Overview
Country Delight isn’t just delivering milk; they are collecting a goldmine of your personal habits. Because they deliver to your doorstep daily, they know your exact home address, your phone number, your payment patterns, and even when you are on vacation.
Under the DPDP Act, Country Delight is a Data Fiduciary (the entity that decides why and how your data is processed). You are the Data Principal (the person the data belongs to). Because they handle “sensitive” information like your precise location and financial details, the bar for keeping that data safe and giving you control is very high.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
When you sign up for Country Delight, you usually see a checkbox or a line saying “By signing up, you agree to our Terms and Privacy Policy.” This is known as bundled consent, and under the new law, it is a big problem.
What the policy says: “By using our website or the App, you indicate that you understand, agree and consent to this Privacy Policy.”
What the law requires: Consent must be specific, informed, and unconditional. You should be able to agree to the milk delivery but say “No” to your data being used for unrelated marketing.
The problem: There is no “layered” consent. You can’t opt out of tracking while still using the service. This “take it or leave it” approach is a direct violation of Section 6.
Section 7 — Certain Legitimate Uses ⚠️
The law allows companies to process data without explicit consent in very specific cases, like responding to a medical emergency or for government functions.
The problem: Country Delight, like many startups, often blurs the line between “service necessity” and “marketing.” If they use your data to show you ads for a new brand of ghee, they must have your clear consent; they cannot claim it is a “legitimate use” just because you are a customer.
Section 8 — Obligations of Data Fiduciary ⚠️
This section is about keeping your data safe and being accountable.
What the policy says: “We have in place appropriate technical and security measures to prevent unauthorized or unlawful access to or accidental loss of or destruction or damage to your information.”
What the law requires: If there is a data breach, the Data Fiduciary (Country Delight) must notify the Data Protection Board and the affected users (you).
The problem: Their policy is silent on breach notification. If a hacker gets your address and delivery schedule today, the current policy doesn’t clearly promise to tell you within a specific timeframe.
Section 9 — Data Retention 🔴
This is one of the weakest spots in the policy.
What the policy says: “We will only keep your information for as long as we are either required to by law or as is relevant for the purposes for which it was collected.”
What the law requires: Once the purpose is served (e.g., you delete your account or stop ordering), the company must erase the data.
The problem: “As long as relevant” is too vague. Does that mean 5 years? 10 years? Forever? The DPDP Act requires companies to have a clear expiry date for your data.
Section 11 — Rights of Data Principal 🔴
The law gives you “superpowers” over your data. You have the right to access, correct, or erase it.
The problem:
- There is no mention of the Right to Nominate. This is a new DPDP requirement where you can name someone to manage your data rights if you pass away or become incapacitated.
- While you can edit your profile, the policy doesn’t explain a simple process for asking Country Delight to delete every single log they have on you.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: They provide an email address for a Grievance Officer (e.g., info@countrydelight.in).
What the law requires: You must have a way to complain, and if the company doesn’t fix it, you have the right to go to the Data Protection Board of India.
The problem: Their policy doesn’t mention the Data Protection Board. It makes it seem like the company’s Grievance Officer is the final stop. Under DPDP, you have a legal path to escalate things to the government.
Section 16 — Cross-Border Data Transfer ✅
Most Indian startups use cloud providers like AWS or Google Cloud, whose servers might be located outside India.
The problem: The policy mentions sharing data with “third-party service providers.” Under Section 16, the government will list “restricted countries” where data cannot go. Country Delight’s policy doesn’t yet commit to restricting data flow based on these upcoming government “blacklists.”
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | Bundled consent may be declared invalid, stopping marketing operations. |
| Data Deletion | Critical | Keeping address/phone data indefinitely risks heavy fines for “over-retention.” |
| User Rights | Medium | Lack of a “nomination” feature is a technical non-compliance. |
| Breach Response | High | No public commitment to notify users of a hack. |
Recommendations
- Unbundle your consent: Give users checkboxes. Let them agree to “Delivery Updates” but opt out of “Partner Marketing.”
- Add a “Right to Nominate”: Update your app settings so a user can add a family member as a data nominee.
- Set a “Kill Switch” for Data: Explicitly state that “If an account is inactive for 3 years, we will permanently delete all personal data.”
- Mention the DPB: Update the Grievance section to tell users they can contact the Data Protection Board of India if they aren’t satisfied with your response.
- Multi-language Notice: Since Country Delight serves people across India, the law requires the privacy notice to be available in Indian languages (like Hindi, Kannada, etc.) upon request.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.