← Back to blog
Web DevelopmentJuly 6, 2026·28 min read

DPDP Compliant Website Checklist India (2026 Technical Guide for SMBs)

Consent banners, contact forms, privacy notice, grievance officer, vendor DPAs, and Next.js patterns—practical DPDP website checklist for Indian SMBs. Not legal advice. 15 FAQs.

D

DigitalXBrand Team

Web Development

Rohan's D2C skincare brand in Pune launched a polished Next.js storefront in March 2026. Traffic grew. Meta ads ran. Then a customer emailed asking where the privacy notice was and how to withdraw marketing consent. Rohan searched for a dpdp compliant website checklist india and realised his agency had shipped analytics, a contact form, and a newsletter popup—but no documented consent flow, no grievance officer contact, and no data processing agreements with Mailchimp or Razorpay. Fixing it after launch cost ₹85,000 in legal review and two weeks of developer time.

The Digital Personal Data Protection Act, 2023 (DPDP Act) and its 2025 rules changed how Indian businesses must think about websites that collect personal data—names, phone numbers, emails, IP addresses, cookies used for profiling, and form submissions. This guide is a technical implementation checklist for SMB websites: consent banners, contact forms, privacy notices, grievance officers, vendor DPAs, and Next.js-specific patterns. It is not legal advice; work with qualified counsel for your entity's compliance obligations.

Not legal advice

DigitalXBrand is a web development agency, not a law firm. This article describes common technical patterns Indian SMBs implement on websites. Your obligations depend on whether you qualify as a Data Fiduciary, what data you process, sector rules (RBI, IRDAI, etc.), and upcoming enforcement timelines. Consult a privacy lawyer before relying on any checklist alone.

Compliance on a brochure site is lighter than on a site that profiles users for ads—but 'we only have a contact form' is not a free pass when you run Meta Pixel and session replay.

DigitalXBrand Development Team
  • Consent banner and cookie management patterns for Indian SMB sites
  • Privacy notice structure and where to publish it
  • Contact form, newsletter, and lead-capture technical requirements
  • Grievance officer: what to display and how to route requests
  • Vendor DPAs for hosting, email, analytics, CRM, and payments
  • Next.js App Router implementation notes with code examples
  • 15 FAQs for Google and AI search

Building or auditing your site?

DigitalXBrand implements privacy-aware Next.js and WordPress sites for Indian SMBs—with consent flows, form hardening, and documented vendor lists from day one.

Why DPDP Matters for Your Business Website

Most Indian SMB websites collect personal data even when founders do not think of themselves as 'tech companies.' A contact form stores name and phone. Google Analytics collects identifiers. WhatsApp click-to-chat logs numbers. Razorpay checkout captures billing details. Job application pages store résumés. Each flow triggers questions about notice, consent, purpose limitation, retention, and grievance redressal under India's framework.

The penalty exposure for significant breaches can reach ₹250 crore under the Act—far beyond what a ₹3 lakh marketing site budget can absorb. Smaller businesses face reputational risk first: customers, enterprise buyers, and payment partners increasingly ask for privacy posture before signing contracts. A documented website checklist reduces sales friction and audit surprises.

📈 Technical vs legal work

Developers implement notice pages, consent UI, form routing, and audit logs. Lawyers interpret fiduciary obligations, draft privacy policies, and review DPAs. This guide sits in the implementation layer—what your engineering team or agency should ship before go-live.

Who This Checklist Applies To

  • Brochure sites with contact forms and Google Analytics
  • E-commerce stores on WooCommerce, Shopify, or custom Next.js
  • SaaS marketing sites with demo request forms and product analytics
  • Coaching institutes, clinics, and professional services collecting leads
  • Agencies rebuilding client sites that must hand over compliance-ready assets

If you are also budgeting ongoing compliance and updates, pair this guide with our website maintenance cost in India breakdown so AMC scope includes privacy-related plugin and dependency updates.

DPDP Compliant Website Checklist India (Master Overview)

Use this master checklist in sprint planning. Each section below expands into implementation detail.

