DPDP readiness signals

The DPDP asks for proof. The proof isn't there yet.

We investigated 107 Indian company websites. The question is not who passes and who fails. It is whether any company can demonstrate readiness with evidence — right now.

What DPDP readiness actually requires

India's data protection law (DPDP) does not ask companies to fill out a form. It asks them to prove — with evidence — that they tell you what data they collect, ask your permission before collecting it, only use it for the reason they said they would, name every outside company that touches your data, and actually answer when you ask them about it. Tracker disclosure gaps — where a tracker runs but the policy never mentions it — are warning signs. Session replay running without clear notice is another. Readiness is not a checkbox. It is a trail.

What DPDP expects vs. what we observed

Notice

What DPDP expects

Tell people what data you collect and why — before you collect it.

What we observed

Many websites start tracking the moment the page loads. You don't see any privacy notice until the tracking has already started.

Consent

What DPDP expects

Ask permission for each thing separately. Saying yes to analytics does not mean saying yes to ads.

What we observed

Many sites put everything into one 'I agree' button. Some say that just visiting the website means you agreed to everything. Some lump email, SMS, and WhatsApp together.

Purpose limitation

What DPDP expects

Only use someone's data for the reason you told them you would use it.

What we observed

We found analytics, advertising, screen recording, and identity-matching tools all running on the same pages. The policies don't explain which tool is used for what.

Vendor disclosure

What DPDP expects

Name every outside company that touches your users' data. If a tracker runs on your site but your policy doesn't mention it, that is a warning sign.

What we observed

59% of the websites we checked had trackers running that were not named anywhere in their privacy policy.

Grievance response

What DPDP expects

Give people a way to complain. When someone asks 'what data do you have on me?' — actually answer them.

What we observed

Some companies answered our emails directly. Others sent us to a different form, a different team, or just never replied. This is the first thing a regulator will check.

Evidence trail and readiness

What DPDP expects

Be able to show what data you collect, which outside companies see it, and that the user actually said yes.

What we observed

46 sites record your visits. When screen recording, analytics, ads, and your account data all sit on the same page, the system design makes linkability easy: the dots can be connected to figure out who you are. The question is not whether companies intend to misuse data; it is whether they can prove they don't.

What readiness looks like

Some companies in our investigation looked much better: few or no trackers, cookie consent that asks you separately for each thing, complaint channels that actually replied, and policies that matched what the website actually does. These are not certifications — they are examples of what good looks like, from the same investigation.

Being ready starts with knowing what is happening on your own website. Our investigation suggests that gap is still wide.
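
An added example, not part of the original investigation or its tooling: one way to check a page-load capture (HAR) from your own site for the two gaps described above, trackers that fire before consent and trackers the policy never names. The vendor map, hostnames, policy text and timestamps are constructed, and matching vendor names by substring is an assumption.

```python
from datetime import datetime
from urllib.parse import urlparse

# Hypothetical host-suffix -> vendor-name map; build the real one from your tag inventory.
VENDORS = {"analytics.example": "Example Analytics",
           "replay.example": "Example Replay",
           "ads.example": "Example Ads"}

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def audit(har, first_party, policy_text, consent_at):
    """Map each third-party vendor seen in the HAR to its two evidence gaps."""
    policy = policy_text.casefold()
    consent = datetime.fromisoformat(consent_at) if consent_at else None
    findings = {}
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        if not host or under(host, first_party):
            continue
        # Unmapped third-party hosts are reported under their hostname for manual review.
        vendor = next((v for d, v in VENDORS.items() if under(host, d)), host)
        row = findings.setdefault(
            vendor, {"pre_consent": False, "disclosed": vendor.casefold() in policy})
        started = datetime.fromisoformat(entry["startedDateTime"])
        # With no consent event at all, every third-party request counts as pre-consent.
        if consent is None or started < consent:
            row["pre_consent"] = True
    return findings

def req(url, ts):
    return {"startedDateTime": ts, "request": {"url": url}}

# Constructed sample capture: consent is given three seconds after page load.
SAMPLE_HAR = {"log": {"entries": [
    req("https://shop.example/", "2025-01-01T10:00:00.000+00:00"),
    req("https://cdn.analytics.example/a.js", "2025-01-01T10:00:00.200+00:00"),
    req("https://replay.example/rec.js", "2025-01-01T10:00:00.300+00:00"),
    req("https://ads.example/px", "2025-01-01T10:00:05.000+00:00"),
]}}
SAMPLE_POLICY = "We share data with Example Analytics and Example Ads."
CONSENT_AT = "2025-01-01T10:00:03.000+00:00"

if __name__ == "__main__":
    for vendor, row in audit(SAMPLE_HAR, "shop.example", SAMPLE_POLICY, CONSENT_AT).items():
        print(vendor, row)
```

Keeping each dated capture next to the policy version it was checked against gives the result evidentiary value later.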

This is not a compliance certification. State of Privacy is a public investigation. We observe, capture, and report. For DPDP risk assessment or evidence-based consultancy, contact Meridian Bridge Strategy.
