Privacy Policy and Terms of Use in India: A Founder’s Guide to India’s New Data Law

A comprehensive guide for founders and businesses operating a website, app, or online service in India

Introduction

Almost every website has a Privacy Policy and Terms of Use — and almost every one of them was copy-pasted from a generator, a competitor’s site, or a template downloaded years ago and never looked at again. This is one of the most under-examined compliance gaps in Indian business today, precisely because these documents feel like a formality rather than a live legal exposure.

That perception is no longer accurate, and arguably never was. India’s data protection framework has just undergone its most significant change in the country’s legal history — the Digital Personal Data Protection Act, 2023, with its Rules now formally in force and penalties running into hundreds of crores. At the same time, the enforceability of Terms of Use has become genuinely contested in Indian courts, with real cases turning on whether a business’s clickwrap mechanism, dispute resolution clause, or limitation of liability actually holds up. This article sets out, comprehensively, why these two documents matter, the distinct legal frameworks that govern each, the risks of getting them wrong, and what the current law actually requires.

Two Different Documents, Two Different Legal Jobs

The first thing most businesses get wrong is treating a Privacy Policy and Terms of Use as roughly interchangeable — two flavours of the same “legal boilerplate” page. They are not. They serve entirely different legal functions, are governed by different statutes, and fail in different ways.

A Privacy Policy is a regulatory compliance document. Its job is to disclose, transparently, what personal data a business collects, why, how it’s used, who it’s shared with, and what rights an individual has over it. In India, having one is mandatory for any business or intermediary handling personal or sensitive personal data — it isn’t optional, and it isn’t primarily a contract with the user; it exists to satisfy statutory disclosure obligations and reduce regulatory exposure.

Terms of Use (or Terms & Conditions) is a private contract. Its job is to define the rules of engagement between the platform and the user — acceptable use, intellectual property rights, limitation of liability, dispute resolution, and termination rights. Unlike a Privacy Policy, having Terms of Use is not, strictly speaking, mandated by a specific statute for most businesses — but without one, a business has no contractual basis to act against a user who scrapes its data, abuses its platform, infringes its IP, or causes it commercial harm.

Getting this distinction right matters because the two documents are policed differently: a defective Privacy Policy is primarily a regulatory risk (fines, orders, breach liability); a defective Terms of Use is primarily a contractual risk (unenforceability precisely when a business needs it most — mid-dispute).

The Privacy Policy: Legal Foundation

The Current Regime — IT Act, Section 43A, and the SPDI Rules, 2011

Until the DPDP Act’s substantive provisions come fully into force, India’s operative data protection framework remains Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). Under Rules 4 and 5, any body corporate that collects, receives, possesses, stores, deals with, or handles sensitive personal data or information — financial information, health data, biometric data, passwords, sexual orientation, and similar categories — is required to publish a privacy policy, provide it to the individual before collection, and obtain consent for the specific purpose of collection.

The New Regime — the DPDP Act, 2023 and the DPDP Rules, 2025

This is the framework that will govern Indian data privacy going forward, and every business should understand its phased rollout, because the compliance runway is shorter than most founders assume:

  • Phase I (13 November 2025 — already in force): Establishment of the Data Protection Board of India (DPBI), the regulator that will hear complaints, investigate breaches, and impose penalties, with appeals lying to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • Phase II (13 November 2026): Provisions relating to Consent Managers — registered intermediaries that let individuals give, manage, and withdraw consent across platforms — become operational.
  • Phase III (13 May 2027): The substantive core of the Act comes into force — notice and consent requirements, data principal rights, breach notification obligations, and the specific duties of “Significant Data Fiduciaries.”

Despite full enforcement being over a year away, 2026 is explicitly the “build year” — the DPDP Rules require businesses to have their governance, consent architecture, and breach-response systems tested and ready well before the compliance deadline, not scrambled together at the last moment.

Key obligations businesses should be designing for now:

  • Standalone, itemised privacy notices — the DPDP Rules require notices to be clear and separate from general Terms of Service, explaining what data is collected and why, with an accessible mechanism for withdrawing consent that is as easy as giving it.
  • Breach notification with no materiality threshold. Unlike the EU, UK, or Australian regimes, the DPDP framework currently provides no threshold for what counts as a reportable breach — on a strict reading, any personal data breach must be notified to the Data Protection Board and to affected individuals, with a detailed follow-up report due to the Board within 72 hours.
  • Consent for children requires verifiable parental or guardian consent, and processing a child’s data for tracking, behavioural monitoring, or targeted advertising is restricted, with limited carve-outs for essential services like healthcare and education.
  • Data retention obligations — the DPDP Rules now require all Data Fiduciaries to retain personal data and associated processing logs for at least one year, and impose specific erasure timelines for e-commerce, social media, and online gaming platforms above certain user thresholds.
  • Grievance resolution within 90 days — a firm outer limit, tightened from the more flexible timeline originally proposed in the draft Rules.
  • Cross-border data transfer restrictions apply only to government-notified countries or territories — a comparatively lighter-touch approach than the GDPR, but one businesses cannot assume will stay static.