Pre-launch DPDP website checklist

  • Privacy notice published at /privacy-policy (or equivalent) with data categories, purposes, retention, rights, grievance contact
  • Consent mechanism before non-essential cookies and marketing tags load
  • Contact forms collect only fields necessary for stated purpose
  • Form submissions stored securely; access limited to authorised staff
  • Grievance officer name and contact published (email + postal address per rules)
  • Data Processing Agreements signed with hosting, email, analytics, CRM, payment vendors
  • Cookie and consent preferences persisted and honourable on return visits
  • Third-party scripts blocked until consent where required
  • Audit log or documented process for erasure and correction requests
  • Children's data: no knowing collection under 18 without verifiable parental consent
  • Cross-border transfer disclosures if vendors process data outside India
  • Version date on privacy notice; change log when practices update

💡 Ship compliance with performance

Heavy consent managers can hurt Core Web Vitals if loaded synchronously. Defer non-essential scripts and load your consent layer after LCP-critical content. See our Core Web Vitals checklist for measurement patterns.

Measure consent banner impact on LCP and INP after implementation.

Under the DPDP framework, consent must be free, specific, informed, and unambiguous for processing personal data beyond what is strictly necessary. On websites, that translates into clear notice before you fire analytics pixels, retargeting tags, heatmaps, or embedded social widgets. Essential cookies—session auth, cart state, load balancing—typically do not need the same opt-in, but documenting the distinction matters.

  • Display on first visit before non-essential scripts execute (prior consent model)
  • Offer Accept, Reject, and Manage Preferences—not a dark-pattern 'Accept only' wall
  • Link to full privacy notice from the banner
  • Separate toggles for analytics, marketing, and functional third parties where feasible
  • Persist choice in a first-party cookie or localStorage with documented expiry
  • Re-prompt when privacy policy version changes materially
  • Work on mobile viewports without hiding reject options
  • Support Hindi or regional language if that is your primary audience (recommended for trust)

Pre-ticked boxes fail

Default-on analytics consent is a common agency shortcut. For DPDP-aligned implementations, non-essential processing should remain off until the user affirmatively opts in. Document this behaviour in your privacy notice.

CategoryExamplesTypical consent
Strictly necessarySession ID, CSRF token, cart cookieNo opt-in required; disclose in notice
FunctionalLanguage preference, consent storageOften bundled; disclose clearly
AnalyticsGA4, Plausible self-hostedOpt-in before load (recommended)
MarketingMeta Pixel, Google Ads tagsExplicit opt-in
Embedded mediaYouTube, Instagram embedsOpt-in or click-to-load facade
Cookie categories for Indian SMB websites
  • CookieYes, Cookiebot, or iubenda—SaaS CMPs with India-focused templates (verify DPA with vendor)
  • Osano or Termly—policy generators plus banner widgets; legal review still required
  • Klaro (open source)—self-hosted consent manager for Next.js and WordPress
  • WordPress: Complianz, CookieYes WP plugin, or custom block with script blocking
  • Next.js: @cookiehub or custom React consent context + next/script strategy=lazyOnload

SaaS consent tools process visitor IP addresses and consent logs—their DPA must be in your vendor folder. Self-hosted Klaro reduces third-party exposure but shifts security patching to your team; factor that into annual maintenance.

Script Blocking Architecture

The failure mode is a beautiful consent banner that does nothing—GA4 still loads in layout.tsx before the user clicks. Implement a consent gate at the tag manager or script injection layer.

  1. Inventory all third-party scripts in a spreadsheet (name, purpose, data sent, vendor country)
  2. Classify each as essential or consent-required
  3. Wrap consent-required scripts in a conditional loader tied to consent state
  4. Use Google Tag Manager consent mode v2 signals if you must keep GTM
  5. Verify with browser devtools Network tab: no google-analytics.com before accept
  6. Re-test after every marketing plugin update

💡 YouTube and maps embeds

Replace heavy iframes with thumbnail + click-to-load patterns. Users who never play the video never trigger Google's embed cookies—better for privacy and Core Web Vitals.

Regulators and enterprise customers may ask how you demonstrate consent. Store: timestamp, policy version, categories accepted, anonymised visitor token (not unnecessary PII). SaaS CMPs usually provide export; custom builds need a lightweight server log or database table.

  • Log consent events server-side when possible (harder to tamper than client-only)
  • Retain consent logs per your lawyer's advised period—often aligned with limitation periods
  • Do not store full IP in consent logs unless necessary; hash or truncate if analytics requires it
  • Include consent version in privacy policy footer: 'Last updated: 1 July 2026 — v2.1'

When to Show Notice vs Banner

The privacy notice is the full legal document. The banner is the just-in-time summary and consent capture point. Both must align: if the banner says 'we use cookies for analytics,' the notice must name GA4, retention period, and opt-out path. Mismatches create regulatory and customer-trust problems.

