India’s DPDP Act: a practical checklist for digital publishers
High-level compliance framing for small teams: lawful bases, notices, retention, vendor oversight, and where to seek counsel.
May 10, 2026 · 10 min read
Scope and mindset
India’s Digital Personal Data Protection Act introduces obligations around personal data that publishers routinely touch: newsletter sign-ups, tip lines, analytics identifiers, advertising cookies, and HR records for freelancers. This checklist orients small newsrooms and indie blogs—it is not legal advice. Pair it with counsel familiar with your processes and any sector rules.
Map what you collect
Inventory forms on your site: contact pages, comment systems if enabled, partner widgets, and consent banners. Record categories (email, IP-derived geography, device identifiers), purposes (responding to readers, analytics, ads personalisation), and retention defaults. Ambiguity here propagates into vague privacy notices that regulators and platforms scrutinise.
Transparency and notices
Ensure your privacy policy names the third-party processors readers encounter (advertising networks, analytics vendors, hosting/CDN providers) and summarises how readers can exercise their rights, where applicable. Update “last modified” dates when behaviour changes. Link the policy prominently near cookie choices and account flows.
Vendor contracts and subprocessors
Hosting and SaaS tools often process personal data on your behalf. Contractual language should cover processing purposes, deletion timelines, cross-border transfers if relevant, and breach notification expectations. Ad platforms may rely on separate consent frameworks in certain jurisdictions; make sure the options in your consent banner match the third-party scripts that actually load.
Retention and minimisation
Avoid hoarding IP logs or abandoned drafts indefinitely. Align retention with investigative need and statutory limits where they exist. Pseudonymous analytics can reduce exposure while preserving aggregate insight.
Incident readiness
Maintain a lightweight playbook: who decides public disclosure, how backups are isolated, and how quickly credentials rotate after suspicion of compromise. Practice restores periodically—ransomware isn’t theoretical for media sites.
Closing reminder
Privacy regimes evolve; product teams change vendors faster than policies update. Schedule quarterly reviews of data maps and subprocessors. Consistency builds reader trust and reduces friction when partnering with advertisers or platforms.
Consult qualified counsel before relying on this overview for compliance decisions.
