A mandatory disclosure informing Data Principals about data collection purposes, rights, and processing details.
A privacy notice under DPDPA is a mandatory disclosure that must be presented to Data Principals at or before the point of data collection. Rule 3 of Rules 2025 specifies it must contain: the personal data being collected, the purpose of processing, how to exercise rights, how to file complaints with the Data Protection Board, and the mechanism to withdraw consent. The notice must be available in English and all 22 scheduled Indian languages.
No processing is lawful without a compliant privacy notice. If your notice is missing required elements or not available in mandated languages, all consent collected under it may be void — exposing you to penalties on every record.
A Kolkata food delivery app must display a notice before collecting location data, clearly stating: "We collect your GPS location to deliver orders (purpose), you can withdraw consent anytime via Settings (withdrawal), and complain to DPB at [URL] (grievance)." Available in Bengali, Hindi, and English at minimum.
A privacy policy buried in website footer is NOT a DPDPA-compliant notice. The notice must be actively presented at the point of consent collection, not passively available.
DPDPA Shield automates Consent Management. See how →