to determine them.
Mistake 6: No Grievance Redressal Contact
Significant Data Fiduciaries must appoint a DPO. All businesses must provide a grievance mechanism. Your privacy policy must include a named contact, their designation, and expected response timelines.
Mistake 7: Not Disclosing Third-Party Transfers
If you use Google Analytics, Meta Pixel, payment gateways, or any SaaS tools that process user data, you must disclose these. Section 8(1) of DPDPA 2023 makes the data fiduciary responsible for compliance regardless of any processing done on its behalf by a data processor, and regardless of what the contract says. In practice, disclosure is not enough on its own: tags and pixels tied to a purpose should not load or fire until that purpose has been consented to.
Mistake 8: Only Having an English Version
India's linguistic diversity means a significant portion of your users cannot read English. An English-only privacy policy fails the "language the user understands" requirement and may be challenged.
Mistake 9: No Consent Audit Trail
If the Data Protection Board investigates a complaint, you must be able to prove when consent was given, what the user consented to, which version of the notice they saw, and in what language. Without a consent management system that writes these events to a tamper-evident log (append-only and hash-chained, so that an altered or deleted record is detectable), you cannot prove compliance.
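The audit trail this section calls for, and the affirmative, purpose-granular consent and withdrawal from Mistakes 2 to 4, in one added example. This is illustrative code written for this guide, not the implementation of any consent management platform. Each consent or withdrawal event is appended to a SHA-256 hash chain that commits to the previous record, so editing or deleting an earlier event breaks verification; withdrawal is recorded as a new event rather than an edit. The principal ID, purpose names, notice version and timestamps in the demo are constructed.

```python
"""Hash-chained consent ledger. Added example; field names are assumptions."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def _append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {**event, "seq": len(self.records), "prev_hash": prev}
        body["hash"] = _digest(body)  # hash covers seq and prev_hash too
        self.records.append(body)
        return body

    def record_consent(self, principal_id: str, purposes: dict[str, bool],
                       notice_version: str, language: str,
                       affirmative_action: bool, at: datetime | None = None) -> dict:
        """One granular decision per purpose, only from an affirmative act.

        Rejects consent not produced by a user action (e.g. a pre-ticked box)
        and empty purpose lists; stores the notice version and language shown.
        """
        if not affirmative_action:
            raise ValueError("consent must come from a clear affirmative action")
        if not purposes:
            raise ValueError("at least one itemised purpose is required")
        ts = (at or datetime.now(timezone.utc)).isoformat()
        return self._append({"type": "consent", "principal_id": principal_id,
                             "purposes": {p: bool(v) for p, v in purposes.items()},
                             "notice_version": notice_version, "language": language,
                             "timestamp": ts})

    def record_withdrawal(self, principal_id: str, purposes: list[str],
                          at: datetime | None = None) -> dict:
        """Withdrawal is a new chained event, never an edit of the old one."""
        ts = (at or datetime.now(timezone.utc)).isoformat()
        return self._append({"type": "withdrawal", "principal_id": principal_id,
                             "purposes": {p: False for p in purposes}, "timestamp": ts})

    def current_consent(self, principal_id: str) -> dict[str, bool]:
        """Replay the chain to get the effective consent per purpose."""
        state: dict[str, bool] = {}
        for r in self.records:
            if r["principal_id"] == principal_id:
                state.update(r["purposes"])
        return state

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (ok, index of the first bad record or None)."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            body = {k: v for k, v in r.items() if k != "hash"}
            if r.get("prev_hash") != prev or r.get("seq") != i or _digest(body) != r["hash"]:
                return False, i
            prev = r["hash"]
        return True, None


def demo() -> dict:
    """Constructed scenario: consent, later opt-in, withdrawal, then tampering."""
    led = ConsentLedger()
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    led.record_consent("dp-1001", {"analytics": True, "marketing": False},
                       notice_version="v3", language="hi", affirmative_action=True, at=t0)
    led.record_consent("dp-1001", {"marketing": True},
                       notice_version="v3", language="hi", affirmative_action=True, at=t0)
    led.record_withdrawal("dp-1001", ["marketing"], at=t0)
    state = led.current_consent("dp-1001")
    ok_before = led.verify()
    # Tamper: rewrite the withdrawal as if marketing consent were still live.
    led.records[2]["purposes"]["marketing"] = True
    ok_after = led.verify()
    return {"state": state, "ok_before": ok_before, "ok_after": ok_after}
```

The chain proves integrity of what you stored, not that nothing was dropped from the end; in production, periodically anchor the latest hash somewhere you cannot rewrite (a write-once store, a signed daily digest, or a third-party timestamp) so truncation is detectable as well.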
Mistake 10: Treating the Privacy Policy as a Legal Formality
Under DPDPA 2023, the privacy notice is a living document. Consent under Section 6 is limited to the specified purpose, so when processing activities change, new third parties are added, or purposes change, you must update the notice and, for any new purpose, obtain fresh consent rather than rely on the old one. Users must be notified of material changes.
Privacy Policy vs. Cookie Policy vs. Consent Notice: The DPDPA Definitions
| Document | What It Covers | DPDPA Requirement |
|---|---|---|
| Privacy Policy | All personal data processing — how you collect, use, store, share, and delete data | Mandatory — must be accessible before consent is obtained |
| Cookie Policy | Specifically cookies and tracking technologies on your website | DPDPA has no cookie-specific rule, but cookies and trackers that identify a user are personal data; non-essential ones therefore need consent, and the policy should list each cookie category, name, and purpose |
| Consent Notice | The specific notice shown to users asking for consent to a specific processing activity | Mandatory under Section 5 DPDPA — must be clear, itemised, and in accessible language |
| Data Processing Agreement | Agreement with third-party processors (vendors, SaaS tools) | Required for all data processors handling personal data on your behalf |
DPDPA 2023 Privacy Policy Compliance Checklist
Use this checklist to audit your existing privacy policy:
- ✅ Full legal name and address of your company
- ✅ Specific categories of personal data collected (not vague)
- ✅ Purpose of each data processing activity (separate per purpose)
- ✅ Legal basis for each processing purpose
- ✅ How users can withdraw consent (with a direct link to your Privacy Preference Centre)
- ✅ All five DPDPA rights explained clearly (Access, Correction, Erasure, Grievance Redressal, Nominate)
- ✅ DPO or grievance officer contact details
- ✅ Grievance response timelines
- ✅ Data retention periods for each data category
- ✅ Third-party processors listed or categorised
- ✅ International transfer disclosures (if applicable)
- ✅ Available in all languages your users read
- ✅ Last-updated date clearly displayed
- ✅ Consent audit trail in place (via a consent management platform)
How to Implement DPDPA-Compliant Privacy Notices Automatically
Manually maintaining DPDPA-compliant privacy notices across all your processing activities is time-consuming and error-prone. A consent management platform (CMP) like Consently automates the entire process:
- Auto-generates consent notices from your data processing activity definitions
- Delivers notices in all 22 Indian Eighth Schedule languages (powered by Bhashini)
- Captures consent with a timestamped, tamper-evident audit trail
- Provides a Privacy Preference Centre for consent withdrawal
- Manages all five DPDPA rights requests in one dashboard
- Costs ₹0/month to start — no credit card required
Implementation time: Under 5 minutes with a single script tag.
Frequently Asked Questions: Privacy Policy Best Practices India 2026
Q: Is a privacy policy legally required in India?
Yes. Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), any body corporate collecting personal data of Indian users must publish a privacy policy, and DPDPA 2023 goes further by requiring purpose-specific notices before consent is sought. Note that DPDPA (Section 44) omits Section 43A of the IT Act, under which the SPDI Rules were made, so once the relevant DPDPA provisions commence the DPDPA notice and consent regime is the one that governs.
Q: What is the difference between DPDPA consent notice and a privacy policy?
A privacy policy is a comprehensive document describing all your data practices. A DPDPA consent notice is a specific, itemised notice shown to users before collecting their data for a specific purpose — it must be clear, simple, and in the user's language. Your website needs both.
Q: Can I use a free privacy policy template for DPDPA compliance?
Generic templates are a starting point, but they are rarely DPDPA-compliant because they are built for GDPR or CCPA. DPDPA has unique requirements (Right to Nominate, Consent Manager framework, Indian language requirements, specific grievance timelines) not covered by standard templates. Always have a qualified Indian data protection lawyer review your privacy policy.
Q: How often should I update my privacy policy?
Any time you: (1) add a new data processing purpose, (2) share data with a new third party, (3) change your data retention policies, or (4) when the DPDP Rules are amended. The DPDP Rules 2025 commence in phases: as of March 2026 the main obligations on data fiduciaries (notice, consent, rights handling, breach notification) are in the transitional window, with enforcement from May 2027, 18 months after notification. Update your policy now to avoid a compliance rush.
Q: What are the penalties for a non-compliant privacy policy in India?
Under the Schedule to DPDPA 2023, the Data Protection Board can impose penalties of up to ₹250 crore (~$30 million USD) for failing to take reasonable security safeguards to prevent a personal data breach, up to ₹200 crore for failing to notify a breach or for breaching the obligations relating to children, up to ₹150 crore for a Significant Data Fiduciary's additional obligations, and up to ₹50 crore (~$6 million USD) for any other breach of the Act or Rules, which is the bracket a defective privacy notice falls into. In addition, reputational damage and loss of user trust are significant non-financial consequences.