India DPDPA compliance checklist
A practical India DPDPA compliance checklist covering itemized notice, verifiable consent, children's protections under Section 9, easy withdrawal and Consent Manager pathways.
What the DPDPA is and who it covers
The Digital Personal Data Protection Act is India's first comprehensive data protection law. It applies to any data fiduciary processing digital personal data in India, and to those outside India who process the data of people in India in connection with offering goods or services. If you have users in India, it likely applies to you.
The law is built around two ideas that should shape your checklist: clear itemized notice and verifiable consent. Unlike the GDPR's several lawful bases, the DPDPA leans heavily on consent as the route for most commercial processing, which raises the importance of getting the consent flow right.
Give an itemized, plain-language notice
Consent under the DPDPA must follow a notice that itemizes what personal data you collect, the specific purposes, how the person can withdraw consent, and how they can complain to the Data Protection Board. The notice has to be in clear and plain language and be available in English and the languages listed in the Indian Constitution.
Vague blanket statements do not satisfy this. Each purpose should be stated so the person can tell exactly what they are agreeing to, item by item.
Obtain verifiable consent before processing
Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the data necessary for the stated purpose. Crucially, it must be verifiable, meaning you can later demonstrate that a specific person consented to specific purposes after seeing the notice.
Build your banner and forms so that each consent event is recorded with the purposes shown and the choice made, producing evidence you can stand behind if the Board asks.
Protect children under Section 9
Section 9 is one of the strictest parts of the law. For anyone under 18, you must obtain verifiable consent from a parent or lawful guardian before processing, and you must not undertake tracking, behavioral monitoring or targeted advertising directed at children.
This means an age-gate and a parental consent flow are not optional if children might use your service. Design the flow so a child cannot simply self-assert an adult age without any check, and make sure your advertising trackers are blocked for users identified as children.
Make withdrawal as easy as consent
The DPDPA requires that withdrawing consent be as easy as giving it. Once a person withdraws, you must stop the related processing within a reasonable time and ensure your processors do the same. A buried, multi-step withdrawal flow does not meet the as-easy-as standard.
Keep a persistent, obvious way to withdraw, and make sure the withdrawal actually halts the trackers and processing it covers, not just updates a flag that nothing reads.
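The consent record sketched in the sections above (each event stored with the purposes shown and the choice made, Section 9 handling for children, withdrawal as a single step that actually stops trackers) as an added JavaScript example; this is not ConsentX code, and the names ConsentLedger, NOTICE_VERSION, PURPOSES and activeTrackers and the sample purposes are assumptions made for illustration.

```javascript
// Added example (not ConsentX code): a per-purpose consent ledger for a web client.
// ConsentLedger, NOTICE_VERSION, PURPOSES and activeTrackers are assumed names, not from the Act.

const NOTICE_VERSION = "notice-v1"; // constructed: identifies the itemized notice the person saw
const PURPOSES = ["analytics", "targeted_ads", "order_fulfilment"]; // constructed sample purposes

class ConsentLedger {
  constructor(now = () => new Date().toISOString()) {
    this.events = []; // append-only: one frozen entry per consent or withdrawal event
    this.now = now;
  }

  // Record one itemized decision: who, which purpose, which choice, which notice version.
  // opts.isChild marks a data principal under 18; opts.consentedBy is "self" or "guardian".
  record(principalId, purpose, granted, opts = {}) {
    const { isChild = false, consentedBy = "self" } = opts;
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    // Section 9: a child's consent counts only when given by a parent or lawful guardian,
    // and targeted advertising is never enabled for a child whatever was clicked.
    if (isChild && (consentedBy !== "guardian" || purpose === "targeted_ads")) granted = false;
    const event = Object.freeze({
      principalId, purpose, granted, consentedBy, noticeVersion: NOTICE_VERSION, at: this.now(),
    });
    this.events.push(event);
    return event;
  }

  // Withdrawal is the same one-step call as granting, so it is as easy as giving consent.
  withdraw(principalId, purpose) { return this.record(principalId, purpose, false); }

  // Current state is the latest event for that person and purpose; no record means no consent.
  allows(principalId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.principalId === principalId && e.purpose === purpose) return e.granted;
    }
    return false;
  }

  // Evidence that a specific person consented to specific purposes after a specific notice.
  evidence(principalId) { return this.events.filter(e => e.principalId === principalId); }
}

// Gate each tracker on live consent so a withdrawal actually stops it loading.
function activeTrackers(ledger, principalId, trackers) {
  return trackers.filter(t => ledger.allows(principalId, t.purpose)).map(t => t.name);
}
```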
Support the Consent Manager pathway and data rights
The Act introduces the concept of a Consent Manager, a registered entity through which people can give, manage, review and withdraw consent across services. Design your consent records to be interoperable with this model rather than locked to a single proprietary format.
Also stand up the data principal rights the law grants, including access to a summary of processing, correction, erasure and grievance redressal. A working request intake with clear timelines covers this and overlaps with the DSAR processes you may already run for other regions.
This guide is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified counsel.
Frequently asked questions
Does the DPDPA require age verification?
In effect, yes. Section 9 requires verifiable parental consent for users under 18 and bans targeted advertising and behavioral tracking of children, which means you need an age-gate and a parental consent flow.
Is consent the main basis for processing under the DPDPA?
For most commercial processing, yes. The law relies heavily on consent, with a limited set of legitimate uses, so getting the consent flow right is central to compliance.
What is a Consent Manager under the DPDPA?
A Consent Manager is a registered intermediary that lets people give, manage, review and withdraw their consents in one place. Designing interoperable consent records helps you fit this model.