Before a data fiduciary can rely on consent, it must give the data principal a notice. That notice is not a courtesy; it is a legal precondition for valid consent and a core transparency obligation in its own right. If the notice is deficient, the consent built on it is shaky, and the processing that follows is exposed.
The DPDP Act sets out what the notice must contain, and the 2025 Rules sharpen the expectation: notices must be standalone, itemised and written in clear, plain language. The days of burying data practices in dense, unreadable terms are ending.
This guide explains what a compliant notice must include, how the Rules expect it to be presented, how it differs from a traditional privacy policy, and how to structure a notice you can actually stand behind.
Why notice comes before consent
The logic of the Act is sequential: you inform, then you ask. Consent must be informed to be valid, and a person can only give informed consent if they have first been told, clearly, what they are agreeing to. The notice is therefore the foundation on which lawful, consent-based processing is built.
This also means notice quality directly affects consent quality. A vague or misleading notice does not just risk a transparency complaint; it can invalidate the consent itself, unravelling the lawful basis for the processing it was meant to support.
This dependency is worth internalising at the design stage: teams that treat the notice as marketing copy, rather than the legal foundation of consent, tend to produce notices that are persuasive but incomplete. The notice's first job is to inform accurately, not to reassure.
What the notice must contain
At minimum, the notice must describe the personal data being collected and the purpose for which it will be processed. It must also tell the data principal how they can exercise their rights under the Act, how they can withdraw their consent, and how they can make a complaint to the Data Protection Board.
These elements are not optional extras; they are the substance of the notice. A notice that explains what you take and why, but omits how to withdraw consent or complain, is incomplete and falls short of the Act's requirements.
A simple way to check completeness is a four-point test: does the notice say what data, what purpose, how to withdraw, and how to complain? If any of the four is missing or buried, the notice needs work before it can support valid consent.
The itemised, standalone standard
The 2025 Rules push notices toward being standalone and itemised. Rather than a wall of legal text covering every conceivable practice, the expectation is a clear, structured notice that lets a person see, item by item, what data is collected and for what purpose.
This is a meaningful shift in drafting. It rewards plain language, logical structure and honesty, and it penalises the bundling and obfuscation that characterised many older privacy statements. A good test is whether an ordinary user could read the notice once and accurately summarise it. Designing to that test is a practical cornerstone of DPDP compliance.
Itemisation also makes notices easier to maintain. When each data type and purpose is listed as a discrete item, updating the notice as your processing changes becomes a matter of adding or amending a line, rather than rewriting an impenetrable block of prose.
Plain language and multiple languages
The Act and Rules emphasise clear and plain language. Notices must be understandable to ordinary people, not just to lawyers, which means short sentences, concrete descriptions and the avoidance of unnecessary jargon.
Reflecting India's linguistic diversity, the request for consent — and the accompanying notice — must be available in English or any language listed in the Eighth Schedule of the Constitution. For consumer-facing services, offering the notice in the languages your users actually speak is both a legal expectation and a trust-builder.
Offering the notice in the languages your users actually read is not just a legal nicety; it is a trust signal. A person who can read, in their own language, exactly what you collect and why is far more likely to engage with your service confidently.
Notice for data collected before the Act
The Act also addresses personal data collected on the basis of consent before its commencement. In such cases, the fiduciary must give the data principal a notice as soon as reasonably practicable, so that individuals are informed about ongoing processing of data they provided under the old regime.
This means organisations cannot simply ignore their existing data stores. Part of getting ready is planning how to notify the people whose data you already hold, where you intend to keep relying on consent.
Planning this retrospective notice is part of data mapping: you need to know which existing records were collected on consent and how to reach those individuals. Organisations that ignore their legacy data risk a transparency gap precisely where they hold the most information.
Notice versus privacy policy
It helps to distinguish the DPDP notice from a general website privacy policy. A privacy policy is often a broad, organisation-wide document; the notice under the Act is specific to a particular act of collection and the consent attached to it.
In practice, many organisations will maintain both: a layered, itemised notice presented at the point of collection, and a fuller privacy policy that provides context. The key is that the point-of-collection notice meets the Act's specific content and clarity requirements, rather than relying on a sprawling policy few people read.
The cleanest pattern is a layered approach: a concise, itemised notice at the point of collection that links to a fuller privacy policy for context. The point-of-collection notice carries the legal weight; the policy provides depth for those who want it.
Designing the notice in practice
A practical, compliant notice is layered: a concise, itemised summary at the point of collection — what data, what purpose, how to withdraw, how to complain — with the option to expand into more detail. It uses plain language, is available in the relevant languages, and is genuinely visible rather than hidden behind a link no one clicks.
Templates can accelerate this work, but they must be tailored to your actual processing. A generic notice that does not reflect what your organisation really collects and does is worse than useless, because it misleads the very people it is meant to inform.
Treat templates as a starting structure, then populate them with your real data flows. The most common notice failure is not poor drafting but inaccuracy — a notice that describes processing the organisation does not actually do, or omits processing it does.
Keeping notices accurate over time
A notice is only compliant if it is true. As your processing changes — new purposes, new data, new recipients — the notice must be updated to match, and material changes may require fresh notice and consent. A notice that has drifted out of sync with reality is a liability.
Build notice review into your change-management process, so that whenever a team proposes a new use of personal data, updating the notice is part of shipping it. That discipline keeps your transparency obligations met as the business evolves.
A practical safeguard is to make 'update the notice' a required step in any project that introduces a new use of personal data. Wiring notice review into change management is what keeps transparency honest as the business and its data practices evolve.