
DPDP in Plain English: What Founders & Developers Should Do Next

A practical, non-legal primer for Indian startups: what the DPDP Act expects, why it matters, and a 30-day checklist you can actually ship.

By AccordKit Team
TL;DR

The DPDP Act isn't asking for magic. It expects clear notice, real user choice, reasonable security, and the ability to prove what happened. This post is a builder's checklist, not legal advice.

What is the DPDP Act (in one paragraph)?

India's Digital Personal Data Protection (DPDP) Act sets baseline duties for anyone handling personal data. In practice: be clear about why you collect data, get and honor consent for non-essential uses, keep data secure, let people withdraw consent or correct their data, and don't keep data forever.

Why it matters now

  • Risk: fines and takedowns aren't theoretical anymore.
  • Trust: your customers now expect control and plain language.
  • Ops: doing the basics early is cheaper than fire-drills later.

The essentials (for product + engineering)

1) Notice, then choice

Give a simple notice (what/why) and offer affirmative consent for non-essential purposes. Don't hide controls.

2) Gate non-essential scripts

Analytics/marketing should load only after consent. Necessary stuff (auth, checkout, security) keeps running.

3) Keep an audit-ready history

Log each allow/deny/change/withdraw with timestamp and categories. Append-only. You should be able to export a CSV for an audit.

4) Respect withdrawals

When consent is changed/withdrawn, stop non-essential processing, and log the event.

5) Limit retention

Set a time-to-live (e.g., 13–24 months) and purge on a schedule.

6) Reasonable security

Use least-privilege access, row-level security (RLS) or an equivalent way of scoping each query to the user or tenant it belongs to, and off-the-shelf monitoring. Encrypt data at rest and in transit.

7) Data principal rights

Provide a simple email path for access/correction/erasure requests. Respond within a reasonable SLA.

8) Children

If your product targets minors, avoid behavioural tracking and talk to counsel about parental consent. (This post doesn't cover age-gating.)

9) Cross-border

Be ready to say where data is processed and keep an eye on government restrictions.

A 30-day checklist you can actually ship

Week 1 — visibility & copy

  • List all scripts/cookies on your site(s); tag as Necessary / Functional / Analytics / Marketing.
  • Update your Privacy page in plain language: purposes, withdrawal method, contact, retention.
  • Add a grievance mailbox (e.g., grievances@yourdomain.com) that reaches your support inbox.

Week 2 — consent & control

  • Show a banner with clear choices (allow/deny/category toggles).
  • Gate analytics/marketing until consent (one small condition around your loaders).
  • Add a "Change settings" link in your footer or account menu.
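The "one small condition around your loaders" from essentials item 2 and the Week 2 gating step, as an added example (not AccordKit's code or any real consent-management library): a consent gate that only runs a loader once its category is allowed, never gates the Necessary category, and tears a loader down when consent is withdrawn. Category names, the `ConsentGate` class and its `register`/`apply` methods are assumptions for this illustration. The gate is pure logic so it runs under Node as-is; in a browser, each `start` callback would inject the vendor's `<script>` tag and each `stop` would remove it and clear its cookies.

```javascript
// Added example, not AccordKit's code: a consent gate for third-party loaders.
// Loaders are registered under a category; only "necessary" runs unconditionally.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

class ConsentGate {
  constructor() {
    this.loaders = new Map(CATEGORIES.map((c) => [c, []]));
    this.loaded = new Set(); // keys of loaders that have actually run
    // Default state before the visitor decides: nothing non-essential is allowed.
    this.consent = { necessary: true, functional: false, analytics: false, marketing: false };
  }

  // Register a loader. `start` runs when its category is allowed; `stop`
  // (optional) runs when consent for that category is later withdrawn.
  register(category, key, start, stop = () => {}) {
    if (!this.loaders.has(category)) throw new Error(`unknown category: ${category}`);
    this.loaders.get(category).push({ key, start, stop });
    if (this.consent[category]) this._run(category); // already allowed: run right away
  }

  // Apply the visitor's decision ({ analytics: true, marketing: false, ... }).
  // Missing keys mean "not allowed". Returns which categories started/stopped.
  apply(decision) {
    const started = [];
    const stopped = [];
    for (const category of CATEGORIES) {
      if (category === "necessary") continue; // not toggleable; explained, never gated
      const allowed = Boolean(decision[category]);
      const was = this.consent[category];
      this.consent[category] = allowed;
      if (allowed && !was) { this._run(category); started.push(category); }
      if (!allowed && was) { this._halt(category); stopped.push(category); }
    }
    this._run("necessary");
    return { started, stopped };
  }

  // Withdrawal = every non-essential category denied.
  withdrawAll() { return this.apply({}); }

  _run(category) {
    for (const l of this.loaders.get(category)) {
      if (this.loaded.has(l.key)) continue; // idempotent: never double-load a tag
      l.start();
      this.loaded.add(l.key);
    }
  }

  _halt(category) {
    for (const l of this.loaders.get(category)) {
      if (!this.loaded.has(l.key)) continue;
      l.stop();
      this.loaded.delete(l.key);
    }
  }

  isLoaded(key) { return this.loaded.has(key); }
}

// Walk-through with constructed loaders that just record what happened.
function demo() {
  const gate = new ConsentGate();
  const events = [];
  gate.register("necessary", "auth", () => events.push("auth:start"));
  gate.register("analytics", "ga", () => events.push("ga:start"), () => events.push("ga:stop"));
  gate.register("marketing", "pixel", () => events.push("pixel:start"));
  const beforeConsent = [...events];   // page load: only the necessary loader ran
  gate.apply({ analytics: true });     // visitor allows analytics only
  gate.withdrawAll();                  // later withdraws everything
  return { beforeConsent, events, loaded: [...gate.loaded] };
}

console.log(JSON.stringify(demo()));
```

The common mistake of "firing analytics before consent" is structurally impossible here: a loader can only run through `_run`, and `_run` is only reached for a category whose consent flag is true. Keep the same gate in front of server-side tag injection too, since a tag added in the HTML template bypasses any client-side check.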

Week 3 — proof & retention

  • Log each decision append-only (timestamp, categories, version).
  • Build a CSV export by date range.
  • Set a retention policy (TTL) and a nightly purge job.

Week 4 — operations

  • Create a 1-page incident runbook (who triages, who notifies, 72h target for serious issues).
  • Add simple monitors and health checks; alerts to a shared inbox.
  • Train the team: what to do for withdraw/erase requests.

Common mistakes (easy to avoid)

  • Firing analytics before consent ("we'll fix it later").
  • Treating "Necessary" as toggleable (it isn't; explain it instead).
  • Editable logs (auditors dislike mutability).
  • No way to change consent later.
  • Keeping data forever "just in case".

If you want a head start

There are lightweight tools that give you a bilingual banner and an audit-ready consent log you can export in minutes. Pick whatever fits your stack and budget.