checkDPDP

Guide

Correct your website fast — five mistakes that fail every DPDP scan

We scan hundreds of Indian sites a week and the same five mistakes show up almost every time. None of them takes more than an afternoon to fix — but together they account for around 70 % of the Fail flags on a typical first scan.

18 Jun 2026 · 6 min read

Most Indian websites fail their first DPDP scan in predictable ways. The good news: the top five findings are also the cheapest to correct. Fix these and your scanner score moves 25–45 points without any structural change to your site.

**Mistake 1 — Trackers firing before consent.** Google Analytics, Meta Pixel, Hotjar, Intercom, chat widgets — all loading on the first request. Under DPDP Section 6 these need prior consent. Fix: move every non-essential script tag into a consent-gated loader. Most CMPs (Complianz, CookieYes, Tsaaro, the checkDPDP banner builder) emit a JavaScript event when the user accepts each category; wire your scripts to that event. Time to fix: 2–3 hours including QA.

**Mistake 2 — Pre-ticked consent boxes.** Preference centre opens with analytics and marketing already ON. DPDP requires unambiguous consent — a pre-tick is the textbook example of what does NOT count. Fix: default every non-essential category to OFF in your CMP config. Time to fix: 5 minutes — it is a single toggle in every major CMP.
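An added example (not from the original post or any CMP vendor) of the consent-gated loader from Mistake 1 combined with the OFF-by-default state from Mistake 2: nothing in the registry is in the page's static HTML, scripts are injected only after a consent event, and unknown categories fail closed. The event name `dpdp:consent` and the script URLs are assumptions; substitute the event your CMP actually emits and your real tag URLs.

```javascript
// Registry of third-party tags, each tied to the CMP category that must be
// accepted before it is injected. URLs are constructed placeholders.
const SCRIPT_REGISTRY = [
  { id: "ga4",       category: "analytics",  src: "https://analytics.example.invalid/gtag.js" },
  { id: "hotjar",    category: "analytics",  src: "https://heatmap.example.invalid/hj.js" },
  { id: "metapixel", category: "marketing",  src: "https://pixel.example.invalid/fbevents.js" },
  { id: "chat",      category: "functional", src: "https://chat.example.invalid/widget.js" },
];

// Mistake 2: every non-essential category starts OFF. Only a user action,
// relayed through the CMP event, can turn one on.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, functional: false };
}

// Pure decision: which registry entries may load under a consent state.
// A missing category, or anything other than boolean true, is "no consent".
function allowedScripts(consent, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => consent[s.category] === true);
}

// Mistake 1: this is the only code path that creates a <script> element.
// `loaded` makes it idempotent, so a re-fired event never double-injects a tag.
const loaded = new Set();
function injectAllowed(consent, registry = SCRIPT_REGISTRY, doc = globalThis.document) {
  const injected = [];
  for (const s of allowedScripts(consent, registry)) {
    if (loaded.has(s.id)) continue;
    if (doc) {                         // skipped outside a browser (e.g. in tests)
      const el = doc.createElement("script");
      el.src = s.src;
      el.async = true;
      doc.head.appendChild(el);
    }
    loaded.add(s.id);
    injected.push(s.id);
  }
  return injected;                     // ids loaded on this call, for logging/QA
}

// Wire-up: "dpdp:consent" is an assumed event name. Its `detail` is expected to
// carry per-category booleans; anything it omits keeps the OFF default.
if (typeof window !== "undefined") {
  window.addEventListener("dpdp:consent", (e) =>
    injectAllowed({ ...defaultConsent(), ...(e.detail || {}) }));
}
```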

**Mistake 3 — Accept-only banners.** Big green Accept button, with Reject buried behind a 'Manage' link. DPDP requires balanced choices; an asymmetric UI is treated as confused consent. Fix: equal visual weight for Accept and Reject at the top level. Time to fix: 10 minutes if your CMP supports a 'Reject all' primary button (most do; if not, change CMP).

**Mistake 4 — No Grievance Officer in the footer or notice.** Section 5 of the DPDP Act requires a findable Grievance Officer for Data Principal complaints, with a contact mechanism. Most Indian SMB sites have neither. Fix: add a name (the founder is fine), an email like grievance@yourdomain.in, and a 30-day response SLA. Put it in the privacy notice AND the site footer. Time to fix: 15 minutes including footer template edit.

**Mistake 5 — HTTPS without HSTS, or HTTPS missing on subdomains.** Many sites serve HTTPS on the apex but plain http:// on staging, blog or admin subdomains. Section 8(5) safeguards sit in the ₹250 cr penalty band — security is the highest-stakes finding category. Fix: the Cloudflare free tier with 'Always Use HTTPS' turned on, plus 'Automatic HTTPS Rewrites', covers the basic case in 30 minutes. Add a Strict-Transport-Security header with a 6-month max-age once you are confident every subdomain serves HTTPS. Time to fix: 30–60 minutes.

Fix all five and re-run the scanner the same day. Most Indian SMB sites jump from the 40s to the high 70s on the first re-scan after this checklist — the band where the Data Protection Board treats you as 'cooperating with safeguards in place', not 'wilful'. The remaining gap to 100 is mostly DPIA + vendor inventory + India-residency work, which is genuinely a multi-week programme — but the visible-from-the-browser failures close in a single afternoon.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
