Comply DP

DPDP disclosure obligations methodology

How ComplyDP evaluates DPDP disclosure obligations from a company's public website. This page is our transparency and dispute baseline for published research.

Methodology version: 1.0 (April 2026). This methodology may be updated as the DPDP Rules are amended or as the Data Protection Board issues guidance. Reports published before a methodology update will be clearly marked with the methodology version used.

Dataset reference: April 2026

Rescans: Companies may request review via the dispute process below.

About this methodology

ComplyDP's check library was developed by Vipul Abhishek, who has previously practiced as an advocate in the Supreme Court of India and is the author of Comply DP: DPDP Enforcement 2027: Prepare Now or Pay Latter. The legal mappings in this methodology have been verified against the official Gazette publication of the DPDP Act 2023 and the DPDP Rules 2025.

1. What this audit is and is not

This audit is an external surface scan based entirely on publicly observable signals. It does not involve access to internal systems, backend infrastructure, data processing logs, or any non-public information.

Findings are generated using a combination of automated technical scanning (HTTP requests, browser-based cookie detection) and AI-assisted analysis of publicly available policy text. All findings are based on publicly accessible content and are reviewable against the source evidence cited in each report.

This report is not legal advice. It does not constitute a legal compliance assessment, audit, or certification under any law.

The findings reflect the state of publicly accessible content at the time of scanning. Companies update their policies regularly — results may change.

2. The check library

41 disclosure checks across 5 categories, each mapped directly to a specific provision of:

  • Digital Personal Data Protection Act 2023 (No. 22 of 2023, Gazette of India, 11 Aug 2023)
  • Digital Personal Data Protection Rules 2025 (G.S.R. 846(E), 13 November 2025)

Each check has:

  • A unique identifier
  • A direct section or rule reference
  • Pass / fail / partial / manual evaluation criteria
  • Penalty exposure derived from the Schedule to Section 33(1) of the Act

This report focuses exclusively on disclosure obligations — requirements that can be verified from a company's publicly accessible website without access to internal systems.

The full structured index with identifiers, titles, and legal references is published at /methodology/checks. Companies disputing a specific finding receive the full check definition as part of the dispute review.

Five disclosure categories

High-level grouping for the 41 disclosure checks in Section 2.

| Category | DPDP Sections | Checks | What we check |
|---|---|---|---|
| Notice & Disclosures | Section 5, 6 | 14 | Privacy notices, readability, fiduciary identity, purpose disclosures, notice independence |
| Consent & Cookies | Section 6, 7 | 11 | Cookie banners, consent granularity, withdrawal ease, pre-consent trackers, misleading clauses |
| Rights & Grievance | Section 11, 12, 13 | 8 | Grievance officer, DSR processes, rights portal, nomination rights, contact details |
| Children & Guardians | Section 9 | 4 | Parental consent, age verification, behavioural tracking restrictions, disability guardian consent |
| Security | Section 8(5) | 1 | HTTPS enabled on the public website |

3. How we evaluate

Each company is evaluated against 41 compliance checks derived from the DPDP Act 2023. Every check results in one of these statuses:

  • Pass — the company meets the requirement
  • Partial — partially met, needs improvement
  • Fail — not met
  • Manual — cannot be determined automatically
  • N/A — not applicable to this company

Checks are weighted by the DPDP Act's penalty tiers:

  • Rs. 250 Crore provisions → highest priority
  • Rs. 200 Crore provisions → high priority
  • Rs. 150 Crore provisions → medium priority
  • Rs. 50 Crore provisions → standard priority

Companies are ranked by the number of checks passed, with higher-penalty checks weighted more heavily in the ranking.

4. Penalty exposure calculation

Penalty amounts shown are maximum possible exposure per the Schedule to Section 33(1).

The Act says penalties "may extend to" the stated maximum. The Data Protection Board has full discretion under Section 33(2) based on nature, gravity, duration, data affected, repetition, gain or loss, mitigation, proportionality, deterrence, and likely impact.

Theoretical maximum exposure figures are illustrative only. Actual penalties may be significantly lower.

The Data Protection Board of India had not imposed any penalties under the DPDP Act as of the date of this dataset (April 2026). Penalty exposure figures should be read as the statutory maximum established by the Act, not as a prediction of enforcement outcomes.

Figures assume each failed check could represent a separate breach; the Board may treat related failures as a single breach.

5. Check statuses

  • PASS: Publicly observable evidence satisfies the requirement.
  • FAIL: The requirement is not met based on publicly observable evidence.
  • PARTIAL: Some elements present, some missing.
  • MANUAL REVIEW: Cannot be determined from public signals alone; requires internal verification.

6. Limitations

This disclosure-focused scan cannot assess:

  • Internal data processing practices
  • Technical security infrastructure beyond HTTPS
  • Employee training and procedures
  • Contractual arrangements with processors
  • Board-level data governance
  • Actual incident response capabilities
  • Historical compliance record

Cookie and tracker findings are based on automated scanning of the public website; mobile app behaviour, logged-in states, and server-side tracking are outside scope.

7. Dispute and correction process

If you believe a finding is incorrect:

  1. Submit a dispute from your company profile ("Dispute this finding") or open /dispute/<your-domain> on this site.
  2. Provide the specific check ID and your evidence.
  3. We aim to review within 7–10 working days.
  4. Corrections are applied to the published report where warranted.
  5. A correction notice may be appended to the report record.

We correct errors promptly. Our goal is accuracy, not adverse coverage. Contact: privacy@complydp.com

8. Out of scope for this report

This report covers disclosure obligations only — requirements verifiable from a company's public website. The following are not included:

  • Operational obligations (security safeguards, breach processes, processor contracts, retention procedures)
  • Significant Data Fiduciary (SDF) obligations under Section 10 — no SDF notifications have been issued as of April 2026
  • Cross-border transfer restrictions under Section 16 — pending Central Government notifications

Sample findings

Below are examples of how our checks produce findings, with actual evidence snippets.

Where findings include names of designated officers (grievance officers, nodal officers, DPOs), these are published by the company in their own privacy or grievance policies and are therefore already public information. ComplyDP does not publish personal contact details beyond what companies have self-disclosed.

Grievance Officer Details (Section 13(1))

"Grievance Officer: Mr. Rahul Sharma, Email: grievance@example.com, Response time: 30 days"

Source: example.com/privacy-policy

The privacy policy names a grievance officer with contact details and response timeline as required by the Act.

Breach Notification Policy (Section 8(6))

Source: example.com/privacy-policy

No mention of breach notification procedures, timelines, or obligations to notify the Data Protection Board found on any scanned page.

What this page does not include

  • Full text of Act sections (use official sources)
  • Technical implementation details of our scanner
  • Details about LLM or AI pipeline internals
  • Competitor comparisons
  • Unsubstantiated claims of being the only or first provider