Consent banner QA before launch

  • Reject all → zero marketing/analytics network requests in first 5 seconds
  • Accept all → expected tags fire once, not duplicated
  • Manage preferences → partial accept works (analytics on, marketing off)
  • Return visit → prior choice respected without re-banner unless policy version bumped
  • Clear cookies → banner reappears appropriately
  • Screen reader can reach reject and manage buttons
  • Banner does not cover entire viewport on 320px mobile

Privacy Notice: Structure and Publication

Every Indian business website that collects personal data should publish a privacy notice accessible from the footer on every page—typically /privacy-policy. The notice is lawyer-drafted content hosted on your site; developers own the template, routing, version display, and last-updated metadata.

Sections Your Privacy Notice Should Cover

  • Data Fiduciary identity: legal entity name, registered address, contact email
  • Categories of personal data collected (contact, billing, usage, device, cookies)
  • Purposes of processing for each category
  • Lawful basis: consent, legitimate uses as applicable—legal team defines wording
  • Sources of data (direct from user, automatically from browser, from partners)
  • Third parties and processors (hosting, email, analytics, payments) with general description
  • Cross-border transfers if vendors store data outside India
  • Retention periods or criteria (e.g. 'lead data: 24 months after last contact')
  • Data principal rights: access, correction, erasure, grievance, nomination
  • How to exercise rights (email, form link, postal address)
  • Grievance officer details (name, email, address, response timeline expectation)
  • Children's data statement
  • Changes to policy: how users will be notified
  • Optional: cookie table mirroring your consent manager categories

🔥 Plain language wins

Indian regulators and customers respond better to readable notices than 40 pages of imported GDPR boilerplate. Lawyers should localise; developers should not hide the notice behind login walls or PDF-only downloads.

Technical Implementation Checklist

Privacy notice page

  • Route exists: /privacy-policy (or /legal/privacy) returns 200, indexed only if you want it in search
  • Footer link on all templates including checkout and thank-you pages
  • Last updated date visible at top, synced with CMS or git when content changes
  • Print-friendly layout; no broken anchors on mobile
  • Available in same languages as consent banner if multilingual site
  • Linked from contact form microcopy: 'See our Privacy Policy'
  • Version archived: previous policy PDF or git history for audit trail

For Next.js sites, store policy markdown in the repo or a headless CMS with review workflow. WordPress sites should use a dedicated page—not a post that can be accidentally deleted from the blog index.

Grievance Officer: Website Requirements

The DPDP rules require appointing a Grievance Officer for Data Fiduciaries. Even if you are assessing whether your SMB qualifies, publishing a clear grievance contact on the website is best practice—it reduces support chaos and shows enterprise buyers you have a process.

  • Publish Grievance Officer full name (or role title if name rotation is documented internally)
  • Dedicated email: grievance@yourcompany.com or privacy@yourcompany.com—not a personal Gmail
  • Indian postal address for written complaints (registered office or principal place of business)
  • Expected response timeframe stated in notice (legal team sets; often 'within X days')
  • Separate from general sales inbox so requests are tracked and not lost in lead spam
  • Optional: /privacy-request web form that creates a ticket in your helpdesk

🎯 Operational routing

Forward grievance@ to a small privacy queue in Zoho Desk, Freshdesk, or a shared Google Group with two owners. Auto-reply acknowledging receipt with ticket ID. Developers implement the form and SPF/DKIM; operations owns the SLA.

Handling Access, Correction, and Erasure Requests

When a data principal emails asking to delete their contact form submission, your team needs a runbook—not ad hoc database edits.

