Notice Obligations under the Digital Personal Data Protection Act, 2023: Clarity, Accessibility, and Multi-Language Requirements

Posted On - 25 September, 2025 • By - Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) mandates that before obtaining consent, a notice must be provided to the data principal. This notice is not a mere formality but a legal precondition for valid consent and a mechanism to uphold transparency and accountability.

The Act requires that notices be clear, accessible, and available in multiple languages to ensure that individuals, regardless of literacy or linguistic background, can understand how their data will be processed. This goes beyond global standards such as GDPR or CCPA, reflecting India’s linguistic diversity and digital inclusion goals.

This article analyses the statutory framework governing notices, explores the challenges in implementation, compares global practices, and highlights compliance strategies for businesses operating in India.

Introduction: The Role of Notice in Data Protection

Consent cannot be considered valid unless preceded by a clear and meaningful notice. The notice acts as the foundation of the information asymmetry correction between data fiduciaries (who control processing) and data principals (whose data is processed). The DPDP Act elevates the importance of notice by:

  • Mandating its provision before consent is sought.
  • Requiring notices to be multi-lingual, clear, and easily accessible.
  • Making failure to provide proper notice equivalent to invalid consent.
  • In essence, the notice is the gateway to lawful data processing in India.

Statutory Requirements for Notice under DPDP

Section 6 of the DPDP Act provides that:

  1. A notice must be given before seeking consent.
  2. The notice must inform the data principal of the personal data being collected, the purpose of processing, the rights of the data principal (access, correction, erasure, grievance redressal), and the contact details of a grievance officer.
  3. Notices must be clear, plain, and accessible.
  4. Notices must be available in English and all 22 official languages of India. This sets a high compliance bar, particularly for entities with pan-India operations.

Elements of a Valid Notice

1. Clarity

Legal jargon must be avoided. Technical terms must be explained in simple, consumer-friendly language. Example: Instead of “We process geolocation data for targeted behavioral advertising,” the notice should say, “We use your location to show you nearby restaurants and personalized offers.”

2. Accessibility

Notices must be easily retrievable, not buried in terms and conditions. Should be available at the point of data collection (e.g., app installation, website registration). Accessibility extends to format like large fonts, audio/video versions for semi-literate users, compatibility with assistive technologies.

3. Multi-Language Requirement

Notices must be provided in all 22 official languages under the Eighth Schedule of the Constitution. This requirement is unique to India and not seen in GDPR or other global frameworks. The rationale is to ensure inclusivity for India’s digitally expanding rural and semi-urban populations.

Practical Challenges in Implementing Notice Requirements

A. Multi-Language Burden

  • Translating legal and technical terms into 22 languages is costly and complex.
  • Maintaining consistency in meaning across languages is difficult.
  • Updates to notices must be rolled out across all translations simultaneously

B. User Experience (UX) Concerns

  • Overloading users with lengthy notices undermines clarity.
  • Designing notices that are both comprehensive and concise is a challenge.
  • Businesses must experiment with layered notices summary upfront, details available via expansion.

C. Operational Complexity

  • Multi-lingual notice creation requires specialized legal + linguistic expertise.
  • Companies must maintain audit trails of notices provided in each language version.
  • Smaller businesses and startups may face disproportionate compliance costs.

D. Dynamic Digital Environments

  • In-app purchases, IoT devices, and AI-powered platforms require real-time contextual notices.
  • Static notices are insufficient; businesses need adaptive and contextual disclosure mechanisms.

Comparison with Global Privacy Laws

GDPR (EU)

  • Requires notices to be concise, transparent, intelligible, and easily accessible.
  • Must be in “clear and plain language,” especially for children.
  • No multi-language mandate; language choice depends on target audience.

CCPA/CPRA (California)

  • Requires a “Notice at Collection,” explaining categories of data collected and purposes.
  • No multi-language requirement, but accessibility is required (e.g., for persons with disabilities).

LGPD (Brazil)

  • Notices must be clear, accessible, and specific, but no explicit language mandate.

PDPA (Singapore)

  • Requires clear, informed notice but allows flexibility in form and language.
  • India diverges significantly by mandating notices in all official languages, making it one of the strictest regimes in the world.

Sectoral Applications of Notice Obligations

Fintech & Banking

  • Notices must explain why financial data, PAN, Aadhaar, or KYC documents are collected.
  • Multi-lingual requirement particularly critical for rural banking and microfinance.
  • Challenge: Explaining complex financial risks in plain language across languages.

Healthcare & Health-Tech

  • Patients must be told why health records, diagnostic data, or genetic data are collected.
  • Accessibility critical in hospitals serving diverse populations.
  • Notices must cover treatment vs. research vs. marketing separately.

Ed-Tech & Children’s Data

  • Notices must be child-friendly and understandable by parents.
  • Parental consent must be preceded by clear explanation of data usage.
  • Inaccurate or vague notices may invalidate consent for minors.

E-Commerce & Retail

  • Notices must cover customer addresses, payment data, purchase history, and loyalty programs.
  • Challenge: Multi-lingual compliance in nationwide platforms with millions of users.

Social Media & Online Advertising

  • Notices must clarify tracking, profiling, and targeted advertising practices.
  • Must provide opt-out mechanisms in the same language as the notice.

Illustrations of Valid vs. Invalid Notices

Valid Notice

  • A fintech app displays a layered notice in English and the local language:
  • “We collect your Aadhaar details to verify your identity for loan approval.”
  • “We will not use your Aadhaar for marketing or sharing with advertisers.”

Invalid Notices

  • Overly Broad: “We collect your data to improve our services.” (too vague).
  • Buried Disclosures: Privacy notice hidden in lengthy terms and conditions.
  • Language Limitation: Notice available only in English, even for users in Hindi or Tamil-speaking regions.
  • Ambiguity: “We may share data with partners for business purposes” without specifying purpose.

Compliance Strategies for Businesses

A. Layered Notice Design: Present key points upfront (what data, why collected, rights available) and provide detailed explanations in expandable sections or separate links.
B. Technology Integration: Use AI-powered translation tools with legal vetting to manage multi-lingual obligations. Deploy voice-based or video notices for semi-literate populations.
C. Centralized Notice Management: Maintain a central repository of notices in all 22 languages. Automate updates to ensure simultaneous rollouts across languages.
D. Accessibility Enhancements: Ensure notices are mobile-optimized, screen-reader compatible, and visually accessible. Provide audio/video alternatives where literacy barriers exist.
E. Documentation & Audit Trails: Record when and how notices were displayed. Maintain logs proving that notices were provided in the language chosen by the user.

Risks of Inadequate Notices

  • Invalid Consent: Consent obtained without proper notice is legally void.
  • Regulatory Penalties: Fines up to ₹250 crore for each violation.
  • Consumer Distrust: Users may lose faith if notices are misleading or unclear.
  • Contractual Liability: Non-compliance may breach B2B contracts requiring DPDP adherence.

Conclusion & Key Takeaways

The notice requirement under the DPDP Act is not a procedural step but a substantive obligation central to the validity of consent and the legitimacy of data processing. Businesses must:

  • Ensure notices are clear, concise, and consumer-friendly.
  • Provide notices in all 22 official languages of India.
  • Make notices accessible across devices, formats, and literacy levels.
  • Maintain robust audit trails to demonstrate compliance.

India’s approach is stricter than global standards, reflecting its focus on inclusivity and digital empowerment. For businesses, investing in innovative notice frameworks is essential not only to comply with the law but also to foster trust in India’s digital ecosystem.

Contributed By – Aurelia Menezes