The majority of Indian businesses have a privacy policy on their website. The majority of those policies are not compliant with the Digital Personal Data Protection Act 2023. Most were written for GDPR alignment, or copied from a generic template, and contain requirements that are either absent, insufficient or structurally wrong for the DPDP framework. Run through this checklist against your current policy.
The 10 DPDP compliance requirements your privacy policy must meet
1. Identity of Data Fiduciary: Your privacy policy must clearly identify who is the Data Fiduciary — the legal name of your business entity, not just a brand name. 2. Purposes of processing: Every purpose for which you collect and process personal data must be stated — specifically, in plain language, and separately for each category of data. A generic 'to improve our services' is insufficient. 3. Categories of data collected: The policy must list all categories of personal data you collect — name, email, phone, device identifiers, financial data, location, behavioural data, etc. 4. Legal basis: For each processing purpose, the legal basis must be stated. Under DPDP, the primary basis is consent — obtained freely, specifically and unambiguously.
Requirements 5-10
5. Data retention periods: You must specify how long each category of data is retained. 'We retain data as long as necessary' does not satisfy this requirement. 6. Third-party sharing: All categories of third parties with whom you share personal data must be disclosed — analytics providers, cloud hosts, payment gateways, marketing platforms. 7. Data Principal rights: The policy must explain each right available to the data subject — access, correction, erasure, withdrawal of consent, and the right to nominate. 8. Grievance Officer: A named Grievance Officer with contact details must be designated and published. A generic support email address is insufficient. 9. Data breach notification: Your policy should describe your breach notification obligations under the Act. 10. Policy updates: The mechanism by which you notify users of policy changes must be described.
The most common gaps in existing policies
The most frequent DPDP gap Vilot finds in existing privacy policies is the absence of a Grievance Officer designation — most policies reference a generic email. The second most common gap is insufficient purpose specification — policies that describe data use in broad terms without distinguishing between different purposes. The third is missing data retention schedules. These three gaps alone are enough to create compliance exposure under the DPDP Act's penalty framework.
What a DPDP-compliant privacy policy cannot do alone
Even a perfectly written DPDP-compliant privacy policy is not sufficient for full DPDP compliance. The policy is the disclosure document — it tells users what you do. Compliance also requires: functional consent mechanisms on all data collection touchpoints, operational processes for responding to data principal rights requests, internal data retention and deletion schedules, vendor data processing agreements, and security safeguards. Vilot's DPDP Compliance Package addresses all of these components, not just the policy document.