

In this Leading Questions piece, Dhruv Kaushal explains how under India's DPDP Act, privacy notices must be clear, specific and regularly updated, reflecting actual data practices, using plain language, and functioning as dynamic tools to ensure transparency, informed consent, and accountability.
Question: The DPDP Act has elevated the importance of privacy notices. How does the current regime differ from the traditional approach of publishing a generic privacy policy on a website?
Answer: The DPDP Act marks a significant shift in how organisations communicate with individuals about the use of their personal data. Traditionally, privacy policies were treated as standard legal documents uploaded to websites as a checkbox exercise. Most users accepted these policies without understanding what they actually meant.
The DPDP Act changes this by making transparency and accountability central principles of data protection. Instead of merely hosting a privacy policy, organisations are now expected to provide a clear and accessible privacy notice at the point of data collection. The notice should specify the categories of personal data being collected, the purpose of processing, how the information will be used, and the rights available to individuals under the law.
The objective is not just legal compliance but enabling individuals to make informed decisions before sharing their personal data. Privacy notices are no longer a formality—they have become a foundational tool for demonstrating compliance while building trust and accountability.
Question: What are the essential ingredients of a legally compliant privacy notice under the DPDP Act, and what information should organisations avoid overlooking?
Answer: A privacy notice is often the first interaction an organisation has with an individual regarding personal data processing. It should therefore be complete, accurate, and easy to understand.
At a minimum, it should explain the categories of personal data being collected, the specified purpose of collection, how individuals can exercise their rights under the DPDP Act, the process for withdrawing consent, and the contact details for grievance redressal.
However, organisations frequently focus only on statutory requirements while overlooking how personal data is actually processed within their business. Personal data may include names, contact details, IP addresses, biometrics, device information, cookies, and user preferences. If these data elements are not accurately reflected in the privacy notice, a disconnect arises between what the organisation says and what it actually does, creating potential compliance risks.
A legally compliant privacy notice should therefore reflect the organisation's actual data processing practices rather than merely reproducing statutory language.
Question: Many organisations continue to use standard templates for privacy notices. What are the legal and compliance risks of adopting a one-size-fits-all approach?
Answer: Standard templates can serve as useful starting points, but they should never be viewed as complete compliance solutions.
Every organisation processes personal data differently depending on its industry, business model, technology, customer base, and third-party relationships. A generic privacy notice often fails to accurately describe these unique processing activities, leading to incomplete or inaccurate disclosures.
In the DPDP environment, where regulatory scrutiny and potential penalties are significant, a one-size-fits-all approach is unlikely to withstand examination. If regulators review an organisation's privacy practices, or individuals question how their data has been processed, inconsistencies between the published notice and actual operations can quickly become apparent.
Organisations should first understand their internal data flows and then draft privacy notices that genuinely reflect their operational realities.
Question: How frequently should organisations review and update their privacy notices to ensure they remain aligned with evolving business practices, technological developments, and regulatory expectations?
Answer: One of the biggest challenges in privacy compliance is making legal information understandable for ordinary individuals. A notice that is legally accurate but filled with technical or legal jargon may satisfy documentation requirements while failing to achieve meaningful transparency.
Organisations should therefore use plain language, clear headings, short paragraphs, and simple explanations of technical concepts. Layered notices, summaries, FAQs, and visual elements can also improve readability. Given India's linguistic diversity, publishing privacy notices in regional languages can further enhance accessibility.
The true test is whether individuals can understand what personal data is collected, how it will be used, and make an informed decision. If a notice is difficult to understand, it may undermine the principles of transparency and privacy by design, even if it technically complies with the law.
As a good governance practice, organisations should review their privacy notices at least twice a year and communicate updates whenever material changes are made.
Question: Beyond legal compliance, what role do privacy notices play in demonstrating organisational transparency, governance, and responsible data stewardship?
Answer: Privacy has evolved beyond being purely a legal obligation; it is now a business and governance issue. Customers, employees, investors, regulators, and business partners increasingly expect organisations to be transparent about how personal data is collected, processed, and protected.
A well-drafted privacy notice demonstrates that an organisation understands its data processing practices, has established effective governance mechanisms, and is committed to responsible data management. It reflects an organisation's privacy culture rather than merely its compliance status.
Internationally, regulators have even scrutinised seemingly minor aspects such as the size, colour, and prominence of "I Accept" and "I Reject" buttons when assessing an organisation's commitment to fair consent practices. As digital trust becomes a competitive differentiator, organisations that communicate openly about their data practices are more likely to build stronger stakeholder relationships.
A privacy notice is therefore no longer just a legal document, it is a statement of accountability, transparency, and good corporate governance.
Question: As the DPDP regime matures, do you foresee privacy notices evolving from static legal documents into dynamic communication tools that foster ongoing engagement with data principals?
Answer: Yes. Privacy regulation is increasingly moving in that direction. Traditionally, privacy notices were viewed as one-time legal documents accepted during registration or sign-up. Under the DPDP Act, however, transparency and informed consent are continuing obligations rather than one-time exercises.
As business models, technologies, and data processing practices evolve, organisations will need to keep individuals informed about significant changes affecting their personal data. Privacy notices are therefore likely to become more dynamic through timely updates, layered content, contextual disclosures, and in-app notifications at the point where personal data is collected or processed.
This evolution is not solely about regulatory compliance, it is about building trust. When organisations communicate openly and proactively about their data practices, individuals are better equipped to understand how their information is used and are more confident in sharing it.
Going forward, privacy notices should be viewed as an ongoing dialogue between organisations and Data Principals. Organisations that embrace this approach will be better positioned to demonstrate accountability, strengthen stakeholder confidence, and adapt to the evolving privacy landscape.
Dhruv Kaushal is a Partner and Head of the Data Protection & Digital Privacy Practice at King Stubb and Kasiva.