How-To 8 min read · 26 January 2026

How to Write a DPDP-Compliant Privacy Notice (With Template)

Section 5 of the DPDP Act requires every Data Fiduciary to give the Data Principal a notice before or at the time it asks for consent to collect personal data. Here's exactly what it must contain, with a template you can adapt.

Section 5 of the DPDP Act 2023 requires every request for consent to be accompanied or preceded by a notice from the Data Fiduciary to the Data Principal, so the notice must be in place before or at the time personal data is collected. The Act spells out what the notice must contain. Here's what to include and how to write it.

Legal Requirements (Section 5)

Section 5(1) requires your privacy notice to inform the Data Principal of:

  • The personal data being collected and the purpose for which it is proposed to be processed
  • The manner in which the Data Principal may exercise the right to withdraw consent (Section 6(4)) and the right of grievance redressal (Section 13)
  • The manner in which the Data Principal may make a complaint to the Data Protection Board of India

Additionally, it must be written in clear and plain language, not legal jargon, and under Section 5(3) the Data Principal must be given the option to access the notice in English or any of the 22 languages listed in the Eighth Schedule to the Constitution.

What a Good DPDP Privacy Notice Must Cover

1. Identity of the Data Fiduciary

Who you are and how to reach you. Include:

  • Business name and registered address
  • Contact email for privacy matters (e.g., privacy@yourstore.in)
  • If you have a DPO (required for Significant Data Fiduciaries), their contact details. Even if you are not a Significant Data Fiduciary, Section 8(9) requires you to publish the business contact information of a person who can answer customers' questions about how their personal data is processed.

2. What Data You Collect

Be specific. Don't say "we collect personal information." Say exactly what categories:

  • Contact data: name, email address, phone number
  • Address data: delivery address, billing address
  • Transaction data: order history, payment method type (never full card numbers; the payment gateway handles those, and you should store at most a masked number or a gateway token)
  • Device and browsing data: IP address, browser type (if you run analytics)
  • Communication data: messages you exchange via DM or email

3. Why You Collect Each Type of Data (Purpose)

The purpose must be specific to each data type. Generic purposes like "to improve our services" are not sufficient. Examples:

  • Phone number: to send order confirmations and delivery updates via SMS/WhatsApp
  • Address: to process and deliver your orders
  • Email: to send order receipts and, with your consent, promotional offers
  • Browsing data: to understand how customers use our website (Google Analytics)

4. Who You Share Data With

List every Data Processor that receives customer data. Be specific:

  • Payment processing: Razorpay India Pvt. Ltd.
  • Delivery and fulfillment: Shiprocket / Delhivery / [your courier]
  • Email marketing: Mailchimp / Klaviyo / [your email tool]
  • Website analytics: Google Analytics (Google LLC)
  • Cloud hosting: Amazon Web Services / [your host]

For each, explain what data is shared and why. If you share delivery addresses with Delhivery, say so.

5. How Long You Keep Data

Define a retention period for each data category:

  • Order records: 7 years (required for GST compliance)
  • Customer account data: for the duration of the relationship + 2 years
  • Marketing data (email lists): until consent is withdrawn or 3 years of inactivity
  • Transaction logs: 3 years for fraud prevention

6. Customer Rights

Explain how customers can exercise each right. Before you release or delete anything, verify that the request actually comes from the account holder (for example, act only on requests sent from the registered email address, or after the customer logs in), since an access or erasure channel that accepts any email is itself a data-leak and account-sabotage risk:

  • Access: Email us at privacy@yourstore.in with "Data Access Request" in the subject line
  • Correction: Log in to your account and update your details, or contact us at privacy@yourstore.in
  • Erasure: Email privacy@yourstore.in with "Delete My Data" in the subject line. Note that some data may be retained for legal purposes.
  • Withdraw Consent: Click "Unsubscribe" in any marketing email, or contact us at privacy@yourstore.in
  • Complaint: You may also complain to the Data Protection Board of India at [DPB portal URL once available]

Where to Publish Your Privacy Notice

  • Website: Footer link (privacy policy / privacy notice)
  • Checkout: Link at the consent checkbox
  • WhatsApp/Instagram: Link in bio or pinned message with a short URL
  • Physical premises: QR code at POS for offline businesses

Language Requirements

The customer must be given the option to read the notice in English or any of the 22 Eighth Schedule languages. For most SMBs, maintaining 22 translated versions manually is impractical. EasyDP generates and serves privacy notices in all 22 languages automatically, detecting the customer's preferred language based on their location or preference setting.

Keep It Updated

If you add a new Data Processor, change your retention policy, or start using customer data for a new purpose — you must update your notice and re-obtain consent for the new purpose. Treat your privacy notice as a living document, not a one-time checkbox.

Tags: Privacy Notice, DPDP, Template, Compliance
