BACK TO DPDP ACT
DPDP Act 2023

Section 5

Notice

THE STATUTE

Original Text

(1) The Data Fiduciary shall, before requesting the consent of the Data Principal, give her a notice containing the following, namely — (a) the personal data and the purpose for which such personal data is proposed to be processed; (b) the manner in which she may exercise her rights under this Act; (c) the manner in which she may make a complaint to the Board. (2) Where any personal data has been collected before the commencement of this Act without the requirement of consent under any law for the time being in force, such data may continue to be processed subject to the Data Principal being provided a notice as soon as reasonably practicable, in such manner as may be prescribed, of the personal data so collected and the purpose for which such personal data is to be processed.

Simplified

[DPDP Rules 2025 — Rule 3 operationalises this section; in force 13 May 2027] Section 5 is the notice obligation — the transparency foundation that makes meaningful consent possible. Before requesting consent, a Data Fiduciary must give the Data Principal a clear notice containing three elements: what personal data is proposed to be processed and the specific purpose; how the Data Principal can exercise their rights under the Act (access, correction, erasure, grievance redressal, nomination); and how the Data Principal can make a complaint to the Data Protection Board. The notice must be clear, plain-language, and available in any of India's Eighth Schedule languages — a significant localisation obligation for platforms with Hindi, Tamil, Bengali, Marathi, Telugu, and other regional language user bases. The DPDP Rules will specify the exact format and contents. Section 5(2) deals with existing data — personal data collected before the DPDP Act's commencement without consent (e.g., under IT Act SPDI Rules or other laws). Such data can continue to be processed, but the Data Fiduciary must provide a Section 5(1)-compliant notice 'as soon as reasonably practicable'. This grace period prevents an immediate deletion crisis for entities holding large pre-Act datasets, but it does not allow indefinite delay. The notice requirement in Section 5 is architecturally connected to consent under Section 6: a consent notice that does not satisfy Section 5's content requirements will produce invalid consent under Section 6(3) — since consent given on the basis of inadequate information is not genuinely 'informed'. Privacy notices that currently bury data use disclosures in thousands of words of legalese, or present them in English only to users who prefer regional languages, will need comprehensive restructuring.

Common Queries

Section 5(1) requires notice before requesting consent, which must itself happen before collecting personal data. So notice must precede both the consent request and the data collection.
A privacy policy can form part of the notice, but it must meet Section 5's specific content requirements — what data is collected, the purpose, how rights are exercised, and how to complain to the Board. Dense, jargon-heavy policies buried in terms and conditions are unlikely to comply.
Under Section 5(2), processing of pre-Act data collected without consent may continue, but the Data Fiduciary must provide a compliant notice to Data Principals as soon as reasonably practicable. This is a transitional obligation, not a permanent exemption.
Yes. Section 6(2) (read with Section 5) requires consent notices to be available in English or any Eighth Schedule language — meaning platforms must be ready to provide notice in Hindi, Tamil, Telugu, Bengali, Marathi, and the other 18 scheduled languages.

Legal Context

The IT Act's SPDI Rules 2011 required a 'privacy policy' but did not specify the language, format, or content in meaningful detail, and there was no enforcement. Section 5 raises the bar substantially: specific content, plain language, multilingual accessibility, and right-to-complain information are all mandatory elements of a valid notice.

Key Rules & Provisions

Notice must be given before requesting consent — reversing the common practice of bundling consent and notice.

Notice must include instructions for exercising rights and making Board complaints — not just data processing information.

Multilingual notice obligation — available in any Eighth Schedule language on request.

Legacy data can continue processing subject to retrospective notice obligation.

Rule 3 (DPDP Rules 2025, in force 13 May 2027): notice must be standalone and independently understandable — not bundled in T&Cs.

Rule 3: itemised description of personal data and specific purposes mandatory.

Rule 3: direct link to consent withdrawal required, ease of withdrawal must match ease of consent.

Related Case Laws

Shreya Singhal v. Union of India (2015)

(2015) 5 SCC 1
RELEVANCE

The Supreme Court's emphasis in Shreya Singhal on 'intelligible differentia' and clarity in legal obligations bears on Section 5's notice requirement — a notice that fails to inform the Data Principal of what data is collected and why is constitutionally insufficient as the basis for a meaningful consent.