November 3, 2023

India 2023 Digital Personal Data Protection Act (DPDPA) Privacy Policy

Explore the nuances of India's Digital Personal Data Protection Act (DPDPA) 2023, its impact on website operators, and the imperative elements required for a compliant privacy policy. Learn how to adhere to DPDPA standards, avoid penalties, and ensure valid consent under this new law.

India, a global giant in both population and economic scale, has introduced fresh personal data protection legislation requiring website operators to publish a privacy policy on their websites. Moreover, the India DPDPA-compliant privacy policy must contain several essential elements in order to meet the legal standards.

The new law, the India Digital Personal Data Protection Act (DPDPA) 2023, is the country's first comprehensive data protection law. It received Presidential assent and was published in the Official Gazette on August 11, 2023, but its provisions only take effect on dates the Central Government notifies; at the time of writing, the expectation was that this would happen in mid-2024.

Before then, you need to know the privacy policy requirements in order to comply with the law. That's why in this article we will present you with:

  • What a DPDPA-compliant privacy policy is
  • What the DPDPA privacy policy elements are
  • Whether the India DPDPA applies to your business and obliges you to meet its standards
  • How to get a DPDPA-compliant privacy policy for your website and comply with the law

What is a DPDPA-compliant privacy policy?

The privacy policy is the document with which you inform users how you handle their personal information. The DPDPA states that the data fiduciary, i.e., the website or app operator, must give the data principal, i.e., the website or app user, a notice with, or before, every request for consent, and that the notice must include the following:

  • The personal data to be processed;
  • The purpose of processing;
  • How to exercise the data principal rights; and
  • How to make a complaint to the Data Protection Board of India.

The consent must be informed, which means that the user must know what she is consenting to. That's why data fiduciaries must provide a notice to the data principal together with the consent request. That way, the data principal can read the notice, learn what she is giving consent to, and make an informed decision on whether to consent or not.

That leads us to the next important point: the notice must be up-to-date and contain the elements prescribed by the law. Otherwise, the consent won't be valid, and any processing that relies on that consent becomes unlawful.

What should you write in your India DPDPA privacy policy?

The minimum you must include in your privacy notice is:

  • The personal data to be processed. Here you need to list the categories of personal data that you collect and process, such as email addresses, browsing behavior, purchase behavior, IP addresses, device information, and so on.
  • The purpose of processing. Here, you need to tell users why you process personal data. Common purposes are marketing, website analytics, providing website or app functionalities, and others. Remember that consent under the DPDPA is tied to a specified purpose, so the purposes listed here are the ones the consent covers.
  • How to exercise the data principal rights. Data principals have rights under the DPDPA, and you must honor them. These rights extend beyond withdrawing consent: they include the right to access information about the processing, the right to correction and erasure, the right to grievance redressal, and the right to nominate another person to exercise these rights. You need to include them all in the privacy notice and explain how users can exercise them. In most cases, you'll have to provide an email address or a web form where they can submit data privacy requests.
  • How to make a complaint to the Data Protection Board of India. Finally, if data principals are not satisfied with how you handled their grievance, they can submit a complaint to the Data Protection Board of India, the body established under the Act to adjudicate on non-compliance. Your duty is to briefly explain to users how they could submit a complaint there.

You can include all this information in your cookie consent banner, but in most cases that would be too much text for a banner. In that case, keep the banner short and provide a link to the full privacy policy from the banner, so that the notice is still available at the moment the user is asked to consent.

Aside from the essential elements, you can add more transparency to the policy by including information on the transfer of personal data outside India, who your data processors are, and the business contact details of your Data Protection Officer (mandatory if you are a significant data fiduciary) or of the person who can answer questions about your processing on your behalf. That could also help you comply with other data protection laws outside of India.

What are the consequences of a non-compliant DPDPA privacy policy?

A non-compliant privacy policy, or one that is not up-to-date, leads to invalid user consent. Invalid consent means the processing of digital personal data that relies on it is unlawful, which is a violation of the DPDPA and can lead to penalties.

The Data Protection Board is authorized to impose monetary penalties, including the following:

  • Up to INR 10,000 for a data principal's failure to perform the duties stipulated under the Act.
  • Up to INR 50 crore for breach of any provision of the Act or the rules made under it for which no specific penalty is stipulated.
  • Up to INR 250 crore for failure to take reasonable security safeguards to prevent a personal data breach.

Invalid consent and a non-compliant privacy notice fall under the residual category, so the most likely penalty in those scenarios is up to INR 50 crore.

Does the India Digital Personal Data Protection Act 2023 apply to your website?

All these risks apply to your business only if the India Digital Personal Data Protection Act applies to it.

It applies if you process personal data that is either collected in digital form or collected in non-digital form and digitized afterward, and at least one of the following is true:

  • The processing takes place within India, or
  • The processing takes place outside India but is connected with offering goods or services to data principals within India.

Basically, if you are an Indian business, the law applies. If you are a foreign business targeting data principals in India, the law also applies.

How do I get a DPDPA privacy policy and comply with the India Data Privacy Law?

The DPDPA has no cookie-specific rules, but cookies and similar trackers that process personal data fall under its general consent requirements. To meet them, you'll need to ask for informed consent, and a compliant privacy policy is what makes the obtained consent valid.

A simple way to do this is by using a consent manager registered with the Data Protection Board of India, as the Act provides for. As soon as the registration process is open, Secure Privacy plans to register. Once that's done, businesses like yours can use Secure Privacy's services to make sure you're following the new law correctly.

We've already built a feature designed for DPDPA compliance, including a DPDPA-compliant privacy notice along with a cookie consent banner. So, the moment the new law goes into effect, our tool will be ready to help you not only meet the legal requirements but also build trust with your customers from day one.
