DPDP Act Privacy Notice Requirements: What to Include
Everything your privacy notice must contain under the DPDP Act 2023 — required elements, language obligations, format requirements, and how to audit your existing policy.
- Section 5 requires a privacy notice before or at the time of seeking consent — separate from the full privacy policy.
- The notice must include: data categories, processing purposes, rights of the Data Principal, and how to withdraw consent.
- Notices must be in clear, plain language — not legal boilerplate.
- Language accessibility is required: notices must be available in the Data Principal's preferred language.
- Privacy notices must be updated when processing purposes change, and Data Principals must be re-notified.
Notice vs. Privacy Policy: The Distinction
Many companies conflate their "privacy policy" with the consent notice required by Section 5. They are different things. A privacy policy is a comprehensive document describing all your data practices. A Section 5 notice is a targeted, contextual communication given to a Data Principal at or before the time consent is sought for a specific processing purpose.
Your privacy policy may contain all the elements required in the notice — and should, for completeness. But the notice that accompanies a consent request must be immediately intelligible to the person reading it. A link to a 6,000-word privacy policy at the bottom of a signup form does not constitute providing the required notice.
Think of the notice as the "label" and the privacy policy as the "full ingredients list." The label must contain enough information for an informed decision. The full list is available for those who want detail. Both must exist and both must be accurate.
Required Elements Under Section 5
Section 5(1) specifies the required contents of the notice: (a) the personal data to be collected or processed; (b) the purpose for which the personal data is being processed; (c) the manner in which the Data Principal may exercise the rights conferred under the Act; and (d) the manner in which the Data Principal may make a complaint to the Board.
For each distinct processing purpose, the notice must be purpose-specific. A consent notice for marketing email must specifically state that it covers marketing communications, not bundle this into a generic data use description. For each data category collected, the notice must be transparent about what is being collected — including non-obvious data like device metadata or location.
The notice must also include, in practice, information about: how to contact the Data Fiduciary's grievance officer or DPO (if applicable); how to withdraw consent; and, for cross-border transfers, the countries or regions to which data will be transferred. Some of these elements are implied by the rights framework even if not explicitly enumerated in Section 5.
Language Accessibility Requirement
Section 5(2) requires the notice to be provided in English or any language specified in the Eighth Schedule to the Constitution. India's Eighth Schedule lists 22 official languages including Hindi, Tamil, Telugu, Bengali, Marathi, Gujarati, Kannada, Malayalam, Punjabi, Odia, and others. This is a significant operational requirement for consumer companies with pan-India user bases.
The practical interpretation: you must provide the notice in a language the Data Principal can understand. For a predominantly Hindi-speaking user base, a notice only in English may not satisfy the requirement. For multilingual consumer apps, consider detecting user language preference and displaying the notice accordingly.
Building and maintaining notice translations for 22 languages is expensive. Companies with limited resources should prioritise the languages most relevant to their user base. Work with qualified legal translators rather than machine translation for privacy notices — an inaccurate translation could be worse than no translation.
Format and Presentation Guidelines
The Act requires notices in "clear and plain language" — this is a qualitative standard, not a technical specification. "Clear and plain" means: no undefined legal terms, no double negatives, short sentences, active voice, and structured so the most important information appears first.
Best practice for notice format: use headers for each data category or processing purpose; use bullet points rather than dense paragraphs; highlight key information (purposes, rights, contact details) rather than burying it; and use a font size that is readable on mobile devices (where most Indian users will see the notice).
The notice should be modal or inline at the consent collection point — not a separate page that requires navigation. On mobile apps, a bottom sheet or inline card is appropriate. On websites, a contextual notice adjacent to the consent checkbox is appropriate. The user should be able to read the notice without leaving the screen where they are making the consent decision.
Updating Notices When Purposes Change
When you add a new processing purpose — a new analytics tool, a new marketing channel, sharing with a new category of partners — you must update your privacy notice and re-seek consent from existing Data Principals for the new purpose. You cannot add new processing activities and cover them by updating the privacy policy without active re-notification and re-consent.
Design your product and processes so that privacy notice updates trigger a re-consent flow for affected users. This means: a change management process for processing activities that identifies when a change triggers a re-notice requirement; a technical mechanism to show updated notices to users who have not seen them; and a process to handle users who decline the new consent (they may lose access to features dependent on the new processing).
Maintain version control of your privacy notice with effective dates. The Board may ask which version of your notice was in effect at a particular point in time — for example, to assess whether a Data Principal was properly notified before a particular processing activity began.
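To illustrate the versioned-notice and re-consent process described in this section, here is an added Python example (not code from the Act, AuditPath, or any CMP): a small ledger of notice versions and purpose-specific consents that answers which version was in effect on a date, which purposes need a re-consent flow after a notice update, and whether a given processing purpose is currently permitted. All version ids, purpose ids, user ids and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

# Constructed example, not from the page: versioned Section 5 notices plus
# purpose-specific consent records. All names and dates here are assumptions.
@dataclass(frozen=True)
class NoticeVersion:
    version: str
    effective_from: datetime
    purposes: FrozenSet[str]       # purposes this notice version disclosed

@dataclass
class Consent:
    principal: str
    notice_version: str            # notice shown when consent was given
    purposes: FrozenSet[str]
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None
    def active_at(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)

def notice_in_effect(versions, at):
    """Notice version in force at `at` (what the Board may ask for a past date)."""
    live = [v for v in versions if v.effective_from <= at]
    return max(live, key=lambda v: v.effective_from) if live else None

def reconsent_required(versions, consents, principal, at):
    """Purposes in the current notice lacking an active consent: trigger re-consent."""
    current = notice_in_effect(versions, at)
    held = {p for c in consents if c.principal == principal and c.active_at(at) for p in c.purposes}
    return set(current.purposes) - held if current else set()

def may_process(versions, consents, principal, purpose, at):
    """Permit only under an active consent given against a notice that was already in
    effect and listed this purpose, so notice precedes consent and purposes stay specific."""
    by_version = {v.version: v for v in versions}
    for c in consents:
        if c.principal == principal and purpose in c.purposes and c.active_at(at):
            n = by_version.get(c.notice_version)
            if n and purpose in n.purposes and n.effective_from <= c.granted_at:
                return True
    return False

# Constructed sample: v2 adds "analytics"; user-42 consented only under v1 and withdrew marketing.
NOTICES = [NoticeVersion("v1", datetime(2024, 1, 1), frozenset({"account", "marketing"})),
           NoticeVersion("v2", datetime(2024, 6, 1), frozenset({"account", "marketing", "analytics"}))]
CONSENTS = [Consent("user-42", "v1", frozenset({"account"}), datetime(2024, 2, 1)),
            Consent("user-42", "v1", frozenset({"marketing"}), datetime(2024, 2, 1),
                    withdrawn_at=datetime(2024, 3, 1))]
```

A consent recorded against a notice version that was not yet effective, or against a version that never listed the purpose, is rejected by `may_process`, which is the check that catches "collect first, notify later".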
Notice at the Point of Collection
Section 5(1) requires the notice to be provided before or at the time of seeking consent. This means the notice must precede or accompany the consent request — you cannot collect data first and inform the user afterwards. Retroactive notice does not satisfy the Section 5 requirement.
For cookie consent on websites, the notice and consent request must appear before any non-essential cookies are set — not after the user has browsed several pages and cookies have already been set. This is technically demanding: it requires a cookie consent management platform (CMP) configured to block all non-essential cookies until consent is given.
For in-app data collection (location, contacts, camera), the notice must appear before the permission request. Android and iOS already require app permission dialogs, but these system dialogs do not satisfy DPDP Act notice requirements on their own — you need an in-app notice that explains the purpose before triggering the OS permission dialog.
Auditing Your Existing Privacy Policy
Conduct a gap audit of your existing privacy policy and consent mechanisms against Section 5 requirements. Check: does the policy clearly identify each data category collected? Does it state the specific purpose for each collection? Does it describe each right the Data Principal has and how to exercise it? Does it provide a clear way to complain to the Board? Does it describe how to withdraw consent?
Check language accessibility: is the policy available in the relevant languages for your user base? Check format: is the policy in plain language, or is it dense with legal boilerplate? Check notice integration: is the notice actually shown to users at the point of consent, or is it just a page on your website that users can navigate to?
AuditPath provides a privacy notice checklist as part of its DPDP compliance framework. Run your existing policy through this checklist, note the gaps, and prioritise fixes based on enforcement risk — language accessibility and specific purpose statements are higher priority than formatting concerns.
Frequently Asked Questions
Can our privacy policy also serve as the Section 5 notice?
We are a B2B company and our users are businesses, not individuals. Do we still need a privacy notice?
How detailed does the notice need to be for each data category?
Does the notice need to mention the Data Protection Board?
Our product supports 8 Indian languages. Must our privacy notice be in all 8?