How We Scan

What the DPDPA Scanner checks, how findings are categorised, and what a compliance score does — and does not — mean. Findings cover both DPDPA legal obligations and global privacy best practices.

Scope: external surface only

The scanner examines only what is externally observable about your website or Android APK — the same information a regulator, researcher, or user could observe without access to your internal systems. It does not audit:

Internal data processing systems or databases
Data Processing Agreements (DPAs) with vendors
Employee training records or organisational policies
Data Protection Impact Assessments (DPIAs)
Records of Processing Activities (RoPA)
Server-side data retention or deletion logic

Those areas require a human compliance consultant or internal audit. The scanner is the starting point: it surfaces what can be found from the outside and maps every finding to the exact DPDPA provision and statutory penalty exposure.

What we check

Security headers

Your site's HTTP response headers are checked against Rule 6 (technical security safeguards). Four headers are evaluated:

Header	What we look for	DPDPA rule
`Content-Security-Policy`	Present; quality of policy assessed separately	Rule 6(c)
`Strict-Transport-Security`	Present with sufficient max-age	Rule 6(a)
`X-Frame-Options`	Present, or equivalent CSP directive	Rule 6(g)
`X-Content-Type-Options`	`nosniff`	Rule 6(g)

Cookies and network behaviour

Your site is visited in a clean, isolated browser session with no prior cookies or state. All network activity — cookies set, third-party requests made, data transmitted — is captured before any user interaction. The same capture is repeated after a consent interaction. The difference between the two sessions is the basis for consent compliance findings.

Third-party tracker classification

Every third-party network request is classified against a database of known tracking services, mapping each to its category (advertising, analytics, social media, fingerprinting) and country of headquarters. This determines cross-border transfer exposure and whether data sharing occurred before consent was obtained.

Consent banner

The page is analysed for consent UI before any interaction. We check for:

Presence of a consent notice before data collection begins
A reject or decline option at least as prominent as the accept option
Granular purpose controls rather than accept-all only
Support for Indian language scripts
Dark patterns — pre-selected options, misleading button labelling
Whether consent can be withdrawn after it is given

Canvas and device fingerprinting

Page scripts are monitored for use of browser APIs in patterns consistent with device fingerprinting — techniques that identify a user without cookies. Detection covers canvas-based, audio-based, and hardware enumeration approaches.

Privacy notice completeness

We locate your privacy policy and check it against the elements required by the DPDPA. Each check determines whether the required language is present — not whether the legal wording is correct. The provisions checked include:

Element	DPDPA provision
Purposes of data collection stated	Section 5(1)
Data retention periods disclosed	Rule 8
How to withdraw consent explained	Section 6(4)
Data Principal rights described (access, correction, erasure)	Section 11
Policy available in an Indian language	Section 5(3)
Grievance officer or contact disclosed	Section 13
Grievance response timeline committed	Rule 14
Data Fiduciary identity and address	Section 5(1)
Cross-border data transfer disclosed	Rule 15
Children's data handling addressed	Section 9
Breach notification procedure stated	Rule 7
DPBI complaint mechanism referenced	Rule 3(c)
Policy is a standalone document, not embedded in Terms	Rule 3(1)

Limitation: Privacy notice checks identify the presence of required language, not its legal adequacy. A policy that addresses an obligation in unusual phrasing may be flagged as missing it; a policy with boilerplate text that matches patterns but is substantively inadequate may pass. Legal review of policy wording is outside this tool's scope.

Personal data collection and consent

Your site and key linked pages are checked for forms collecting sensitive personal data (what US frameworks call PII) — identity details, contact information, financial data, and government-issued identifiers. A finding is raised when sensitive fields are present without an adjacent consent mechanism or link to the privacy notice.

Child protection signals

The site is checked for age verification UI, parental consent flows, and content signals associated with child-directed services. Because child-directed status cannot be confirmed from external observation alone, findings here are advisory and do not reduce your score.

Android APK

APK scans perform static analysis of the app package — declared permissions, embedded third-party SDKs, and data transfer indicators. This is manifest and bytecode analysis only; runtime behaviour and actual data transmitted by the app are not assessed.

DPDPA compliance vs. global best practices

The scanner's primary framework is the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025. Every finding that affects your score maps to a specific section of the Act or a numbered Rule, with the exact statutory text shown in the report.

