Teardown5 min read

boAt's Privacy Policy vs the DPDP Act: The Best Policy We've Read Still Has Two Gaps

boAt has one of the best privacy policies among Indian consumer brands. It also leaked 7.5 million customer records. Both are true, and the gap between them is the whole DPDP lesson.

boAt has one of the best privacy policies we have read from an Indian consumer brand. It also leaked 7.5 million customers to the dark web. Both are true, and that gap is the thing most founders still do not get about DPDP.

What boAt gets right (and most D2C brands do not)

  • A named Grievance Officer with a real name, phone number, and address, not a contact form.
  • Separate consent for marketing, location, and cross-border transfer, not one buried checkbox.
  • DigiLocker verification for parental consent for under-18s, which is the actual DPDP standard rather than a lazy age gate.
  • A written commitment to notify the Data Protection Board after a breach.

This is genuinely ahead of the market. So this is not a "they are clueless" teardown. It is the opposite, which makes the two remaining gaps more instructive.

Gap 1: No retention period (Rule 8)

The policy says data is kept "as long as necessary" and deleted within a "legally mandated timeline". DPDP does not accept that. The law expects a number: a defined period, a trigger date, and a deletion schedule. "As necessary" is not a period. It is a gap an auditor will flag immediately.

Gap 2: English only (§5(3))

DPDP requires your notice to be available in English and the 22 Eighth Schedule languages. A buyer from Tamil Nadu or Maharashtra has the same right to understand what they are agreeing to as a buyer from Bengaluru. One language means valid consent for some of your users, but not all of them.

The part that actually matters: policy vs substance

boAt's policy promises "reasonable security safeguards". In March 2024, 7.5 million records (names, emails, phone numbers, and home addresses) showed up on a dark-web forum.

DPDP does not grade privacy policies. It grades what is behind them: the actual encryption, the access controls, the logs, and what you did in the 72 hours after something went wrong. A privacy policy is a promise. DPDP enforces the substance behind it.

If your policy is flawless and your database is open, you are not compliant. You are exposed, now with a written record of everything you promised and did not build. Do not start with the policy. Start with the safeguards, using our DPDP compliance checklist as the build order, and let the policy describe what is already true. The free Compliance Score below checks both.

Frequently asked questions

Is a good privacy policy enough for DPDP compliance?

No. The DPDP Act grades the substance behind the policy: security safeguards, consent records, retention execution, and breach response. A well-written policy backed by weak controls creates a written record of promises the company did not keep.

What languages must a DPDP privacy notice support?

Under §5(3), the privacy notice must be available in English and the 22 languages of the Eighth Schedule of the Indian Constitution, so users can give informed consent in a language they understand.

How should startups verify parental consent under DPDP?

For users under 18, §9 requires verifiable parental consent. DigiLocker-based verification, which boAt uses, is the kind of mechanism the framework contemplates; a simple self-declared age gate does not meet the standard.

Compliance Score

Where does your website stand against the DPDP Act?

Run a free Compliance Score: privacy policy, cookie consent, and retention posture, checked in 60 seconds. No signup.