Making Our Own Website DPDP Compliant

Our own company website collects a small amount of personal data:

  • Name
  • Email address
  • Questions submitted through the contact form

We also use a cookie consent banner and have a published Privacy Policy page.

The Challenge (Before Compliance)

Even with minimal data collection, there were risks:

  • No clear record of user consent for cookies.
  • Uncertainty about where contact form data was being stored.
  • Privacy Policy needed to be aligned with actual practices.

Without compliance, even a simple site like ours could face:

  • User mistrust (“Where does my data go?”)
  • Non-compliance with DPDP requirements (valid consent, clear purpose, and user rights).

Our Approach (Steps Taken)

  1. Data Flow Audit
    • Mapped the contact form and checked where the submitted data goes.
      • For many small sites, contact form submissions are usually:
        • Sent to your email inbox (e.g., Gmail/Outlook).
        • Or stored in your form plugin / website backend (e.g., WordPress database, Google Forms, Airtable, etc.).
    • In our case: submissions go directly to our business email inbox and are not stored permanently in the backend.
  2. Privacy Policy Update
    • Clearly mentioned:
      • What data we collect (name, email, questions).
      • Why we collect it (to respond to user queries).
      • Where it’s stored (email inbox, not shared with third parties).
      • User rights (delete/update request process).
  3. Cookie Banner Setup
    • Configured to:
      • Ask for consent before non-essential cookies load.
      • Work across browsers and devices.
      • Keep a log of consents.
  4. Consent & User Rights
    • Added clear consent text on the contact form.
      Example: “By submitting, you agree for us to use your details to respond to your query.”
    • Added a contact email for data deletion/withdrawal requests.
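The consent gate from step 3, written out as an added example (not the site's own code): non-essential loaders run only after an explicit opt-in recorded under the current Privacy Policy version, the banner is shown again when the policy changes, and every decision is appended to a consent log. The storage key, policy version string, the `analytics` category and the in-memory log are assumptions; a real site would send each log record to its backend.

```javascript
const CONSENT_KEY = 'cookieConsent';      // storage key (assumption)
const POLICY_VERSION = '2025-01';         // bump whenever the Privacy Policy text changes

// Storage adapter: localStorage in a browser, an in-memory Map elsewhere (lets this run under Node).
const memory = new Map();
const store = {
  get: (k) => (typeof localStorage !== 'undefined' ? localStorage.getItem(k) : (memory.has(k) ? memory.get(k) : null)),
  set: (k, v) => (typeof localStorage !== 'undefined' ? localStorage.setItem(k, v) : memory.set(k, v)),
};
// Consent log (step 3: "keep a log of consents"). In-memory here; a real site would
// POST each record to its backend so the log outlives the browser session.
const consentLog = [];

// Build the record for one explicit decision. Only 'accepted' or 'rejected' count as a decision.
function makeConsentRecord(choice, now = new Date()) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('consent choice must be "accepted" or "rejected"');
  }
  return {
    choice,
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    categories: choice === 'accepted' ? ['analytics'] : [], // non-essential categories granted
  };
}

// The banner must be shown again when there is no record, the record is not an
// explicit decision, or it was given under an older policy version.
function needsPrompt(record) {
  return !record
    || record.policyVersion !== POLICY_VERSION
    || (record.choice !== 'accepted' && record.choice !== 'rejected');
}

// Which non-essential loaders may run. Essential cookies (session, CSRF) are not gated here.
function allowedLoaders(record, loaders) {
  if (needsPrompt(record) || record.choice !== 'accepted') return [];
  return loaders.filter((l) => record.categories.includes(l.category));
}
// Persist the decision and append it to the log; a later 'rejected' overrides an earlier 'accepted'.
function recordConsent(choice) {
  const rec = makeConsentRecord(choice);
  store.set(CONSENT_KEY, JSON.stringify(rec));
  consentLog.push(rec);
  return rec;
}

// Read back the stored record; anything unparsable is treated as "no consent".
function loadStoredConsent() {
  const raw = store.get(CONSENT_KEY);
  try { return raw ? JSON.parse(raw) : null; } catch (e) { return null; }
}
```

On page load the banner is shown when `needsPrompt(loadStoredConsent())` is true, and only the scripts returned by `allowedLoaders` are injected.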

The Result (After Compliance)

  • Website now has a transparent Privacy Policy, matching our actual data practices.
  • Valid cookie consent is obtained and logged.
  • Users know where their data goes (email inbox) and how they can request deletion.
  • We reduced risk of DPDP non-compliance and built more user trust.

Key Takeaway

Even a simple website that only collects names and emails needs DPDP compliance. By auditing, updating our policies, and setting up consent mechanisms, we created a blueprint that any small business can follow.

DPDP Act in Brief

Why Navigating the DPDP Act Was Easier Than We Thought

When the Digital Personal Data Protection (DPDP) Act came into effect, the reaction across India was mixed. Some saw it as a long-overdue step toward safeguarding our personal information. Others saw it as a mountain of legal and technical complexity.

Honestly, at first glance, it does look intimidating: pages of legal language, unfamiliar terms, and plenty of “what if” questions.

But here’s the surprising truth: understanding the DPDP Act, at least at a basic level, isn’t as overwhelming as it seems.

The First Impression Problem

Most of us are used to skimming past “Terms & Conditions” and privacy policies. So when a new data protection law comes along, our instinct is to assume it’s going to be the same: hard to read, harder to understand.

And yes, the official text is formal. But once you strip away the jargon, the DPDP Act is essentially about respecting people’s data. It’s not just for corporations or tech giants; it’s for anyone handling personal information.

Breaking It Down

If you focus on the core ideas, the Act becomes clearer:

  • Consent matters. People should know and agree to how their data is used.
  • Collect only what’s needed. Don’t store more personal info than necessary.
  • Protect what you hold. Keep personal data safe from leaks and misuse.
  • Be transparent. Let people know how their data is managed.

When framed like this, it stops feeling like an impossible legal hurdle and starts feeling like basic good practice.

Why It’s Simpler Than We Fear

The DPDP Act isn’t asking us to reinvent the wheel; it’s asking us to be intentional. In many cases, it’s about refining what we already do:

  • Checking forms to make sure they only ask for essential details.
  • Being upfront in privacy notices.
  • Using strong passwords, encryption, and secure storage methods.

The biggest barrier is often not the law itself, but the hesitation to start learning about it.

The Human Side of It

At its heart, the DPDP Act is a trust-building tool. Whether you’re a small shop owner, a non-profit volunteer, or a freelancer handling customer information, following these principles sends a clear message:

“Your privacy matters to me.”

And in today’s digital world, trust is worth more than ever.

A Starting Point for Anyone

If you’re unsure where to begin, here are three easy steps:

  1. Read a plain-language summary of the Act before diving into the legal text.
  2. Identify where you handle personal data; even a simple contact form counts.
  3. Make one small improvement this week, like updating your privacy notice or adding encryption to your files.

Small steps add up fast.

The Takeaway

The DPDP Act may look like a challenge from the outside, but once you take the first step, it becomes far less intimidating. The law isn’t here to trip us up; it’s here to help everyone create safer, more respectful spaces online and offline.

And the sooner we embrace that, the sooner we can turn compliance from a chore into a point of pride.