However, several findings go beyond the letter of the DPDP Act and reflect global privacy best practices followed by responsible organisations worldwide — standards drawn from GDPR, ISO/IEC 27001, NIST Privacy Framework, and common industry norms for online services. These include:

Dedicated cookie policy page. A separate /cookie-policy listing cookie categories, vendor names, and retention periods is not explicitly mandated by DPDPA but is standard practice under GDPR and a clear expectation when regulators audit consent quality.
Cookie disclosure in the privacy notice. Describing cookie and tracking technology use in the privacy policy is global best practice and directly strengthens the validity of consent obtained through a banner.
Security headers. HTTP response headers like Content-Security-Policy and HSTS are not enumerated in the DPDP Rules but are standard security hygiene recognised by OWASP and NIST, and satisfy Rule 6's requirement for "reasonable security safeguards".
Consent banner granularity and reject parity. The DPDP Act requires free and specific consent; offering a "reject all" button as prominent as "accept all" is the practical implementation of that standard — as established by GDPR enforcement precedent — even though the Rules don't prescribe button sizes.
Breach notification language in the privacy notice. Documenting your 72-hour breach response commitment in the notice is best practice for demonstrating preparedness, even if the Act's obligation is on the Data Fiduciary rather than the notice itself.

Why this matters: India's data protection regime is newer than GDPR, CCPA, or PDPA. As the DPBI establishes enforcement precedent, it will draw heavily on how equivalent regulators in other jurisdictions have interpreted consent, notice, and security obligations. Organisations that align with global best practices today are better positioned for stricter enforcement tomorrow — and build greater user trust in the meantime.

In the report, findings that go beyond the strict text of DPDPA are labelled accordingly, so you can distinguish between a statutory obligation and a recommended best practice.

How findings are scored

Every finding is assigned a severity (critical, high, medium, or low) and maps to one of five compliance categories. Your overall score is a weighted average of category scores — each category starts at 100 and is reduced based on the severity of findings within it. Consent and tracking carry more weight than security because they represent the core obligations of the DPDPA.

Findings tagged as informational (advisories) do not affect your score. These cover obligations that are conditional — applying only to Significant Data Fiduciaries, child-directed services, or organisations above regulatory thresholds that cannot be confirmed from external observation.

Score	Grade	Interpretation
80–100	A	Few observable gaps; address remaining findings before the deadline
60–79	B	Moderate gaps; prioritise high-severity findings
40–59	C	Significant gaps; remediation plan needed
20–39	D	Serious gaps across multiple categories
0–19	F	Critical gaps; immediate action required

What a score is not

The score is not a legal opinion, not a regulatory clearance, and not a guarantee of DPDPA compliance. It is a snapshot of externally observable gaps on the day of the scan. Internal compliance — data processing records, vendor agreements, employee training, breach response procedures — is entirely outside this tool's scope.

Not a DPBI filing. Submitting a scan does not constitute a compliance declaration to the Data Protection Board of India.
Not legal advice. Findings, citations, and remediation guidance are informational. For a legal opinion on your DPDPA obligations, consult a qualified lawyer or compliance professional.
Not a pass/fail. A high score means the externally observable gaps we can detect are limited — not that your organisation is fully compliant. A low score means there are observable issues worth fixing — not that penalties are imminent.

Penalty amounts

All penalty figures shown are statutory maxima under the DPDP Act's penalty schedule. The Data Protection Board of India has full discretion to determine actual penalties based on the severity of the violation, number of individuals affected, evidence of remediation, and other factors.

The maximum figures (up to ₹250 crore for consent violations; up to ₹200 crore for notice failures) are the legislative ceiling — not a baseline or a likely outcome for a first-time compliance gap by an SMB taking corrective action.

Known limitations

Bot-protected sites. Some websites block automated scanning. Where this occurs, the scan result will note that the site was partially inaccessible and findings may be incomplete.
Dynamically loaded content. Consent banners or privacy notices that appear only after a delay or require specific user interaction beyond a page visit may not be evaluated.
Transliterated Indian languages. Indian-language content written in Latin script is not detected as an Indian language. Detection applies to native scripts only.
Link reachability. We check for the presence of policy language referencing grievance mechanisms, DPBI complaint links, and consent withdrawal — but do not verify that referenced URLs are live or that described processes function correctly.
APK runtime behaviour. APK analysis is static. What data an app actually transmits at runtime is not assessed.