A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Compliance for Freight Forwarders

Freight forwarders handle massive amounts of personal data, from KYC documents to consignee details. Learn how to comply with India's DPDP Act 2023.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Compliance for Freight Forwarders, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can I share consignee phone numbers with third-party delivery drivers?

Yes, but only for the specific delivery. You must ensure the driver's agency contractually agrees to delete the contact information once the proof of delivery is signed.

How do I handle data for LCL shipments involving multiple individual shippers?

You must keep KYC documents for each shipper in separate digital or physical files. Ensure one shipper cannot see the contact details or ID proofs of others sharing the same container.

Does DPDP apply to the data of foreign consignees?

If you process the personal data of a foreign individual within India to facilitate an export, you must follow DPDP rules for how that data is stored and secured on your local servers.

Real-World Examples Companies struggling with this issue

Healthcare

1mg

60

Tata 1mg's privacy policy demonstrates a robust approach to data security and provides mechanisms for data principals to exercise certain rights, such as withdrawing consent. However, the policy currently lacks explicit alignment with several critical provisions of India's Digital Personal Data Protection Act 2023. Key areas requiring enhancement include the granularity of consent, clear definition of data retention periods, explicit mention of DPDP Act-mandated rights like nomination, and the escalation process to the Data Protection Board. Given the sensitive nature of health-related personal data processed by 1mg, precise DPDP compliance is essential to build and maintain user trust while navigating India's evolving data protection landscape.

⚠️ Consent mechanism bundled with service terms — not explicitly 'freely given' and granular per Section 6, and no mention of Consent Manager integration.
⚠️ Data retention period undefined — uses 'as long as necessary' language, lacking specific timelines or automated erasure triggers per Section 9.
+4 more gaps detected
Mar 2026 View Report
Real Estate

99acres (Info Edge India Ltd.)

47

99acres's privacy policy remains heavily anchored in the IT Act 2000 and the 2011 Privacy Rules. While it provides strong security disclosures, it fails major DPDP Act 2023 hurdles — specifically regarding granular consent, multi-language notice availability, and the specific rights of data principals (like nomination and DPB escalation). For a platform handling significant financial intent and PII, these gaps represent high regulatory risk.

⚠️ Consent is bundled with Terms of Use — fails Section 6 requirement for 'freely given' and 'unconditional' consent
⚠️ No reference to the Data Protection Board (DPB) of India for grievance escalation
+4 more gaps detected
May 2026 View Report
Government

Aadhaar (UIDAI)

55

Aadhaar is unique — it's governed by its own Act and DPDP's Section 17 government exemptions. At 55/100, the system processes 1.3B Indians' biometric data with dedicated legal protections, but the exemptions from DPDP create legitimate questions about citizen data rights, purpose limitation, and the permanence of biometric data.

⚠️ DPDP Section 17 exempts government from some provisions but not all
⚠️ Biometric data (fingerprints, iris scans) security adequacy questions remain
+4 more gaps detected
Feb 2026 View Report
Book clarity call