
DPDP-Compliant Privacy Notice: What It Must Include (With Template)

Your current privacy policy was probably written for GDPR or as a generic legal cover. Under the DPDP Act you need something sharper: specific, plain, and purpose-tied. This guide covers the eight mandatory sections, a structured template, and the drafting mistakes that turn a notice into a liability.

Chandrika Mulage, Security Engineer
May 6, 2026 · 7 min read

Section 5 of the DPDP Act demands a notice in plain language, at the moment of consent, not a 12-page document linked in your footer.

8 mandatory sections · Section 5 of the DPDP Act · 22 Eighth Schedule languages · 1 consent per distinct purpose

The DPDP Act does not just require a privacy notice: it requires the right kind of notice, presented in the right way, at the right moment. A privacy policy buried in your website footer, written in legalese, no longer meets the bar. This guide breaks down what Section 5 actually demands, the eight elements every DPDP-compliant notice must contain, and a structured template you can adapt to your organisation.

For where this fits in the wider compliance programme, see Step 4 of our 90-day DPDP roadmap. For the consent mechanism that the notice accompanies, see our consent implementation guide.

1. What Section 5 Requires

Section 5 of the DPDP Act mandates that before processing personal data, the Data Fiduciary must provide a clear and plain notice to the data principal. The notice must be in English or any language from the Eighth Schedule of the Constitution, as requested by the data principal. Plain language is not a stylistic preference here; it is a statutory requirement. A notice that requires legal training to parse is not Section 5 compliant, even if every required element is technically present.

The "plain language" test

If a typical Indian internet user cannot read your notice and understand what data you collect, why, and how to exercise their rights, in five minutes or less, the notice is non-compliant regardless of how legally watertight it is. Test with non-lawyer readers before publishing.

2. The Eight Mandatory Sections

Identity of the Data Fiduciary

Clearly state your company name, registered address, and contact details. The data principal must know who is collecting their data: not just the brand name, but the legal entity behind it.

What Personal Data Is Being Collected

List the specific categories of personal data you collect: name, email address, phone number, device data, location, etc. Do not use vague terms like "certain personal information" or "data related to your use of our services." Be explicit.

Purpose of Processing

State clearly why you are collecting each type of data. The purpose must be specific: "to send you account notifications" is acceptable; "for business purposes" is not. If you process data for multiple purposes (service delivery AND marketing AND analytics), list each separately and obtain separate consent for each.

How Data Will Be Used and Shared

Explain who you share data with: third-party vendors, analytics platforms, business partners. Name the categories of recipients. If you transfer data outside India, say so and explain the basis for the transfer (see our cross-border transfer guide).

Retention Period

Tell users how long you will keep their data. Tie this to purpose -data should not be kept longer than needed to fulfil the stated purpose. "Until you close your account" is acceptable. "As long as necessary" is not.

Rights of the Data Principal

Clearly explain the rights available: right to access, right to correction, right to erasure, right to grievance redressal, right to nominate a nominee. Provide a clear pathway to exercise each right: an email address, a form, or a dedicated portal.

Grievance Officer Contact Details

Name and provide contact information for your designated Grievance Officer. The data principal must be able to reach them directly. An email address at minimum; a form or phone number is even better.

How Consent Can Be Withdrawn

Explain clearly how a user can withdraw consent and what happens when they do. Make it as simple as giving consent. State the practical mechanism: a Privacy Settings page link, an email address, or a per-purpose toggle.

3. The Full Template

The structured template below covers all eight sections. Replace the bracketed fields with your organisation's specifics.

--- Privacy Notice ---

[Company Name] ("we", "us", "our") is committed to protecting your personal data in accordance with the Digital Personal Data Protection Act 2023 (India).

What We Collect

We collect: [list specific data types, e.g., name, email address, phone number, device identifiers, IP address, location data, payment information].

Why We Collect It

We collect this data to: [list specific purposes, e.g., create and manage your account, send transactional notifications, process payments, deliver the services you have requested, analyse usage to improve our products, send marketing communications you have separately consented to].

Who We Share It With

We share your data with: [list third parties, e.g., cloud hosting providers (AWS, Azure), payment processors (Razorpay), analytics services (Google Analytics), email delivery (SendGrid)]. We do not sell your personal data. Some of these vendors are based outside India; in those cases we transfer data under appropriate contractual protections.

How Long We Keep It

We retain your data for [specific period, e.g., the duration of your account plus 3 years thereafter, except where law requires longer retention (such as tax records, kept for 8 years)].

Your Rights

You have the right to access, correct, or request erasure of your personal data, to lodge a grievance, and to nominate a nominee. To exercise any right, contact our Grievance Officer at [email or form URL].

Grievance Officer

Name: [Name] | Role: [Title] | Email: [email] | Response time: within 30 days of receipt.

Withdrawing Consent

You may withdraw consent at any time by [specific action, e.g., visiting your Privacy Settings page at /privacy-settings or emailing privacy@company.com]. Withdrawal will not affect processing already done with your consent.

--- End of Notice ---

4. Where and How to Present It

The Section 5 obligation is not just that the notice exists; it is that the data principal sees it at the moment they would consent. In practice this means two locations:

  • Persistent footer link. A "Privacy Notice" or "Privacy Policy" link in the footer of every page, pointing to the full notice. Discoverable, durable, accessible after the fact.
  • Contextual notice at point of collection. A summary inline at the moment of consent: on the sign-up form, on the cookie banner, on the booking page. The user does not need to leave the form to see what they are consenting to.

For mobile apps, the same pattern applies: the notice is surfaced at onboarding and accessible from the settings menu thereafter.

5. Drafting Mistakes to Avoid

  • Using generic "we may collect various information" language instead of naming the specific data categories
  • Combining multiple purposes into a single statement
  • Not updating the notice when your processing changes
  • Hiding the notice behind a link rather than presenting it inline at the point of consent
  • Not providing the notice in the language requested by the user
  • Omitting the Grievance Officer's actual name and contact (a generic "contact us" form is not sufficient)
  • Stating retention as "as long as necessary" without tying it to purpose

Need a notice that actually fits your processing?

SecComply drafts and reviews DPDP-compliant privacy notices, calibrated to your data flows and presented at the right places in your product. We also handle the consent flow and grievance officer setup that the notice references.


FAQ

Can our existing GDPR privacy notice double as a DPDP notice?

Not directly. GDPR notices are good starting points but typically miss DPDP-specific elements: the Grievance Officer contact, the right to nominate a nominee, language-of-service obligations under the Eighth Schedule, and Indian-specific data principal rights phrasing. Adapt the GDPR notice rather than copy it; ensure the DPDP-specific sections are added and the language is appropriate for Indian users.

Does the notice have to be in multiple languages?

The Act requires the notice to be available in English or any language listed in the Eighth Schedule of the Constitution, as requested by the data principal. In practice, most Indian websites provide the notice in English and Hindi as a baseline, with additional Eighth Schedule languages added on request or based on user demographics. You do not need to publish all 22 languages by default, but you must serve a requested language if asked.

How often should the privacy notice be updated?

Update whenever your processing materially changes: new data categories, new purposes, new vendors, new sub-processors, new transfers. Even without changes, review the notice at least annually to verify accuracy. Material updates require re-prompting existing users for consent under the new notice version; minor clarifications usually do not.
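Two of the rules above lend themselves to automation: the drafting mistakes from Section 5 (vague purposes, retention not tied to purpose, no explicit data categories) and the re-consent decision when a notice version changes. The example below is added here and is not code from the article or from SecComply; the purpose model, the sample notices and the flagged phrases are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example, not the article's code: a notice version is a dict of
# purpose-specific disclosures keyed by purpose name; consent is held per purpose.
@dataclass(frozen=True)
class Purpose:
    data: frozenset        # specific data categories, e.g. {"email"}
    recipients: frozenset  # categories of third parties that receive the data
    retention: str         # retention statement, tied to this purpose

VAGUE_PURPOSE = ("business purposes", "various")   # wording the article rejects
VAGUE_RETENTION = ("as long as necessary",)

def lint_notice(notice):
    """Drafting problems per purpose: vague purpose, untied retention, no data list."""
    problems = []
    for name, p in notice.items():
        if any(v in name.lower() for v in VAGUE_PURPOSE):
            problems.append(f"{name}: purpose is not specific")
        if any(v in p.retention.lower() for v in VAGUE_RETENTION):
            problems.append(f"{name}: retention not tied to purpose")
        if not p.data:
            problems.append(f"{name}: no data categories listed")
    return problems

def purposes_without_valid_consent(old, new, consented):
    """Purposes in `new` that must be prompted for consent: those the user never
    consented to under `old` (names in `consented`) and those whose data,
    recipients or retention changed. Unchanged purposes keep their consent."""
    return {name for name, p in new.items()
            if name not in consented or old.get(name) != p}

# Constructed sample notices: v2 adds a recipient to the account purpose and a
# new analytics purpose; the marketing purpose is unchanged.
ACCOUNT = Purpose(frozenset({"email"}), frozenset({"hosting"}), "until you close your account")
MARKETING = Purpose(frozenset({"email"}), frozenset({"email delivery"}), "until you withdraw consent")
V1 = {"send account notifications": ACCOUNT, "send marketing emails": MARKETING}
V2 = {
    "send account notifications": Purpose(ACCOUNT.data, ACCOUNT.recipients | {"support desk"},
                                          ACCOUNT.retention),
    "send marketing emails": MARKETING,
    "analyse usage": Purpose(frozenset({"device id"}), frozenset({"analytics"}), "as long as necessary"),
}

if __name__ == "__main__":
    print(lint_notice(V2))
    print(purposes_without_valid_consent(V1, V2, set(V1)))
```

Running it flags the analytics purpose's retention wording and reports that a user who consented to both v1 purposes must be re-prompted only for the changed account purpose and the new analytics purpose, while the unchanged marketing consent carries over.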

Where should the privacy notice be displayed?

In two places. First, a persistent link in the website or app footer that points to the full notice, accessible from every page. Second, an inline summary or contextual notice at the point of data collection, such as the sign-up form, the cookie banner, or the booking page, so the data principal sees the relevant section at the moment they would consent to processing. A buried footer link alone does not satisfy the Section 5 informed-consent requirement.

Does the notice need to list every cookie individually?

Not in the main privacy notice. A separate Cookie Policy that enumerates each cookie (with purpose, party, duration) is standard practice. The main privacy notice references the cookie policy by name and link. This separation keeps the privacy notice readable while satisfying the granular disclosure expectation for cookies and similar tracking technologies.