  1. Verify identity to reasonable standard (email match, order ID, phone OTP—lawyer advises threshold)
  2. Search CRM, form DB, email logs, backups for the subject's data
  3. Delete or anonymise primary records; note downstream processors (Mailchimp, Razorpay) to notify
  4. Confirm completion to requester in writing
  5. Log the request: date, type, outcome, handler (without storing excessive PII in the log itself)
LocationData typeErasure consideration
Form DB / SupabaseName, email, messageDELETE row; vacuum backups per policy
Google Sheets zapLead exportRemove row; check revision history
MailchimpSubscriberUnsubscribe + delete member API
GA4Client IDGoogle's deletion tools; limited user-level erase
Server access logsIP, user agentRotation policy; may not be erasable per IP on request
WhatsApp BusinessChat historyManual delete; export before if legally required
Where personal data often hides on SMB sites

Privacy notice is mandatory for data collection. Terms of use govern site usage, liability, and IP. A standalone cookie policy helps if your consent manager links to it—but avoid duplicating contradictory text across three documents. Single source of truth for cookie categories should be the privacy notice or cookie policy, referenced by the banner.

  • /terms-of-service — website usage, disclaimers, governing law (lawyer-drafted)
  • /cookie-policy — optional if cookie table is inside privacy notice
  • /refund-policy — e-commerce; separate from privacy but linked in footer
  • Consistent footer legal cluster on every page

Contact Forms and Lead Capture

Contact forms are the most common personal-data collection point on Indian SMB websites. DPDP alignment is not only about adding a privacy checkbox—it is about data minimisation, secure transmission, storage, retention, and processor contracts for every tool that touches submissions.

Form Design and Data Minimisation

  • Collect only fields required for the stated purpose—do not ask for DOB on a generic enquiry form
  • Label each field; mark optional fields explicitly
  • State purpose above submit: 'We use your details to respond to your enquiry'
  • Link to privacy notice near the submit button
  • Separate consent checkbox for marketing if newsletters are optional—not bundled with enquiry
  • Avoid uploading sensitive categories (health, biometrics) unless legally justified and secured
  • Phone fields: +91 validation; do not auto-enrol in WhatsApp broadcasts without opt-in

🛡 Security basics

HTTPS only. Server-side validation. Rate limiting and honeypot or Turnstile/reCAPTCHA to reduce spam. Never email form data to personal Gmail as the only storage—use CRM or encrypted DB with access controls.

Submission Routing and Storage

PatternProsDPDP notes
API route → email (Resend, SES)Simple, low costEmail provider DPA; retention in mailboxes
API route → Google SheetsFast for foundersGoogle Workspace DPA; sheet access restricted
API route → CRM (Zoho, HubSpot)Sales workflowCRM DPA; field mapping documented
Serverless DB (Supabase, PlanetScale)Queryable, auditableHosting DPA; backup encryption
Third-party form SaaS (Typeform, Tally)No codeVendor DPA; data residency settings
Contact form patterns for Indian SMBs

Document in your privacy notice which processors receive form data. If you use Zoho CRM for a Bengaluru coaching institute, name Zoho and the purpose ('customer relationship management'). Update the notice when you add a new zap to Mailchimp.

Newsletter and Job Application Forms

  • Newsletter: double opt-in recommended; clear unsubscribe in every email; sync unsubscribe to site preferences if applicable
  • Job forms: résumés may contain sensitive personal data—secure upload (S3 presigned URL), virus scan, limited HR access, defined deletion after hiring cycle
  • File uploads: restrict MIME types and size; store outside public web root
  • Do not expose submission PII in URL query params on redirect (?email= leaks in analytics and referrer logs)

Vendor DPAs and Processor Inventory

When you use a processor (hosting, email, analytics, payments), a Data Processing Agreement or equivalent contractual clause is part of DPDP readiness. Your lawyer negotiates terms; your developer produces the vendor inventory so legal does not miss the CDN you forgot about.

Vendor inventory template

  • Vendor legal name and product
  • Categories of personal data shared
  • Purpose of processing
  • Data location (India, US, EU, Singapore)
  • DPA signed date and renewal
  • Sub-processors list if provided by vendor
  • Deletion/export API or process documented
  • Technical contact for security incidents

Common Website Vendors (India SMB Stack)

  • Hosting: Vercel, AWS Mumbai, DigitalOcean BLR, Hostinger IN, Cloudflare
  • Email transactional: Resend, Amazon SES, SendGrid, ZeptoMail (Zoho)
  • Analytics: Google Analytics 4, Plausible self-hosted, Microsoft Clarity
  • CRM: Zoho CRM, HubSpot, Freshsales
  • Payments: Razorpay, Cashfree, PayU
  • Chat: Intercom, Crisp, WhatsApp Business API providers
  • CDN / security: Cloudflare, Akamai

📈 Free tiers still process data

Cloudflare free plan, Google Analytics, and Meta Pixel are not 'free of compliance'—they process personal data. Each needs disclosure in your notice and often a DPA acceptance in the vendor dashboard.

