
How to Draft a Privacy Policy Compliant with Indian Laws

  • Writer: Kiratraj Sadana
  • May 20
  • 3 min read

Updated: May 26

Introduction

In the digital age, a privacy policy is not just a formality: it is a legal obligation and a trust-building tool. For Indian businesses, drafting a compliant privacy policy is crucial to meet statutory requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), which are in force today, and the Digital Personal Data Protection Act, 2023 (DPDP Act), which was enacted in August 2023 and is being brought into force in phases by notification.

In this guide, we walk you through the essential elements of a privacy policy under Indian law and how to ensure it’s both legally robust and user-friendly.


  1. Why a Privacy Policy Is Mandatory in India

    A privacy policy is required under:

    • Section 43A of the IT Act, 2000, read with the IT Rules, 2011 – for body corporates that collect, receive, possess, store, deal with or handle sensitive personal data or information. Rule 4 of the IT Rules expressly requires such a body corporate to publish a privacy policy on its website. (Note that the DPDP Act, once in force, repeals Section 43A, so the IT Rules regime will give way to the DPDP regime.)

    • The DPDP Act, 2023 – which mandates transparency and disclosure obligations for data fiduciaries.

    • Sector-specific regulators like RBI, SEBI, and IRDAI may also require tailored privacy disclosures.

    • Failure to provide a privacy policy can result in penalties, reputational harm, and data fiduciary liability.


  2. What Should a Privacy Policy Contain?

    Here are the key clauses every privacy policy should include to comply with Indian law:

    1. Type of Information Collected

      • Personal data (e.g., name, contact details)

      • Sensitive personal data (e.g., financial info, passwords, health data)


    2. Purpose of Collection and Usage

      • Why the data is being collected (e.g., to provide services, for marketing, legal compliance)

      • Legal basis: the Data Principal's consent, or one of the "certain legitimate uses" listed in Section 7 of the DPDP Act (for example, a purpose the individual has voluntarily provided the data for, or compliance with a legal obligation)


    3. Disclosure of Information

      • Third-party sharing, government requests, cross-border transfers

      • Names or categories of entities with whom data may be shared


    4. Data Storage and Retention

      • Location of servers (especially for cross-border compliance)

      • Duration for which data will be retained and grounds for deletion


    5. Security Practices

      • Encryption, access controls, periodic audits

      • Reference to ISO/IEC 27001 standards or industry equivalents, if applicable


    6. User Rights

      • Right to access, correct, update and erase personal data, to withdraw consent, and (under the DPDP Act) to nominate another person to exercise these rights in the event of death or incapacity

      • Procedure to exercise these rights


    7. Grievance Redressal Mechanism

      • Name and contact details of the Grievance Officer

      • Response timelines: Rule 5(9) of the IT Rules requires the Grievance Officer to redress grievances within one month of receipt; state the timeline you commit to in the policy


    8. Consent

      • Mechanism for capturing and revoking consent

      • Separate opt-ins for marketing, profiling, and cookies


  3. DPDP Act 2023: New Obligations for Privacy Policies

    Once the relevant provisions of the DPDP Act, 2023 are brought into force, privacy policies and the consent notices that accompany them must additionally provide:

    • Language comprehensible to the user: Section 5 of the DPDP Act requires that the notice be available in English or in any of the languages listed in the Eighth Schedule to the Constitution, at the Data Principal's option

    • Summary of individual rights under the Act

    • Disclosure on cross-border transfers, if any

    • A clear interface for grievance redressal and consent withdrawal


  4. Tips for Drafting an Effective Privacy Policy

    • Use plain English: Avoid legalese and ensure it’s understandable by the average user.

    • Be specific, not vague: Clearly state what data is collected and for what purposes.

    • Make it accessible: Place the privacy policy link prominently on your website or app footer.

    • Keep it updated: Review the policy periodically as your data practices or applicable laws evolve.


  5. Examples of Businesses That Need Customised Privacy Policies

    • E-commerce platforms collecting payment and delivery data

    • Fintech apps handling Aadhaar and financial records

    • Healthcare startups storing medical history

    • SaaS companies with user profiles and analytics

    • Marketing agencies conducting behavioral targeting


    Each of these businesses has a different risk profile and must tailor its policy accordingly.


  6. Penalties for Non-Compliance

    The Schedule to the DPDP Act sets out the monetary penalties the Data Protection Board may impose. Failing to implement reasonable security safeguards to prevent a personal data breach attracts a penalty of up to ₹250 crore; failing to notify the Board and affected Data Principals of a breach attracts up to ₹200 crore; and any other breach of the Act, which would include a defective or missing privacy notice, attracts up to ₹50 crore. Separately, the existing IT Rules regime exposes a body corporate to compensation claims under Section 43A of the IT Act for negligence in implementing reasonable security practices.


Conclusion

A privacy policy is not just a checkbox—it’s your first line of defence in India’s emerging data protection regime. As laws like the DPDP Act evolve and enforcement ramps up, businesses must draft policies that are transparent, specific, and legally sound.


Need a legally compliant privacy policy for your business? At Apar Law, we draft privacy policies tailored to your sector, technology stack, and risk exposure. Get in touch with us today for a free initial consultation.

