
By Domain India Team · DomainIndia Engineering
6 min read · 24 Apr 2026
# DPDPA Compliance for Indian Websites — Digital Personal Data Protection Act 2023
**TL;DR:** The Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data privacy law. Fines reach ₹250 crore. This guide covers what websites hosted on DomainIndia must do: consent notices, data-principal rights, breach notification, and practical technical steps to comply.
## What DPDPA covers

Enacted August 2023, with rules phased in over 2024-2026. Applies to:

- Any website / app processing personal data of people in India
- Data fiduciaries (you, as the business)
- Data processors (your hosting provider, payment gateway, email service)

"Personal data" = anything identifying an individual — name, email, phone, Aadhaar, location, IP address, login history.

DPDPA differs from GDPR in some ways:

- No separate "sensitive" category (Aadhaar is not treated differently by DPDPA specifically — but the Aadhaar Act still applies)
- Narrower scope on non-digital data
- Stronger on consent language requirements (must be in English + a regional language)
- Penalties up to ₹250 crore per incident

## Who must comply

| Entity | Must comply? |
|---|---|
| Indian business serving Indians | Yes |
| Indian business serving only foreign customers | Still yes (DPDPA covers processing "in India") |
| Foreign business with Indian customers | Yes |
| Personal blog with signup | Yes (collecting email = personal data) |
| Static website, no forms / no logs | Practically minimal exposure |
Even a small website with a contact form collects personal data. Compliance is not optional.

## Core requirements

### 1. Consent notice at collection

Before processing personal data, you must:

- State what data you collect
- State the purpose clearly
- State the data fiduciary (your business) + grievance officer
- Provide translations in English + at least one Eighth Schedule language
- Obtain explicit, informed consent (no pre-ticked boxes)

Example notice:

```
We collect your email to send order updates. Your email is stored on servers in India.
You can withdraw consent anytime at [email protected].
Grievance Officer: Ms. Priya Sharma, [email protected], +91-XXX-XXXX-XXX.
Available in: English | हिन्दी | தமிழ் | తెలుగు

[ ] I consent to the processing described above.
```

Must be a checkbox the user actively ticks — not pre-checked.

### 2. Data-principal (user) rights

You must honour these requests from any user within a reasonable time (the rules suggest 30 days):

- **Right to know** — what data you have on them
- **Right to correction** — fix wrong data
- **Right to erasure** — delete data (unless you are legally required to keep it)
- **Right to grievance redressal** — file a complaint, get a response
- **Right to nominate** — designate someone to act on their behalf after death

Build a self-service privacy page or, at minimum, a `[email protected]` mailbox that actually responds.

### 3. Breach notification

On a data breach:

- Notify the Data Protection Board of India as soon as feasible
- Notify each affected user
- No defined timeline yet in the rules, but prepare for a 72-hour window (aligning with global norms)

### 4. Children's data

- Data of under-18s requires verifiable parental consent
- No targeted advertising to children
- Age check required in signup flows

### 5. Significant Data Fiduciaries (SDF)

If you process large volumes or "sensitive" operations, the government may designate you an SDF with extra obligations:

- Appoint a Data Protection Officer (DPO)
- Conduct periodic Data Protection Impact Assessments
- Independent audits

## Technical implementation

### Consent record

Store every consent with timestamp + IP for an audit trail:

```sql
CREATE TABLE consent_records (
  id           bigserial PRIMARY KEY,
  user_id      uuid REFERENCES users(id),
  purpose      text NOT NULL,         -- "marketing_emails", "analytics", etc.
  consent_text text NOT NULL,         -- exact text shown to the user
  language     text NOT NULL,         -- 'en', 'hi', 'ta'
  granted_at   timestamptz DEFAULT now(),
  withdrawn_at timestamptz,           -- set on withdrawal; the row is never deleted
  ip_address   inet,
  user_agent   text
);
```

When a user withdraws, set `withdrawn_at`; don't delete the row (audit).

### Consent banner (minimal, compliant)

```html

<form id="consent-banner">
  <p>We use cookies for essential site function, analytics (Google Analytics), and personalisation.
     Your data is processed as per our Privacy Policy (available in English, हिन्दी).</p>
  <!-- Optional purposes start unticked: no pre-checked boxes -->
  <label><input type="checkbox" name="essential" checked disabled> Essential (required)</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <label><input type="checkbox" name="marketing"> Marketing</label>
  <button type="button" onclick="saveConsent()">Accept selected</button>
  <button type="button" onclick="this.form.analytics.checked = true; this.form.marketing.checked = true; saveConsent()">Accept all</button>
  <button type="button" onclick="this.form.analytics.checked = false; this.form.marketing.checked = false; saveConsent()">Reject optional</button>
</form>
```

Save the selection to a cookie + to your DB:

```javascript
function saveConsent() {
  const form = document.getElementById('consent-banner');
  const selections = {
    essential: true,                      // always on; cannot be refused
    analytics: form.analytics.checked,
    marketing: form.marketing.checked,
  };
  // Client-side copy, valid for one year
  document.cookie = `consent=${JSON.stringify(selections)}; path=/; max-age=31536000; SameSite=Lax`;
  // Server-side copy: becomes a consent_records row with timestamp, IP and user agent
  fetch('/api/consent', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(selections),
  });
  form.style.display = 'none';
  // Only now load Google Analytics, and only if analytics=true
  // (loadAnalytics() is your own function that injects the GA snippet)
  if (selections.analytics) loadAnalytics();
}
```

### Data export / deletion endpoints

```javascript
// User-initiated data export (requires an authenticated session: req.user)
app.get('/api/me/export', async (req, res) => {
  const userId = req.user.id;
  const data = {
    profile: await db.user.findUnique({ where: { id: userId } }),
    orders: await db.order.findMany({ where: { userId } }),
    consents: await db.consent.findMany({ where: { userId } }),
    // ... every table where user data lives
  };
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Content-Disposition', 'attachment; filename=my-data.json');
  res.json(data);
});

// User-initiated deletion
app.post('/api/me/delete', async (req, res) => {
  const userId = req.user.id;
  // Soft-delete personal fields, anonymise in the audit trail
  await db.user.update({
    where: { id: userId },
    data: {
      email: `deleted-${userId}@deleted.local`,
      name: 'Deleted User',
      phone: null,
      deletedAt: new Date(),
    },
  });
  // Cascade to orders: keep them (legal retention) but mark anonymous
  await db.order.updateMany({
    where: { userId },
    data: { customerName: 'Deleted', customerEmail: null },
  });
  req.logout();
  res.json({ ok: true });
});
```

### Data retention

Don't keep data forever.
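The consent_records table and the retention rules in this section express one policy: a purpose is consented only while its latest grant has no `withdrawn_at`, session logs expire after 90 days, and inactive users are anonymised rather than deleted once no consent remains in force. The following is an added example, not DomainIndia's code, that puts that policy into plain functions you can unit-test before wiring them into a scheduled job. The row shapes are assumptions that mirror the consent_records columns above and the users columns the retention query uses (`last_login_at`, `deleted_at`); timestamps are ISO strings. It goes slightly beyond the article in handling a purpose that was withdrawn and later re-granted, and in skipping rows that are already anonymised.

```javascript
// Added example (not DomainIndia's code): consent state and retention decisions
// derived from the consent_records audit rows. Row shapes are assumed.

const DAY_MS = 24 * 60 * 60 * 1000;
const SESSION_LOG_RETENTION_DAYS = 90;   // from the article's DELETE job
const INACTIVE_USER_YEARS = 5;           // from the article's UPDATE job

// Current consent per purpose as of `at`. Rows are never deleted on withdrawal,
// so the most recent grant for a purpose decides, and it counts only while
// withdrawn_at is null or still in the future.
function effectiveConsent(rows, at = new Date()) {
  const latest = new Map();
  for (const row of rows) {
    const granted = new Date(row.granted_at);
    if (granted > at) continue;                       // grant not yet in effect
    const prev = latest.get(row.purpose);
    if (!prev || granted > new Date(prev.granted_at)) latest.set(row.purpose, row);
  }
  const state = {};
  for (const [purpose, row] of latest) {
    const withdrawn = row.withdrawn_at ? new Date(row.withdrawn_at) : null;
    state[purpose] = withdrawn === null || withdrawn > at;
  }
  return state;
}

// Withdrawal stamps withdrawn_at on the active row(s); the row stays for audit.
// Returns a new array; throws if there is nothing to withdraw.
function withdrawConsent(rows, purpose, at = new Date()) {
  const active = rows.filter(r => r.purpose === purpose && !r.withdrawn_at);
  if (active.length === 0) throw new Error(`no active consent for ${purpose}`);
  return rows.map(r => (active.includes(r) ? { ...r, withdrawn_at: at.toISOString() } : r));
}

// Session log rows older than 90 days are deleted outright.
function sessionLogAction(log, now = new Date()) {
  const ageMs = now - new Date(log.created_at);
  return ageMs > SESSION_LOG_RETENTION_DAYS * DAY_MS ? 'delete' : 'keep';
}

// Inactive users are anonymised (not deleted: orders may have to be kept) only
// when no consent is still in force. Already-anonymised rows are skipped so the
// job is idempotent.
function userRetentionAction(user, consentRows, now = new Date()) {
  if (user.deleted_at) return 'skip';
  const inactiveSince = new Date(now);
  inactiveSince.setUTCFullYear(inactiveSince.getUTCFullYear() - INACTIVE_USER_YEARS);
  if (new Date(user.last_login_at) >= inactiveSince) return 'keep';
  const stillConsented = Object.values(effectiveConsent(consentRows, now)).some(Boolean);
  return stillConsented ? 'keep' : 'anonymise';
}

// The anonymised form used by the article's deletion endpoint and retention job.
function anonymiseUser(user, now = new Date()) {
  return {
    ...user,
    email: `deleted-${user.id}@deleted.local`,
    name: 'Deleted User',
    phone: null,
    deleted_at: now.toISOString(),
  };
}

// Constructed sample data (not real users or consents).
const SAMPLE_CONSENTS = [
  { user_id: 'u1', purpose: 'marketing_emails', granted_at: '2020-01-10T09:00:00Z', withdrawn_at: '2021-03-01T00:00:00Z' },
  { user_id: 'u1', purpose: 'analytics',        granted_at: '2020-01-10T09:00:00Z', withdrawn_at: null },
];
const SAMPLE_USER = {
  id: 'u1', email: 'user@example.com', name: 'Test User', phone: '+91-0000000000',
  last_login_at: '2020-06-01T00:00:00Z', deleted_at: null,
};
```

With the sample data, the user has been inactive for more than five years but still holds an active analytics consent, so the job keeps the row; once that consent is withdrawn the next run returns `anonymise`, and the anonymised row is skipped thereafter.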
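Access logs need the same treatment as database rows: the Logs and audit section of this article sets a 180-day rotate-and-delete policy for `/var/log/nginx/access.log` because the client IPs in it are personal data. This added example, not DomainIndia's code, applies that rule to nginx combined-format lines: it parses the bracketed timestamp (including its UTC offset), drops lines older than the retention window, and also drops lines whose age cannot be established because they carry no parseable timestamp. It goes beyond the article in one respect: the lines it keeps have their client IP truncated (last IPv4 octet zeroed, IPv6 cut to four groups), a data-minimisation step the article does not specify. The log lines and the retention constant are constructed for the example.

```javascript
// Added example (not DomainIndia's code): retention filter for nginx combined-format
// access log lines, with client-IP truncation on the lines that are kept.

const RETENTION_DAYS = 180;   // the article's access-log retention window

// Constructed sample lines (not from a real server); 203.0.113/24, 198.51.100/24
// and 2001:db8::/32 are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.42 - - [01/Sep/2025:10:15:32 +0530] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [20/Apr/2026:08:01:05 +0530] "POST /api/consent HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '2001:db8:85a3:1:2:3:4:5 - - [22/Apr/2026:23:59:59 +0530] "GET / HTTP/2.0" 200 1024 "-" "curl/8.0"',
  'garbage line without a timestamp',
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// [dd/Mon/yyyy:HH:MM:SS +ZZZZ] as written by nginx's $time_local
const TS_RE = /\[(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]/;

// Parse the bracketed timestamp into a UTC Date; null when absent or invalid.
function parseLogTime(line) {
  const m = TS_RE.exec(line);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const localAsUtcMs = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss);
  const offsetMin = (sign === '-' ? -1 : 1) * (+tzh * 60 + +tzm);
  return new Date(localAsUtcMs - offsetMin * 60 * 1000);   // local time minus offset = UTC
}

// Truncate a client IP: IPv4 keeps the first three octets, IPv6 the first four groups.
function maskIp(ip) {
  if (ip.includes(':')) return ip.split(':').slice(0, 4).join(':') + '::';
  const parts = ip.split('.');
  return parts.length === 4 ? parts.slice(0, 3).join('.') + '.0' : ip;
}

// Apply the retention window relative to `now`.
// Returns { keep: masked lines still inside the window, drop: number of lines discarded }.
function applyRetention(lines, now = new Date(), days = RETENTION_DAYS) {
  const cutoff = new Date(now.getTime() - days * 24 * 60 * 60 * 1000);
  const keep = [];
  let drop = 0;
  for (const line of lines) {
    const t = parseLogTime(line);
    if (!t || t < cutoff) { drop++; continue; }     // too old, or age unprovable
    const sp = line.indexOf(' ');                    // combined format starts with $remote_addr
    keep.push(maskIp(line.slice(0, sp)) + line.slice(sp));
  }
  return { keep, drop };
}
```

Run it from the rotation hook rather than on the live file: nginx keeps `access.log` open, so filter the rotated copy and write the result to a new file.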
Schedule deletion of old records:

```sql
-- Example retention: delete session logs older than 90 days
DELETE FROM session_logs
WHERE created_at < now() - interval '90 days';

-- Mark old customers as anonymous if no activity in 5 years and no consent is still in force.
-- deleted_at is set so the row is not processed again on the next run.
UPDATE users
SET email = '[email protected]', name = 'Anonymous', phone = NULL, deleted_at = now()
WHERE last_login_at < now() - interval '5 years'
  AND deleted_at IS NULL
  AND NOT EXISTS (
    SELECT 1 FROM consent_records c
    WHERE c.user_id = users.id AND c.withdrawn_at IS NULL
  );
```

Run via cron / a scheduled job.

### Encryption

- **Data at rest** — full-disk encryption (LUKS on a VPS), encrypted DB backups (our [automated backups guide](https://domainindia.com/support/kb/automated-backups-cron-rclone-s3))
- **Data in transit** — HTTPS everywhere (free Let's Encrypt via DomainIndia)
- **Passwords** — bcrypt/argon2, never plain or MD5

### Logs and audit

Keep access logs for at least 6 months. But also: logs ARE personal data. Access to logs should itself be logged.

```
/var/log/nginx/access.log
  → contains IPs = personal data
  → retention policy: rotate + delete after 180 days
```

## Cross-border transfers

DPDPA allows transfer to countries the government whitelists. For unlisted countries, the rules are strict. Practical impact:

- If your servers are on DomainIndia (India), you're already compliant for storage
- If you use AWS/GCP in Singapore or US regions, check whether the region's country is whitelisted; if not, consider migrating critical data to India-hosted infra
- If you use the OpenAI API in the US, the prompts transferred may contain personal data. Disclose this in your privacy policy.

## Grievance Officer

Publish clearly in the website footer:

```
Grievance Officer:
Name: Priya Sharma
Email: [email protected]
Phone: +91-XXX-XXXX-XXX
Address: [company address]
Response timeline: 7 working days
```

Appointing a real person (not a shared mailbox) is a key DPDPA requirement.

## Privacy Policy template sections

Your policy must include:

1. Identity + contact of the data fiduciary
2. Grievance officer details
3. Categories of data collected
4. Purposes of processing
5. Legal basis (consent / legitimate use)
6. Sharing with third parties (list them)
7. Retention periods
8. User rights + how to exercise them
9. Cross-border transfer disclosure
10. Changes policy
11. Effective date + last updated

## Common pitfalls

## FAQ
**Q: Do I need to register with the government?**

No central registration yet for most. Only Significant Data Fiduciaries (designated by the Board) have special obligations. Stay informed via mrityunjay.gov.in.

**Q: What are the penalties?**

Up to ₹250 crore for major breaches or non-compliance. A first offence for minor issues may start at ₹50 lakh. The Board determines severity.

**Q: My site is just a WordPress blog with comments. Am I subject?**

Yes — commenters provide an email address. Minimum: privacy policy, consent notice on the comment form, grievance contact, reasonable retention.

**Q: If I use Cloudflare (US company), am I non-compliant?**

Cloudflare is a data processor; you are the data fiduciary. You must disclose this and ensure Cloudflare's DPA (Data Processing Agreement) is in place. Check whether the country they route through is whitelisted.

**Q: Can I host outside India?**

Yes, but it requires extra disclosure + a whitelisted destination. Simpler to host on DomainIndia in India.

**Q: GDPR compliance = DPDPA compliance?**

Mostly but not entirely. GDPR is stricter on some dimensions; DPDPA on others (language requirements). Treat them as overlapping, not identical.

**Warning:** This article is informational, not legal advice. Consult a lawyer or DPO for your specific DPDPA obligations, especially if you process sensitive data or are a large data fiduciary.