The Penalties Are Not Symbolic

The DPDP Act’s financial penalties are significant enough to change board-level risk calculus: up to ₹250 crore for failing to implement reasonable security safeguards to prevent a data breach, up to ₹200 crore for failing to notify the Board or affected individuals of a breach or for mishandling children’s data, and up to ₹50 crore for lesser violations — with penalties potentially accruing per instance of non-compliance. Recent industry survey data underscores how unprepared most organisations currently are: nearly 70% of organisations report limited familiarity with the Act and its Rules, 71% struggle to interpret the law’s requirements, and only around 38% have actually classified their personal data or identified their third-party processors — meaning the overwhelming majority of Indian businesses currently operating with a stale, generic Privacy Policy have real, unaddressed exposure heading into 2027.

Terms of Use: Legal Foundation and Enforceability

The Contract Law Basis

A Terms of Use document is, in law, a contract — and is governed by the same essential requirements as any other contract under Section 10 of the Indian Contract Act, 1872: a lawful offer and acceptance, lawful consideration, free consent, competent parties, and a lawful object. Two provisions deserve particular attention for online platforms:

  • Section 11 renders contracts with minors and persons of unsound mind void — a real issue for any consumer platform, since a significant share of internet users are minors, and Indian law offers no comprehensive statutory framework (comparable to the US’s COPPA) specifically addressing age verification for online contract formation. In the absence of clear statutory guidance, businesses are left relying on self-declaration mechanisms, which courts have not yet definitively tested.
  • Section 23 voids agreements with an unlawful object or that are opposed to public policy — relevant to overly broad liability waivers or unconscionable clauses.

The Information Technology Act, 2000 supplements this framework: Section 4 gives electronic records the same legal recognition as paper documents, and Section 10A confirms that a contract is not unenforceable merely because it was formed electronically — the statutory foundation that makes “click to accept” mechanisms legally viable in India at all.

Clickwrap vs. Browsewrap: Why the Mechanism Matters

Indian courts distinguish, in substance if not always in explicit terminology, between two mechanisms of online consent:

  • Clickwrap agreements require an affirmative act — the user must actively click “I Agree” after being shown (or given clear access to) the terms — before proceeding.
  • Browsewrap agreements impose terms merely by virtue of a user browsing or using the site, without any affirmative acceptance step, typically via a footer link few users ever click.

Indian jurisprudence has consistently trended toward enforcing clickwrap mechanisms while treating browsewrap as considerably weaker. The Supreme Court’s ruling in Trimex International FZE Ltd. v. Vedanta Aluminium Ltd. (2010) remains the foundational authority — holding that electronic contracts are valid where the parties clearly manifested intent to be bound, regardless of the medium, and that the IT Act’s recognition of electronic records extends full contractual validity to properly formed online agreements. This was reinforced in Avitel Post Studioz Ltd. v. HSBC PI Holdings (Mauritius) Ltd. (2020), where the Supreme Court affirmed that email and digital communications can form binding contracts, and in the Karnataka High Court’s reasoning in Karnataka Power Transmission Corporation Ltd. v. M/s. Deepak Cables (India) Ltd., which emphasised that clear intention to be bound — evidenced through the parties’ electronic correspondence — is what ultimately determines enforceability.

The Delhi High Court’s decision in World Wrestling Entertainment, Inc. v. M/S Reshma Collection & Ors. (2013) is particularly relevant for platform operators, recognising that a website’s own Terms of Use can establish the jurisdiction in which disputes over online interactions are governed — meaning a well-drafted governing-law and jurisdiction clause in a Terms of Use document is not boilerplate; it can genuinely determine where a business can be sued, or where it can sue.

The Limits of “You Clicked, So You’re Bound”

Enforceability is not absolute, and Indian courts have shown a willingness to strike down unfair terms even where a user technically clicked “I agree.” The Supreme Court’s ruling in LIC of India v. Consumer Education and Research Centre established that unfair, unreasonable, or unconscionable clauses in standard-form contracts — particularly where there is unequal bargaining power between the parties — can be struck down regardless of formal consent, a principle reaffirmed in National Seeds Corporation Ltd. v. M. Madhusudhan Reddy (2012). For any consumer-facing platform, this means a Terms of Use document cannot simply be a maximally aggressive liability shield copy-pasted from a US template — clauses that are wildly one-sided are a real candidate for being struck down precisely when a business needs them enforced.

