DPDP Act for E-Commerce in India: What Online Retailers Must Do in 2026?
Understand the impact of the DPDP Act on Indian e-Commerce businesses. A comprehensive blog post covering DPDP Compliance for e-Commerce websites and apps.
Online Shopping and the DPDP Act
To understand the gravity of consequences arising out of the DPDP Act for e-commerce companies in India, let’s look into a hypothetical scenario.
A Bengaluru-based fashion e-commerce company was running a retargeting campaign. Their ad tech partner was serving highly specific ads to users based on browsing behaviour on the platform, including searches for plus-size clothing and maternity wear. A consumer who bought from the platform noticed the targeted ads appearing on unrelated apps, and traced the data flow back. The company had shared behavioural data with a few ad networks through a data management platform without ever disclosing this in their privacy notice. This is a widely accepted marketing practice for Indian e-commerce companies to reach out to customers who made purchases or even just browsed their e-commerce site/app.
From November 2026 onwards, this marketing practice becomes a DPDP Act violation: behavioural data was shared for a purpose that was never disclosed and never consented to. Penalties under the Act's Schedule reach up to Rs 250 crore for the most serious breaches.
The Digital Personal Data Protection Act, 2023 creates binding rules for every organisation that processes digital personal data within India, and for processing outside India that is connected with offering goods or services to Data Principals in India. It applies to persons in India, not to Indian citizens as such.
For e-commerce platforms, the personal data of customers and website visitors is valuable. The personal data that e-commerce websites typically process includes, but is not limited to:
Customer contact information (phone, email, delivery address)
Customer profiles
purchase histories
browsing patterns
wishlists
payment instruments, and
device identifiers
What the DPDP Act Actually Says
The DPDP Act governs digital personal data, meaning any information about an identifiable individual that exists in digital form, including data collected offline and digitised later.
For an e-commerce platform, this covers almost every data point collected from the moment a visitor lands on your e-commerce website or shopping app.
The DPDP Act assigns two primary roles. Your platform is the Data Fiduciary, the entity that decides why and how data is processed. Your customer is the Data Principal, the individual whose data you hold. (A third role, the Data Processor, is anyone who processes data on the Fiduciary's behalf; it matters for vendor arrangements and is covered under confidentiality below.) The Fiduciary carries the obligations. The Principal holds the rights. The imbalance of power is acknowledged in the law, which is why the obligations tilt heavily toward the Fiduciary.
Penalties under the Schedule to the DPDP Act are tiered by obligation: up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach, up to Rs 200 crore for failing to notify the Data Protection Board and affected individuals of a breach, up to Rs 200 crore for breaching the obligations relating to children, and up to Rs 50 crore for breaching any other provision of the Act. These are maximums per breach, not aggregate annual caps. A single badly handled incident can attract several of them at once, for example a breach caused by inadequate safeguards that is then notified late.
The Act also creates a category called Significant Data Fiduciaries, designated by the Central Government. The factors for designation include the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order. Large e-commerce platforms are obvious candidates. If your platform is designated, additional obligations kick in: a Data Protection Officer based in India, an independent data auditor, and periodic Data Protection Impact Assessments and audits.
Getting Consent Right for E-Commerce Customers
E-commerce platforms collect data at multiple touchpoints: account creation, guest checkout, wishlist saves, newsletter signups, app installs, and payment processing. Each of these serves a distinct purpose, and the DPDP Act requires a notice for each purpose and, where consent is the basis, a separate consent for each.
For account creation, consent must be sought through a clear, plain-language notice before any data is collected. The notice must explain what data is being collected, for what purpose, and who it will be shared with. Importantly, the notice cannot be buried in a 7-page terms of service document. It must be presented in a way that a person can actually read it before consenting.
Guest checkout creates a specific problem. Many platforms collect the same data as a registered user but display no consent notice because there is no registration flow. The DPDP Act does not provide a guest checkout exemption. If you are collecting a name, phone number, delivery address and email for order fulfilment, you still need a consent notice.
Pre-ticked consent boxes are not valid consent under the Act. Consent must be a clear affirmative action.
The Act does not use the term "deemed consent" (that was the language of the 2022 draft). Instead, Section 7 lists "certain legitimate uses" for which no separate consent is needed. The ones relevant to e-commerce are: processing personal data the Data Principal voluntarily provided for a specified purpose without indicating non-consent, compliance with a legal obligation or a court order, and responding to a medical emergency. Order processing falls under the first: the customer handed over their address to get the parcel. But sending that customer a promotional email about a new product launch is not the purpose for which the address was volunteered, and does require explicit consent.
Handling minors: The DPDP Act treats anyone under 18 as a child and prohibits processing a child's personal data without the verifiable consent of a parent or lawful guardian. It also prohibits tracking or behavioural monitoring of children and targeted advertising directed at them. For e-commerce platforms with youth-oriented product categories, this is not a theoretical concern. Age verification cannot be a simple self-declaration checkbox. Platforms need to decide which verification mechanism actually satisfies the Act and the Rules, and document that decision.
Data Minimisation for E-Commerce Platforms
Pull up your current user registration form. Count every field. Now ask honestly: which of these fields is actually necessary to create an account and place an order?
Indian e-commerce platforms have historically over-collected because data was free to gather, cheap to store, and potentially valuable to monetise. The DPDP Act changes that calculus. Every data field you collect is now a liability. If you cannot articulate a specific, current processing purpose for a field, you should not be collecting it.
Common over-collection patterns in Indian e-commerce:
Date of birth collected at registration when it serves no current purpose beyond birthday marketing, which itself requires consent
Gender collected even when the product catalogue is not gender-differentiated
Alternate phone number collected at checkout when the primary number is sufficient for delivery coordination
Occupation and income bracket collected for credit products but retained in the main customer profile indefinitely
Device location accessed at app install rather than only when needed for delivery services
The practical standard is: collect the minimum data necessary to fulfil the specific purpose at hand. If you are processing a delivery, you need the delivery address, a contact number, and a payment confirmation. You do not need the customer's browsing history from three months ago to ship a package.
For recommendation engines, the data minimisation question becomes more complex. Behavioural data is the fuel for personalisation. The Act does not prohibit using behavioural data for recommendations, but it does require that the collection of that data was consented to, that the customer was told it would be used for personalisation, and that they can withdraw that consent.
Purpose Limitation, and Your Recommendation Engine
This is the section where most Indian e-commerce platforms are currently non-compliant, often without knowing it.
Purpose limitation means that data collected for one reason cannot be used for a different reason without fresh consent. The implications for a typical e-commerce platform are significant.
Scenario 1 -- The shared ad network: A customer provides their email address to receive order updates. That email is also uploaded to a lookalike audience on a social media advertising platform. This is a purpose violation. Order updates and advertising audience creation are different purposes. Fresh consent is needed.
Scenario 2 -- The cross-sell campaign: Purchase data from the apparel section is used to target customers with offers from the platform's new grocery vertical. The data was collected in one business context and is being used in a different one. Fresh consent required.
Scenario 3 -- The data broker arrangement: The platform shares "anonymised" purchase pattern data with an FMCG brand for consumer research. The Act governs personal data, so the first question is whether the dataset is genuinely anonymised. Purchase patterns exported at the level of individual accounts, even with names stripped, usually still identify people and remain personal data. In that case, if research was not a disclosed purpose at collection, sharing it is a new purpose and a violation without fresh consent.
Scenario 4 -- The fintech partnership: The platform uses transaction history to pre-approve customers for a buy-now-pay-later product offered by a partner NBFC. Using transactional data to make creditworthiness inferences and share them with a third-party financial institution requires explicit, specific consent.
The revenue implications are real. Many of these practices are significant monetisation streams for large platforms. The compliance answer is not to eliminate them but to build proper consent architecture that makes them lawful.
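One way to build the "consent architecture" this section calls for is to make every processing operation declare its purpose and refuse to run unless the customer holds an active consent for exactly that purpose. The block below is an added example written for this article, not code from any platform or vendor: the purpose identifiers, customer ID and notice versions are assumed, and order fulfilment is modelled as a legitimate use of data the customer volunteered for it. It replays the four scenarios above against a constructed customer and logs every decision for the audit trail.

```python
"""Purpose-bound consent ledger for an e-commerce platform.

Every processing operation names the purpose it serves. It is allowed only if
the Data Principal holds an active (not withdrawn) consent for that exact
purpose, or if the purpose is one the platform has classed as a legitimate use
of data the customer volunteered for it (order fulfilment here). Every decision
is appended to an audit log that a rights request or an auditor can replay.

Illustrative code written for this article; purposes, IDs and notice versions
are assumed, not taken from any real platform.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed purpose identifiers. One entry per distinct purpose, never a catch-all.
ORDER_FULFILMENT = "order_fulfilment"
PROMO_EMAIL = "promotional_email"
AD_AUDIENCE = "ad_audience_upload"
CROSS_SELL = "cross_vertical_offers"
CREDIT_INFERENCE = "bnpl_credit_inference"

# Purposes served by data the customer volunteered for exactly that purpose
# (the Act's "certain legitimate uses"); no separate consent record is needed.
LEGITIMATE_USES = {ORDER_FULFILMENT}


@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str          # which notice text the customer actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}
        self.audit: List[dict] = []

    @staticmethod
    def _now(at: Optional[datetime]) -> datetime:
        return at or datetime.now(timezone.utc)

    def give(self, principal: str, purpose: str, notice_version: str,
             at: Optional[datetime] = None) -> ConsentRecord:
        """Record an affirmative consent for one purpose (never pre-ticked)."""
        rec = ConsentRecord(purpose, notice_version, self._now(at))
        self._records.setdefault(principal, []).append(rec)
        self._log("consent_given", principal, purpose, True)
        return rec

    def withdraw(self, principal: str, purpose: str,
                 at: Optional[datetime] = None) -> int:
        """Withdraw every active consent for the purpose; returns how many."""
        count = 0
        for rec in self._records.get(principal, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = self._now(at)
                count += 1
        self._log("consent_withdrawn", principal, purpose, count > 0)
        return count

    def has_consent(self, principal: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(principal, []))

    def authorise(self, principal: str, purpose: str, operation: str) -> bool:
        """Gate a processing operation on its declared purpose."""
        allowed = purpose in LEGITIMATE_USES or self.has_consent(principal, purpose)
        self._log(operation, principal, purpose, allowed)
        return allowed

    def export(self, principal: str) -> List[dict]:
        """Consent history, for a right-to-access response."""
        return [asdict(r) for r in self._records.get(principal, [])]

    def _log(self, event: str, principal: str, purpose: str, allowed: bool) -> None:
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "event": event, "principal": principal,
                           "purpose": purpose, "allowed": allowed})


def run_scenarios() -> Dict[str, bool]:
    """Replay the article's scenarios for one constructed customer."""
    ledger = ConsentLedger()
    cust = "cust-0001"  # assumed customer ID
    out: Dict[str, bool] = {}
    # Email given at checkout for order updates: covered by legitimate use.
    out["order_update_email"] = ledger.authorise(cust, ORDER_FULFILMENT, "send_order_update")
    # Same email pushed to a lookalike audience: a different purpose, no consent yet.
    out["ad_lookalike_before_consent"] = ledger.authorise(cust, AD_AUDIENCE, "upload_to_ad_network")
    ledger.give(cust, AD_AUDIENCE, "privacy-notice-v3")
    out["ad_lookalike_after_consent"] = ledger.authorise(cust, AD_AUDIENCE, "upload_to_ad_network")
    ledger.withdraw(cust, AD_AUDIENCE)
    out["ad_lookalike_after_withdrawal"] = ledger.authorise(cust, AD_AUDIENCE, "upload_to_ad_network")
    # Promotional email, apparel history reused for grocery, BNPL inference: never consented.
    out["promo_email"] = ledger.authorise(cust, PROMO_EMAIL, "send_launch_email")
    out["grocery_cross_sell"] = ledger.authorise(cust, CROSS_SELL, "grocery_offer_push")
    out["bnpl_preapproval"] = ledger.authorise(cust, CREDIT_INFERENCE, "share_with_nbfc")
    return out


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} {'ALLOWED' if allowed else 'DENIED'}")
```

The design point is that the gate sits in the data path, not in a policy document: the ad-network upload job cannot run for a customer whose consent record is absent or withdrawn, and the audit list gives you the evidence trail for a rights request or a Board inquiry. Storing the notice version with each consent matters because "what did the customer actually see" is the first question in a dispute.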
Confidentiality of Customer Data
E-commerce platforms share data with an ecosystem of third parties: payment gateways, logistics partners, warehousing companies, customer support vendors, cloud infrastructure providers, marketing automation tools, and ad tech partners. Each of these is a point of potential data leakage.
The DPDP Act holds the Data Fiduciary responsible for compliance regardless of any contract and regardless of whether processing is done by a Data Processor on its behalf. If your logistics partner leaks a customer database, you bear the liability even though the breach happened in someone else's systems. This changes how vendor contracts need to be written, and it means a processor's security posture is your compliance risk.
Common confidentiality risks specific to e-commerce:
Call centre agents with access to full customer profiles including purchase history, addresses and contact numbers, with no role-based access restriction
Seller/merchant portals on marketplace platforms where sellers can see buyer contact details that should be masked
Analytics dashboards shared with brand partners that include customer behavioural data beyond what was disclosed to customers
Return pickup data shared with third-party logistics providers who retain it beyond the service period
The Consumer Protection (E-Commerce) Rules, 2020 already impose obligations on e-commerce platforms around grievance redressal and seller accountability. The DPDP Act layers data protection obligations on top of these. The two frameworks operate in parallel.
Technical Security Measures
The Act requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. It does not prescribe a specific technical standard; the DPDP Rules add a baseline (encryption, obfuscation or masking of personal data, access control, logging and monitoring, backups, and contractual security obligations on processors), and beyond that the Data Protection Board will judge what is reasonable in the context of the scale, nature of data processed, and sophistication of the organisation. The tiers below are a practitioner's suggested baseline, not thresholds set in the Act or the Rules.
For platforms processing under 1 lakh users: TLS encryption in transit, encrypted databases, multi-factor authentication for admin access, quarterly access reviews, and a documented incident response procedure.
For platforms processing 1 lakh to 50 lakh users: All of the above, plus data classification framework, automated anomaly detection on database queries, penetration testing at least annually, and vendor security assessments.
For large platforms above 50 lakh users: Enterprise-grade SIEM implementation, real-time breach detection, dedicated security operations, Data Protection Impact Assessments before any new data-intensive feature launch, and formal third-party audits.
Specific to e-commerce: payment card data is already governed by PCI-DSS, which sits alongside the DPDP Act. If you are storing any payment instrument data, PCI-DSS compliance is a floor, not a ceiling.
Organisational Measures
Technical safeguards without organisational structure fail. The DPDP Act requires internal governance to make compliance sustainable.
Grievance Officer: The DPDP Act requires every Data Fiduciary to publish the contact details of a person who can answer questions about how personal data is processed, and to run an effective grievance redressal mechanism that Data Principals must use before approaching the Board. The Consumer Protection (E-Commerce) Rules, 2020 separately require a Grievance Officer for consumer complaints. The same person can hold both roles, but the two obligations are distinct and both must be met.
Data Protection Officer: Required only if your platform is designated a Significant Data Fiduciary. For large platforms, this designation is very likely. The DPO must be based in India, must be responsible to the board of directors or equivalent governing body, and acts as the point of contact for the grievance mechanism.
Staff training: Every employee or contractor who handles customer data needs role-appropriate training. A customer support agent's training needs are different from a data engineer's, which are different again from a business analyst's.
Vendor contracts: Every contract with a Data Processor must include clauses specifying the purpose of processing, data security standards, breach notification timelines, data return or deletion obligations at contract end, and audit rights.
Customer (Data Principal) Rights in e-Commerce
Every customer whose data you hold has the following rights under the DPDP Act, and your platform needs a functional process to honour them.
Right to access: A customer can ask for a summary of the personal data you hold about them, the processing activities it is used for, and the identities of the other Data Fiduciaries and Data Processors it has been shared with. For an e-commerce platform, this covers purchase history, browsing data, saved payment methods, delivery addresses, customer support tickets, marketing preferences, and the list of ad networks, logistics partners and other vendors that received the data. You need a mechanism to compile this on request.
Right to correction: If a customer says their address is wrong, they can demand you correct it. Simple for structured data. More complex for behavioural inferences drawn from that data.
Right to erasure: When a customer withdraws consent or the processing purpose no longer exists, they can request deletion. For e-commerce, this intersects directly with retention obligations. Order data may need to be retained for accounting purposes. But browse history, wishlist data, and marketing profiles have no such retention justification.
Right to withdraw consent: A customer must be able to withdraw consent as easily as they gave it. If consent was given through a checkbox, withdrawal must also be a checkbox, not a support ticket to a call centre. On withdrawal, the platform must stop the processing within a reasonable time and ensure its Data Processors stop too, unless another legal basis for retention applies.
E-commerce websites should build a self-service Data Principal Rights portal within the account settings, and log every request and every response as an audit trail.
Record Retention and Disposal
The DPDP Act's core retention principle is to erase personal data when the purpose for which it was collected is fulfilled and there is no legal obligation to retain it.
For e-commerce, the conflict is with tax, accounting and company law. Income tax, GST and the Companies Act each set multi-year retention periods for transaction records (the Companies Act, 2013, for instance, requires books of account to be kept for eight financial years). These are legal retention obligations that override the DPDP erasure principle for that specific data, and only that data.
But here is where platforms make a mistake. They retain everything indefinitely because some data has a legal retention basis. Transaction records need to be kept. That does not mean browsing histories, wish lists, abandoned cart data, and marketing profiles also need to be kept. Retention policies must be data-type specific, not platform-wide.
For physical records such as KYC documents collected for age verification or payment processing, shredding machines and documented destruction logs are not optional. For digital records: deletion must be cryptographic erasure or verifiable overwrite, not just removal from the active database with the data still sitting in a backup.
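The two requirements in the last two paragraphs, data-type-specific retention and erasure that also covers backups, fit together if each customer's data is encrypted per category under its own key. Erasing a category then means destroying one key, which makes every copy of that ciphertext (live database, replicas, backup tapes) unreadable at once, while categories under a legal hold keep their keys. The block below is an added example written for this article, not code from any platform: the customer ID, the record contents and the eight-year hold date are constructed, and the cipher is a SHAKE-256 keystream XOR so it runs on the Python standard library alone (in production use AES-GCM from a vetted library and keep the keys in a KMS or HSM).

```python
"""Data-type-specific retention with cryptographic erasure (crypto-shredding).

Each (data principal, data category) pair gets its own data-encryption key, and
every record, including the copies in backups, is stored only as ciphertext.
Erasing a category for one customer means destroying that single key: every
copy of the ciphertext becomes unreadable at once, while categories under a
legal retention hold keep their keys until the hold expires.

Illustrative code written for this article, not from any platform. The cipher
is a SHAKE-256 keystream XOR so the example runs on the standard library alone;
in production use AES-GCM from a vetted library and keep keys in a KMS/HSM.
"""
import hashlib
import secrets
from datetime import date
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
Key = Tuple[str, str]  # (principal_id, category)


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class PrincipalDataStore:
    def __init__(self) -> None:
        self._keys: Dict[Key, bytes] = {}           # the only place keys live
        self._records: Dict[Key, List[bytes]] = {}  # live database, ciphertext only
        self.backup: List[Tuple[Key, bytes]] = []   # constructed backup copies
        self._hold_until: Dict[Key, date] = {}      # legal retention holds

    def write(self, principal: str, category: str, plaintext: bytes,
              hold_until: Optional[date] = None) -> None:
        k = (principal, category)
        key = self._keys.setdefault(k, secrets.token_bytes(32))
        blob = encrypt(key, plaintext)
        self._records.setdefault(k, []).append(blob)
        self.backup.append((k, blob))  # backups copy ciphertext, never keys
        if hold_until is not None:
            self._hold_until[k] = max(hold_until, self._hold_until.get(k, hold_until))

    def read(self, principal: str, category: str) -> Optional[List[bytes]]:
        key = self._keys.get((principal, category))
        if key is None:
            return None  # erased: ciphertext may still exist, but it is unreadable
        return [decrypt(key, b) for b in self._records.get((principal, category), [])]

    def erase(self, principal: str, category: str, today: date) -> bool:
        """Crypto-shred one category. Refuses while a legal hold is active."""
        k = (principal, category)
        hold = self._hold_until.get(k)
        if hold is not None and today < hold:
            return False
        self._keys.pop(k, None)
        self._records.pop(k, None)
        self._hold_until.pop(k, None)
        return True

    def close_account(self, principal: str, today: date) -> Dict[str, bool]:
        """Per-category outcome of an account deletion request."""
        cats = [c for (p, c) in self._keys if p == principal]
        return {c: self.erase(principal, c, today) for c in cats}

    def backup_readable(self, principal: str, category: str) -> bool:
        """Could a restored backup expose this category's plaintext?"""
        k = (principal, category)
        has_copies = any(bk == k for bk, _ in self.backup)
        return has_copies and k in self._keys


def demo() -> Dict[str, object]:
    store = PrincipalDataStore()
    cust = "cust-0001"  # assumed ID; every record below is constructed
    store.write(cust, "transaction", b"order#1 INR 1299 2025-03-01",
                hold_until=date(2033, 3, 31))  # assumed eight-year legal hold
    store.write(cust, "browsing", b"viewed maternity-wear x3")
    store.write(cust, "wishlist", b"sku-4471")
    outcome = store.close_account(cust, date(2026, 1, 15))
    return {
        "outcome": outcome,
        "transaction_still_readable": store.read(cust, "transaction") is not None,
        "browsing_readable": store.read(cust, "browsing") is not None,
        "browsing_backup_readable": store.backup_readable(cust, "browsing"),
        "browsing_backup_copies": sum(1 for k, _ in store.backup if k == (cust, "browsing")),
        "after_hold": store.erase(cust, "transaction", date(2033, 4, 1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On an account closure the store shreds browsing and wishlist keys immediately and refuses to shred the transaction key until its hold date has passed, which is exactly the per-data-type policy the text asks for. The backup still holds one ciphertext copy of the browsing record after closure, but with the key gone nothing can decrypt it; that is what lets a platform honour erasure without rewriting every backup set. Keep a destruction log entry for each key you delete, since that log is your evidence of erasure.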
Action Plan for E-Commerce Compliance
Start with these three actions this week.
Audit every third-party data-sharing arrangement your platform has. List every entity receiving customer data, what data they receive, and whether that sharing was disclosed in your consent notice at the time of collection. Identify the gaps.
Review your consent flows on the mobile app and web for account creation and guest checkout. Confirm that consent notices are present, readable, and specific. Remove pre-ticked boxes.
Assign a named owner for Data Principal rights requests and draft a response procedure before a request arrives, not after.
Frequently Asked Questions
Does the DPDP Act apply to international e-commerce platforms selling to Indian customers?
Yes. The DPDP Act applies to any entity processing digital personal data of persons in India, regardless of where that entity is incorporated. An international platform with Indian users must comply with the Act.
If a customer deletes their account, do we need to delete all their data?
You must delete data for which no other retention basis exists. Transaction data subject to GST or income tax retention requirements can be retained for the legally mandated period. Browsing history, marketing profiles, and wishlist data should be deleted.
Are cookies on our website covered by the DPDP Act?
Cookies that collect personal data, including identifiers that can be linked to an individual, are covered. Tracking cookies used for behavioural advertising require consent under the Act. Strictly necessary cookies for session management and checkout can be argued to fall within the legitimate use of data the visitor provides for the service they asked for, but that position should be reviewed with legal counsel and documented.
What is the breach notification timeline under the DPDP Act?
The DPDP Rules require the Data Fiduciary, on becoming aware of a personal data breach, to intimate each affected Data Principal without delay and to intimate the Data Protection Board without delay, followed by a detailed report to the Board within 72 hours (the Board may extend this on request). This is separate from the CERT-In direction that requires cyber security incidents to be reported to CERT-In within 6 hours. Both frameworks apply simultaneously, so the incident response procedure needs both clocks.

Looking for DPDP Act Compliance?
Bellwether's consultants have worked with over e-commerce and online retail companies across the globe to help achieve data privacy compliance with global data protection regulations like the DPDP Act.
Request for a free 1-1 meeting with an expert DPDP Act Consultant.