A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Privacy Policy Guide

Get a practical guide to writing clear DPDP privacy policies that users and internal teams can understand.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Privacy Policy Guide, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Do I need to translate my privacy policy into all 22 Indian languages immediately?

No, but you must have a system to provide the notice in any of those 22 languages if a user requests it. Your website should ideally offer the notice in the primary languages of your Indian user base.

Can I bundle my privacy policy with my Terms and Conditions?

No, DPDP requires the notice for personal data collection to be separate and clear. The request for consent must be in "plain and shemly" language and not buried inside a legal contract.

What happens if I don't list a specific data processor in my policy?

You must list the categories of personal data shared and the purposes of sharing. If a processor handles data for a purpose not listed in your notice, that processing lacks valid consent.

Real-World Examples Companies struggling with this issue

Real Estate

99acres (Info Edge India Ltd.)

47

99acres's privacy policy remains heavily anchored in the IT Act 2000 and the 2011 Privacy Rules. While it provides strong security disclosures, it fails major DPDP Act 2023 hurdles — specifically regarding granular consent, multi-language notice availability, and the specific rights of data principals (like nomination and DPB escalation). For a platform handling significant financial intent and PII, these gaps represent high regulatory risk.

⚠️ Consent is bundled with Terms of Use — fails Section 6 requirement for 'freely given' and 'unconditional' consent
⚠️ No reference to the Data Protection Board (DPB) of India for grievance escalation
+4 more gaps detected
May 2026 View Report
E-commerce

Amazon India

58

Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.

⚠️ Global privacy policy not tailored to DPDP Act 2023
⚠️ Alexa voice data and Ring camera data handling raises DPDP questions
+4 more gaps detected
Feb 2026 View Report
E-commerce

Blinkit

58

Blinkit’s privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding 'what' is collected, it fails the 'how' of DPDP Act 2023—specifically regarding granular consent, the right to be forgotten, and the new statutory rights of nomination. The reliance on 'implied consent' through platform usage is a high-risk area under the new regulatory regime.

⚠️ Consent is 'deemed' by continued use — violates Section 6 requirement for affirmative action
⚠️ No provision for the Right to Nominate (Section 14) in case of death or incapacity
+4 more gaps detected
Apr 2026 View Report
Book clarity call