The legal text and the operational reality

Section 5 of the DPDP Act 2023 requires the Data Fiduciary to give the data principal a notice that is "in English or any language specified in the Eighth Schedule to the Constitution". The Eighth Schedule lists 22 languages — Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Maithili, Malayalam, Manipuri, Marathi, Nepali, Odia, Punjabi, Sanskrit, Santali, Sindhi, Tamil, Telugu and Urdu. The legal floor is therefore unambiguous: the privacy notice must be available in the language the data principal can read.

The operational reality is more demanding than the floor. India has roughly half a billion adults whose primary language is not English; a meaningful fraction reads in two scripts at once (Devanagari + Latin); and the everyday digital language of the under-35 urban majority is Hinglish — Hindi grammar with Roman script and English nouns and verbs. A privacy notice written for a Mumbai marketing manager in formal English is not the same notice a Delhi gig worker reads on a phone in Hinglish, even if both are notionally English speakers.

"Informed consent" in Section 6 is the second test. A notice that is technically available in 22 languages but practically written in a register only the lawyer can parse is not informed consent — it is paperwork.

What "Hinglish" really means in compliance terms

Hinglish is not sloppy English. It is a stable code-switched register with consistent rules: English nouns embedded in a Hindi sentence skeleton; Roman script throughout; honorifics and verbs from Hindi, technical and product nouns from English. Compliance teams who have never tested a notice in Hinglish are routinely surprised by two things:

  • Comprehension scores jump dramatically. A privacy notice translated into formal Hindi typically scores worse on comprehension than the original English. The same notice in Hinglish — the language people actually use to message each other about money, work and family — scores meaningfully higher than either.
  • Consent rates do not collapse. A common worry is that a more comprehensible notice will make people refuse more often. In practice, the opposite happens: trust improves and the share of meaningful, retained consents goes up.

From a DPDP defensibility standpoint, this matters. If your audit defence rests on showing that the data principal understood what they were consenting to, a comprehension-tested Hinglish notice is materially stronger evidence than a translated formal-Hindi one.

The 22-language stack — what you actually need

Implementing a 22-language consent stack properly is more than a translation project. The full set of capabilities looks like this:

  1. A localised notice library with version control, hash per language version, and a clear default-language fallback per geography.
  2. A localised consent UI — buttons, toggles, validation messages, and the preference centre — not just the notice text.
  3. Localised DSR forms in every supported language, because Section 13 rights are meaningful only if the data principal can exercise them in their own language.
  4. Localised grievance redressal — Section 8(10) requires an accessible grievance channel, and "accessible" is a language test as much as an uptime test.
  5. Localised breach notifications under Section 8(6) and Rule 7 — when an incident happens, the data principal communication must reach them in a language they can read, fast.
  6. Right-to-left, complex-script and font-fallback handling for Urdu, Sindhi (where applicable), Devanagari ligatures, Tamil and Bengali — the rendering layer matters as much as the translation.
  7. Translation governance — every change to the English source notice must trigger a controlled re-translation and re-approval workflow across every language version.

What competing platforms actually offer

This is where the gap between marketing and reality is widest. The summary, as captured in the DPDP Platform Comparison 2026:

  • OneTrust — strong global localisation infrastructure, but as of 2026 does not ship a curated 22-Eighth-Schedule-language pack with Indian-context legal review, and does not ship Hinglish at all.
  • GoTrust — partial regional language support; Hinglish not offered.
  • Privy by IDfy — regional language support exists for identity flows but not as a general consent UI stack.
  • Leegality — partial regional language support, oriented around signature workflows rather than consent UI.
  • CookieYes — English-centric; no Eighth-Schedule pack; no Hinglish.
  • Complynz — full consent UI, privacy notices, DSR forms, grievance flows and breach communications in all 22 Eighth Schedule languages plus Hinglish, with Indian-context legal review and per-language version control.

Implementation patterns that work in India

Default to the geography, override to the user

Detect the geographic context (branch location, kiosk location, or IP-derived state for web), default the UI to the most common language for that geography, and let the user override with a single tap. Forcing the user to pick a language before showing them anything is a UX dead-end; defaulting silently to English is a compliance dead-end.

Treat Hinglish as a first-class language

Do not bury Hinglish behind "More languages". Place it next to English and Hindi in the language picker. Comprehension data will tell you why within the first month of usage analytics.

Comprehension-test, do not translate-and-ship

Run a small (n=50) comprehension test for every notice version in every language. Three open-ended questions ("what data are they collecting?", "what will they do with it?", "how do you say no later?") tell you whether your notice is informed consent or paperwork.

Govern translations like code

Every change to the source-of-truth English notice should kick off a translation workflow with explicit approval per language. Treat the localised notices as artefacts you ship, not documents you maintain.
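A sketch of how the "hash per language version", "default to the geography, override to the user" and "govern translations like code" patterns fit together. This is an added example, not Complynz code or any platform's API. The class names, the "hi-Latn" tag standing in for Hinglish, the geography mapping and the choice to fall back to English when a translation is stale are all assumptions.

```python
import hashlib
from dataclasses import dataclass

def digest(text: str) -> str:
    """SHA-256 over the exact UTF-8 bytes shown to the data principal."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class NoticeVersion:
    lang: str          # BCP 47 tag; "hi-Latn" stands in for Hinglish (assumption)
    text: str
    source_hash: str   # hash of the English source this version was approved against
    approved_by: str   # reviewer id; empty string means not yet approved

class NoticeLibrary:
    def __init__(self, geo_defaults: dict, fallback: str = "en"):
        self.geo_defaults, self.fallback = geo_defaults, fallback
        self.versions, self.source_hash = {}, None

    def update_source(self, text: str, approved_by: str) -> None:
        # A new English source changes source_hash, so every translation
        # approved against the old hash stops being shippable.
        self.source_hash = digest(text)
        self.versions["en"] = NoticeVersion("en", text, self.source_hash, approved_by)

    def add(self, version: NoticeVersion) -> None:
        self.versions[version.lang] = version

    def shippable(self, lang: str) -> bool:
        v = self.versions.get(lang)
        return bool(v and v.approved_by and v.source_hash == self.source_hash)

    def stale(self) -> list:
        """Languages needing re-translation or re-approval."""
        return sorted(l for l in self.versions if not self.shippable(l))

    def resolve(self, geo: str, user_choice: str = None) -> dict:
        # User override first, then geography default, then fallback.
        for lang in (user_choice, self.geo_defaults.get(geo), self.fallback):
            if lang and self.shippable(lang):
                v = self.versions[lang]
                # This record is what a consent ledger entry would reference.
                return {"lang": lang, "notice_hash": digest(v.text),
                        "source_hash": v.source_hash}
        raise LookupError("no approved notice version available")

if __name__ == "__main__":
    lib = NoticeLibrary({"TN": "ta", "DL": "hi-Latn"})  # constructed mapping
    lib.update_source("We collect your phone number to verify you.", "legal-1")
    lib.add(NoticeVersion("ta", "(constructed Tamil text)", lib.source_hash, "rev-ta"))
    print(lib.resolve("TN"), lib.stale())
```

Storing the returned notice_hash and source_hash alongside each consent event lets an auditor tie a consent to the exact text that was displayed, and stale() gives the re-approval queue after any source edit.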

The cost of not doing this

The DPDP Act allows for penalties of up to ₹250 crore for failure to fulfil DPDP obligations. The argument that a non-English-speaking data principal "did not really consent" because the notice they were shown was in a language they could not read is a defence-busting argument an Adjudicating Officer will hear. A proper 22-language + Hinglish stack closes that argument before it can be made.

FAQ

Does Section 5 of the DPDP Act require all 22 Eighth Schedule languages?

Section 5 says the notice must be in English or any language specified in the Eighth Schedule — so the legal floor is one language the data principal can read. Operationally, however, you must serve the actual language profile of your customer base, which for most Indian Data Fiduciaries means a multi-language stack covering the major Eighth Schedule languages plus Hinglish.

Why does Hinglish matter if Hindi and English are already covered?

Comprehension testing in our customer base consistently shows that Hinglish privacy notices outscore both formal Hindi and formal English on the "do you understand what is being collected and why" question. For DPDP defensibility, comprehension is what makes consent informed.

Which DPDP platforms ship full 22-language consent UIs natively?

As of 2026, Complynz is the only platform in our comparison set that ships full consent UI, privacy notices, DSR forms, grievance flows and breach communications in all 22 Eighth Schedule languages plus Hinglish. See the DPDP Platform Comparison 2026 for the full matrix.

Do I need separate notices per language or can I rely on auto-translation?

Auto-translation is acceptable as a starting draft, never as a shipped artefact. Every shipped language version should go through Indian-context legal review and a small comprehension test. Translation governance — versioning, approval, hashing — is then maintained as part of the consent ledger.

Talk to our team: hello@complynz.com