DPDPA Guide
Notice Requirements Under DPDPA
What a DPDPA-compliant notice must include and how to implement it for your forms.
Every time you collect personal data, you must provide a notice to the individual. Getting the notice right is one of the most practical and immediately implementable compliance tasks.
What Is a Notice Under DPDPA?
Under Section 5 of DPDPA, before or at the time of collecting personal data, a Data Fiduciary must provide the Data Principal with a notice containing:
- What personal data is being collected — specifically, not vaguely
- The purpose for which the data is being processed — each distinct purpose should be listed
- How the Data Principal can exercise their rights — where to go, how to raise a request
- How to withdraw consent — withdrawal should be as easy as giving consent
Where Does the Notice Need to Appear?
The notice must accompany or precede every consent request. This means it is needed at:
- Website enquiry and contact forms
- Checkout and account creation flows
- Job application forms
- Admission and enrollment forms
- WhatsApp and SMS opt-in flows
- Newsletter subscription forms
What Does a Good Notice Look Like?
A DPDPA-compliant notice should be:
- Specific — "Your name and email will be used to send you course updates", not "used to improve your experience"
- Plain language — avoid legalese; write for a 12-year-old
- Visible — placed immediately next to the consent action, not buried in T&Cs
- Itemised by purpose — if you are collecting data for multiple purposes, list each purpose separately
What a Notice Must NOT Do
- Use vague phrases like "for business purposes" or "to improve services"
- Bundle multiple purposes into one statement
- Be hidden in a 30-page Terms and Conditions document
- Use language that implies the individual has no choice
Sample Notice Language (Illustrative)
For a job application form:
"We will use the information you provide in this form (name, contact details, work history, qualifications) to evaluate your application for the role of [X]. If your application is successful, we will retain your data for employment purposes. If unsuccessful, we will retain your CV for 12 months in case other suitable roles arise — you can opt out of this below. You may request access, correction, or deletion of your data by emailing privacy@yourcompany.com."
Notice vs Privacy Notice (Privacy Policy)
A consent notice is a short, purpose-specific disclosure at the point of data collection. It is different from your full Privacy Notice (privacy policy), which is a comprehensive document covering all your data processing activities.
Both are required. The consent notice is the just-in-time disclosure; the Privacy Notice is the full reference document. Your consent notice should link to your full Privacy Notice.
Practical Implementation Steps
- List every touchpoint where your business collects personal data
- For each touchpoint, draft a short, specific notice covering the four required elements
- Place the notice immediately above or next to the consent checkbox
- Ensure the notice links to your full Privacy Notice
- When you change how you use the data, update the notice and re-seek consent if necessary
- Record the version of the notice shown at the time of consent
Notice for Existing Data
If you collected personal data before DPDPA enforcement and did not provide a compliant notice, you will need to remediate. Options include:
- Running a re-consent campaign with a fresh, compliant notice
- Sending a retroactive notice to existing contacts explaining how their data is used
- Deleting data collected under non-compliant conditions if re-consent cannot be obtained
Last reviewed: March 2026
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.