Privacy Policy (India)
PRIVACY POLICY
Digital Personal Data Protection Act 2023 | Information Technology Act 2000 | IT (SPDI) Rules 2011
Effective Date: [Effective Date]
This Privacy Policy applies to [Website URL] operated by [Company Name], registered at [Company Address] (CIN/Registration: [Company CIN]) (the "Company", "we", "us", or "our").
1. PERSONAL DATA WE COLLECT
1.1 We collect the following categories of personal data: [Data Types Collected].
1.2 We collect personal data directly from you (when you register, place an order, or contact us), automatically (cookies, log files, device identifiers), and from third parties (payment processors, analytics providers).
1.3 We collect only such personal data as is necessary for the specified purposes (data minimisation principle under Section 8(3) of the DPDP Act 2023).
2. PURPOSES OF PROCESSING
2.1 We process your personal data for the following purposes: [Processing Purposes].
2.2 We process personal data either on the basis of your consent (which you provide by using our service) or on the basis of a legitimate use specified under Section 7 of the DPDP Act 2023.
2.3 You may withdraw your consent at any time by contacting us at [Rights Contact Email]. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
3. SHARING AND DISCLOSURE
3.1 We share your personal data with: [Third Party Sharing].
3.2 We do not sell your personal data to third parties.
3.3 We may disclose personal data to law enforcement agencies or government authorities where required by law, court order, or government direction.
3.4 International transfers: [International Transfers].
4. DATA RETENTION
4.1 We retain your personal data for the following period: [Data Retention Period]. After this period, we will erase or anonymise your personal data, subject to any legal obligation requiring longer retention.
5. YOUR RIGHTS UNDER THE DPDP ACT 2023
5.1 Under the Digital Personal Data Protection Act 2023, you have the following rights as a Data Principal:
(a) Right to Information (Section 11): obtain a summary of the personal data we hold about you and the purposes of processing;
(b) Right to Correction and Erasure (Section 12): request correction of inaccurate personal data or erasure of data that is no longer necessary;
(c) Right to Grievance Redressal (Section 13): raise a complaint with our Grievance Officer;
(d) Right to Nominate (Section 14): nominate another individual to exercise your rights in the event of your death or incapacity;
(e) Right to Complain to Data Protection Board: if your grievance is not resolved satisfactorily, you may file a complaint with the Data Protection Board of India.
5.2 To exercise your rights, please email [Rights Contact Email]. We will respond within the timelines prescribed under the DPDP Rules.
6. COOKIES
6.1 Our website/app uses cookies: [Cookies Used]. Cookies are small text files placed on your device to improve your experience. You can control cookies through your browser settings.
7. CHILDREN'S PRIVACY
7.1 Children's data: [Children Data Processed]. Under Section 9 of the DPDP Act 2023, processing of personal data of children (under 18 years) requires verifiable parental consent.
8. SECURITY
8.1 We implement reasonable security safeguards (including encryption, access controls, and security audits) to protect your personal data against unauthorised access, disclosure, or destruction, in accordance with Section 8(5) of the DPDP Act 2023 and the IS/ISO/IEC 27001 standard.
8.2 In the event of a personal data breach affecting your data, we will notify the Data Protection Board of India and you in accordance with Section 8(6) of the DPDP Act 2023.
9. GRIEVANCE OFFICER
9.1 For any privacy-related queries or complaints, please contact our Grievance Officer as required under the IT Intermediary Rules 2021:
Name: [Grievance Officer Name]
Designation: [Grievance Officer Designation]
Email: [Grievance Officer Email]
Phone: [Grievance Officer Phone]
We will acknowledge your complaint within 24 hours and endeavour to resolve it within 30 days.
10. GOVERNING LAW
10.1 This Privacy Policy is governed by the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, and the laws of India. Any disputes shall be subject to the jurisdiction of the courts at [Company Address].
Authorised Signatory (Data Fiduciary)
________________
Signature
What Is a Privacy Policy (India)?
A Privacy Policy (India) is a legally required public disclosure document under the Digital Personal Data Protection Act 2023 (DPDP Act 2023), the Information Technology Act 2000 (IT Act 2000), and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules 2011) that explains to users — called Data Principals under the DPDP Act 2023 — how a business collects, processes, stores, shares, and protects their personal data.
The DPDP Act 2023, which received Presidential assent on 11 August 2023 and represents India's first complete data protection statute, requires Data Fiduciaries (entities that determine the purpose and means of processing personal data) to provide a clear notice to Data Principals before or at the time of collecting personal data. Under Section 5 of the DPDP Act 2023, this notice must specify: the personal data to be collected; the purpose of processing; how the Data Principal may exercise their rights under Sections 11–14; and the manner in which a complaint may be made to the Data Protection Board of India established under Section 18.
The SPDI Rules 2011 under Section 43A of the IT Act 2000 continue to apply alongside the DPDP Act 2023 for matters not yet covered by the DPDP Rules (yet to be notified). Rule 4 of the SPDI Rules requires every body corporate that collects, receives, possesses, stores, deals with, or handles sensitive personal data or information to publish a privacy policy on its website providing for the following: type of personal or sensitive personal data collected; purpose of collection; disclosure practices; reasonable security practices adopted; and contact details for grievances. The SPDI Rules define sensitive personal data to include passwords, financial information, health data, biometric information, and sexual orientation.
