# What Is the SARAL Approach to Privacy Notices? (The November 2025 Mandate) | AttriEdge

Home / Articles / Glossary / What Is the SARAL Approach to Privacy Notices? (The November 2025 Mandate) Serial V-03 Classification GLOSSARY Domain DPDPA Owner H. Attri What Is the SARAL Approach to Privacy Notices? (The November 2025 Mandate) SARAL, Simple, Accessible, Rational, Actionable, is the government's framework for privacy notices under DPDP Rules 2025. How it changes notice design and consent flows. SARAL , Simple, Accessible, Rational and Actionable, is the Government of India’s framework for privacy notices under the DPDP Rules 2025. It fundamentally changes how privacy notices work in India: companies still publishing dense legalese are non-compliant as of the November 2025 notification. What SARAL stands for Simple: plain language, no legalese. Accessible: available in English plus the data principal’s preferred Indian language. Rational: itemized purposes, not bundled “we use your data to improve our services.” Actionable: a clear, easy mechanism to withdraw consent. When and why it emerged SARAL arrived as part of the DPDP Rules 2025, notified in November 2025. Its purpose is to make notices genuinely understandable to ordinary data principals, a reaction to the unreadable privacy policies that became the norm globally. The four pillars explained A SARAL notice lists each data category you collect, the specific purpose for each, who receives it, and how long it’s retained, in language a non-lawyer understands and pairs that with a withdrawal mechanism as easy to use as the consent was to give. What compliant notices look like Structured, itemized, plain. Instead of paragraphs of conditions, a table or clear list: “Email address, to send you product updates, shared with [provider], retained until you unsubscribe.” Repeat per category. Multi-language requirements Notices must be available in English and the data principal’s preferred language from India’s 22 scheduled languages. Geo-detecting Indian users and serving the right-language SARAL notice is becoming standard practice. Practical rewriting guide Inventory your data categories and purposes, rewrite each in plain language, translate to your priority Indian languages and deploy via geo-detection with a withdrawal control. This unifies cleanly with SOC 2 Privacy, see the DPDPA cross-mapping playbook . Related terms V-10 a Multi-Entity Workspace The US-HQ + Offshore Compliance Pattern V-09 Identity Sprawl The Hidden Reason Your Security Reviews Fail V-08 the 2,000-Filing Churn India GCC Operational Scaling Explained V-07 the Compliance Automation Gap Where Automation Stops From the register V-10 GLOSSARY What Is a Multi-Entity Workspace? The US-HQ + Offshore Compliance Pattern V-09 GLOSSARY What Is Identity Sprawl? The Hidden Reason Your Security Reviews Fail V-08 GLOSSARY What Is the 2,000-Filing Churn? India GCC Operational Scaling Explained V-07 GLOSSARY What Is the Compliance Automation Gap? Where Automation Stops Chain of custody. Drafted by H. Attri · Filed July 2, 2026 · One specimen of the evidence discipline AttriEdge operates for clients. Frequently asked questions Do we need to rewrite our privacy policy? For Indian users, yes. A dense legalese policy is non-compliant under SARAL. You need a plain-language, itemized notice covering each data category, purpose and recipient, often served as a distinct version to Indian users. What languages must we support? English plus the data principal's preferred Indian language, drawn from the 22 scheduled languages. In practice, English plus Hindi and 2–3 major regional languages, with geo-detection serving the right version. Can we serve different notices to different user geos? Yes, geo-detecting Indian users and serving the SARAL-compliant notice is becoming standard practice, while other regions see your existing policy. What about existing users, re-consent required? Where your prior consent or notice doesn't meet DPDPA's standard, re-notice and (for consent-based processing) re-consent are prudent. Treat the SARAL rollout as a re-consent moment for Indian users. Penalties for non-SARAL notices? Non-compliant notice and consent practices fall under DPDPA's penalty regime (up to ₹250 crore for serious breaches). Beyond fines, non-SARAL notices undermine the lawful basis for your processing. Talk to the operator. This document is one slice of the work AttriEdge does for US SaaS companies with India GCCs. If your situation needs the operating layer, start with a 90-minute diagnostic. Book your $999 diagnostic &rarr;