Practical DPA Workflow for SMBs

  1. Developer exports vendor list from package.json, env vars, and tag manager
  2. Founder or counsel downloads standard DPAs from vendor trust portals
  3. Sign or click-wrap accept; store PDFs in a shared compliance folder
  4. Review annually and on every new integration
  5. Remove unused vendors (old Hotjar account still collecting data is a liability)

Agencies handing off sites should deliver the processor inventory as part of documentation—same category as our website ownership checklist recommends for analytics and hosting credentials.

Incident and Breach Readiness (Technical)

Developers should know who to call when form data leaks. Technical readiness: access logs, ability to rotate API keys, disable compromised forms, export affected records for legal notification assessment. Breach notification rules are legal obligations—your runbook connects engineering to counsel within hours, not days.

  • Maintain env secrets in vault—not committed to Git
  • Enable 2FA on all processor admin accounts
  • Quarterly review of form endpoint auth and CORS rules
  • Backup encryption at rest for databases holding leads

Next.js Implementation Notes

Many Indian SMBs moving to Next.js App Router need privacy patterns that work with server components, edge middleware, and third-party scripts. Below are production patterns DigitalXBrand uses—adapt with your counsel's requirements.

Store consent in a first-party cookie readable by middleware and client components. Gate analytics in a dedicated client component that mounts only after consent is known.

components/ConsentProvider.tsxtsx
"use client";

import { createContext, useContext, useEffect, useState } from "react";

type Consent = { analytics: boolean; marketing: boolean };

const ConsentContext = createContext<{
  consent: Consent | null;
  setConsent: (c: Consent) => void;
} | null>(null);

const COOKIE_NAME = "dxb_consent";

export function ConsentProvider({ children }: { children: React.ReactNode }) {
  const [consent, setConsentState] = useState<Consent | null>(null);

  useEffect(() => {
    const raw = document.cookie
      .split("; ")
      .find((r) => r.startsWith(COOKIE_NAME + "="))
      ?.split("=")[1];
    if (raw) setConsentState(JSON.parse(decodeURIComponent(raw)));
  }, []);

  const setConsent = (c: Consent) => {
    document.cookie = `${COOKIE_NAME}=${encodeURIComponent(
      JSON.stringify(c)
    )}; path=/; max-age=31536000; SameSite=Lax`;
    setConsentState(c);
  };

  return (
    <ConsentContext.Provider value={{ consent, setConsent }}>
      {children}
    </ConsentContext.Provider>
  );
}

export function useConsent() {
  const ctx = useContext(ConsentContext);
  if (!ctx) throw new Error("useConsent requires ConsentProvider");
  return ctx;
}
Simplified consent context pattern (illustrative—not production-complete)
components/AnalyticsLoader.tsxtsx
"use client";

import Script from "next/script";
import { useConsent } from "./ConsentProvider";

export function AnalyticsLoader() {
  const { consent } = useConsent();
  if (!consent?.analytics) return null;

  return (
    <>
      <Script
        src={`https://www.googletagmanager.com/gtag/js?id=${process.env.NEXT_PUBLIC_GA_ID}`}
        strategy="lazyOnload"
      />
      <Script id="ga4" strategy="lazyOnload">
        {`
          window.dataLayer = window.dataLayer || [];
          function gtag(){dataLayer.push(arguments);}
          gtag('js', new Date());
          gtag('config', '${process.env.NEXT_PUBLIC_GA_ID}', {
            anonymize_ip: true
          });
        `}
      </Script>
    </>
  );
}
Load GA4 only when analytics consent is true

💡 Server vs client

Privacy notice pages can be Server Components with static generation for speed. Consent banner and script loaders must be Client Components. Keep the banner bundle small to protect INP scores.

