
Privacy Policy Under the DPDP Act: What Indian Businesses Must Include

16 June 2026 | 6 min read

Here is a fact that catches most Indian businesses off guard: the DPDP Act never uses the words "privacy policy." Not once. The law requires something it calls a notice, and the rules for that notice are specific enough that the generic privacy policy most companies copied off the internet, usually a GDPR template with "EU" swapped for "India", does not meet them.

That gap matters, because the burden of proving you gave a valid notice sits entirely on you. This guide explains whether the DPDP Act requires a privacy policy, how a privacy policy and a DPDP notice relate, exactly what the law says your notice must contain, and how to write one that holds up.

Does the DPDP Act Require a Privacy Policy?

The DPDP Act does not require a document called a "privacy policy." It requires a "notice" under Section 5, given before or at the time you ask someone for consent. A privacy policy and a DPDP notice are not the same thing: a privacy policy is the broad public document explaining your data practices, while the DPDP notice is a specific, consent-linked disclosure the law mandates by content and form.

In practice, most organisations satisfy the notice obligation inside their privacy policy, or link to it at the point of consent. That is fine. What is not fine is assuming a generic privacy policy automatically contains everything the DPDP notice must say. It usually does not.

Privacy Policy vs DPDP Notice

|                    | Privacy Policy                                              | DPDP Notice (Section 5)                          |
|--------------------|-------------------------------------------------------------|--------------------------------------------------|
| What it is         | A general public document describing your data practices    | A specific disclosure tied to a consent request  |
| Required by name?  | No (a business norm and customer expectation)               | Yes, the Act mandates it                         |
| When shown         | Always available, usually a footer link                     | Before or at the time consent is requested       |
| Governed by        | General expectation and good practice                       | Section 5 of the Act and Rule 3 of the Rules     |
| Must be itemised?  | Not strictly                                                | Yes, an itemised list of data and purposes       |

Key Takeaway

Think of it this way: the DPDP notice is the legally required core, and your privacy policy is the wrapper around it. You can keep one document, but it must contain the notice's mandatory elements, in the notice's required form, at the moment consent is sought.

What Your DPDP Notice Must Include

Section 5 and Rule 3 of the DPDP Rules 2025 set out what a compliant notice must contain. Strip away the legal language and it comes down to a short, non-negotiable list.

The three things every DPDP notice must state

  1. What and why: an itemised description of the personal data you collect and the specific purpose for each.
  2. How to exercise rights: how the individual can withdraw consent and exercise their rights (correction, erasure, grievance redressal).
  3. How to complain: how to file a complaint with the Data Protection Board of India.

Rule 3 then adds requirements about form, not just content:

  • The notice must be self-contained. A person should be able to understand it without reading any other document.
  • It must use clear, plain language, not dense legalese.
  • It must give itemised descriptions, not a vague catch-all like "we collect data to improve our services."
  • It must include working communication links so the individual can actually withdraw consent, exercise rights, and complain.

For the full mechanics of consent and notice, including how this interacts with consent withdrawal, see our consent and notice chapter.

The Language Rule Everyone Gets Wrong

This is the single most common error we see, and it is worth stating precisely.

The notice must be available in English or any one of the 22 languages listed in the Eighth Schedule to the Constitution (Hindi, Bengali, Tamil, Telugu, Marathi, and others). The law gives the Data Principal the option of a language. It does not require you to publish your notice in English and all 22 languages simultaneously. "Or" and "and" describe very different compliance burdens, so read this one carefully.

Beyond the Notice: What Your Privacy Policy Should Still Cover

The notice is the legally mandated core, but a privacy policy that only contains the notice is thin. Several other DPDP obligations are most naturally documented in your privacy policy, and customers and auditors will expect to see them:

  • DPO or contact details. Section 8(9) and Rule 9 require you to publish the contact details of your Data Protection Officer or an authorised person, prominently on your website or app.
  • Grievance redressal. You must describe an effective mechanism for individuals to raise concerns and get a response.
  • Retention and erasure. Explain that data is erased when consent is withdrawn or the purpose is fulfilled, whichever is earlier.
  • Data Principal rights. Set out the rights to access, correction, and erasure, and how to use them. Our Data Principal rights chapter covers these in full.
  • Breach contact. Who an individual can reach for more information, which connects to your breach notification process.

Common Privacy Policy Mistakes Under the DPDP Act

  • Reusing a GDPR policy unchanged. GDPR has six lawful bases for processing; the DPDP Act has essentially two (consent and certain legitimate uses). A GDPR policy describes a legal framework that does not apply here.
  • Burying the notice in legalese. Rule 3 explicitly demands plain language and self-containment. A wall of text fails on its own terms.
  • No itemised list. "We collect personal information" is not itemised. You must specify the categories and the purpose for each.
  • Forgetting the burden of proof. If a dispute arises, you must prove the notice was given and valid consent obtained. Keep records of what notice was shown, when, and to whom.

Key Takeaway

The DPDP notice is judged on substance and form: itemised data and purposes, plain self-contained language, working links to withdraw and complain, and a language the individual can choose. A privacy policy that ticks those boxes, and keeps evidence it was shown, is what compliance looks like.

How to Write a DPDP-Compliant Privacy Policy

  1. Map your data first. List every category of personal data you collect and the specific purpose for each. The itemised notice is impossible without this map.
  2. Write the notice core against the three-point list above, in plain language, self-contained.
  3. Add the supporting sections: DPO contact, grievance mechanism, retention, rights, breach contact.
  4. Wire the links so withdrawal, rights requests, and Board complaints actually work.
  5. Offer the language option (English or an Eighth Schedule language) at the point of consent.
  6. Keep the evidence: log which version of the notice was shown and when, so you can discharge the burden of proof.
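Steps 4 and 6 above, and the "no itemised list" and "burden of proof" mistakes earlier, are the ones an engineer has to build rather than write. The following is an added example (not code from the original article, and not a schema from the Act or the Rules): it checks a notice version against the three mandatory elements and Rule 3's form requirements, then appends a hash-chained consent record that captures exactly which notice text was shown, in which language, and when. The `Notice` and `ConsentRecord` field names, the `VAGUE_PURPOSES` phrases, the example.com URLs and the sample notices are all this example's own assumptions; the language set is English plus the 22 Eighth Schedule languages.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# English plus the 22 languages of the Eighth Schedule to the Constitution of India.
ALLOWED_LANGUAGES = frozenset({
    "English", "Assamese", "Bengali", "Bodo", "Dogri", "Gujarati", "Hindi",
    "Kannada", "Kashmiri", "Konkani", "Maithili", "Malayalam", "Manipuri",
    "Marathi", "Nepali", "Odia", "Punjabi", "Sanskrit", "Santali", "Sindhi",
    "Tamil", "Telugu", "Urdu",
})

# Catch-all purpose phrases that fail the "itemised" test (constructed list for this example).
VAGUE_PURPOSES = ("improve our services", "business purposes", "other purposes")


@dataclass(frozen=True)
class Notice:
    """One version of the Section 5 notice as shown to a Data Principal (field names assumed)."""
    version: str
    language: str
    items: tuple            # ((data category, specific purpose), ...)
    withdraw_consent_url: str
    exercise_rights_url: str
    board_complaint_url: str


def validate_notice(notice: Notice) -> list:
    """Return a list of problems; an empty list means the notice passes these checks."""
    problems = []
    if notice.language not in ALLOWED_LANGUAGES:
        problems.append(f"language {notice.language!r} is not English or an Eighth Schedule language")
    if not notice.items:
        problems.append("no itemised list of data and purposes")
    for category, purpose in notice.items:
        if not category.strip() or not purpose.strip():
            problems.append("empty data category or purpose")
        elif any(v in purpose.lower() for v in VAGUE_PURPOSES):
            problems.append(f"purpose for {category!r} is a catch-all: {purpose!r}")
    # The three communication links must be real, reachable links, not placeholders.
    for name in ("withdraw_consent_url", "exercise_rights_url", "board_complaint_url"):
        if not getattr(notice, name).startswith("https://"):
            problems.append(f"{name} is not a usable HTTPS link")
    return problems


def notice_fingerprint(notice: Notice) -> str:
    """SHA-256 over canonical JSON, so the exact notice text shown can be proved later."""
    canonical = json.dumps(asdict(notice), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    principal_id: str
    notice_version: str
    notice_fingerprint: str
    language: str
    shown_at: str           # ISO 8601, UTC
    prev_hash: str          # hash of the previous record: the chain makes edits detectable
    record_hash: str


def _hash_record(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode("utf-8")).hexdigest()


def record_consent(log: list, principal_id: str, notice: Notice, shown_at=None) -> ConsentRecord:
    """Append a consent event; refuses to log consent taken against a non-compliant notice."""
    problems = validate_notice(notice)
    if problems:
        raise ValueError("non-compliant notice: " + "; ".join(problems))
    fields = {
        "principal_id": principal_id,
        "notice_version": notice.version,
        "notice_fingerprint": notice_fingerprint(notice),
        "language": notice.language,
        "shown_at": (shown_at or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": log[-1].record_hash if log else "0" * 64,
    }
    rec = ConsentRecord(**fields, record_hash=_hash_record(fields))
    log.append(rec)
    return rec


def verify_log(log: list) -> bool:
    """Recompute every hash and chain link; False if any record was altered or removed."""
    prev = "0" * 64
    for rec in log:
        fields = {k: v for k, v in asdict(rec).items() if k != "record_hash"}
        if rec.prev_hash != prev or _hash_record(fields) != rec.record_hash:
            return False
        prev = rec.record_hash
    return True


# Constructed sample: an itemised notice for a hypothetical delivery app (URLs are placeholders).
SAMPLE_NOTICE = Notice(
    version="2026-06-v3", language="Hindi",
    items=(("Mobile number", "To send an OTP and confirm your order"),
           ("Delivery address", "To deliver the order you placed")),
    withdraw_consent_url="https://example.com/consent/withdraw",
    exercise_rights_url="https://example.com/rights",
    board_complaint_url="https://example.com/board-complaint-placeholder",
)

# Constructed sample: a copied GDPR template with a catch-all purpose, an unsupported language and a dead link.
TEMPLATE_NOTICE = Notice(
    version="gdpr-template", language="German",
    items=(("Personal information", "To improve our services"),),
    withdraw_consent_url="https://example.com/consent/withdraw",
    exercise_rights_url="https://example.com/rights",
    board_complaint_url="mailto:TODO",
)
```

Run `validate_notice(TEMPLATE_NOTICE)` to see the three failures a generic template typically produces; `record_consent` refuses to write a record for it, which keeps the evidence log from certifying consent that was never validly obtained. Storing the fingerprint rather than a free-text description means a later dispute can be answered by re-hashing the archived notice version and comparing.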

Not sure where your organisation stands?

Take the free 3-minute DPDP Readiness Assessment and get a personalised compliance score.

Check Your Readiness

The Bottom Line

The DPDP Act does not ask for a "privacy policy" by name, but it absolutely requires the substance of one, delivered as a Section 5 notice with specific, itemised, plain-language content and working links. A generic template will not get you there.

Treat your privacy policy as the wrapper and the DPDP notice as the legally mandated core inside it. Map your data, write the notice precisely, support it with the DPO, grievance, retention, and rights sections, and keep proof that you showed it. That is the difference between having a privacy policy and meeting the law.

Frequently Asked Questions

Does the DPDP Act require a privacy policy?

Not by that name. The DPDP Act requires a notice under Section 5, given before or at the time you request consent. Most businesses satisfy this within their privacy policy, but the policy must contain the notice's mandatory elements in the required plain-language, itemised form.

What is the difference between a privacy policy and a privacy notice under DPDP?

A privacy policy is a general public document describing your data practices. A DPDP notice is the specific, legally required disclosure tied to a consent request, governed by Section 5 and Rule 3. The notice can live inside the privacy policy, but it has mandatory content the policy must include.

What must a privacy notice include under the DPDP Act?

Three things: an itemised description of the personal data collected and the purpose for each; how the individual can withdraw consent and exercise their rights; and how to complain to the Data Protection Board. Rule 3 also requires it to be self-contained, in clear plain language, with working communication links.

Does my privacy policy need to be in all 22 Indian languages?

No. The notice must be available in English or any one of the 22 Eighth Schedule languages, giving the individual a choice. The Act does not require you to publish it in English and all 22 languages at once. Provide the language option at the point of consent.

Can I reuse my GDPR privacy policy for DPDP compliance?

Not without significant changes. GDPR has six lawful bases for processing; the DPDP Act relies essentially on consent and a closed list of legitimate uses. A GDPR policy describes a framework that does not apply in India and will miss the DPDP notice's specific requirements.

Is a privacy policy mandatory for small businesses in India?

The DPDP notice obligation has no turnover or headcount threshold, so even small businesses that collect personal data must provide a compliant notice. Because customers and auditors also expect a privacy policy, the practical answer for almost every business that handles personal data is yes.

For the full section-by-section breakdown of consent and notice, see our DPDP Act 2023 complete guide.

Legal Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change; for advice specific to your organisation's situation, consult a qualified legal professional. While every effort has been made to ensure accuracy, Vratex makes no representations as to the completeness or currency of the information contained herein.