For Significant Data Fiduciaries — a category to be designated by the Central Government under Section 10 of the DPDP Act 2023 based on the volume and sensitivity of personal data processed — additional obligations apply, including appointment of a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic audits. The Data Protection Board of India will have the power to impose financial penalties up to ₹250 crore per breach under the DPDP Act 2023.
The Consumer Protection Act 2019 and the Consumer Protection (E-Commerce) Rules 2020 impose additional disclosure obligations on e-commerce entities operating in India, including mandatory privacy policy publication and grievance officer appointment. The Reserve Bank of India's guidelines on digital payments and the Securities and Exchange Board of India's data localisation requirements for regulated entities add further compliance layers for financial businesses. Forms-legal.com provides this Privacy Policy template to assist Indian businesses in meeting their obligations under the DPDP Act 2023, IT Act 2000, and allied regulations.
When Do You Need a Privacy Policy (India)?
A Privacy Policy is needed for any Indian business that collects personal data from users, customers, employees, or other individuals — whether through a website, mobile app, offline forms, or any other means. It is mandatory under the DPDP Act 2023 and the SPDI Rules 2011 for all body corporates handling personal or sensitive personal data.
Specific triggers:
(1) Operating a website or app that collects user data (name, email, phone, location, payment details);
(2) Running an e-commerce platform;
(3) Providing cloud, SaaS, or IT services;
(4) Operating a healthcare, education, financial services, or HR platform processing sensitive personal data;
(5) Running any business that maintains customer records digitally; and
(6) Receiving data from EU/UK users (requiring GDPR compliance in addition to DPDP Act compliance).
Parties in India should prepare a Privacy Policy (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Privacy Policy (India)
A compliant India Privacy Policy under the Digital Personal Data Protection Act 2023 and IT (SPDI) Rules 2011 must include the following key elements.
Data Fiduciary identification: Full legal name, registered address, CIN (for companies registered under the Companies Act 2013), and contact email of the entity acting as Data Fiduciary. For Significant Data Fiduciaries designated under Section 10 of the DPDP Act 2023, the Data Protection Officer's name, designation, and contact details must be separately disclosed.
Grievance Officer details: Under Rule 5(9) of the SPDI Rules 2011 and the Consumer Protection (E-Commerce) Rules 2020, the name, designation, postal address, email address, and working hours of the Grievance Officer must be published in the privacy policy. The Grievance Officer must respond to complaints within one month of receipt.
Personal data collected: A specific list of personal data categories collected — name, email address, phone number, postal address, date of birth, PAN/Aadhaar (where collected), payment card details, device identifiers, IP addresses, location data, browsing history, and any sensitive personal data categories defined under Rule 3 of the SPDI Rules 2011 (passwords, financial information, health data, biometric data, sexual orientation).
Purposes of collection and legal basis: For each category of personal data, the specific purpose for which it is collected and the legal basis under the DPDP Act 2023 — either consent under Section 6 or legitimate use under Section 7 (processing for legal obligations, employment, medical emergencies, or state functions). Vague or catch-all purpose descriptions do not satisfy Section 5.
Data retention: The period for which each category of data is retained, and the basis for that retention period. Under the DPDP Act 2023, personal data must be deleted once the purpose for which it was collected is fulfilled, unless retention is required by law.
Third-party sharing and Data Processors: Identification of categories of third parties with whom personal data is shared (payment gateways, cloud storage providers, analytics services, marketing platforms), the purposes of sharing, and whether the third parties are Data Processors under contractual agreements. Cross-border data transfers — permissible subject to Central Government notification under Section 16 of the DPDP Act 2023 — must be disclosed with details of the destination countries.
Security practices: Description of technical and organisational security measures implemented — encryption in transit and at rest, access controls, regular security audits, IS/ISO/IEC 27001 certification (if obtained), and incident response procedures. Section 8(5) of the DPDP Act 2023 requires Data Fiduciaries to implement reasonable security safeguards.
Data Principal rights: Clear explanation of each right under Sections 11–14 of the DPDP Act 2023 — right to information (Section 11), right to correction and erasure (Section 12), right to grievance redressal (Section 13), right to nominate a person to exercise rights after death or incapacity (Section 14), and right to withdraw consent (Section 6). Instructions for exercising each right must be specific and actionable.
Children's data policy: Under Section 9 of the DPDP Act 2023, processing personal data of children (under 18 years) requires verifiable parental consent. The policy must describe the consent verification mechanism and confirm that the service does not knowingly collect data from children without consent.
Data Protection Board complaint mechanism: Contact details and URL for lodging a complaint with the Data Protection Board of India established under Section 18 of the DPDP Act 2023, after the Grievance Officer fails to resolve the complaint satisfactorily.
