E-Commerce

DPDP Compliance for E-Commerce Companies

Purchase histories, delivery addresses, and payment details across millions of transactions create a massive consent management challenge. Data principals can withdraw consent as easily as they gave it.

High Risk: High-volume consent management

  • 350M+: Online shoppers in India (2025)
  • $83B: India e-commerce market size (2025)
  • 250 Cr: Maximum DPDP penalty per incident

Obligations

Your DPDP Obligations as an E-Commerce Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to e-commerce operations.

High-Volume Consent Management

Section 6 requires consent for each processing purpose. With millions of customers, consent collection, storage, and withdrawal must be automated and auditable at scale.

Easy Consent Withdrawal

Section 6(6) mandates that withdrawing consent must be as easy as giving it. A one-click unsubscribe is not enough if the original consent covered multiple purposes.

Purpose Limitation

Section 5 restricts processing to stated purposes. Data collected for order fulfilment cannot be repurposed for marketing, recommendations, or third-party sharing without separate consent.

Data Retention Controls

Personal data must be deleted when the purpose is fulfilled. Order data retained beyond delivery completion requires a documented legal basis (warranty, tax compliance, dispute resolution).

Breach Notification

Section 8 mandates notification to the Board and affected customers. E-commerce platforms with millions of accounts face large-scale notification obligations in breach scenarios.

Third-Party Data Sharing

Logistics partners, payment gateways, and marketing platforms all receive personal data. Each third party is a data processor with its own DPDP obligations that you must govern.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Map data sharing chains

Identify all third parties receiving customer personal data across payments, logistics, and marketing.

Q3 2026

Consent management at scale

Deploy automated consent collection and withdrawal for millions of customer records.

Nov 2026

Consent Manager registration

Deadline to register with the Data Protection Board as a Consent Manager.

Q1 2027

Retention policy enforcement

Implement automated data retention and deletion workflows aligned with business justifications.

May 2027

Full DPDP enforcement

The Act is fully enforceable. High-volume platforms face proportionally higher risk exposure.

Penalty Exposure for E-Commerce Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

  • Large-scale data breach: Up to ₹250 Cr
  • Failure to honour consent withdrawal: Up to ₹200 Cr
  • Processing beyond stated purpose: Up to ₹50 Cr

Recommended Plan

Scale for E-Commerce

Scale tier handles up to 2M data principals with the automated consent and retention management e-commerce platforms require.

Implementation: ₹1,50,000 one-time

₹14,999/month
  • Up to 2M data principals
  • Multi-tenant consent management
  • Advanced audit and compliance reporting
  • Dedicated account manager
  • DPA management

Understand your e-commerce compliance position.

The free DPDP Gap Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.