
DPDPA Compliance for Indian Websites — Digital Personal Data Protection Act 2023

By Domain India Team · DomainIndia Engineering
6 min read · Published 20 Apr 2026 · Updated 23 Jun 2026



TL;DR
The Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data privacy law. Fines reach ₹250 crore. This guide covers what websites hosted on DomainIndia must do: consent notices, data-principal rights, breach notification, and practical technical steps to comply.

What DPDPA covers

Enacted August 2023, rules phased in 2024-2026. Applies to:

  • Any website / app processing personal data of people in India
  • Data fiduciaries (you, as the business)
  • Data processors (your hosting provider, payment gateway, email service)

"Personal data" = anything identifying an individual — name, email, phone, Aadhaar, location, IP address, login history.

DPDPA differs from GDPR in some ways:

  • No separate "sensitive" category (Aadhaar is not treated differently by DPDPA specifically — but Aadhaar Act still applies)
  • Narrower scope on non-digital data
  • Stronger on consent language requirements (must be in English + regional language)
  • Penalties up to ₹250 crore per incident

Who must comply

Entity                                           Must comply?
-----------------------------------------------  -----------------------------------------------
Indian business serving Indians                  Yes
Indian business serving only foreign customers   Still yes (DPDPA covers processing "in India")
Foreign business with Indian customers           Yes
Personal blog with signup                        Yes (collecting email = personal data)
Static website, no forms / no logs               Practically minimal exposure

Even a small website with a contact form collects personal data. Compliance is not optional.

Core requirements

1. Consent notice at collection

Before processing personal data, you must:

  • State what data you collect
  • State purpose clearly
  • State the data fiduciary (your business) + grievance officer
  • Provide translations in English + at least one language listed in the Eighth Schedule of the Constitution
  • Obtain explicit, informed consent (no pre-ticked boxes)

Example notice:

We collect your email to send order updates. Your email is
stored on servers in India. You can withdraw consent anytime
at [email protected]. Grievance Officer: Ms. Priya Sharma,
[email protected], +91-XXX-XXXX-XXX.

Available in: English | हिन्दी | தமிழ் | తెలుగు
[ ] I consent to the processing described above.

Must be a checkbox the user actively ticks — not pre-checked.

2. Data-principal (user) rights

You must honour these requests from any user, within reasonable time (rules suggest 30 days):

  • Right to know — what data you have on them
  • Right to correction — fix wrong data
  • Right to erasure — delete data (unless legally required to keep)
  • Right to grievance redressal — file complaint, get a response
  • Right to nominate — designate someone to act on their behalf after death

Build a self-service privacy page, or at minimum a [email protected] mailbox that someone actually answers.

3. Breach notification

On a data breach:

  • Notify the Data Protection Board of India as soon as feasible
  • Notify each affected user
  • No defined timeline yet in rules, but prepare for 72-hour window (aligning with global norms)

4. Children's data

  • Data of under-18s requires verifiable parental consent
  • No targeted advertising to children
  • Age check required in signup flows

5. Significant Data Fiduciaries (SDF)

If you process large volumes or "sensitive" operations, the government may designate you SDF with extra obligations:

  • Appoint Data Protection Officer (DPO)
  • Conduct periodic Data Protection Impact Assessments
  • Independent audits

Technical implementation

Store every consent with timestamp + IP for audit trail:

```sql
CREATE TABLE consent_records (
    id           bigserial PRIMARY KEY,
    user_id      uuid REFERENCES users(id),
    purpose      text NOT NULL,    -- "marketing_emails", "analytics", etc.
    consent_text text NOT NULL,    -- exact text shown to user
    language     text NOT NULL,    -- 'en', 'hi', 'ta'
    granted_at   timestamptz DEFAULT now(),
    withdrawn_at timestamptz,
    ip_address   inet,
    user_agent   text
);
```

When user withdraws, mark withdrawn_at; don't delete the row (audit).

```html
<div id="consent-banner" style="position:fixed; bottom:0; left:0; right:0; background:#fff; padding:20px; box-shadow:0 -2px 8px rgba(0,0,0,0.1);">
  <p>We use cookies for essential site function, analytics (Google Analytics),
  and personalisation. Your data is processed as per our
  <a href="/privacy">Privacy Policy</a> (available in English, हिन्दी).</p>

  <label><input type="checkbox" name="essential" checked disabled> Essential (required)</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <label><input type="checkbox" name="marketing"> Marketing</label>

  <button onclick="saveConsent()">Accept selected</button>
  <button onclick="acceptAll()">Accept all</button>
  <button onclick="rejectOptional()">Reject optional</button>
</div>
```

Save selection to a cookie + to your DB:

```javascript
// The banner is a <div>, not a <form>, so its checkboxes are not exposed as
// properties; look each one up explicitly. Nothing optional is ever pre-ticked.
function readSelections() {
  const banner = document.getElementById('consent-banner');
  const checked = (name) => banner.querySelector(`input[name="${name}"]`).checked;
  return { essential: true, analytics: checked('analytics'), marketing: checked('marketing') };
}

function saveConsent(selections = readSelections()) {
  const banner = document.getElementById('consent-banner');
  // JSON contains commas and quotes, which are not valid raw cookie characters; encode it
  document.cookie = `consent=${encodeURIComponent(JSON.stringify(selections))}; path=/; max-age=31536000; SameSite=Lax; Secure`;

  // Server-side copy is the audit record (consent_records table above)
  fetch('/api/consent', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(selections),
  });

  banner.style.display = 'none';
  // Only now load Google Analytics, and only if the user opted in
  // (loadAnalytics is your own loader, defined elsewhere)
  if (selections.analytics) loadAnalytics();
}

function acceptAll() {
  saveConsent({ essential: true, analytics: true, marketing: true });
}

function rejectOptional() {
  saveConsent({ essential: true, analytics: false, marketing: false });
}
```
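The server side of that POST, as an added example that is not code from the article: it stores each choice the way the consent_records table above is designed to be used (a grant appends a row, a withdrawal stamps withdrawn_at and never deletes). An in-memory array stands in for the database table, and PURPOSES and the ctx field names are assumptions.

```javascript
// Added example: server-side consent ledger modelled on the consent_records table.
// consentRecords stands in for the DB table; PURPOSES and ctx fields are assumed names.
const PURPOSES = ['analytics', 'marketing'];   // optional purposes offered in the banner
const consentRecords = [];                     // one object per consent_records row
let nextId = 1;

// Accept only the known purposes, each mapped to a real boolean. 'essential' is not
// a consent question (it is always on), so it is never stored as a consent row.
function validateSelections(body) {
  if (!body || typeof body !== 'object') throw new Error('invalid consent payload');
  const out = {};
  for (const p of PURPOSES) {
    if (typeof body[p] !== 'boolean') throw new Error(`missing boolean for purpose ${p}`);
    out[p] = body[p];
  }
  return out;
}

function activeRecord(userId, purpose) {
  return consentRecords.find(
    r => r.user_id === userId && r.purpose === purpose && r.withdrawn_at === null) || null;
}

// Withdrawal closes the open row by stamping withdrawn_at; nothing is deleted (audit).
function withdrawConsent(userId, purpose, at = new Date()) {
  for (const r of consentRecords) {
    if (r.user_id === userId && r.purpose === purpose && r.withdrawn_at === null) r.withdrawn_at = at;
  }
}

// Ticked purpose: append a row (timestamp, IP, UA, exact text and language shown).
// Un-ticked purpose: treat as withdrawal of any earlier grant. From an Express route:
// recordConsent(req.user.id, validateSelections(req.body), { ip: req.ip, userAgent: req.get('user-agent'), consentText, language })
function recordConsent(userId, selections, ctx) {
  const now = ctx.now || new Date();
  for (const purpose of PURPOSES) {
    if (!selections[purpose]) { withdrawConsent(userId, purpose, now); continue; }
    if (activeRecord(userId, purpose)) continue;   // already consented; keep original row
    consentRecords.push({
      id: nextId++, user_id: userId, purpose,
      consent_text: ctx.consentText, language: ctx.language,
      granted_at: now, withdrawn_at: null, ip_address: ctx.ip, user_agent: ctx.userAgent,
    });
  }
}

// Gate non-essential processing on a live row in the database, not on the cookie alone.
function hasConsent(userId, purpose) { return activeRecord(userId, purpose) !== null; }
```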

Data export / deletion endpoints

```javascript
// User-initiated data export (assumes your auth middleware has populated req.user)
app.get('/api/me/export', async (req, res) => {
  if (!req.user) return res.status(401).json({ error: 'login required' });
  const userId = req.user.id;
  const data = {
    profile: await db.user.findUnique({ where: { id: userId } }),
    orders: await db.order.findMany({ where: { userId } }),
    consents: await db.consent.findMany({ where: { userId } }),
    // ... every table where user data lives
  };
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Content-Disposition', 'attachment; filename=my-data.json');
  res.json(data);
});

// User-initiated deletion
app.post('/api/me/delete', async (req, res) => {
  if (!req.user) return res.status(401).json({ error: 'login required' });
  const userId = req.user.id;
  // Soft-delete the person: overwrite identifying fields, keep the row for the audit trail
  await db.user.update({
    where: { id: userId },
    data: {
      email: `deleted-${userId}@deleted.local`,
      name: 'Deleted User',
      phone: null,
      deletedAt: new Date(),
    },
  });
  // Cascade to orders: keep them (legal retention) but strip the customer's identity
  await db.order.updateMany({
    where: { userId },
    data: { customerName: 'Deleted', customerEmail: null },
  });
  // Passport 0.6+ logs out asynchronously; respond once the session is gone
  req.logout(() => res.json({ ok: true }));
});
```

Data retention

Don't keep data forever. Schedule deletion of old records:

```sql
-- Example retention: delete session logs older than 90 days
DELETE FROM session_logs WHERE created_at < now() - interval '90 days';

-- Anonymise customers with no activity in 5 years and no consent still in force.
-- Per-row placeholder email avoids violating a UNIQUE index; deleted_at stops re-processing.
UPDATE users u
SET email = 'anon-' || u.id::text || '@deleted.local',
    name = 'Anonymous', phone = NULL, deleted_at = now()
WHERE u.last_login_at < now() - interval '5 years'
  AND u.deleted_at IS NULL
  AND NOT EXISTS (SELECT 1 FROM consent_records c
                  WHERE c.user_id = u.id AND c.withdrawn_at IS NULL);
```

Run via cron / scheduled job.

Encryption

  • Data at rest — full-disk encryption (LUKS on VPS), encrypted DB backups (our automated backups guide)
  • Data in transit — HTTPS everywhere (free Let's Encrypt via DomainIndia)
  • Passwords — bcrypt/argon2, never plain or MD5

Logs and audit

Keep access logs ≥6 months. But also: logs ARE personal data. Access to logs should itself be logged.

/var/log/nginx/access.log  → contains IPs = personal data
                          → retention policy: rotate + delete after 180 days
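One way to enforce that 180-day policy, as an added example that is not from the article: a logrotate stanza for the nginx logs. It assumes the Debian/Ubuntu defaults (log path, www-data/adm ownership, /run/nginx.pid); adjust those for your VPS.

```text
# /etc/logrotate.d/nginx (added example; Debian/Ubuntu paths assumed)
/var/log/nginx/access.log /var/log/nginx/error.log {
    daily
    # keep at most 180 rotated files and remove anything older than 180 days
    rotate 180
    maxage 180
    missingok
    notifempty
    compress
    delaycompress
    # new log is readable only by nginx and the adm group, since it holds IPs
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /run/nginx.pid ] && kill -USR1 "$(cat /run/nginx.pid)"
    endscript
}
```

Reads of the rotated files by administrators are the "access to logs" the text says should itself be logged; auditd or a sudo log on the log directory covers that.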

Cross-border transfers

DPDPA allows transfer to countries the government whitelists. For unlisted countries, rules are strict.

Practical impact:

  • If your servers are on DomainIndia (India), you're already compliant for storage
  • If you use AWS/GCP in Singapore or US regions — check if whitelisted; if not, consider migrating critical data to India-hosted infra
  • Using OpenAI API in US — the prompts transferred may contain personal data. Disclose this in privacy policy.

Grievance Officer

Publish clearly in the website footer:

Grievance Officer:
Name: Priya Sharma
Email: [email protected]
Phone: +91-XXX-XXXX-XXX
Address: [company address]
Response timeline: 7 working days

Appointing a real person (not a shared mailbox) is a key DPDPA requirement.

Privacy Policy template sections

Your policy must include:

  1. Identity + contact of data fiduciary
  2. Grievance officer details
  3. Categories of data collected
  4. Purposes of processing
  5. Legal basis (consent / legitimate use)
  6. Sharing with third parties (list them)
  7. Retention periods
  8. User rights + how to exercise
  9. Cross-border transfer disclosure
  10. How changes to the policy are notified
  11. Effective date + last updated

Common pitfalls

FAQ

Q Do I need to register with the government?

No central registration yet for most. Only Significant Data Fiduciaries (designated by the Board) have special obligations. Stay informed via mrityunjay.gov.in.

Q What are the penalties?

Up to ₹250 crore for major breaches or non-compliance. First-offence for minor issues may start at ₹50 lakh. Board determines severity.

Q My site is just a WordPress blog with comments. Am I subject?

Yes — commenters provide email. Minimum: privacy policy, consent notice on comment form, grievance contact, reasonable retention.

Q If I use Cloudflare (US company), am I non-compliant?

Cloudflare is a data processor; you are the data fiduciary. You must disclose this and ensure Cloudflare's DPA (Data Processing Agreement) is in place. Check whether the country they route through is whitelisted.

Q Can I host outside India?

Yes, but requires extra disclosure + whitelisted destination. Simpler to host on DomainIndia in India.

Q GDPR compliance = DPDPA compliance?

Mostly but not entirely. GDPR is stricter on some dimensions; DPDPA on others (language requirements). Treat them as overlapping, not identical.

Warning

This article is informational, not legal advice. Consult a lawyer or DPO for your specific DPDPA obligations, especially if you process sensitive data or are a large data fiduciary.
