Privacy Pulse: January 2026 Edition
Newsletter · DPDP · 2026-02-05
Monthly roundup of data privacy developments, DPDP Act implementation updates, and compliance best practices for Indian businesses.
DPDP Act Implementation Updates

The Data Protection Board of India (DPB) has issued new guidelines on consent management requirements, providing much-needed clarity for organizations building compliance programs. Key highlights include:

Granular consent clarification: The DPB confirmed that consent must be purpose-specific and cannot be bundled. Organizations must provide separate consent checkboxes for distinct processing activities (e.g., service delivery vs. marketing vs. analytics). A single "I agree to all" checkbox does not satisfy Section 6 requirements.

Simplified withdrawal mechanisms: Withdrawal of consent must be as easy as giving consent. If consent was obtained through a one-click button, withdrawal must also be achievable in one click. Multi-step withdrawal processes or requiring users to email/call to withdraw consent are non-compliant.

Consent records: Organizations must maintain auditable records of when, how, and for what purpose consent was obtained, along with evidence that the notice was presented at the time of consent. These records must be available for DPB inspection.

Action item: Audit your current consent flows against these guidelines using Complynz's DPDP Readiness Assessment. Pay particular attention to bundled consent practices and withdrawal mechanisms.

Industry Spotlight: Healthcare

Healthcare organizations face some of the most complex DPDP compliance challenges due to the sensitivity of health data and the multi-party nature of healthcare delivery (doctors, hospitals, labs, pharmacies, insurance).

Early adopter insights from 15 healthcare organizations:

Patient consent portals: Leading hospital chains have implemented digital consent management portals where patients can view exactly what data is collected, for what purpose, and provide/withdraw consent granularly — separating treatment, billing, research, and marketing purposes.
Cross-provider data sharing: The biggest challenge is managing consent across the care chain. When a hospital shares lab results with a specialist, both entities need an independent legal basis for processing. Standard data sharing agreements aligned with DPDP are being developed by industry consortiums.

Health data anonymization: Several organizations have invested in anonymization tools to enable medical research without triggering DPDP personal data obligations. However, re-identification risks from small-sample health data remain a concern.

If your organization processes health data, use Complynz's PII Discovery Tool to identify all personal health information across your systems.

Compliance Tip of the Month: Plain Language Privacy Notices

DPDP Act Section 5 requires privacy notices to be in "clear and plain language." Here is a practical checklist for testing your notices:

Readability test: Run your notice through a readability calculator. Target a Flesch-Kincaid Grade Level of 8 or below — your notice should be understandable to a 14-year-old.

Length check: If your complete privacy notice exceeds 2,000 words, consider a layered approach — a short summary (500 words) with links to detailed sections.

Jargon audit: Search for legal terms ("notwithstanding," "hereinafter," "pursuant to") and replace them with plain equivalents. If a term requires legal precision, explain it in parentheses.

User test: Ask 3-5 non-legal team members to read your notice and summarize what data you collect, why, and what rights they have. If they cannot answer accurately, your notice needs simplification.

Visual formatting: Use headings, bullet points, and bold text to make the notice scannable. Walls of text are inherently unclear regardless of language level.

Generate DPDP-aligned privacy policy templates with Complynz's AI Policy Generator.
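The readability, length and jargon items of this checklist can be scripted and run whenever a notice changes. The Python below is an added example, not part of the newsletter or of any Complynz tool; the function names are illustrative, the syllable counter is a rough heuristic (an assumption), and the two sample notices are constructed.

```python
import re

# Thresholds and jargon terms are the ones given in the checklist above.
MAX_GRADE = 8.0
MAX_WORDS = 2000
JARGON = ("notwithstanding", "hereinafter", "pursuant to")

def count_syllables(word):
    """Heuristic (assumption): count vowel groups, drop a silent trailing 'e'."""
    word = word.lower()
    groups = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)

def fk_grade(text):
    """Flesch-Kincaid Grade Level: 0.39*words/sentences + 11.8*syllables/words - 15.59."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return 0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59

def lint_notice(text):
    """Return the automatable checklist results for one privacy notice."""
    words = re.findall(r"[A-Za-z']+", text)
    lowered = text.lower()
    grade = fk_grade(text)
    return {
        "grade": round(grade, 1),
        "grade_ok": grade <= MAX_GRADE,
        "word_count": len(words),
        "length_ok": len(words) <= MAX_WORDS,
        "jargon": [t for t in JARGON if re.search(r"\b" + re.escape(t) + r"\b", lowered)],
    }

# Constructed sample notices (not taken from any real policy).
LEGALESE = ("Notwithstanding anything contained herein, the Company, hereinafter "
            "referred to as the Data Fiduciary, shall process personal information "
            "pursuant to the applicable statutory provisions.")
PLAIN = ("We collect your name and email. We use them to send your bills. "
         "You can ask us to stop at any time.")

if __name__ == "__main__":
    for name, text in (("legalese", LEGALESE), ("plain", PLAIN)):
        print(name, lint_notice(text))
```

The user test and visual formatting items still need human review; a passing score here only covers the three mechanical checks.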
Key Dates and Deadlines

February 15, 2026: Expected DPB guidance on Data Protection Impact Assessment (DPIA) requirements for Significant Data Fiduciaries

Q1 2026: DPB registration portal for Significant Data Fiduciaries expected to open

Ongoing: Organizations should be actively building compliance programs — enforcement readiness is the goal, even before formal enforcement begins