At a glance
The DPDP Act doesn’t use the term “privacy policy” and doesn’t mandate one by that name — but it does require a clear notice at the point you collect a client’s personal data, and that notice does most of what a privacy policy is meant to do. A solo CA or tax consultant handling PAN, Aadhaar and financial documents needs a short written notice covering what’s collected, why, and how a client can reach you — whether on a website, in the engagement letter, or both.
Educational resource only. This explains the baseline notice requirement for solo CA and tax-consulting practices under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
The situation
Many small CA and tax-consulting practices assume a formal, website-hosted “privacy policy” is a big-company document — legal boilerplate that doesn’t apply to a one- or two-partner practice working mostly by referral. That assumption misreads what the DPDP Act actually asks for. The Act doesn’t care what the document is called or where it lives; it cares whether the client was told what’s being collected and why, in plain terms, before or at the point of collection.
Does a solo practice need a “privacy policy”?
Not by that name — but yes, functionally. The Act’s operative requirement is a notice (Section 5), not a named “privacy policy” document. A solo practitioner filing returns for forty individual clients has the same notice duty as a large firm; what differs is the format that makes sense — a large firm may publish a website privacy policy, while a solo practice may fold the same information into the engagement letter or intake form. Both satisfy the underlying requirement if the content is there.
What DPDP actually requires instead
The notice needs to cover a short, fixed set of things — not a lengthy legal document. At minimum:
- What personal data is being collected — e.g. PAN, Aadhaar, bank statements, Form 16, in plain terms.
- Why — the specific purpose (return filing, GST compliance, an audit engagement), not a vague “for our services.”
- How the client can reach you with a question or a request to access, correct or delete their data.
- How they can withdraw consent, where consent is the basis being relied on.
That’s the substance a “privacy policy” is usually trying to deliver. A one-paragraph notice on an intake form or in the engagement letter that covers these points does the job for a small practice; it doesn’t need to be a multi-page document modelled on a large company’s website policy.
Where the notice should live for a small practice
Pick one place a client will actually see it before or at the point they hand over documents — not several places that drift out of sync. Reasonable options:
- On the engagement letter, as a short clause, for practices that onboard formally.
- On an intake form (physical or digital) used when a new client shares documents.
- On a simple website page, if the practice has one and takes documents through it.
Whichever it is, keep the wording current with what the practice actually collects — a stale notice that describes an old process is close to no notice at all if a client can no longer tell what’s really being done with their data.
GST practitioners: does the same duty apply?
Yes, without exception — a GST practitioner filing returns and handling client GSTIN, invoices and turnover data is a Data Fiduciary the same way a CA is, and carries the identical notice duty. GST practice often involves an even wider spread of personal and business financial data than income-tax filing alone — monthly return data, e-way bills, input-tax-credit reconciliations pulling in vendor and customer details beyond just the client’s own — which if anything makes the “what’s collected and why” line in the notice more worth getting specific about, not less. A GST practitioner working purely on a retainer basis with no formal engagement letter should still fold the same notice content into whatever intake process exists — a simple authorisation form for GST portal access is a natural place for it to live.
Digital Signature Certificates: a notice point most practices miss
A client’s Digital Signature Certificate (DSC) — the USB token used to sign income-tax returns, audit reports, GST filings and MCA submissions — is personal data in its own right, and handling it deserves its own line in the notice, not just a mention of “documents.” Since January 2021, Class 3 DSCs (the highest-security class, issued after video verification) are the standard for these filings, and many practices end up holding a client’s DSC token temporarily to file on their behalf — a genuine convenience that also means the practice is physically holding a device that can legally sign documents as that client. Worth naming specifically in the notice: that the DSC may be collected for filing purposes, how it’s stored between uses (ideally in a locked drawer or safe, not a shared desk drawer), and that it’s returned or the practice confirms it isn’t used beyond the specific engagement. A generic “we handle your documents securely” line doesn’t really cover a token that can legally act as the client’s signature.
If the practice uses a client portal
A client portal is convenient for document exchange, but it adds a vendor to the notice — the portal provider is processing the same PAN, Aadhaar and financial documents the practice is, and clients should know that. Increasingly, small practices use a third-party client-portal tool (for document upload, e-signature, or status tracking) rather than email or WhatsApp. That’s a genuine security improvement over scattered email threads, but it does mean a client’s documents are sitting with a software vendor, not just the practice itself — worth a line in the notice naming that a portal is used, and confirming the practice has satisfied itself the vendor handles the data securely (encryption, access controls) as part of choosing that tool in the first place, the same due diligence any Data Processor relationship needs.
FAQ
Is a “privacy policy” a legal requirement under the DPDP Act?
Not by that specific name. The requirement is a notice at collection covering what’s collected, why, and how to reach you — a privacy policy is one common way of delivering it, not the only way.
Can the notice just be a clause in the engagement letter?
Yes, for a solo or small practice this is often the most practical route — it just needs to actually cover what’s collected, why, and the contact/withdrawal points.
Does a practice with no website still need to give notice?
Yes — the notice obligation isn’t tied to having a website. An intake form or the engagement letter covers it equally.
What happens if the practice’s notice is outdated?
An outdated notice that no longer reflects what’s actually collected doesn’t satisfy the requirement — update it whenever the practice changes what it asks clients for.
Does a GST practitioner need a separate notice from a CA doing income-tax work?
Not a separate legal requirement — the same notice duty applies — but the “what’s collected and why” content should reflect GST-specific data (GSTIN, e-way bills, vendor/customer detail) if that’s genuinely what the practice handles.
Should the notice mention that the practice sometimes holds a client’s Digital Signature Certificate?
Yes — a DSC is personal data that can legally sign documents as the client, so it deserves a specific mention: that it may be collected for filing, how it’s stored, and that it isn’t used beyond the specific engagement.