Contact Form API Route

app/api/contact/route.tstypescript
import { NextResponse } from "next/server";
import { z } from "zod";

const schema = z.object({
  name: z.string().min(2).max(100),
  email: z.string().email(),
  phone: z.string().max(15).optional(),
  message: z.string().min(10).max(2000),
  marketingConsent: z.boolean().optional(),
});

export async function POST(req: Request) {
  const body = await req.json();
  const parsed = schema.safeParse(body);
  if (!parsed.success) {
    return NextResponse.json({ error: "Invalid input" }, { status: 400 });
  }

  const { name, email, phone, message, marketingConsent } = parsed.data;

  // Persist to DB or CRM — never log full PII to stdout in production
  // await saveLead({ name, email, phone, message, marketingConsent });

  return NextResponse.json({ ok: true });
}
Minimal contact handler with validation and rate limiting hook

Add Turnstile or reCAPTCHA verification server-side. Log submission metadata (timestamp, success) without storing message body in application logs. Wire marketingConsent to CRM tags only when true.

Privacy and Legal Pages in App Router

  • app/privacy-policy/page.tsx — MDX or CMS content with lastUpdated frontmatter
  • Footer in app/layout.tsx linking to legal routes
  • metadata export with accurate title/description for SEO (no keyword stuffing)
  • generateStaticParams if policies are locale-specific (/en/privacy, /hi/privacy)
  • sitemap.ts includes legal URLs with sensible changeFrequency: yearly

Middleware and Headers

Security headers support privacy indirectly: Strict-Transport-Security, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy limiting camera/mic. middleware.ts can enforce HTTPS redirects. Do not use middleware to block Indian users from GDPR-style flows—design one coherent experience for your primary market.

next.config.ts (headers excerpt)typescript
const securityHeaders = [
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// export default { async headers() { return [{ source: "/:path*", headers: securityHeaders }]; } };
Security headers in next.config

Environment Variables and PII

  • RESEND_API_KEY, CRM tokens, DB URLs in server-only env—never NEXT_PUBLIC_ unless truly public
  • Redact PII from Sentry or error tracking breadcrumbs
  • Vercel deployment: restrict team access; enable audit log on Pro plans
  • Preview deployments: disable real form endpoints or use sandbox CRM

🚀 Performance + compliance

Lazy-load consent and analytics after LCP. A DPDP retrofit that tanks Core Web Vitals hurts SEO and conversions—measure before and after with our vitals checklist.

Target LCP under 2.5s on 4G after adding consent layer.

WordPress Quick Cross-Reference

WordPress SMB sites should use a consent plugin with script blocking, disable user enumeration, restrict wp-json exposure if not needed, and store form data in GDPR-aware plugins (Fluent Forms, Gravity with retention settings). Update plugins monthly—unpatched form plugins are a common breach vector. Maintenance AMC should include privacy plugin updates; see typical AMC pricing in our maintenance guide.

90-Day Implementation Roadmap

  1. Week 1: Vendor and script inventory; legal kickoff for privacy notice and grievance officer appointment
  2. Week 2–3: Implement consent banner with real script blocking; publish privacy notice
  3. Week 4: Harden contact forms; sign DPAs for top five processors
  4. Week 5–6: Erasure request runbook; staff training on grievance inbox
  5. Week 7–8: QA consent on mobile; performance test against Core Web Vitals
  6. Week 9–12: Annual review calendar; AMC scope includes compliance-related updates

Frequently Asked Questions

15 answers to the most searched questions about dpdp compliant website checklist india—formatted for featured snippets and AI search.

