
DPDP Compliance for E-commerce Companies

DPDP Comply Team, 5 April 2026


E-commerce is one of the most data-intensive industries. From the moment a visitor lands on your website to post-purchase support, you collect personal data at every step: browsing behavior, account details, shipping addresses, payment information, purchase history, and communication preferences. India's DPDP Act 2023 regulates all of this data, and the Schedule to the Act sets penalties of up to INR 250 crore for a single contravention (the highest band applies to failing to take reasonable security safeguards against a personal data breach).

This guide covers the specific DPDP compliance challenges facing e-commerce businesses and provides a practical roadmap for implementation.

Personal Data E-commerce Companies Collect

A typical e-commerce operation processes personal data across multiple touchpoints:

  • Website browsing — IP addresses, cookies, browsing history, product views, search queries
  • Account creation — Name, email, phone number, date of birth
  • Checkout and orders — Shipping address, billing address, payment card details, UPI ID
  • Customer support — Chat transcripts, email exchanges, phone call recordings
  • Marketing — Email engagement data, SMS delivery receipts, push notification tokens
  • Analytics — Session recordings, heatmaps, conversion funnels, A/B test participation
  • Reviews and feedback — Customer names, ratings, review content
  • Loyalty programs — Purchase history, reward points, preferences

Each of these is personal data in digital form, which is exactly what the DPDP Act covers (Section 3), and every item must be processed on a lawful basis: the customer's consent under Section 6, or one of the legitimate uses listed in Section 7.

Key Compliance Areas

Consent Before Cookies and Tracking

Most e-commerce websites deploy numerous tracking technologies:

  • Google Analytics or similar analytics platforms
  • Facebook Pixel, Google Ads conversion tracking
  • Retargeting and remarketing pixels
  • Session recording tools (Hotjar, Clarity)
  • Personalization engines
  • A/B testing platforms

These scripts process personal data (IP address, device identifiers, browsing behavior) for purposes the visitor did not ask for, so loading them for Indian visitors without free, specific, informed consent under Section 6 is a violation; only the scripts the store needs to function (session, cart, checkout) can run without it. You need a consent banner that:

  • Appears before any non-essential tracking scripts load
  • Presents separate consent options for analytics, marketing, and personalization
  • Blocks tracking scripts until consent is granted
  • Provides easy withdrawal via a persistent "Privacy Preferences" link

Learn more in our consent management guide.
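The gating described above, as an added example in plain JavaScript (this is not DPDP Comply's widget and not code from this page): each tracking script is registered with the purpose it serves, nothing gated is injected until that purpose has been granted, a stored record that is missing or garbled unlocks nothing, and withdrawal stops further loads and reports which already-run scripts need a page reload to clear. The class, the storage key and the script URLs are hypothetical; in a real deployment `storage` is `window.localStorage` and `inject` is `browserInjector`.

```javascript
// Added example (not the DPDP Comply widget): per-purpose consent gating for
// third-party tracking scripts. A gated script is never injected into the page
// until the visitor has granted the purpose it serves.

const GATED_PURPOSES = ["analytics", "marketing", "personalization"];
const STORAGE_KEY = "privacy_consent_v1"; // hypothetical key name

class ConsentGate {
  // storage: object with getItem/setItem/removeItem (window.localStorage in a browser).
  // inject:  function that actually adds a <script> element for a registered script.
  constructor({ storage, inject }) {
    this.storage = storage;
    this.inject = inject;
    this.registered = [];    // every gated script the page wants to run
    this.loaded = new Set(); // ids already injected; a script is injected at most once
  }

  // The stored consent record, or null when no valid choice exists. A missing or
  // malformed record means "nothing granted": an unknown state never unlocks a script.
  current() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== 1 || typeof rec.purposes !== "object" || rec.purposes === null) return null;
      return rec;
    } catch (e) {
      return null;
    }
  }

  isGranted(purpose) {
    const rec = this.current();
    return rec !== null && rec.purposes[purpose] === true;
  }

  // Register a script { id, purpose, src }. Unknown purposes are rejected so a typo
  // cannot silently create an ungated script. Returns how many scripts were injected.
  register(script) {
    if (!GATED_PURPOSES.includes(script.purpose)) {
      throw new Error(`unknown consent purpose: ${script.purpose}`);
    }
    this.registered.push(script);
    return this.flush();
  }

  // Record an explicit choice. Only a literal `true` counts as a grant, so a pre-ticked
  // box that submits "on" or "1" grants nothing, and unlisted purposes are false.
  grant(choices = {}) {
    const record = { version: 1, grantedAt: new Date().toISOString(), purposes: {} };
    for (const p of GATED_PURPOSES) record.purposes[p] = choices[p] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify(record));
    this.flush();
    return record;
  }

  // Withdraw everything. Scripts that already ran cannot be un-run, so the caller
  // should reload the page when reloadRequired is true.
  withdraw() {
    this.storage.removeItem(STORAGE_KEY);
    const stale = this.registered.filter((s) => this.loaded.has(s.id)).map((s) => s.id);
    return { reloadRequired: stale.length > 0, stale };
  }

  // Inject every registered script whose purpose is granted and that has not run yet.
  flush() {
    let count = 0;
    for (const s of this.registered) {
      if (!this.loaded.has(s.id) && this.isGranted(s.purpose)) {
        this.loaded.add(s.id);
        this.inject(s);
        count += 1;
      }
    }
    return count;
  }
}

// Browser injector: creates the real <script> tag. Touches `document` only when called.
function browserInjector(script) {
  const el = document.createElement("script");
  el.src = script.src;
  el.async = true;
  el.dataset.consentPurpose = script.purpose;
  document.head.appendChild(el);
}

// In-memory storage with the localStorage interface, for tests and server-side rendering.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Browser bootstrap (skipped outside a DOM): restore the stored choice, then register
// gated scripts; the placeholder URL stands in for a real analytics vendor.
if (typeof document !== "undefined") {
  const pageGate = new ConsentGate({ storage: window.localStorage, inject: browserInjector });
  pageGate.register({ id: "analytics", purpose: "analytics", src: "https://analytics.example/tag.js" });
}
```

Two points the banner UI has to respect. First, vendor snippets pasted into the HTML must not be plain `<script>` tags, because the browser runs those before any consent logic executes; ship them as placeholders (for example `type="text/plain"`) or register them through the gate as above. Second, withdrawal is only effective at the load step: once a vendor script has run and set cookies under its own domain, your site cannot remove them, which is why a withdrawal must trigger a reload and nothing gated may load on the next page view.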

Privacy Policy for E-commerce

Your privacy policy must be tailored to e-commerce data flows. Key elements include:

  • Itemized data categories — List every type of data collected (not just "personal information")
  • Purpose for each category — Order fulfillment, customer support, marketing (with separate consent), analytics
  • Third-party sharing — Payment processors, shipping partners, marketing platforms, analytics providers
  • Retention periods — How long you keep order data, account data, and marketing data
  • Rights and grievance mechanism — How customers can access, correct, or delete their data

Checkout Consent vs Marketing Consent

A critical distinction for e-commerce: data a customer provides to complete an order can be processed without separate consent under the Section 7(a) legitimate use (the customer voluntarily provided it for that specified purpose and has not objected), but using the same data for marketing is a different purpose and needs its own consent under Section 6.

Example: A customer provides their email address during checkout to receive order confirmations. This is necessary for order fulfillment. Adding that email to your marketing newsletter list, however, requires separate consent under Section 6, which must be free, specific, informed, unconditional and unambiguous, and given by a clear affirmative action. A pre-ticked "Subscribe to newsletter" checkbox is not an affirmative action and does not meet the standard.

Data Retention Challenges

E-commerce companies face tension between data retention requirements:

  • Tax compliance — GST records must be retained for specified periods
  • Consumer protection — Order records needed for warranty and return handling
  • Fraud prevention — Transaction histories needed to detect and prevent fraud
  • DPDP Act — Data must be erased once the stated purpose is no longer being served or consent is withdrawn, unless retention is necessary to comply with another law (Section 8(7))

The solution is a written retention schedule with a legal basis for each data category: keep order and tax data for the period the law requires (and no longer), delete marketing and analytics data as soon as consent is withdrawn, and run automated cleanup so that nothing outlives its period by accident. When a customer asks for erasure, the legally retained records are the only ones that stay, and they should be deleted automatically when their period ends.

Customer Rights Requests

E-commerce customers can submit rights requests under Sections 11-13 (access, correction and erasure, grievance redressal):

  • Access (Section 11) — "What data do you have about me?" — You must provide a summary of the personal data being processed, the processing activities, and the other Data Fiduciaries and Data Processors you have shared it with
  • Correction (Section 12) — "My address is wrong" — You must correct, complete or update inaccurate data
  • Erasure (Section 12) — "Delete my account and data" — You must erase data not required for legal retention
  • Grievance (Section 13) — "I am unhappy with how you handle my data" — You must have a readily available grievance mechanism and respond within the prescribed period

With potentially millions of customers, you need automated workflows that handle these requests at scale and track a deadline for each one. Section 13(3) does not fix the number of days itself; it requires a response within the period prescribed under the Rules, so set your internal SLA (this guide uses 30 days) at or inside whatever period applies to you.
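The retention schedule from the previous section and the erasure request from this one are two sides of one mechanism, so here is one added example (Node.js; not the page's or DPDP Comply's code) covering both: a scheduled job that deletes records past their period or whose consent was withdrawn and flags any category without a policy, and an erasure handler that removes everything except records still under a legal retention duty, marking those so the first cleanup run after the hold expires deletes them. The categories, the periods and the sample records are constructed placeholders; take the real periods from your tax and consumer-law advice.

```javascript
// Added example (not DPDP Comply's code): a retention schedule, the scheduled cleanup
// that enforces it, and an erasure handler that respects legal holds.

const DAY_MS = 24 * 60 * 60 * 1000;

// Retention schedule. All periods are placeholders: take the real figures from your
// tax and consumer-law advice. legalHold = an erasure request cannot remove the record
// before its period ends (Section 8(7) allows retention only where another law requires it).
// consentBased = the data exists only because of consent, so withdrawal deletes it at once.
const RETENTION = {
  order:     { days: 8 * 365, legalHold: true,  consentBased: false, basis: "tax and order records" },
  account:   { days: 3 * 365, legalHold: false, consentBased: false, basis: "dormant account" },
  support:   { days: 2 * 365, legalHold: false, consentBased: false, basis: "dispute and return handling" },
  marketing: { days: null,    legalHold: false, consentBased: true,  basis: "marketing consent" },
  analytics: { days: 400,     legalHold: false, consentBased: true,  basis: "analytics consent" },
};

function ageDays(record, now) {
  return (now - Date.parse(record.createdAt)) / DAY_MS;
}

// Decide what happens to one record at time `now` (milliseconds since epoch).
function retentionDecision(record, now) {
  const policy = RETENTION[record.category];
  if (!policy) {
    // Unknown category: never keep or delete silently; surface it for a human.
    return { action: "flag", reason: `no retention policy for category '${record.category}'` };
  }
  const age = ageDays(record, now);
  const holdActive = policy.legalHold && age < policy.days;
  if (policy.consentBased && record.consentWithdrawnAt) {
    return { action: "delete", reason: "consent withdrawn" };
  }
  if (record.erasureRequestedAt && !holdActive) {
    return { action: "delete", reason: "erasure requested and no legal hold" };
  }
  if (policy.days !== null && age > policy.days) {
    return { action: "delete", reason: `past ${policy.days}-day retention (${policy.basis})` };
  }
  return { action: "keep", reason: holdActive ? `legal hold: ${policy.basis}` : policy.basis };
}

// Scheduled job: returns the ids kept, the ids to delete and the ids needing review.
function runCleanup(records, now = Date.now()) {
  const out = { kept: [], deleted: [], flagged: [] };
  for (const r of records) {
    const d = retentionDecision(r, now);
    const bucket = d.action === "keep" ? out.kept : d.action === "delete" ? out.deleted : out.flagged;
    bucket.push({ id: r.id, reason: d.reason });
  }
  return out;
}

// Section 12 erasure request: delete everything deletable now, mark the rest so the
// cleanup job removes it on the first run after its hold expires, and return what was
// retained and why (that list is what you tell the customer).
function handleErasureRequest(records, customerId, now = Date.now()) {
  const requestedAt = new Date(now).toISOString();
  const deleted = [];
  const retained = [];
  const remaining = [];
  for (const r of records) {
    if (r.customerId !== customerId) {
      remaining.push(r);
      continue;
    }
    const marked = { ...r, erasureRequestedAt: requestedAt };
    const d = retentionDecision(marked, now);
    if (d.action === "delete") {
      deleted.push(r.id);
    } else {
      retained.push({ id: r.id, reason: d.reason });
      remaining.push(marked);
    }
  }
  return { deleted, retained, remaining };
}

// Constructed sample data; the clock is fixed at this post's date so results are reproducible.
const NOW = Date.parse("2026-04-05T00:00:00Z");
const SAMPLE_RECORDS = [
  { id: "ord-1", customerId: "c1", category: "order",       createdAt: "2024-01-10T00:00:00Z" },
  { id: "ord-2", customerId: "c2", category: "order",       createdAt: "2017-06-01T00:00:00Z" },
  { id: "acc-1", customerId: "c1", category: "account",     createdAt: "2024-01-10T00:00:00Z" },
  { id: "mkt-1", customerId: "c1", category: "marketing",   createdAt: "2024-02-01T00:00:00Z" },
  { id: "mkt-2", customerId: "c2", category: "marketing",   createdAt: "2025-02-01T00:00:00Z",
    consentWithdrawnAt: "2026-03-01T00:00:00Z" },
  { id: "an-1",  customerId: "c2", category: "analytics",   createdAt: "2024-12-01T00:00:00Z" },
  { id: "x-1",   customerId: "c2", category: "chat_export", createdAt: "2026-01-01T00:00:00Z" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runCleanup(SAMPLE_RECORDS, NOW), null, 2));
  console.log(JSON.stringify(handleErasureRequest(SAMPLE_RECORDS, "c1", NOW), null, 2));
}
```

The design choice worth copying is that the erasure handler does not carry its own rules: it marks the customer's records and asks the same `retentionDecision` the nightly job uses, so an order under a tax hold is retained today with a stated reason and disappears on the first run after the hold ends, without anyone remembering to revisit the request. The `flag` outcome for an unknown category is the safety net: data that was added to the system without a retention entry is surfaced rather than kept forever or deleted by accident.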

Marketplace-Specific Considerations

If you operate a marketplace (connecting buyers with third-party sellers), the compliance picture is more complex:

Shared Data Fiduciary Responsibilities

The marketplace and the seller may each be a Data Fiduciary for order data, since the Act (Section 2(i)) treats anyone who determines the purpose and means of processing, alone or in conjunction with others, as a fiduciary. You need clear data sharing agreements that define:

  • Which party is responsible for consent collection
  • How rights requests are routed and fulfilled
  • Who maintains the audit trail
  • Data deletion responsibilities when a seller leaves the platform

Seller Data

You are also a Data Fiduciary for seller personal data — names, bank details, tax IDs, contact information. Sellers have the same rights as customers under the DPDP Act.

Third-Party Logistics

Sharing customer addresses and phone numbers with logistics partners who deliver on your behalf makes those partners Data Processors. The Act lets you engage a processor only under a valid contract (Section 8(2)), and you remain responsible for compliance for the data they handle regardless of that contract (Section 8(1)), so the agreement should cover the permitted purpose, security safeguards, breach notification to you, and deletion when the engagement ends.

Payments and Financial Data

E-commerce platforms handling payment data face additional scrutiny:

  • PCI DSS compliance remains mandatory for card data handling
  • RBI guidelines on payment data storage and tokenization apply alongside the DPDP Act
  • Payment data should be processed by PCI-compliant payment gateways rather than stored directly
  • Consent for saving payment methods for future use must be explicit and withdrawable

Cross-Border E-commerce

If you sell to Indian customers from outside India, or if you are an Indian e-commerce company using international service providers:

  • The Act's extraterritorial scope (Section 3(b)) means a foreign platform offering goods or services to people in India must comply
  • Data transfers outside India are permitted unless the Central Government has restricted the destination country by notification (Section 16)
  • For a comparison with EU requirements, see our DPDP vs GDPR guide

Practical Implementation Roadmap

Phase 1: Immediate Actions (Week 1-2)

  1. Deploy a consent banner on your website that blocks non-essential tracking until consent is granted
  2. Update your privacy policy to meet Section 5 notice requirements
  3. Add newsletter consent as a separate, unchecked opt-in during checkout
  4. Create a privacy settings page where customers can manage consent preferences

Phase 2: Backend Integration (Week 3-4)

  1. Implement rights request workflows — intake form, routing, SLA tracking, fulfillment
  2. Audit third-party scripts and SDKs for data collection practices
  3. Update data processor agreements with logistics, payment, and marketing partners
  4. Set up automated data retention policies and cleanup processes

Phase 3: Ongoing Compliance (Ongoing)

  1. Monitor consent rates and optimize banner UX
  2. Track rights request metrics — volume, response time, SLA compliance
  3. Regular audits of data collection practices and third-party processors
  4. Staff training on DPDP requirements and internal procedures

How DPDP Comply Helps E-commerce

DPDP Comply is built to handle the scale and complexity of e-commerce data operations:

  • Consent banner — Lightweight JavaScript widget that integrates with any e-commerce platform (Shopify, WooCommerce, custom builds)
  • Script blocking — Conditionally load analytics and marketing scripts based on consent state
  • Per-purpose consent — Separate tracking for essential, analytics, marketing, and personalization
  • Rights request management — Automated workflow with 30-day SLA tracking under Section 13(3)
  • Audit trails — Immutable, append-only records of every consent event
  • API access — Integrate consent checking into your checkout flow and backend processes

Get Started Free and deploy a compliant consent banner on your store today. View Pricing for plans that scale with your business.