Policy updates: The date of last revision, the procedure for notifying Data Principals of material changes, and confirmation that continued use of the service after notification constitutes acceptance. Forms-legal.com provides this Privacy Policy template for Indian businesses of all sizes, covering mandatory requirements under the DPDP Act 2023, IT Act 2000, and SPDI Rules 2011.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/policies/privacy-policy-india
"Privacy Policy (India)." Forms Legal, 2026, https://forms-legal.com/india/business/policies/privacy-policy-india.
@misc{formslegal-privacy-policy-india,
author = {{Forms Legal}},
title = {Privacy Policy (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/policies/privacy-policy-india}},
note = {Free legal document template. Based on Digital Personal Data Protection Act, 2023}
}
Frequently Asked Questions
The Digital Personal Data Protection Act 2023 (DPDP Act 2023), which received Presidential assent on 11 August 2023, is India's comprehensive personal data protection law and represents a fundamental shift in India's data privacy landscape. The DPDP Act replaces the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) for matters covered by the Act, and provides a framework for the processing of digital personal data in India. Key requirements under the DPDP Act 2023:
Notice to Data Principals: Under Section 5 of the DPDP Act 2023, before or at the time of collecting personal data, the Data Fiduciary (i.e., the entity that determines the purpose and means of processing) must give the Data Principal (i.e., the individual whose data is being processed) a notice in clear and plain language specifying: the personal data to be collected; the purpose of processing; the manner in which the Data Principal may exercise their rights; and the manner in which a complaint may be made to the Data Protection Board of India.
Consent: Under Section 6, the Data Fiduciary must obtain free, specific, informed, unconditional, and unambiguous consent from the Data Principal before processing their personal data. Consent must be signified by a clear affirmative action. The notice seeking consent must be clear and plain, and separate from other information. Consent may be withdrawn by the Data Principal at any time.
While the DPDP Act 2023 is the primary data protection statute in India, the Information Technology Act 2000 (IT Act 2000) and the IT (Amendment) Act 2008 continue to apply to electronic records, cybersecurity, and corporate data security obligations. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), notified under Section 43A of the IT Act 2000, remain relevant pending the full operationalisation of the DPDP Act 2023. Section 43A of the IT Act 2000 imposes civil liability on a 'body corporate' (any company, firm, sole proprietor, or other association of individuals) that possesses, deals with, or handles sensitive personal data or information (SPDI) in a computer resource it owns, controls, or operates. If the body corporate is negligent in implementing and maintaining reasonable security practices and procedures, and this negligence causes wrongful loss or gain to any person, the body corporate shall be liable to pay damages by way of compensation to the person so affected. The SPDI Rules 2011 define 'sensitive personal data or information' to include: passwords; financial information (bank account, credit card, debit card, or payment instrument details); physical, physiological, and mental health condition; sexual orientation; medical records and history; biometric information; and any other information received by the body corporate in confidence.
Under the Digital Personal Data Protection Act 2023 (DPDP Act 2023), Data Principals (individuals whose personal data is being processed) have the following rights vis-à-vis Data Fiduciaries:
Right to Information (Section 11): The Data Principal is entitled to obtain from the Data Fiduciary: (a) confirmation of whether their personal data is being processed; (b) a brief summary of the personal data being processed and the processing activities undertaken by the Data Fiduciary with respect to such personal data; and (c) identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the personal data shared.
Right to Correction and Erasure (Section 12): The Data Principal is entitled to: (a) correct their inaccurate or misleading personal data; (b) complete their incomplete personal data; (c) update their personal data; and (d) erase their personal data that is no longer necessary for the purpose for which it was collected, unless retention is necessary for compliance with a legal obligation or the exercise or defence of legal claims.
Right to Grievance Redressal (Section 13): The Data Principal is entitled to have their grievances redressed by the Data Fiduciary. Every Data Fiduciary must provide an effective mechanism for Data Principals to register grievances and must respond to complaints expeditiously (timelines to be prescribed in the DPDP Rules).
A Privacy Policy (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Digital Personal Data Protection Act, 2023 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Indian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and the Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Privacy Policy (India) does not legally require a lawyer in India, though legal advice is recommended. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Information Technology Act 2000 governs electronic contracts and data protection. The Consumer Protection Act 2019 provides consumer rights. The Income Tax Act 1961 requires tax compliance. Forms-legal.com provides this template as a starting point for India-compliant documentation; parties should seek independent legal advice from a qualified Indian advocate to confirm compliance with the Digital Personal Data Protection Act, 2023 and all other applicable requirements, particularly for significant transactions.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Terms of Service (India)
Comprehensive terms of service for Indian websites and apps under the IT Act 2000 and Consumer Protection Act 2019. Covers user obligations, intellectual property, liability limitations, dispute resolution, and governing law.
Data Protection Policy (India)
An internal data protection policy for Indian organisations under the DPDP Act 2023 and IT Act 2000, governing how employees handle personal data, implement security controls, respond to breaches, and fulfil Data Principal rights requests.
Acceptable Use Policy (India)
An acceptable use policy for Indian websites, platforms, and enterprise IT systems under the IT Act 2000. Defines permitted and prohibited uses, enforcement, and remedies for misuse including cyber offences.