Sample report — illustrative only

DPDPA Readiness Assessment

acmecorp.in  ·  Scanned 12 May 2026  ·  Ref DPDP-A1B2C3D4

Grade C — 58 / 100
High regulatory exposure — immediate remediation required in 3 categories
Category scores: Consent 42 · Tracking 55 · Privacy Notice 61 · Data Collection 70 · Security 78
Maximum penalty exposure: up to ₹250 Crore per violation under the DPDP Act, 2023. The Data Protection Board of India levies penalties per incident — a site with multiple violations faces compounded exposure. See penalty schedule →
Severity counts: 2 Critical · 4 High · 3 Medium · 1 Low · 3 Advisory
Findings (5 of 13 shown — full report unlocks all)
Pre-consent tracking by 5 third parties detected
Critical · Section 6(1) · Up to ₹250 Crore exposure

Five tracking services loaded and sent data to external servers before the user interacted with the consent banner. This is a direct violation of Section 6(1), which requires free, specific, informed, and unambiguous consent before any personal data is processed. Pre-consent tracking is the single highest-penalty finding a DPDPA scan can surface — the Data Protection Board has signalled this as a priority enforcement area.

Trackers active before consent:
  • Google Analytics (_ga, _gid)
  • Meta Pixel (fbp, _fbq)
  • LinkedIn Insight Tag
  • Hotjar (hjid, _hjSession)
  • Mixpanel (mp_*)
All 5 fired network requests to external servers during the pre-consent capture phase. GA4 and Meta Pixel additionally set cookies that persist across sessions.
DPDP Act 2023 Section 6(1) — Consent
"A Data Fiduciary shall request the consent of a Data Principal in such a manner that the request is presented separately from any other matter, is in clear and plain language, specifies each purpose of processing... and allows the Data Principal to give consent to the processing of her personal data for one or more specified purposes."
Processing personal data (including behavioural tracking via cookies) before consent is given violates this provision. Consent must be obtained before, not after, the data is collected.
Penalty: up to ₹250 Crore per violation
Remediation: Configure a consent-first tag firing architecture · Effort: Moderate · 2–3 weeks
  • Move all 5 tracking scripts from direct page injection into Google Tag Manager (or equivalent). Configure each tag with a consent trigger: fire only when the custom event consent_granted is pushed to the data layer. This is the standard GDPR/DPDPA pattern — no tracking library needs to change, only the firing logic.
  • For Google Analytics 4: enable GA4's built-in Consent Mode v2. Set analytics_storage: 'denied' as the default state on page load, and update to 'granted' only after the user accepts. GA4 will model conversion data for the consent-denied window, so you will not lose attribution entirely.
  • For Meta Pixel: use Meta's Advanced Matching with consent gating. Do not load the fbq('init', ...) call until post-consent. The Conversions API (server-side) is a compliant alternative that processes data only after consent is logged.
  • For Hotjar: Hotjar natively supports consent-mode integration via hj('optOut') / hj('optIn'). Call optOut on page load as the default; call optIn only on consent acceptance.
  • After making these changes, re-run this scan to verify zero pre-consent network requests to all 5 domains. The scan captures pre-consent network traffic at the packet level — partial fixes that still leak query parameters or referrer data will be flagged.
Teams: dev, marketing, legal
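The consent gate described in the steps above, as an added example (not code from the scanned site, the report's vendor, or any tag library): Consent Mode v2 defaults to denied on load, Hotjar is opted out until the user acts, and the Accept All / Reject All handlers update consent, persist the choice and push the consent_granted event that Tag Manager tags are triggered on. The `dataLayer`, `hj` and `gtag` names follow the vendor snippets quoted in the finding; the storage key `consent_choice` and the `consent_denied` event name are this example's own (assumed) choices. The data layer, Hotjar function and storage are injected so the same module runs in Node for testing.

```javascript
// Added example: consent-first gating for GA4 Consent Mode v2, GTM tag
// triggers and Hotjar opt-in. Not code from the scanned site or any vendor.
// Assumed names: storage key 'consent_choice' and event 'consent_denied'.

const CONSENT_TYPES = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Builds a Consent Mode state object with every consent type set to `value`.
function consentState(value) {
  const state = {};
  for (const type of CONSENT_TYPES) state[type] = value;
  return state;
}

// `dataLayer` is the GTM array, `hj` the Hotjar API function, `storage` any
// object with getItem/setItem (localStorage in a browser). All three are
// injected so the gate runs in Node as well as in the page.
function createConsentGate({ dataLayer, hj, storage }) {
  // Same shape as Google's snippet: gtag() pushes its argument list.
  function gtag(...args) { dataLayer.push(args); }

  const gate = {
    // Must run synchronously in <head>, before GTM, GA4 or Hotjar load.
    initDefaults() {
      // Default: everything denied; tags wait up to 500 ms for an update.
      gtag('consent', 'default', { ...consentState('denied'), wait_for_update: 500 });
      hj('optOut'); // Hotjar stays off until the user opts in
      const saved = storage.getItem('consent_choice');
      if (saved === 'granted' || saved === 'denied') gate.applyDecision(saved);
      return saved;
    },

    // Called from the banner's Accept All / Reject All handlers.
    applyDecision(decision) {
      if (decision !== 'granted' && decision !== 'denied') {
        throw new Error(`unknown consent decision: ${decision}`);
      }
      const state = consentState(decision);
      gtag('consent', 'update', state);
      storage.setItem('consent_choice', decision);
      if (decision === 'granted') {
        hj('optIn');
        // GTM tags are configured to fire only on this custom event.
        dataLayer.push({ event: 'consent_granted' });
      } else {
        hj('optOut');
        dataLayer.push({ event: 'consent_denied' });
      }
      return state;
    },
  };
  return gate;
}

// Most recent consent command of the given kind ('default' or 'update')
// on the data layer, or null if none was pushed.
function lastConsentCommand(dataLayer, kind) {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const entry = dataLayer[i];
    if (Array.isArray(entry) && entry[0] === 'consent' && entry[1] === kind) return entry[2];
  }
  return null;
}

function hasEvent(dataLayer, name) {
  return dataLayer.some((entry) => entry && !Array.isArray(entry) && entry.event === name);
}

// In-memory stand-in for localStorage so the example runs offline.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (key) => (store.has(key) ? store.get(key) : null),
    setItem: (key, value) => { store.set(key, value); },
  };
}

// Walks through a first visit (no prior choice), an Accept All click, and a
// return visit that replays the stored choice. Returns what was pushed.
function demoFirstVisitThenReturn() {
  const storage = memoryStorage();
  const firstVisit = { dataLayer: [], hjCalls: [] };
  const gate1 = createConsentGate({
    dataLayer: firstVisit.dataLayer, hj: (cmd) => firstVisit.hjCalls.push(cmd), storage,
  });
  gate1.initDefaults();
  gate1.applyDecision('granted');

  const returnVisit = { dataLayer: [], hjCalls: [] };
  const gate2 = createConsentGate({
    dataLayer: returnVisit.dataLayer, hj: (cmd) => returnVisit.hjCalls.push(cmd), storage,
  });
  const replayed = gate2.initDefaults();
  return { firstVisit, returnVisit, replayed };
}
```

The important ordering property is that `initDefaults()` runs before any tag library script tag: Consent Mode only honours a default that was pushed before GA4 initialised, and a Hotjar optOut issued after the recorder has started is too late for the pre-consent capture window the scan measures.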
Consent banner has no reject option — dark pattern detected
Critical · Section 6(4) · Up to ₹250 Crore exposure

A consent banner is present, but it displays only an "Accept All" button. No "Reject All" or "Manage Preferences" option is visible without additional clicks. Section 6(4) of the DPDP Act requires that withdrawing consent be as easy as giving it — a single-click "Accept" with a multi-step or hidden "Reject" path is a dark pattern that invalidates any consent obtained through it. DPDPA consent obtained via a dark pattern is legally equivalent to no consent.

Banner analysis:
  • Accept All — 1 click visible
  • Reject All — not found
  • Manage Preferences — buried under "Learn More"
  • Pre-ticked purpose checkboxes detected
DPDP Act 2023 Section 6(4) — Withdrawal of consent
"A Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being equivalent to the ease with which she had given her consent..."
If accepting takes one click, rejecting must also take one click. Asymmetric prominence — large "Accept" vs. small or hidden "Reject" — is a dark pattern that invalidates consent under the Act.
Penalty: up to ₹250 Crore per violation
Remediation: Add a visually equivalent Reject button to the consent banner · Effort: Quick Win · 1–2 days
  • Add a "Reject All" button directly on the banner's first view — same size, same visual weight as "Accept All". Do not place it behind a "Manage Preferences" or "Learn More" link. Both buttons must be on the same visible surface without scrolling.
  • Remove any pre-ticked purpose checkboxes from the preferences panel. Under DPDPA, consent must be active (an affirmative action by the user) — pre-ticked boxes or opt-out defaults are explicitly prohibited. Each purpose category must default to unchecked.
  • If using a Consent Management Platform, update the banner template in the CMP dashboard. Most CMPs provide a GDPR-equivalent configuration — enabling it also satisfies DPDPA's consent quality requirements.
  • After fixing the banner, verify with this scan that reject parity is confirmed: the scanner checks for Reject/Decline buttons in the first-view DOM and compares element prominence scores (size, position, colour contrast) between Accept and Reject.
Teams: dev, design
No data breach notification procedure disclosed
High · Section 8(6) / Rule 7 · Up to ₹200 Crore exposure

The privacy notice contains no mention of a breach notification procedure. Rule 7 requires every Data Fiduciary to notify both affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of a personal data breach. The 72-hour breach notification obligation applies from Day 1 of the DPDPA — it is already in force. Failure to disclose this obligation in the privacy notice, and failure to notify within 72 hours when a breach occurs, both attract separate penalties.

Privacy policy keyword scan — breach notification:
  • "breach" — not found
  • "security incident" — not found
  • "72 hours" — not found
  • "data protection board" — not found
DPDP Rules 2025 Rule 7 — Breach notification procedure
"Upon becoming aware of a personal data breach, a Data Fiduciary shall, without delay and in any case within seventy-two hours of becoming aware, notify the Board and each affected Data Principal of such breach..."
This obligation is in force from Day 1 — it is not part of the phased timeline. Any breach occurring now must be reported within 72 hours. Disclosing the procedure in your privacy notice demonstrates readiness and is required by the Rules.
Penalty: up to ₹200 Crore (Section 8(6))
Remediation: Add a breach notification paragraph and internal response plan · Effort: Quick Win · 2–3 days
  • Add a "Security & Breach Notification" section to your privacy notice: "In the event of a personal data breach that is likely to affect your rights or interests, we will notify you and the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under Rule 7 of the DPDP Rules 2025. Notification will be sent to the email address associated with your account and will include the nature of the breach, categories of data involved, likely impact, and the remedial steps we are taking."
  • Internally, establish a breach response runbook: (a) detection and containment within the first 6 hours; (b) impact assessment and legal review within 24 hours; (c) DPBI notification and user notification before the 72-hour window closes. Assign a named person responsible for triggering this runbook.
  • Prepare a notification template in advance. When a breach occurs, you will not have time to draft a compliant notice from scratch. The template should include placeholders for: breach date/time, data categories affected, number of principals affected, immediate containment steps, and remediation actions.
Teams: legal, security, management
Privacy notice missing 4 required elements
High · Section 5(1) / Rule 3 · Up to ₹200 Crore exposure

The privacy notice was found and is accessible, but fails 4 of the 15 DPDPA-specific checks. Section 5(1) requires the notice to contain specific elements before or at the time of data collection. Each missing element is a separate gap — regulators typically assess notice compliance holistically, but each omission independently contributes to penalty exposure.

Failed checks (4 of 15):
  • Grievance officer contact — not found
  • Data retention periods — vague ("reasonable time")
  • Data Principal rights — not described
  • DPBI complaint link — not found
11 of 15 checks passed: purposes specified ✓, withdrawal instructions ✓, fiduciary identified ✓, standalone document ✓, breach notification ✗ (separate finding), multilingual ✗ (separate finding), and 6 others.
DPDP Act 2023 Section 5(1) — Notice by Data Fiduciary
"Every Data Fiduciary shall give to the Data Principal... a notice containing a description of personal data sought to be collected and the purpose of processing of such personal data; the manner in which she may exercise her rights under the provisions of this Act..."
Notice must be given before or at the time of collection. A notice that omits required elements — even if otherwise comprehensive — is a deficient notice under the Act.
Penalty: up to ₹200 Crore
Remediation: Update privacy notice with 4 missing sections · Effort: Quick Win · 2–3 days
  • Grievance Officer: Add a named Grievance Officer with full name, designation, business email, and postal address. A named individual is required — a generic support email does not satisfy Rule 9. Example: "Grievance Officer: Priya Sharma, Data Protection Lead, grievance@acmecorp.in, 4th Floor, Prestige Tower, MG Road, Bengaluru 560001."
  • Retention periods: Replace "reasonable time" with specific per-category durations. Example: "Account data: 3 years from last login. Transaction records: 7 years (statutory requirement under the Companies Act). Marketing preferences: 1 year from collection or until withdrawn."
  • Data Principal rights: Add a "Your Rights" section describing: right to access a summary of data held, right to correct inaccurate data, right to erasure, right to withdraw consent, and right to nominate a person to exercise these rights on your behalf. Include the request mechanism (email address or form URL) and the response timeline (30 days).
  • DPBI complaint link: Add a paragraph: "If your grievance is not resolved within 30 days, you may appeal to the Data Protection Board of India at dpboard.gov.in." This is a Rule 3(c)(iii) mandatory disclosure — it is the regulatory escalation path for Data Principals whose complaints you fail to resolve.
Teams: legal, management
Security headers not configured — 2 of 4 missing or weak
Medium · Rule 6 / Section 8(5) · Up to ₹250 Crore exposure

The HTTP response headers were checked against Rule 6's requirement for "reasonable security safeguards". Two headers are absent or configured below minimum standards, leaving the site vulnerable to script injection and clickjacking attacks — both of which can directly result in personal data exfiltration, creating compounded liability under Section 8(5).

Header audit results:
  • Content-Security-Policy — not set
  • Strict-Transport-Security — max-age 5184000 (60 days, min 1 year required)
  • X-Frame-Options — DENY ✓
  • X-Content-Type-Options — nosniff ✓
Remediation: Add CSP header and extend HSTS max-age to 1 year · Effort: Quick Win · 1 day
  • Content-Security-Policy: Add a CSP header via your web server or CDN. A safe starting policy for a site using Google Tag Manager, GA4, and Razorpay: default-src 'self'; script-src 'self' https://www.googletagmanager.com https://checkout.razorpay.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com;. Use report-only mode first to catch violations without breaking the site.
  • HSTS: Update the Strict-Transport-Security header to max-age=31536000; includeSubDomains (365 days). The current 60-day max-age means users are only protected for 2 months after their last visit. For Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Teams: dev, infrastructure
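A self-check for the four headers in the audit above, as an added example that is not the report's scanner code: it grades each header as pass, weak or missing using the finding's own thresholds (an enforced CSP with no 'unsafe-inline' script sources, HSTS max-age of at least one year with includeSubDomains, X-Frame-Options DENY or SAMEORIGIN, nosniff). Headers are passed in as a plain name-to-value object; the sample values are constructed to mirror the audit result above and are not a real capture.

```javascript
// Added example: audits the four response headers listed in the finding
// above. Not code from the report's scanner; thresholds follow the finding's
// own criteria. Header names are matched case-insensitively.

const ONE_YEAR_SECONDS = 31536000;

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// CSP: missing, report-only (nothing enforced), weak script sources, or pass.
function checkCsp(enforced, reportOnly) {
  const header = 'Content-Security-Policy';
  if (!enforced) {
    return reportOnly
      ? { header, status: 'weak', detail: 'report-only policy present but nothing is enforced' }
      : { header, status: 'missing', detail: 'not set' };
  }
  const directives = enforced.split(';').map((d) => d.trim()).filter(Boolean);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const scriptSrc = directives.find((d) => d.startsWith('script-src '))
    || directives.find((d) => d.startsWith('default-src '));
  if (!scriptSrc) return { header, status: 'weak', detail: 'no script-src or default-src directive' };
  const allowsInline = /'unsafe-inline'/.test(scriptSrc)
    && !/'(nonce-|sha(256|384|512)-)/.test(scriptSrc);
  if (allowsInline) {
    return { header, status: 'weak', detail: `${scriptSrc.split(' ')[0]} allows 'unsafe-inline' with no nonce or hash` };
  }
  return { header, status: 'pass', detail: enforced };
}

function checkHsts(value) {
  const header = 'Strict-Transport-Security';
  if (!value) return { header, status: 'missing', detail: 'not set' };
  const match = /max-age=(\d+)/i.exec(value);
  if (!match) return { header, status: 'weak', detail: 'no max-age directive' };
  const maxAge = Number(match[1]);
  const days = Math.floor(maxAge / 86400);
  if (maxAge < ONE_YEAR_SECONDS) {
    return { header, status: 'weak', detail: `max-age ${maxAge} (${days} days, min 1 year required)` };
  }
  if (!/includeSubDomains/i.test(value)) return { header, status: 'weak', detail: 'includeSubDomains missing' };
  return { header, status: 'pass', detail: value };
}

function checkFrameOptions(value) {
  const header = 'X-Frame-Options';
  if (!value) return { header, status: 'missing', detail: 'not set' };
  if (!/^(DENY|SAMEORIGIN)$/i.test(value)) return { header, status: 'weak', detail: `unrecognised value ${value}` };
  return { header, status: 'pass', detail: value };
}

function checkContentTypeOptions(value) {
  const header = 'X-Content-Type-Options';
  if (!value) return { header, status: 'missing', detail: 'not set' };
  if (!/^nosniff$/i.test(value)) return { header, status: 'weak', detail: `expected nosniff, got ${value}` };
  return { header, status: 'pass', detail: value };
}

// Runs all four checks and counts how many are not passing.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const results = [
    checkCsp(h['content-security-policy'], h['content-security-policy-report-only']),
    checkHsts(h['strict-transport-security']),
    checkFrameOptions(h['x-frame-options']),
    checkContentTypeOptions(h['x-content-type-options']),
  ];
  return { results, failing: results.filter((r) => r.status !== 'pass').length };
}

// Constructed sample mirroring the audit result above (not a real capture).
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=5184000',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};

// The same site after applying the finding's recommended values.
const FIXED_HEADERS = {
  ...SAMPLE_HEADERS,
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://checkout.razorpay.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};
```

Two points the checker encodes that the audit line does not spell out: a Content-Security-Policy-Report-Only header counts as weak rather than fixed, since it logs violations but blocks nothing, and a policy that reaches for 'unsafe-inline' to keep inline tag snippets working is also graded weak; a nonce or hash on those snippets keeps the script-injection protection the finding is about.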
Locked findings (unlocked in the full report):
Canvas fingerprinting detected on 3 pages
High · Section 6(1) · ₹250 Crore exposure · Remediation: 1–2 weeks
Privacy policy not available in any Indian language
Medium · Section 5(3) / Rule 3(1) · ₹200 Crore exposure · Remediation: 2–3 weeks
4 PII forms collecting email and phone without visible consent notice
High · Section 6(1) · ₹250 Crore exposure · Remediation: 1 week
Consent banner does not support multilingual display
Medium · Rule 3(1) · ₹200 Crore exposure · Remediation: 3–5 days
Advisory: Foreign trackers in 3 countries — monitor Rule 15
Info · Rule 15 · Advisory only · Rule 15 not in force until May 2027
Advisory: Consent Manager registration deadline — 13 November 2026
Info · Rule 4 · Advisory only · Verify CMP vendor registration status
Advisory: Platform signals suggest possible Significant Data Fiduciary classification
Info · Rule 13 / Section 10 · Advisory only · Annual DPIA + DPO obligations if notified
8 more findings with full legal citations, step-by-step remediation, and effort estimates.
The full paid report includes every finding above plus all remaining findings — each with exact statutory text, evidence details, team assignments, and phased fix timelines. Includes PDF export.
Phased remediation roadmap

Phase 1 (Week 1): Quick wins — immediate risk reduction
4 issues fixable in 1–2 days each — resolve these first for maximum risk reduction at minimum cost. 3 are privacy notice edits that can be batched into a single document update session with your legal team.
  • Add Reject All button to consent banner (1 day, design)
  • Update privacy notice: grievance officer, DPBI link, data rights, retention schedule (2 days, legal)
  • Add breach notification paragraph to privacy notice (1 day, legal)
  • Configure HSTS max-age to 1 year + add Content-Security-Policy header (1 day, dev)

Phase 2 (Weeks 2–4): Moderate — consent architecture and tracking
3 issues requiring development effort — technical consent gate implementation and PII form updates. Estimated 2–3 engineer-days total.
  • Implement consent-first tag firing via Tag Manager for all 5 pre-consent trackers (3 days, dev + marketing)
  • Add consent notice to 4 PII collection forms — inline disclosure or banner acknowledgement (2 days, dev)
  • Add Hindi translation of privacy notice (Rule 3(1) mandatory language) (3 days, legal + translation)

Phase 3 (Weeks 4–8): Significant — fingerprinting and multilingual consent
2 issues requiring vendor engagement or product decisions. Coordinate with your analytics and CMP vendors.
  • Remove or gate canvas fingerprinting — identify the script, assess if it's a vendor SDK or custom code, remove or consent-gate it (1–2 weeks, dev + vendor)
  • Add multilingual consent banner (Hindi mandatory, regional language recommended) — CMP configuration or custom implementation (2–3 weeks, dev + design + translation)

See your site's full report

Free summary in minutes. Full report with all findings, legal citations, remediation steps, phased roadmap, and PDF export — ₹4,499 + GST.

Scan your site now →
No login required for free scan · Full compliance deadline: 13 May 2027