SARAL — Simple, Accessible, Rational, and Actionable — is the Government of India’s framework for privacy notices under the DPDP Rules 2025. It fundamentally changes how privacy notices work in India: companies still publishing dense legalese are non-compliant as of the November 2025 notification.
What SARAL stands for
- Simple: plain language, no legalese.
- Accessible: available in English plus the data principal’s preferred Indian language.
- Rational: itemized purposes, not bundled “we use your data to improve our services.”
- Actionable: a clear, easy mechanism to withdraw consent.
When and why it emerged
SARAL arrived as part of the DPDP Rules 2025, notified in November 2025. Its purpose is to make notices genuinely understandable to ordinary data principals — a reaction to the unreadable privacy policies that became the norm globally.
The four pillars explained
A SARAL notice lists each data category you collect, the specific purpose for each, who receives it, and how long it’s retained — in language a non-lawyer understands — and pairs that with a withdrawal mechanism as easy to use as the consent was to give.
What compliant notices look like
Structured, itemized, plain. Instead of paragraphs of conditions, a table or clear list: “Email address — to send you product updates — shared with [provider] — retained until you unsubscribe.” Repeat per category.
Multi-language requirements
Notices must be available in English and the data principal’s preferred language from India’s 22 scheduled languages. Geo-detecting Indian users and serving the right-language SARAL notice is becoming standard practice.
Practical rewriting guide
Inventory your data categories and purposes, rewrite each in plain language, translate to your priority Indian languages, and deploy via geo-detection with a withdrawal control. This unifies cleanly with SOC 2 Privacy — see the DPDPA cross-mapping playbook.
Related reading: