DPDP Rules 2025 Phase 3 (13 May 2027) CONSENT

Rule 3

Notice

Practical Note

Rule 3 is the consent notice rule — the single most operationally impactful rule for most businesses. Every Data Fiduciary collecting personal data must provide a privacy notice meeting Rule 3's requirements before or at the time of collection. The Central Government will issue standard templates for common use-cases ('Specified Purposes'). Using a government template may simplify compliance significantly — watch for template notifications.

THE STATUTE

Original Text

(1) The notice referred to in sub-section (1) of section 5 shall —
    (a) be an itemised list of personal data sought to be collected and the purpose of processing such personal data;
    (b) describe the rights of the Data Principal under the Act, along with a summary of the manner in which the Data Principal may exercise such rights, including the contact details of the Data Fiduciary or its Data Protection Officer, as the case may be, for receiving a request from the Data Principal;
    (c) describe the manner in which the Data Principal can make a complaint to the Board;
    (d) for processing of personal data for any of the specified purposes, the notice shall be in such form and contain such information as may be specified by the Central Government by notification in the Official Gazette;
(2) A Data Fiduciary shall ensure that the notice referred to in sub-rule (1) is —
    (a) in clear and plain language;
    (b) in the languages specified in the Eighth Schedule to the Constitution that are specified by the Central Government;
    (c) accessible to persons with disabilities in accordance with the Rights of Persons with Disabilities Act, 2016.

Analysis & Details

Rule 3 operationalises the consent notice requirement in DPDP Act Section 5. Every Data Fiduciary must, before requesting consent, provide a privacy notice that: (a) lists each category of personal data being collected and the specific purpose for each; (b) explains the Data Principal's rights (access, correction, erasure, grievance, nomination) and how to exercise them, with contact details; (c) explains how to complain to the Data Protection Board of India.

The notice must be in clear, plain language — not legal boilerplate. Critically, it must be available in Indian languages as specified by the Central Government (from the Eighth Schedule languages), and accessible to persons with disabilities. The 'itemised list' requirement is significant: a single catch-all statement ('we collect your data to improve services') is insufficient. Each category of data and each purpose must be identified separately.

For 'Specified Purposes' (purposes for which the Government issues standard templates), the notice must follow the prescribed template format — this is a standardisation mechanism intended to improve transparency across common use-cases like financial services, healthcare, and e-commerce.

Compared to GDPR Articles 13/14, Rule 3 is simpler in some respects (no requirement to disclose legal basis, recipients, retention periods, or automated decision-making information) but stricter in others (multi-language accessibility, disability access). The absence of a legal basis disclosure requirement reflects DPDP's binary framework — only consent and legitimate use, not GDPR's six-basis system.

GDPR Parallel

Articles 13 & 14 (Information to be provided to data subjects)

IT Act Impact

Rule 3 replaces the notice requirements of IT Act Rule 5 (SPDI Rules 2011) for digital personal data. The SPDI Rules' privacy policy requirements cease to apply once Rule 3 is in force. SPDI Rule 5's requirement to obtain written consent (allowing email-based consent) is superseded by the DPDP consent framework.

Common Queries

A DPDP-compliant notice under Rule 3 must include: (1) an itemised list of each category of personal data being collected and the specific purpose for each; (2) a description of the Data Principal's rights under the Act and how to exercise them, with contact details; (3) the manner for filing a complaint with the Data Protection Board. The notice must be in plain language, in accessible languages as specified by the Government, and accessible to persons with disabilities.
For 'Specified Purposes' — categories designated by the Central Government — yes. The Government will issue standardised notice templates for common use-cases. Using the prescribed template for those purposes satisfies Rule 3. For other purposes, businesses must draft their own compliant notice meeting the itemised list and accessibility requirements.
GDPR Article 13 requires more disclosures: legal basis, data recipients, retention period, cross-border transfer information, automated decision-making details, and the right to object. DPDP Rule 3 is simpler — it requires only the itemised data/purpose list, rights information, and complaint procedure. However, DPDP adds requirements GDPR lacks: multi-language availability and disability accessibility. Businesses already GDPR-compliant will need to adapt notices (not just translate) for DPDP.
Rule 3 is effective from 13 May 2027. From that date, any Data Fiduciary collecting personal data must provide the Rule 3-compliant notice at or before the time of requesting consent under Act Section 6. Businesses should begin redesigning their privacy notices well before May 2027 to allow testing, translation, and accessibility compliance.

Key Rules & Provisions

Itemised list format required — each data category and purpose must be separately identified.

Multi-language requirement — in Eighth Schedule languages as specified by Central Government.

Accessibility requirement — notices must comply with Rights of Persons with Disabilities Act 2016.

Government templates for Specified Purposes — simplifies compliance for common use-cases.

No requirement to disclose legal basis (unlike GDPR Article 13(1)(c)).