DPDP Act 2023: what product teams actually need to do

The DPDP Act 2023 is the first comprehensive data-protection law most Indian product teams will build against. The full text is dense, but the obligations that bite at feature level are surprisingly concrete. If you're writing a PRD, these are the ones to internalise.

1. Consent has to be specific

Under §6(1), consent must be free, specific, informed and unambiguous, and limited to what each purpose needs. A single signup checkbox covering location, contacts and marketing all at once does not clear the bar. Split consent by purpose and make non-essential uses opt-in.

2. You can't keep data forever

§8(7) requires erasure once the specified purpose is served or consent is withdrawn. "Retained indefinitely so we can re-target later" is exactly the phrasing that fails review. Define a retention window per data type and an automated deletion path.

3. Notice at the point of collection

A clear notice has to accompany or precede the consent request, itemising the data and the purpose. This is a design problem as much as a legal one: it lives in your signup flow, not a buried policy page.

The cheapest time to fix a compliance gap is before the feature is built. The most expensive is after it ships.

None of this needs to slow you down. It needs to be checked at the moment intent is written down, which is exactly where Silcrow plugs in.
