India's e-commerce market crossed $160 billion in 2025, powered by roughly 350 million online shoppers and close to six lakh active seller storefronts. If you operate anywhere in this ecosystem, from a Shopify-powered D2C brand to a multi-seller marketplace listing thousands of SKUs, you are sitting on a mountain of personal data that the DPDP Act 2023 now regulates.
What I hear from founders in this sector is consistent: they know the law exists, they know enforcement is coming by May 2027, but they do not know where DPDP actually touches their operations. The answer, it turns out, is almost everywhere. From the moment a customer lands on your product page to the year you decide to delete their purchase history, every step involves personal data that the Act has an opinion about.
This guide breaks down exactly how the DPDP Act applies to Indian e-commerce businesses, what you need to change, and where most online sellers are getting it wrong. For a comparison of how these obligations differ from other sectors, see our DPDP compliance by industry overview.
Key Takeaways
- Every e-commerce entity that determines the purpose of collecting customer data is a Data Fiduciary under the DPDP Act 2023, regardless of whether it operates a marketplace, a standalone store, or a social commerce channel.
- Consent under Section 6 must be granular and purpose-specific. Bundled "I agree to everything" checkboxes on checkout pages are non-compliant.
- The DPDP Rules 2025 impose a three-year data retention ceiling for e-commerce platforms with more than two crore registered users, measured from the user's last interaction.
- Processing children's data (under 18) for targeted advertising or behavioural profiling is prohibited under Section 9, with penalties up to 200 crore.
- E-commerce businesses face a dual regulatory framework: the DPDP Act governs data privacy, while the Consumer Protection (E-Commerce) Rules 2020 govern trade practices. Compliance requires addressing both.
Why Does DPDP Matter Specifically for E-Commerce?
The volume question answers itself. A mid-sized Indian e-commerce store processing 5,000 orders per month collects names, phone numbers, email addresses, shipping addresses, payment metadata, and browsing behaviour from every transaction. Layer in marketing tools, analytics integrations, review platforms, and logistics partners, and a single customer journey generates personal data across eight to twelve systems before the package reaches the doorstep.
Section 2(t) of the DPDP Act defines "personal data" as any data about an individual who is identifiable by or in relation to such data. That definition captures almost everything in your e-commerce stack: customer profiles, order histories, IP addresses logged by your analytics, UPI IDs captured by your payment gateway, and the phone numbers your delivery partner collects at the last mile.
Here is a practical frame for thinking about it. If you run an online business in India, you are processing personal data at three distinct layers:
| Layer | Examples | DPDP Relevance |
|---|---|---|
| Customer data | Name, email, phone, address, order history, payment details, browsing behaviour | Direct consent obligations under Section 6 |
| Seller/vendor data | Names, bank details, GST numbers, contact information of sellers or suppliers | Fiduciary obligations under Section 8 |
| Employee/contractor data | HR records, payroll, background checks | Legitimate uses under Section 7 |
Each layer carries its own consent requirements, retention rules, and compliance obligations. Most e-commerce businesses I speak with are focused entirely on the first layer and have not considered the second or third at all.
Who Counts as a Data Fiduciary in E-Commerce?
This is the first question every marketplace founder asks, and the answer is less straightforward than it appears.
Under Section 2(i), a Data Fiduciary is any person who alone or in conjunction with others determines the purpose and means of processing personal data. In the e-commerce context, this typically means:
Marketplace operators (Flipkart, Amazon India, Meesho, Myntra) are Data Fiduciaries for all customer data they collect through their platform: account registrations, search history, order data, payment information, recommendation engine inputs. They determine what data to collect and how to process it.
Sellers on marketplaces may also be Data Fiduciaries for data they independently collect and process. If a seller exports customer email addresses from the marketplace to run their own marketing campaigns, they have determined a new purpose for that data. That makes them a Data Fiduciary for that processing activity.
Standalone D2C brands operating their own Shopify, WooCommerce, or custom storefront are clearly Data Fiduciaries. They control the entire data lifecycle from collection to deletion.
Social commerce sellers on Instagram, WhatsApp Business, or Meesho's reseller network occupy a grey area. If you are collecting customer phone numbers in a personal WhatsApp chat and adding them to a broadcast list, you are determining the purpose of processing. The Act likely applies to you. The practical challenge is enforcement at this scale, but the legal obligation exists.
The critical point: being a seller on someone else's marketplace does not absolve you of Data Fiduciary obligations for data you independently process. I have spoken with sellers who assumed their marketplace handles all compliance. It does not. The marketplace handles compliance for data it processes through its platform. Data you extract, store separately, or use for your own purposes is your responsibility under Section 8.
What Consent Obligations Apply to Online Sellers?
Section 6 of the DPDP Act is where e-commerce businesses face the most visible compliance challenge. Consent must be free, specific, informed, unconditional, and demonstrated through a clear affirmative action.
Here is what that means for a typical e-commerce checkout flow:
Before the Act: A single "I agree to the Terms of Service and Privacy Policy" checkbox at checkout, often pre-ticked. Customer clicks "Place Order" and everything, from order fulfilment to marketing emails to third-party data sharing, is covered by that one blanket consent.
After the Act: Each distinct purpose requires its own consent signal. Order fulfilment is one purpose. Marketing communications are another. Sharing data with analytics platforms is a third. Behavioural profiling for personalised recommendations is a fourth. A customer must be able to consent to order fulfilment (necessary for the transaction) while declining marketing emails and recommendation profiling.
The practical implications for your checkout page:
- Separate consent toggles for each processing purpose that goes beyond fulfilling the actual order
- No pre-ticked boxes. Every consent signal must be an affirmative action by the customer
- A clear explanation, for each purpose, of what data you collect and why, written in plain language and available in English or any Eighth Schedule language
- Equal ease of withdrawal. If consent takes one click to give, withdrawal must take one click too (Section 6(4))
- A standalone privacy notice (Section 5) that is accessible before or alongside the consent request, not buried three links deep in your footer
One area where I see consistent confusion: marketing consent is not a legitimate use under Section 7. Some sellers assume that because a customer voluntarily shared their email during checkout, sending promotional emails is covered. It is not. Checkout data was provided for order fulfilment. Marketing is a separate purpose that requires separate consent.
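A minimal consent ledger that applies the Section 6 and Section 9 rules described in this section as code (an added example, not code from the article or from ComplyZero; the purpose names, the ConsentLedger class and the sample events are constructed):

```python
"""Purpose-specific consent ledger for a checkout flow (added example, not code from
the article or any product it names; purpose names, the ConsentLedger class and the
sample events are constructed). Rules encoded: one record per purpose, no pre-ticked
or inferred consent, withdrawal honoured once logged, no profiling/marketing under 18."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

FULFILMENT = "order_fulfilment"            # needed for the transaction itself
MARKETING = "marketing_communications"     # a separate purpose, never implied
PROFILING = "behavioural_profiling"        # personalised recommendations
CHILD_PROHIBITED = {MARKETING, PROFILING}  # Section 9: barred regardless of consent

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool             # True = given, False = withdrawn
    at: datetime
    source: str               # "checkout_toggle", "account_settings", ...
    affirmative: bool = True  # False = pre-ticked box or inferred from behaviour

class ConsentLedger:
    def __init__(self, ages: dict) -> None:
        self._ages = ages          # principal_id -> age, from age verification
        self._events: list = []

    def record(self, event: ConsentEvent) -> bool:
        """Store the signal; a grant that was not an affirmative act is refused."""
        if event.granted and not event.affirmative:
            return False
        self._events.append(event)
        return True

    def proof(self, principal_id: str, purpose: str,
              until: Optional[datetime] = None) -> list:
        """Audit trail: when did they consent or withdraw, to what, through which channel?"""
        return sorted((e for e in self._events if e.principal_id == principal_id
                       and e.purpose == purpose and (until is None or e.at <= until)),
                      key=lambda e: e.at)

    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """May `purpose` be processed for this principal at time `at`?"""
        if self._ages.get(principal_id, 18) < 18 and purpose in CHILD_PROHIBITED:
            return False
        history = self.proof(principal_id, purpose, until=at)
        # No signal for this purpose means no consent; nothing carries over from another.
        return bool(history) and history[-1].granted

def checkout_scenario() -> dict:
    """Constructed: adult accepts fulfilment, leaves marketing unticked, opts in later, unsubscribes; a 16-year-old opts into profiling."""
    ledger = ConsentLedger({"cust-1": 34, "cust-2": 16})
    day = lambda d: datetime(2026, 3, d, 10, 0, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("cust-1", FULFILMENT, True, day(1), "checkout_toggle"))
    # Marketing toggle left off at checkout: no event, so no marketing consent exists.
    preticked = ledger.record(ConsentEvent("cust-1", PROFILING, True, day(1),
                                           "checkout_toggle", affirmative=False))
    ledger.record(ConsentEvent("cust-1", MARKETING, True, day(10), "account_settings"))
    ledger.record(ConsentEvent("cust-1", MARKETING, False, day(20), "one_click_unsubscribe"))
    ledger.record(ConsentEvent("cust-2", PROFILING, True, day(1), "checkout_toggle"))
    return {
        "fulfilment": ledger.is_permitted("cust-1", FULFILMENT, day(1)),                 # True
        "marketing_at_checkout": ledger.is_permitted("cust-1", MARKETING, day(1)),      # False
        "marketing_after_optin": ledger.is_permitted("cust-1", MARKETING, day(15)),     # True
        "marketing_after_withdrawal": ledger.is_permitted("cust-1", MARKETING, day(25)),  # False
        "minor_profiling": ledger.is_permitted("cust-2", PROFILING, day(1)),            # False
        "preticked_refused": not preticked,                                             # True
        "marketing_trail": len(ledger.proof("cust-1", MARKETING)),                      # 2
    }
```

The `proof` method is what answers the audit question raised later in the roadmap: when did this customer consent, to which purpose, and through which channel.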
How Does DPDP Handle Data Retention for E-Commerce?
This is where the DPDP Rules 2025 get specific about e-commerce, and it caught many in the industry by surprise.
For e-commerce platforms with more than two crore (20 million) registered users, the DPDP Rules 2025 impose a three-year data retention ceiling. The clock starts from the date of the user's last interaction with the platform. If a customer has not logged in, made a purchase, or interacted with your platform for three years, you must delete their personal data after sending a 48-hour notice.
For smaller e-commerce businesses below that threshold, the general principle from Section 8(7) applies: erase personal data once the purpose for which it was collected has been fulfilled, unless another law requires longer retention.
This creates a practical tension with other regulations. GST law requires transaction records for six years. Income tax records may need to be retained for six to eight years. Consumer protection law requires maintaining records for dispute resolution. The DPDP Act acknowledges this: if another law mandates longer retention, that requirement prevails.
Here is a retention framework that accounts for these overlapping requirements:
| Data Category | DPDP Retention Rule | Other Legal Requirement | Practical Approach |
|---|---|---|---|
| Order transaction records | Erase when purpose fulfilled | GST: 6 years; Income Tax: 6-8 years | Retain for 8 years, then auto-delete |
| Customer account profiles | 3 years from last interaction (for 2cr+ platforms) | None mandatory | Delete or anonymise after 3 years of inactivity |
| Marketing consent records | Duration of consent + reasonable proof period | None mandatory | Retain 3 years after consent withdrawal |
| Browsing/clickstream data | Erase when purpose fulfilled | None mandatory | 14-26 months based on analytics platform |
| Payment information (stored) | Erase after transaction completion | PCI-DSS standards; RBI guidelines | Do not store full payment details; rely on payment processor |
| Customer support tickets | Erase when purpose fulfilled | Consumer Protection Act: until dispute resolution period expires | Retain 2 years post-resolution |
The 48-hour notice requirement before deleting inactive user data is particularly relevant for e-commerce. You need a mechanism to contact inactive users (email, SMS, app notification) 48 hours before purging their data. If the user re-engages within that window, the retention clock resets.
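The retention rules in this section, including the 48-hour notice and the clock reset on re-engagement, as a small scheduler (an added example, not the article's or any vendor's code; the category names, the 8-year and 2-year floors taken from the table above, and the sample records are constructed):

```python
"""Retention scheduler for the rules described above (added example, not code from the
article or any vendor; category names, periods and sample records are constructed):
erase once the purpose is fulfilled unless a longer statutory period prevails; above
two crore users, apply the 3-year inactivity ceiling, 48-hour notice and clock reset."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TWO_CRORE = 20_000_000
INACTIVITY_CEILING = timedelta(days=3 * 365)
NOTICE_WINDOW = timedelta(hours=48)

# Statutory minimums that override "erase when purpose fulfilled" (Section 8(7)).
OTHER_LAW_MINIMUM = {
    "order_transaction": timedelta(days=8 * 365),  # GST 6 yrs, Income Tax 6-8 yrs
    "support_ticket": timedelta(days=2 * 365),     # 2 yrs post-resolution (table above)
}

@dataclass
class Record:
    category: str
    clock_start: datetime      # purchase date, ticket-resolution date, ...
    purpose_fulfilled: bool    # e.g. delivered and the returns window has closed

@dataclass
class Account:
    last_interaction: datetime
    notice_sent_at: Optional[datetime] = None

def decide_record(rec: Record, now: datetime) -> str:
    """'retain' while the purpose is live or a statutory floor applies, else 'delete'."""
    if not rec.purpose_fulfilled:
        return "retain"
    if now - rec.clock_start < OTHER_LAW_MINIMUM.get(rec.category, timedelta(0)):
        return "retain"
    return "delete"

def decide_account(acct: Account, registered_users: int, now: datetime) -> str:
    """Large-platform inactivity rule: 'retain', 'notify' (send 48h notice) or 'delete'."""
    if registered_users <= TWO_CRORE:
        return "retain"              # below threshold: purpose-based erasure applies instead
    if acct.notice_sent_at and acct.last_interaction > acct.notice_sent_at:
        acct.notice_sent_at = None   # user re-engaged after the notice: clock resets
    if now - acct.last_interaction < INACTIVITY_CEILING:
        return "retain"
    if acct.notice_sent_at is None:
        acct.notice_sent_at = now    # first pass over an inactive account
        return "notify"
    if now - acct.notice_sent_at >= NOTICE_WINDOW:
        return "delete"
    return "retain"                  # still inside the 48-hour window

def sample_run() -> dict:
    """Constructed: 2019 delivered order, 2024 clickstream, two accounts idle since 2022 on a 2.5-crore platform."""
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)
    order = Record("order_transaction", datetime(2019, 1, 1, tzinfo=timezone.utc), True)
    clicks = Record("clickstream", datetime(2024, 6, 1, tzinfo=timezone.utc), True)
    ignores, returns = (Account(datetime(2022, 1, 1, tzinfo=timezone.utc)) for _ in range(2))
    first = decide_account(ignores, 25_000_000, now)       # notify, stamps notice_sent_at
    decide_account(returns, 25_000_000, now)               # notify
    returns.last_interaction = now + timedelta(hours=10)   # re-engages inside the window
    later = now + timedelta(hours=49)
    return {
        "order_2019": decide_record(order, now),           # 7 yrs < 8-yr floor: retain
        "clickstream_2024": decide_record(clicks, now),    # purpose done, no floor: delete
        "first_pass": first,
        "ignored_notice": decide_account(ignores, 25_000_000, later),   # delete
        "re_engaged": decide_account(returns, 25_000_000, later),       # retain
        "re_engaged_notice_cleared": returns.notice_sent_at is None,
    }
```

A real scheduler would persist `notice_sent_at` and treat "notify" as the trigger for the email, SMS or push message the section describes, re-running the decision once the 48 hours have passed.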
What About Children's Data in E-Commerce?
Section 9 of the DPDP Act introduces restrictions that will force significant changes in how e-commerce platforms handle younger users.
The age threshold is 18, not 13 (as under COPPA in the US) or 16 (as under GDPR). Every user under 18 is a "child" under DPDP, and their data receives additional protections:
- Verifiable parental consent is required before processing a child's data (Section 9(1))
- Behavioural monitoring of children is prohibited (Section 9(2))
- Targeted advertising directed at children is prohibited (Section 9(3))
For e-commerce, this means:
Age verification at account creation. You need a mechanism to determine whether a user is under 18. The DPDP Rules 2025 allow for age-appropriate verification methods, but the implementation specifics are still the subject of industry debate.
No personalised recommendations for minors. If a user's account indicates they are under 18, you cannot use their browsing history, purchase data, or preference signals to serve personalised product recommendations. Generic, non-targeted category browsing is fine. Algorithmic personalisation is not.
Parental consent workflows. A teenager buying a book or a pair of earphones on your platform needs their parent or guardian to consent to the data processing involved. This is operationally challenging; the industry is watching how major platforms implement this.
The penalty for violating children's data provisions is up to 200 crore per instance. For e-commerce platforms with significant traffic from users under 18 (fashion, gaming accessories, stationery, electronics), this is the highest-risk compliance area under DPDP.
How Does DPDP Interact with E-Commerce Consumer Protection Rules?
This is a dimension that most DPDP compliance guides overlook, and it matters greatly for online sellers.
The Consumer Protection (E-Commerce) Rules, 2020, already impose data-adjacent obligations on e-commerce entities: transparent pricing, grievance redressal mechanisms, disclosure of seller identity, and restrictions on misleading listings. These rules operate under the Consumer Protection Act, 2019, a separate law from the DPDP Act.
The two frameworks overlap in several areas, creating a dual compliance burden:
| Requirement | Consumer Protection Rules 2020 | DPDP Act 2023 | Implication |
|---|---|---|---|
| Grievance redressal | Appoint a grievance officer; resolve complaints within 60 days | Designate a person to handle data principal complaints (Section 13) | You may need two separate grievance channels, or one channel that handles both consumer complaints and data subject requests |
| Consent for marketing | No specific consent requirement for marketing, but restrictions on "dark patterns" | Explicit, granular consent required for marketing communications (Section 6) | DPDP sets the higher bar; comply with DPDP and you exceed the Consumer Protection standard |
| Data display | Sellers must display certain information publicly (GSTIN, legal name, address) | Display of seller data is permissible but its collection and storage must follow DPDP | Ensure that the mandatory public display of seller information does not conflict with your internal data minimisation practices |
| Record keeping | Maintain records of all transactions for dispute resolution | Erase data when purpose is fulfilled (Section 8(7)) | Retain transaction records for the Consumer Protection dispute resolution window; erase other data per DPDP retention rules |
| Cancellation/return | Customer can cancel within specified periods; platform must process refunds | Customer can withdraw consent for data processing at any time (Section 6(4)) | Consent withdrawal does not retroactively affect completed transactions, but you must stop future processing |
The practical takeaway: if you are building a compliance programme for your e-commerce operation, treat DPDP and Consumer Protection as parallel tracks. Address both in your privacy notice, your grievance mechanism, and your data retention policies.
Where Do E-Commerce Businesses Typically Get Compliance Wrong?
After speaking with dozens of founders and compliance officers in the e-commerce space, I see the same five mistakes repeated:
Mistake 1: Treating consent as a one-time event. Many platforms capture consent at sign-up and never revisit it. But consent under DPDP is purpose-specific. If you launch a new loyalty programme, add a recommendation engine, or start sharing data with a new logistics partner, you need fresh consent for each new purpose. Pre-existing consent does not extend to purposes that did not exist when it was granted.
Mistake 2: Ignoring third-party data flows. Your analytics platform, your email service provider, your CRM, your logistics API, your payment gateway: every integration that accesses personal data makes that vendor either a Data Processor (acting on your instructions) or a Data Fiduciary (making independent decisions about the data). Section 8(2) requires a valid contract with every Data Processor. Most e-commerce businesses I have spoken with have no idea how many third parties touch their customer data. The median estimate from those conversations is eight to fifteen integrations per store. The number is often higher once you count all the JavaScript tags loading on your checkout page.
Mistake 3: Storing payment data unnecessarily. If your payment gateway (Razorpay, Cashfree, PhonePe) handles the transaction, you do not need to store card numbers, UPI IDs, or bank details in your own database. Data minimisation under DPDP means collecting only what is necessary for the stated purpose. Let the payment processor handle what they are built to handle. Your obligation is to have a contract with them (Section 8(2)) and to ensure they meet the security safeguard requirements.
Mistake 4: No mechanism for handling data subject requests. Section 11 gives every customer the right to know what personal data you hold about them. Section 12 gives them the right to have it corrected or erased. The DPDP Rules 2025 set a 90-day response window. If a customer emails you asking "What data do you have on me?" and you have no process for answering, that is a compliance failure. You do not need a complex portal for day one. You need a documented process, a dedicated email address, and someone accountable for responding within 90 days.
Mistake 5: Forgetting seller data. Marketplace operators and aggregators collect seller KYC data, bank details, GST documentation, identity proofs, and communication records. This is personal data under the Act. Seller onboarding flows need consent mechanisms. Seller data needs retention policies. Seller grievance rights need a channel. This is easy to overlook when your compliance effort is focused on customers, but the Act makes no distinction: all Data Principals have the same rights.
A Practical Compliance Roadmap for E-Commerce Businesses
If you are an e-commerce founder or CTO reading this in early 2026, you have roughly 15 months before the May 2027 enforcement deadline. Here is a phased approach that accounts for the operational realities of running an online business:
Months 1-2: Discovery and mapping
- Run a complete data audit covering customer data, seller data, employee data, and all third-party integrations
- Map every data flow from collection to deletion, including which third parties touch personal data
- Classify your lawful basis for each processing activity (consent vs. legitimate use)
Months 3-6: Infrastructure build
- Implement granular consent mechanisms on your website, app, and any offline-to-digital collection points
- Draft and publish a standalone privacy notice in English, Hindi, and languages relevant to your customer base
- Review all vendor contracts and negotiate Data Processing Agreements with every processor
- Implement or verify security safeguards: encryption, access controls, logging, and backup per the DPDP Rules 2025
Months 7-10: Operationalise
- Build a Data Subject Request intake process (even a simple email-plus-spreadsheet system works initially)
- Implement automated data retention and deletion policies
- Train customer support, marketing, and engineering teams on DPDP basics
- If you serve users under 18, implement age verification and parental consent workflows
Months 11-15: Test and harden
- Run a tabletop breach response exercise
- Audit your consent records: can you prove when each customer consented and for what purpose?
- Review your analytics, CRM, and ad tech integrations for compliance gaps
- Prepare your breach notification process: 72 hours is not as long as it sounds when a real incident hits
The order matters. I have seen e-commerce businesses jump straight to installing consent banners without first understanding what data they collect, where it flows, or what consent they actually need. That is like building a roof before pouring the foundation. Start with the data audit. Everything else follows from there.
Frequently Asked Questions
Does the DPDP Act apply to sellers on marketplaces like Amazon or Flipkart?
Yes. Under Section 2(i) of the DPDP Act 2023, any entity that determines the purpose and means of processing personal data is a Data Fiduciary. If you, as a marketplace seller, independently collect, store, or use customer data (for example, exporting email lists for marketing campaigns or storing customer phone numbers for direct outreach), you are a Data Fiduciary for that data and must comply with all obligations under Section 8. The marketplace is a separate Data Fiduciary for data it processes through its own platform.
What is the data retention limit for e-commerce businesses under DPDP?
As of February 2026, the DPDP Rules 2025 specify a three-year data retention ceiling for e-commerce platforms with more than two crore (20 million) registered users. The period is measured from the user's last interaction with the platform. A 48-hour notice must be sent before deleting inactive user data. For smaller platforms, the general rule under Section 8(7) applies: erase personal data once its purpose has been fulfilled, unless another law (GST, Income Tax) requires longer retention.
Can e-commerce platforms still send promotional emails after DPDP?
Only with explicit consent. Under Section 6 of the DPDP Act 2023, marketing communications are a separate processing purpose from order fulfilment. A customer's consent to process data for delivering their order does not extend to sending promotional emails, SMS campaigns, or WhatsApp marketing. You need separate, opt-in consent for marketing, and the customer must be able to withdraw it with the same ease with which they granted it.
How does DPDP affect personalised product recommendations?
Personalised recommendations based on user behaviour (browsing history, purchase patterns, click data) constitute processing of personal data for a specific purpose. You need consent for this purpose under Section 6. For users under 18, Section 9(2) prohibits behavioural monitoring entirely, which means personalised recommendations driven by tracking individual behaviour are not permitted for minors, regardless of consent.
What penalties do e-commerce businesses face for DPDP non-compliance?
The DPDP Act 2023 specifies per-violation maximum penalties: up to 250 crore for security failures leading to a data breach, up to 200 crore for failure to notify the Data Protection Board and affected individuals of a breach, up to 200 crore for children's data violations, and up to 50 crore for failures related to consent, notice, data retention, or accuracy obligations. These are ceilings; the Data Protection Board has discretion to set actual penalty amounts.
Start Your E-Commerce Compliance Journey
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Running an e-commerce business means processing personal data at a scale and velocity that few other industries match. Every order, every customer interaction, every marketing campaign, and every logistics handoff involves data the DPDP Act now governs. Starting your compliance journey with a clear understanding of what data you hold and where it flows is the single most valuable step you can take today. ComplyZero helps Indian e-commerce businesses automate consent management, generate privacy notices in 22 Indian languages, and manage data subject requests, all designed for the speed at which online sellers operate.