How to Draft an Effective Privacy Policy

A privacy policy is not a legal disclaimer to be buried in fine print. Under India’s Digital Personal Data Protection Act, 2023, it is a foundational compliance instrument — and your first conversation with every data principal.

Most privacy policies fail before anyone reads them. They are drafted by copying a competitor’s document, inserting the company name, and publishing the result. The outcome is a policy that is simultaneously over-broad and under-specific — one that neither informs the data principal nor protects the organisation.

The DPDP Act changes the stakes considerably. A privacy policy is now a legal instrument that anchors your consent mechanism, defines the scope of processing, and determines the standard against which any complaint before the Data Protection Board of India will be judged.

Getting it right is not optional. Here is how to do it.


Start with the data, not the document

The single most common drafting error is writing a privacy policy before understanding what personal data the organisation actually processes. A policy written in the abstract will either be dangerously narrow — leaving some processing activities undisclosed — or uselessly vague, disclosing everything in order to say nothing.

Before a single word is drafted, conduct a data mapping exercise. Identify every category of personal data collected, the purpose for each collection, the lawful basis relied upon, the third parties to whom data is disclosed, and the retention period that applies. Your privacy policy is a summary of this map. If the map does not exist, the policy cannot be accurate.

“A privacy policy should read like a promise made by a person who knows exactly what they do with your data — not like a liability shield drafted by someone who does not.”


Understand what the DPDP Act requires you to disclose

The DPDP Act and its Rules establish a mandatory disclosure framework. A valid consent must be based on a notice that is:

  • Written in clear and plain language that a data principal can reasonably understand
  • Available in languages listed in the Eighth Schedule of the Constitution, upon request
  • Explicit about the personal data being collected and the specific purpose for which it is processed
  • Clear about the data principal’s rights — including the right to withdraw consent, access data, correct it, and seek erasure
  • Transparent about grievance redressal — the name and contact details of the Data Protection Officer or equivalent point of contact
  • Honest about cross-border transfers, where applicable

These are not aspirational standards. They are statutory obligations. A privacy policy that omits any of these elements is non-compliant from day one.


Always keep the data principal in mind

The DPDP Act’s plain language requirement is one of its more quietly consequential provisions. It signals a legislative intent that privacy notices should be comprehensible to the person they concern — not merely defensible to the person who drafted them.

In practice, this means three things:

Use active voice and direct sentences. “We collect your name and email address when you create an account” is clearer than “Personal data, including identifiers such as name and electronic mail address, may be collected upon the creation of a user account by the data principal.”

Avoid cross-references to cross-references. A data principal should be able to understand your policy without reading three other documents. Where definitions are necessary, place them in a simple glossary at the top.

Be specific about purposes. “To improve our services” is not a purpose — it is a blank cheque. State precisely what you do with the data and why. “To send you order confirmation and delivery status updates by email” is a purpose.


Structure the document for real-world use

A privacy policy that no one can navigate provides no protection to anyone. Structure matters. A proven structure for an Indian organisation subject to the DPDP Act includes:

Introduction — who you are, what this policy covers, and its effective date

What we collect — a plain-language table of data categories and sources

Why we collect it — one purpose per category, with the lawful basis clearly stated

Who we share it with — data processors, subsidiaries, and government authorities where required by law

How long we keep it — a retention schedule, or the criteria used to determine it

Transfers outside India — if applicable, the countries or regions involved and the safeguards in place

Your rights — a plain-language explanation of each right under the DPDP Act, with instructions on how to exercise them

Grievances — the name, email, and response timeline for your DPO or grievance officer

Changes to this policy — how and when you will notify data principals of material changes

Contact us — a single, clear point of contact


Address children’s data with particular care

The DPDP Act introduces heightened obligations for the processing of personal data of children — defined as persons under eighteen years of age. If your services are likely to be accessed by minors, your privacy policy must address:

  • The requirement for verifiable parental consent before processing a child’s personal data
  • The prohibition on behavioural tracking or targeted advertising directed at children
  • The mechanism by which age is verified or parental consent is obtained

Silence on these points in a policy for a platform used by children will be treated as a significant deficiency.


Don’t set it and forget it

A privacy policy is a living document. Every time a new product is launched, a new third-party vendor is onboarded, a new category of data is collected, or the law changes — the policy must be reviewed and updated. Under the DPDP Act, material changes to processing activities require fresh notice and, where applicable, fresh consent.

Build a review cadence into your compliance calendar — at minimum annually, and triggered by any material change to your processing activities. Date-stamp every version and maintain a changelog.


The five drafting errors we see most often

1. Boilerplate from a foreign jurisdiction. GDPR-style templates are not DPDP Act-compliant. The rights, lawful bases, and notice requirements differ materially.

2. Purposes stated at the category level. “Marketing purposes” is not a purpose. Name the specific activity and the data it uses.

3. No contact details for the DPO or grievance officer. The Act requires a named, reachable point of contact. A generic privacy@company.com with no name attached will not suffice.

4. Retention periods missing or unlimited. “We retain data for as long as necessary” is circular. Specify periods per category, or the criteria used to determine them.

5. Rights described but not actionable. Telling a data principal they have a right of erasure is meaningless unless you tell them how to exercise it, whom to write to, and how long it will take.


The bottom line

An effective privacy policy is honest, specific, readable, and maintained. It reflects what the organisation actually does with personal data — not what it would like to be seen as doing. Under the DPDP Act, it is also the document that will be scrutinised first in any investigation or complaint proceeding.

Drafting it well is not a one-time compliance exercise. It is an ongoing signal of how seriously your organisation takes the rights of the people whose data it processes.

If your privacy policy was last reviewed more than twelve months ago, or was adapted from a template that pre-dates the DPDP Act, it is time for a structured review.


Anindya Majumdar is a DSCI Certified Data Protection Officer (DPO 1225/036) and founder of The Privacy Desk. He provides privacy policy drafting, gap assessments, and DPDP compliance programs for Indian organisations across sectors.

Need a privacy policy review or a fresh draft? Book a discovery call.
