Skip to main content

E-Commerce

DPDP Compliance for E-Commerce Companies

Purchase histories, delivery addresses, and payment details across millions of transactions create a massive consent management challenge. Data principals can withdraw consent as easily as they gave it.

High Risk: High-volume consent management

350M+

Online shoppers in India (2025)

$83B

India e-commerce market size (2025)

250 Cr

Maximum DPDP penalty per incident

Obligations

Your DPDP Obligations as a E-Commerce Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to e-commerce operations.

High-Volume Consent Management

Section 6 requires consent for each processing purpose. With millions of customers, consent collection, storage, and withdrawal must be automated and auditable at scale.

Easy Consent Withdrawal

Section 6(4) mandates that withdrawing consent must be as easy as giving it. A one-click unsubscribe is not enough if the original consent covered multiple purposes.

Purpose Limitation

Section 5 restricts processing to stated purposes. Data collected for order fulfilment cannot be repurposed for marketing, recommendations, or third-party sharing without separate consent.

Data Retention Controls

Personal data must be deleted when the purpose is fulfilled. Order data retained beyond delivery completion requires a documented legal basis (warranty, tax compliance, dispute resolution).

Breach Notification

Section 8 mandates notification to the Board and affected customers. E-commerce platforms with millions of accounts face large-scale notification obligations in breach scenarios.

Third-Party Data Sharing

Logistics partners, payment gateways, and marketing platforms all receive personal data. Each third party is a data processor with its own DPDP obligations that you must govern.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Map data sharing chains

Identify all third parties receiving customer personal data across payments, logistics, and marketing.

Q3 2026

Consent management at scale

Deploy automated consent collection and withdrawal for millions of customer records.

Nov 2026

Consent Manager registration

Deadline to register with the Data Protection Board as a Consent Manager.

Q1 2027

Retention policy enforcement

Implement automated data retention and deletion workflows aligned with business justifications.

May 2027

Full DPDP enforcement

The Act is fully enforceable. High-volume platforms face proportionally higher risk exposure.

Penalty Exposure for E-Commerce Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Customer data breach (failure to implement safeguards) Up to ₹250 Cr
Failure to notify breach to Board and affected customers Up to ₹200 Cr
Failure to honour consent withdrawal or stated purpose Up to ₹50 Cr
Calculate your specific exposure

Recommended Plan

Scale for E-Commerce

Scale tier handles up to 2M data principals with the automated consent and retention management e-commerce platforms require.

Implementation

₹2,50,000 one-time

₹24,999 /month
  • Up to 2M data principals
  • Multi-tenant consent management
  • Advanced audit and compliance reporting
  • Dedicated account manager
  • DPA management

FAQ

E-Commerce compliance, answered.

Can we keep customer data after an order is delivered?

Only with documented legal basis. Order fulfilment data can be retained for warranty periods, tax compliance, or dispute resolution. Marketing-purpose retention requires separate ongoing consent.

Do logistics partners need separate DPDP compliance?

Yes. Each third party processing personal data on your behalf is a data processor under the DPDP Act. You must ensure they maintain appropriate safeguards and process data only for the stated purpose.

How does consent withdrawal work at scale?

Section 6(4) requires withdrawal to be as easy as consent, and Section 6(6) requires processing to stop once consent is withdrawn. For e-commerce, this means per-purpose withdrawal options (not just a blanket unsubscribe) with automated enforcement across all downstream systems.

Running trackers on your storefront? See what a DPDP-compliant cookie consent banner must do before a non-essential cookie fires.

Understand your e-commerce compliance position.

The free Compliance Vault Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.