India's Digital Personal Data Protection Act (DPDPA) changes how every business that touches Indian users handles personal data. It covers digital personal data processed in India, and processing outside India that is connected with offering goods or services to people in India. If you collect names, emails, phone numbers, or device identifiers from people in India, assume it applies to you. Here is a clear checklist to work through, written for teams who want to get this right without drowning in legal language.
Start with notice and consent
The DPDPA is built around informed consent; apart from a short list of "legitimate uses" set out in the Act, consent is the basis you will rely on. Before you collect personal data, you have to tell people what you are collecting and why, in plain terms.
- Publish a clear privacy notice that lists the data you collect and the purpose for each use.
- Offer the notice in English and, where it matters for your users, in their preferred Indian language.
- Make consent specific. Bundling unrelated purposes into one "I agree" is not valid.
- Make withdrawal as easy as giving consent. A buried email request does not count.
The principle to remember is that consent has to be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. If a reasonable person would not understand what they agreed to, you do not have valid consent.
Map your data and your processors
You cannot protect data you have not mapped. Before anything else, write down what you collect, where it lives, and who else touches it.
- List every form, tracker, and integration that gathers personal data.
- Identify each third party you share data with and confirm each processor is bound by a contract that limits what it may do with the data.
- Note where data is stored and how long you keep it.
- Set a retention period for each category and delete data once the purpose is met, unless a law requires you to keep it longer.
Honor data principal rights
Under the DPDPA, the person whose data you hold is the data principal, and they have real rights. Your site needs a working way to act on them.
- Provide a route to request access to their data.
- Allow correction and updating of inaccurate data.
- Support erasure once the data is no longer needed.
- Offer a grievance channel and respond within a reasonable time.
Build these as a workflow, not a one-off favor. When requests arrive, you want a tracked process with deadlines, not an inbox scramble.
Handle children's data with care
The DPDPA sets a higher bar for anyone under eighteen. If children may use your service, you cannot ignore this.
- Obtain verifiable parental consent before processing a child's data.
- Do not run tracking, behavioural monitoring, or targeted advertising aimed at children.
- Add an age signal or gate so child accounts get the stricter treatment by default.
The safest posture is to assume some of your users are minors and design your consent flow so their data is never processed for advertising without a parent's clear say-so.
Keep evidence you can show
Consent you cannot prove is consent you do not have. The Act puts the burden of proof on you, the data fiduciary, so regulators and auditors will ask how you know a person agreed, to what, and to which version of the notice.
- Record each consent with a timestamp and the version of the notice shown.
- Keep a tamper-evident log so the record cannot be quietly edited later.
- Make the evidence exportable so you can answer a query quickly.
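One way to build the evidence described above is an append-only consent ledger in which each entry carries the timestamp, the notice version and the hash of the notice text shown, and is chained to the previous entry by hash. The block below is an added example, not ConsentX code; the class and function names, the sample notice text and the principal id "p-1001" are all made up for illustration. It records grants and withdrawals per purpose, replays the log to answer "what is this person consenting to right now", verifies the chain, and exports one principal's history as JSON Lines.

```python
"""Append-only, hash-chained consent ledger (added example, not ConsentX code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Set

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh ledger
# Constructed sample notice text; in practice, store the exact notice the user saw.
SAMPLE_NOTICE_V3 = "We collect your email to run analytics and to send marketing mail. v3"


def _canonical(record: dict) -> bytes:
    """Stable serialisation so a record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class ConsentEvent:
    principal_id: str        # pseudonymous id, not the person's email
    action: str              # "grant" or "withdraw"
    purposes: List[str]      # the specific purposes this event covers
    notice_version: str      # version label of the notice shown ("" for withdrawals)
    notice_hash: str         # sha256 of the notice text shown ("" for withdrawals)
    timestamp: str           # UTC ISO-8601
    prev_hash: str = GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except entry_hash itself; prev_hash links the chain."""
        body = asdict(self)
        body.pop("entry_hash")
        return hashlib.sha256(_canonical(body)).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        event.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        event.entry_hash = event.compute_hash()
        self.entries.append(event)
        return event

    def grant(self, principal_id: str, purposes: List[str], notice_text: str,
              notice_version: str, at: Optional[str] = None) -> ConsentEvent:
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        return self._append(ConsentEvent(
            principal_id, "grant", sorted(purposes), notice_version,
            hashlib.sha256(notice_text.encode()).hexdigest(),
            at or datetime.now(timezone.utc).isoformat()))

    def withdraw(self, principal_id: str, purposes: List[str],
                 at: Optional[str] = None) -> ConsentEvent:
        return self._append(ConsentEvent(
            principal_id, "withdraw", sorted(purposes), "", "",
            at or datetime.now(timezone.utc).isoformat()))

    def active_purposes(self, principal_id: str) -> Set[str]:
        """Replay the log: current consent is the net of grants and withdrawals."""
        active: Set[str] = set()
        for ev in self.entries:
            if ev.principal_id != principal_id:
                continue
            if ev.action == "grant":
                active.update(ev.purposes)
            else:
                active.difference_update(ev.purposes)
        return active

    def verify(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for ev in self.entries:
            if ev.prev_hash != prev or ev.entry_hash != ev.compute_hash():
                return False
            prev = ev.entry_hash
        return True

    def export(self, principal_id: str) -> str:
        """JSON Lines dump of one principal's history, to answer an access request."""
        return "\n".join(json.dumps(asdict(ev), sort_keys=True)
                         for ev in self.entries if ev.principal_id == principal_id)


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: grant for two purposes, later withdraw one of them."""
    ledger = ConsentLedger()
    ledger.grant("p-1001", ["marketing", "analytics"], SAMPLE_NOTICE_V3, "3",
                 at="2025-01-10T09:00:00+00:00")
    ledger.withdraw("p-1001", ["marketing"], at="2025-02-01T12:00:00+00:00")
    return ledger


def tamper_demo() -> List[bool]:
    """What the chain catches: [clean, after a silent edit, after edit plus re-hash]."""
    ledger = build_sample_ledger()
    results = [ledger.verify()]
    ledger.entries[0].purposes.append("profiling")                   # quiet edit of old consent
    results.append(ledger.verify())                                  # stored hash no longer matches
    ledger.entries[0].entry_hash = ledger.entries[0].compute_hash()  # editor re-hashes the entry
    results.append(ledger.verify())                                  # next entry's prev_hash breaks
    return results
```

Call build_sample_ledger() and active_purposes("p-1001") to see that after the withdrawal only "analytics" remains, and tamper_demo() to see the chain fail on both a silent edit and an edit followed by a re-hash. A hash chain alone only proves the log is internally consistent; someone with write access can rebuild the whole chain. To make it tamper-evident against an insider, periodically sign or publish the head hash somewhere the application cannot rewrite (an external log, a write-once store, or a key held by another team), and keep the notice text archived by hash so a notice_hash in the ledger can always be resolved to what the person actually saw.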
Put it together
Notice, specific consent, easy withdrawal, mapped data, working rights, careful handling of children, and provable evidence. That is the spine of DPDPA readiness. None of it is exotic, but it does need to be deliberate and built into your product rather than bolted on.
If you want a consent layer that covers notice, withdrawal, DSAR workflows, and tamper-evident evidence out of the box, get started free with ConsentX and map your footprint in an afternoon.