India (DPDP Act 2023) compliance with Consentico

Show a Digital Personal Data Protection Act-shaped consent notice to Indian visitors, surface your grievance officer contact, and capture a defensible audit trail under DPDP §6.

India's Digital Personal Data Protection Act 2023 (DPDP) is the country's first comprehensive privacy law. The Act was passed in August 2023; the DPDP Rules 2025 were notified on 14 November 2025, and substantive obligations on Data Fiduciaries take effect 14 May 2027. Cookie-based tracking on Indian visitors falls squarely within DPDP's definition of "processing personal data of a Data Principal in India".

Consentico ships an opt-in India / DPDP mode that:

  1. Treats Indian visitors as a regulated region (default-deny + explicit opt-in).
  2. Auto-switches the banner copy to a DPDP-shaped notice that names rights, withdrawal, and your grievance officer contact (DPDP §13).
  3. Auto-translates to Hindi for hi / hi-IN visitors (other Eighth-Schedule languages route to Hindi as a sensible fallback; you can override via Settings → Language).
  4. Captures a policy snapshot on every consent decision so you can prove what notice the visitor actually saw — required by both GDPR Art. 7(1) and DPDP §6.

The Act and the 2025 Rules together require a Data Fiduciary processing personal data of Data Principals in India to:

  • Issue a notice in clear, plain language (English or any Eighth-Schedule language) at or before the time consent is requested. The notice must describe the personal data being collected, the purposes, and how to exercise rights.
  • Obtain consent that is free, specific, informed, unconditional, and unambiguous — language that closely tracks GDPR Art. 4(11).
  • Make consent as easy to withdraw as it was to give.
  • Publish the contact of the Data Protection Officer / grievance officer so a Data Principal can raise a concern (DPDP §13).
  • Retain demonstrable evidence of consent — i.e. an audit trail tying each consent to the notice that was displayed.

The good news: the GDPR-shaped consent flow Consentico already implements satisfies most of this. India-mode adds the missing pieces — grievance contact, DPDP-specific rights language, and a Hindi presentation — without changing the underlying mechanics.

Enable India / DPDP mode

  1. Open Consentico admin → Settings.
  2. Scroll to India (DPDP Act 2023) (under Geo-targeting).
  3. Toggle Show DPDP notice to Indian visitors on.
  4. Fill in Grievance officer contact — an email address or URL where Indian visitors can raise a privacy concern. This is required under DPDP §13 and gets appended to the banner notice.
  5. Save.

Enabling India mode automatically turns on the regulated-region gate so the banner now shows for both EU/EEA/UK/CH and India. If you only sell into India, that's still fine — the banner just shows for IN visitors and skips everyone else.

What Indian visitors see

When Consentico's geo lookup places a visitor in India (Cloudflare/Vercel header, then Asia/Kolkata timezone fallback, then hi/hi-IN Accept-Language fallback), the banner:

  • Renders with your existing title and description, then appends a DPDP rights line: "Under India's DPDP Act 2023 you have the right to access, correct, erase your data, withdraw consent, and raise a grievance. Grievance contact: <your contact>."
  • Shows three explicit choices — Accept All, Reject All, Customise — never a single dismiss-with-X. DPDP requires consent to be unambiguous, so a passive close is not consent.
  • Auto-translates to Hindi if the browser language is hi/hi-IN, or one of the other Eighth-Schedule languages we route to Hindi.

The full Hindi locale is also available as a manual override under Settings → Language → Banner locale: Hindi (हिन्दी).
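The lookup order described above, written out as an added example (it is not Consentico's code). The header names are the ones Cloudflare and Vercel set; the function names, the return shape and the choice to look only at the top-ranked Accept-Language tag are assumptions.

```javascript
// Added example: a sketch of the lookup order, not Consentico's code.
// cf-ipcountry / x-vercel-ip-country are the real edge headers; the function
// names and return shape are hypothetical.
function topLanguage(acceptLanguage) {
  // Return the highest-q language tag, lower-cased ("" if none is usable).
  const ranked = acceptLanguage.split(",").map((part) => {
    const [tag, ...params] = part.trim().split(";");
    const q = params.map((p) => p.trim()).find((p) => p.startsWith("q="));
    return { tag: tag.trim().toLowerCase(), q: q ? parseFloat(q.slice(2)) : 1 };
  }).filter((l) => l.tag && l.tag !== "*" && l.q > 0);
  ranked.sort((a, b) => b.q - a.q);
  return ranked.length ? ranked[0].tag : "";
}

function resolveCountry({ headers = {}, timeZone = "" }) {
  // 1. Edge header wins whenever it carries a usable country code.
  const edge = (headers["cf-ipcountry"] || headers["x-vercel-ip-country"] || "").toUpperCase();
  // Cloudflare sends XX (unknown) and T1 (Tor); treat both as "no signal".
  if (/^[A-Z]{2}$/.test(edge) && edge !== "XX") {
    return { country: edge, source: "edge-header" };
  }
  // 2. Browser timezone. Asia/Calcutta is the legacy alias some engines report.
  if (timeZone === "Asia/Kolkata" || timeZone === "Asia/Calcutta") {
    return { country: "IN", source: "timezone" };
  }
  // 3. Preferred language (assumption: only the top-ranked tag counts).
  const lang = topLanguage(headers["accept-language"] || "");
  if (lang === "hi" || lang === "hi-in") {
    return { country: "IN", source: "accept-language" };
  }
  return { country: null, source: "none" };
}

// Constructed visitors (not real traffic).
const VISITORS = {
  mumbaiViaCloudflare: { headers: { "cf-ipcountry": "IN" }, timeZone: "Asia/Kolkata" },
  bengaluruOnUsVpn: { headers: { "x-vercel-ip-country": "US", "accept-language": "hi-IN,en;q=0.8" }, timeZone: "Asia/Kolkata" },
  noEdgeHeader: { headers: { "accept-language": "en-GB,en;q=0.9" }, timeZone: "Asia/Calcutta" },
  hindiBrowserOnly: { headers: { "accept-language": "en;q=0.5, hi-IN" }, timeZone: "" },
};
```

Because the edge header takes precedence, `bengaluruOnUsVpn` resolves to `US` even though its timezone and language both point to India; the fallbacks only apply when no usable header is present.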

Every consent decision under India mode persists a policySnapshot on the ConsentLog row containing:

  • The exact banner title and description shown (post-merchant-overrides, post-i18n).
  • The privacy policy URL.
  • The locale rendered.
  • The categories the visitor was offered.
  • Whether DPDP mode was active.
  • The grievance contact at decision time.

This is the same payload we capture for GDPR Art. 7(1). DPDP §6 has not yet been clarified by Rules in this exact area, but the snapshot covers any reasonable interpretation of "demonstrable consent". Export the audit log via Consentico admin → Privacy → Export.
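A completeness check you could run over an exported audit log before relying on it, as an added example (not Consentico's code). It assumes the export can be read as an array of rows; the field names are hypothetical stand-ins for the snapshot items listed above, and it assumes the stored description includes the appended rights line.

```javascript
// Added example, not Consentico's code. Field names are hypothetical stand-ins
// for the snapshot items listed above; map them to the real export columns.
const TEXT_FIELDS = ["title", "description", "privacyPolicyUrl", "locale"];

function checkSnapshot(row) {
  const snap = row.policySnapshot;
  if (!snap || typeof snap !== "object") return ["no policySnapshot"];
  const problems = [];
  for (const field of TEXT_FIELDS) {
    if (typeof snap[field] !== "string" || snap[field].trim() === "") {
      problems.push(`empty ${field}`);
    }
  }
  if (!Array.isArray(snap.categories) || snap.categories.length === 0) {
    problems.push("no categories recorded");
  }
  if (typeof snap.dpdpMode !== "boolean") {
    problems.push("dpdpMode not recorded");
  } else if (snap.dpdpMode) {
    const contact = String(snap.grievanceContact || "").trim();
    if (!contact) {
      problems.push("DPDP active without grievance contact");
    } else if (!String(snap.description || "").includes(contact)) {
      // Assumes the stored description includes the appended rights line.
      problems.push("grievance contact missing from displayed notice");
    }
  }
  return problems;
}

// Return only the rows that would be hard to defend, with the reasons.
function auditExport(rows) {
  return rows
    .map((row) => ({ id: row.id, problems: checkSnapshot(row) }))
    .filter((result) => result.problems.length > 0);
}

// Constructed export rows (not real data).
const base = { title: "Cookies", privacyPolicyUrl: "https://shop.example/privacy",
  locale: "en", categories: ["analytics", "marketing"] };
const SAMPLE_ROWS = [
  { id: 1, policySnapshot: { ...base, dpdpMode: true, grievanceContact: "privacy@shop.example",
      description: "We use cookies. Grievance contact: privacy@shop.example." } },
  { id: 2, policySnapshot: { ...base, dpdpMode: true, grievanceContact: "",
      description: "We use cookies." } },
  { id: 3, policySnapshot: { ...base, dpdpMode: false, description: "We use cookies." } },
  { id: 4 },
];
```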

What Consentico is not

We want to be precise:

  • Consentico is not a registered Consent Manager under the DPDP Rules 2025. The Rules introduce a separate licensed entity called a Consent Manager that acts as a single point of contact for Data Principals across multiple Data Fiduciaries. That's a different product category. Consentico is a Data Fiduciary tool — it helps you (the merchant) collect, log, and honour consent on your storefront.
  • Consentico does not register your store with the Data Protection Board of India. Registration is a manual step, and it is not yet operational pending DPDP Rules implementation. Watch the MeitY website for the Board's commencement notice.

DPDP enforcement activates 14 May 2027, but India-mode is safe to enable today:

  • Now → 14 May 2027: voluntary good-practice posture. No penalty for being early; you build a clean audit trail and acclimatise Indian visitors to your consent flow.
  • From 14 May 2027: mandatory for any Data Fiduciary processing personal data of Data Principals in India. Penalties under DPDP §33 can reach ₹250 crore (~$30M) per significant violation, though typical first-instance penalties are expected to be substantially smaller.

If you ship products into India and run any non-essential tracking (Meta Pixel, Google Ads, Hotjar, Klaviyo), enable India mode now.

Limitations to be aware of

  • Geo detection is IP-based with timezone and Accept-Language fallbacks. A Bengaluru visitor on a US VPN won't be classified as IN. This is the industry standard — DPDP's "good faith" framing accepts IP geolocation as adequate effort.
  • Sensitive personal data (DPDP §2(t) — health, financial, biometric) carries additional handling expectations that go beyond the cookie banner. If your store collects this kind of data, coordinate with your privacy counsel — Consentico handles the consent surface, not the storage handling.
  • Children's data (under-18 Data Principals) requires verifiable parental consent under DPDP §9. Consentico does not currently age-gate; if your storefront targets minors, additional flows are needed outside the banner.