A further, currently unresolved tension is emerging between contract law and the DPDP Act: the DPDP Act’s consent-centric framework requires consent that is free, specific, informed, unconditional, and unambiguous, and — critically — as easy to withdraw as it is to give. A single, bundled clickwrap acceptance covering both a Terms of Use and a Privacy Policy, common in current practice, sits uneasily against this granular, purpose-specific consent standard, and businesses should expect this to be an active area of scrutiny as DPDP enforcement approaches in 2027.

The Real Risks of Getting This Wrong

  1. Direct regulatory penalties under the DPDP Act — up to ₹250 crore for security failures, ₹200 crore for breach notification failures, accruing per instance, once the Act’s substantive provisions take full effect.
  2. Loss of intermediary “safe harbour” protection. Under Section 79 of the IT Act, intermediaries (platforms hosting third-party content) are shielded from liability for user-generated content — but this protection is conditional on compliance with due diligence requirements, including publishing rules, regulations, and a privacy policy. A business without a proper Privacy Policy risks losing this liability shield entirely, at exactly the moment it’s needed to defend against a claim arising from something a user posted or did on the platform.
  3. An unenforceable Terms of Use means no real recourse. Without a properly formed, clickwrap-based Terms of Use, a business has a materially weaker position to act against data scraping, platform abuse, IP infringement, or a user causing commercial harm — the contractual basis for that action simply may not exist.
  4. E-commerce-specific disclosure failures. The Consumer Protection (E-Commerce) Rules, 2020 impose specific mandatory disclosure obligations on e-commerce entities — return, refund, exchange, and grievance redressal mechanisms, and clear seller information — that a generic, non-customised Terms of Use frequently fails to address, exposing the platform to action by the Central Consumer Protection Authority for unfair trade practices.
  5. Investor and acquirer due diligence exposure. A stale or non-compliant Privacy Policy and Terms of Use is an increasingly common flag in legal due diligence for fundraising or M&A — sophisticated investors and acquirers now specifically check data governance readiness, particularly for any business handling meaningful volumes of consumer data, given the scale of DPDP penalties now on the table.
  6. Breach response failure. Given the DPDP Rules’ strict, no-threshold breach notification requirement and 72-hour reporting window, a business without a designated grievance officer, an internal incident-response process, or accurate data-flow mapping will struggle to meet its notification obligations even if it wants to comply — turning a technical failure into a compounding regulatory one.

What a Genuinely Compliant Set of Documents Actually Needs

Privacy Policy — at minimum:

  • Clear disclosure of what personal and sensitive personal data is collected, the purpose of collection, and third parties it may be shared with.
  • A designated Grievance Officer (a requirement carried over from the SPDI Rules regime and reinforced under the DPDP framework) with published contact details.
  • A clear, accessible mechanism for consent withdrawal, data access, correction, and erasure requests — genuinely as easy to use as the original consent mechanism.
  • Specific provisions for children’s data, including verifiable parental consent where applicable.
  • Retention timelines and the specified purpose for which data is held, consistent with DPDP Rules requirements.

Terms of Use — at minimum:

  • A genuine clickwrap acceptance mechanism — an affirmative “I Agree” action, with the terms clearly accessible before acceptance, not merely a footer link.
  • Clear definitions of the platform, services, and user obligations.
  • A properly drafted governing law and dispute resolution clause — specifying Indian law, the seat and mechanism for arbitration or litigation, consistent with current best practice on arbitration clause drafting.
  • Limitation of liability and indemnification clauses that are reasonable and proportionate — not maximally aggressive boilerplate vulnerable to being struck down as unconscionable.
  • IP ownership and licensing terms, and a clear, procedurally fair termination and suspension mechanism.
  • Age and competency provisions addressing Section 11 of the Contract Act, with a genuine (not purely cosmetic) age-verification step where the platform’s content or services warrant it.

Conclusion

A Privacy Policy and Terms of Use are not the same document wearing two names, and treating them as interchangeable boilerplate is precisely how businesses end up exposed on both fronts at once — a Privacy Policy that doesn’t hold up to DPDP scrutiny, and a Terms of Use that doesn’t hold up in a dispute. With the DPDP Act’s Data Protection Board already operational, its penalty regime running into hundreds of crores, and Indian courts increasingly willing to test the actual fairness and formation of online agreements rather than accepting a click at face value, 2026 is genuinely the year for businesses to treat these documents as what they are: a live compliance and contractual asset, not a one-time template exercise from years ago.

This article is intended for general informational purposes and does not constitute legal advice. Businesses should have their specific Privacy Policy, Terms of Use, and underlying data-handling practices reviewed against their actual operations before relying on this overview.

If your business needs its Privacy Policy and Terms of Use reviewed, drafted, or brought in line with the DPDP Act ahead of the 2027 compliance deadline, feel free to reach out to VNC Corporate & Legal, Advocates & Solicitors.