What is a DPDP compliant website checklist India?+
A DPDP compliant website checklist for India covers technical and operational items: published privacy notice, consent before non-essential cookies and marketing tags, secure contact forms with data minimisation, grievance officer contact details, vendor Data Processing Agreements, retention and erasure processes, and security basics (HTTPS, access control). Legal interpretation requires qualified counsel.
Does the DPDP Act apply to small business websites in India?+
If your website collects personal data from individuals in India—contact forms, accounts, analytics identifiers, cookies used for profiling—you likely have obligations under the DPDP framework. Scope and fiduciary classification depend on volume, purpose, and sector rules. SMBs should implement baseline notice and consent patterns and seek legal advice for their situation.
Do I need a cookie consent banner on my Indian website?+
If you use non-essential cookies or scripts that process personal data (GA4, Meta Pixel, embedded YouTube), you should obtain informed, unambiguous consent before loading them. Essential session and security cookies are typically disclosed in your privacy notice without the same opt-in requirement.
What must a privacy policy include for an Indian SMB website?+
Typically: data fiduciary identity and contact, data categories and purposes, sources, processors/third parties, retention, principal rights (access, correction, erasure, grievance), grievance officer details, children's data statement, cross-border transfer disclosures if applicable, and policy update process. A lawyer should draft final text.
Who is a Grievance Officer and do I need one on my website?+
Under DPDP rules, Data Fiduciaries appoint a Grievance Officer to address complaints from data principals. Publish their name (or role), email, and Indian postal address on your privacy notice and optionally a dedicated contact page. Route grievance@ email to a tracked queue, not a single employee's inbox.
How should contact forms comply with DPDP?+
Collect only necessary fields, link to the privacy notice, obtain separate marketing consent if applicable, transmit over HTTPS, validate server-side, limit storage access, define retention, and ensure DPAs exist with email/CRM processors. Avoid storing submissions only in a developer's personal Gmail.
What is a Data Processing Agreement (DPA) for website vendors?+
A DPA is a contract where a processor (hosting, email, analytics, CRM, payments) agrees to handle personal data only on your instructions, with security, sub-processor rules, and breach assistance. Download DPAs from vendor trust portals and maintain an inventory of all processors your website uses.
Is Google Analytics allowed under DPDP in India?+
GA4 can be used if disclosed in your privacy notice, consent is obtained where required, and Google's DPA is accepted. Many Indian SMBs implement opt-in before GA4 loads. Consider lighter analytics (self-hosted Plausible) if you want simpler consent UX—still requires notice and security.
How do I implement DPDP consent in Next.js?+
Use a client-side consent context storing preferences in a first-party cookie, gate next/script and third-party tags on consent flags, load analytics with strategy lazyOnload after opt-in, publish privacy routes as static pages, and handle forms via validated API routes with minimal logging. Avoid firing tags in root layout before consent.
Can I copy a GDPR privacy policy for my Indian website?+
GDPR templates miss India-specific grievance officer requirements, legitimate use concepts under DPDP, and local entity details. Use them only as a starting point for your lawyer to localise—not as a plug-and-play legal document.
What are penalties for website privacy non-compliance in India?+
The DPDP Act provides significant financial penalties for certain violations, including data breach failures. SMBs also face customer trust, payment partner, and enterprise sales risks. Technical compliance reduces exposure but does not replace legal counsel.
Do I need consent for WhatsApp chat buttons on my site?+
Clicking WhatsApp may share phone number and message content with Meta. Disclose this in your privacy notice. If the button pre-fills marketing tracking parameters, treat it as marketing tech and align with consent choices.
How long can I keep contact form data under DPDP?+
Retention should be defined by purpose—not 'forever.' Common practice: active leads 12–24 months, then delete or anonymise unless a longer period is legally required or the customer has an ongoing relationship. Document periods in your privacy notice.
Is this guide legal advice?+
No. DigitalXBrand provides web development guidance. Privacy law application is fact-specific. Work with a qualified Indian privacy lawyer for policies, fiduciary classification, breach notification, and DPA negotiation.
What should I do this week to make my website more DPDP-ready?+
Inventory all scripts and form destinations, publish or update your privacy notice with grievance contact, implement opt-in consent before analytics/marketing tags, sign vendor DPAs, secure form endpoints, and schedule a legal review. Budget ongoing updates in your website maintenance plan.

Conclusion: Build Privacy Into the Stack

DPDP compliance on an SMB website is solvable engineering plus legal documentation—not a last-minute banner from a plugin marketplace. Consent that actually blocks tags, forms that minimise data, a findable privacy notice, a working grievance contact, and signed vendor DPAs form the technical foundation Indian customers and partners increasingly expect.

Retrofitting costs more than building right the first time. If you are launching or rebuilding, include this checklist in your agency brief alongside ownership and performance requirements.

🎯 Related reading

Pair privacy implementation with performance monitoring, maintenance budgeting, and ownership controls so your site stays compliant and portable after launch.

Continue with these guides from DigitalXBrand.

Need a privacy-aware website build?

DigitalXBrand ships Next.js and WordPress sites for Indian SMBs—with consent flows, secure forms, documented vendor lists, and GST invoicing. Bengaluru-based team.

Tags

DPDPPrivacyConsent ManagementNext.jsWordPressComplianceIndiaSmall Business

Last updated: July 6, 2026 · Written by DigitalXBrand Team

Continue reading

Ready to put these insights into action?

Tell us about your project and we'll help you plan, design, and ship.

Start a conversation