DPDP Compliance for E-Commerce: Cookie Consent, Marketing Data, and Cross-Border Transfers

How the DPDP Act 2023 affects e-commerce operations in India, from cookie consent and marketing communications to cross-border data transfers and customer rights.

E-Commerce Collects More Personal Data Than Almost Any Other Sector

Every transaction on an e-commerce platform generates a data trail. A single purchase involves the collection of names, shipping addresses, billing addresses, email addresses, phone numbers, payment instrument details, and order history. That is the minimum. The actual volume is significantly higher.

Beyond transactional data, e-commerce platforms routinely collect browsing behaviour (pages viewed, time spent, scroll depth), search queries, device identifiers, IP addresses, location data, wishlist contents, cart abandonment patterns, and communication preferences. Marketing systems layer on demographic inferences, purchase propensity scores, and segment classifications. Loyalty programmes add another tier of behavioural tracking.

Under the DPDP Act 2023, each of these data points is personal data whenever it identifies an individual or can be linked to one. Every act of collecting, storing, using or sharing it is processing. Every customer interaction on your platform is therefore a processing activity governed by the Act, with penalties reaching Rs 250 crore per violation.

The operational reality for e-commerce businesses is straightforward: if your platform handles Indian customer data (and it does), the DPDP Act applies to every part of your technology stack, every third-party integration, and every marketing workflow.

The DPDP Act does not contain a standalone “cookie law” in the way the EU’s ePrivacy Directive does. There is no section dedicated specifically to browser cookies or tracking technologies. However, the Act’s consent requirements apply to any processing of personal data, and cookies that collect or facilitate the collection of personal data fall squarely within that scope.

Any cookie or tracking mechanism that processes personal data requires a lawful basis under the DPDP Act. This includes:

  • Analytics cookies that track individual user behaviour and can be linked to identifiable users (via login, email capture, or device fingerprinting)
  • Retargeting pixels from platforms like Meta, Google Ads, and programmatic ad networks that build user profiles across sites
  • Session tracking that associates browsing behaviour with a customer account
  • Personalisation engines that use individual purchase history or browsing patterns to generate recommendations

Strictly necessary cookies (session management, shopping cart persistence, authentication state) support the service the user has asked for, and may fall under the Act’s “legitimate uses” provision in Section 7, which covers processing for the specified purpose for which the Data Principal voluntarily provided the data. That provision does not stretch to analytics, advertising or behavioural tracking, none of which the shopper asked for.

| Aspect | EU (GDPR + ePrivacy) | India (DPDP Act 2023) |
| --- | --- | --- |
| Cookie-specific legislation | Yes (ePrivacy Directive) | No dedicated cookie law |
| Consent trigger | Storing/accessing data on device | Processing personal data |
| Pre-consent blocking | Required (no cookies before consent) | Not explicitly mandated, but consent must precede processing |
| Cookie categories | Granular (necessary, functional, analytics, marketing) | Not prescribed, but purpose-specific consent required |
| Enforcement body | National DPAs | Data Protection Board of India |

Practical Implementation

For Shopify, WooCommerce, and custom-built platforms, the implementation path is:

  1. Audit every tracking script loaded on your site. Document what data each collects and whether it constitutes personal data.
  2. Implement a consent mechanism that captures affirmative, specific consent before non-essential tracking activates. Pre-ticked boxes and implied consent through continued browsing do not meet the DPDP standard.
  3. Block tracking scripts until consent is obtained. Loading a Meta Pixel before the user consents to marketing tracking creates a compliance exposure. Check this the way an auditor would: open the storefront in a fresh browser profile with the network panel open and confirm that no request to an analytics or advertising domain fires before a consent choice has been recorded.
  4. Maintain consent records with timestamps, the specific purposes consented to, and the version of the consent notice presented.
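
The four steps above as working browser code. This is an added example, not code from the page or from any platform’s consent tooling. It assumes a hypothetical markup convention in which every non-essential tag is emitted as `<script type="text/plain" data-consent="purpose" ...>` (browsers do not execute that type, so nothing fires before consent), a hypothetical notice version string, an assumed `localStorage` key, and illustrative purpose names. The record-building and tag-selection functions are pure so they can be tested outside a browser.

```javascript
// Added example (not from the page): purpose-scoped consent gate for a storefront.
// Hypothetical markup convention: every non-essential tag is emitted as
//   <script type="text/plain" data-consent="marketing" src="https://pixel.example/fbevents.js"></script>
// Browsers do not execute type="text/plain", so nothing fires until
// activateConsentedScripts() rewrites the tags whose purpose the shopper allowed.

const NOTICE_VERSION = '2024-03-v2';                              // assumed: bumped on every notice change
const PURPOSES = ['analytics', 'marketing', 'personalisation'];   // assumed non-essential categories
const STORAGE_KEY = 'dpdp-consent';                               // assumed localStorage key

// Build an auditable record. Only an explicit `true` counts: a missing key, a
// pre-ticked default or a truthy string is not an affirmative choice.
function createConsentRecord(choices, now = Date.now()) {
  const granted = PURPOSES.filter((p) => choices[p] === true);
  return { noticeVersion: NOTICE_VERSION, recordedAt: new Date(now).toISOString(), purposes: granted };
}

// A record is only valid for the notice it was given against; after a notice
// change the shopper must be asked again and the old record is ignored.
function isValidRecord(record) {
  return Boolean(record) && record.noticeVersion === NOTICE_VERSION && Array.isArray(record.purposes);
}

function isAllowed(record, purpose) {
  return isValidRecord(record) && record.purposes.includes(purpose);
}

// Withdrawing one purpose produces a fresh record; keep the old one in your consent log.
function withdrawPurpose(record, purpose, now = Date.now()) {
  const remaining = isValidRecord(record) ? record.purposes.filter((p) => p !== purpose) : [];
  return createConsentRecord(Object.fromEntries(remaining.map((p) => [p, true])), now);
}

// Pure decision: which placeholders may run. `tags` is [{ purpose, src, ... }].
function selectTagsToActivate(tags, record) {
  return tags.filter((t) => isAllowed(record, t.purpose));
}

// Browser glue: replace each consented placeholder with a live <script>.
// Returns the activated sources; a harmless no-op outside a browser.
function activateConsentedScripts(record, doc = globalThis.document) {
  if (!doc || typeof doc.querySelectorAll !== 'function') return [];
  const placeholders = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const chosen = selectTagsToActivate(
    placeholders.map((el) => ({ purpose: el.dataset.consent, src: el.src, el })),
    record,
  );
  for (const { el } of chosen) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.text = el.text;   // external or inline tag
    doc.head.appendChild(live);
    el.remove();                                               // cannot be activated twice
  }
  return chosen.map((t) => t.src);
}

// Persist the choice so it is honoured on later visits without re-prompting.
function saveRecord(record, store = globalThis.localStorage) {
  if (store) store.setItem(STORAGE_KEY, JSON.stringify(record));
}
function loadRecord(store = globalThis.localStorage) {
  if (!store) return null;
  try { return JSON.parse(store.getItem(STORAGE_KEY)); } catch { return null; }
}

// Typical page boot: load the stored record, re-prompt if it is stale, then activate.
function bootConsent(store = globalThis.localStorage, doc = globalThis.document) {
  const record = loadRecord(store);
  if (!isValidRecord(record)) return { needsPrompt: true, activated: [] };
  return { needsPrompt: false, activated: activateConsentedScripts(record, doc) };
}
```

Two details carry the compliance weight. The record stores the notice version, so a changed notice invalidates earlier consent and forces a fresh prompt instead of silently reusing it. And `activateConsentedScripts` removes each placeholder it activates, so a second call after a preference change cannot fire a pixel twice.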

E-commerce platforms rely on direct marketing channels: email campaigns, SMS promotions, push notifications, and increasingly, WhatsApp Business messages. Each of these channels involves processing personal data for a specific purpose, and the DPDP Act requires valid consent for each.

Purpose Limitation Is Absolute

Consent given for one purpose does not extend to another. This is not a guideline; it is a statutory requirement.

A customer who enters an email address at checkout has provided it for the transaction. Order confirmations, shipping updates and other transaction-related communications fall within that purpose. Promotional newsletters, abandoned cart emails, product recommendation campaigns and re-engagement sequences do not; each of these requires separate, specific consent.

| Communication Type | Purpose | Separate Consent Required? |
| --- | --- | --- |
| Order confirmation | Transaction fulfilment | No (necessary for service) |
| Shipping updates | Transaction fulfilment | No (necessary for service) |
| Promotional newsletter | Marketing | Yes |
| Abandoned cart email | Marketing | Yes |
| Product recommendations | Marketing | Yes |
| SMS promotions | Marketing | Yes |
| WhatsApp Business offers | Marketing | Yes |
| Push notifications (deals) | Marketing | Yes |

Withdrawal Must Be Frictionless

The Act mandates that withdrawing consent must be as straightforward as giving it. If a customer subscribed to marketing emails with a single checkbox, unsubscribing must be achievable in a comparable number of steps. Forcing customers through multi-screen preference centres, requiring them to email support, or imposing “processing periods” of several days violates this requirement.

Every marketing message must include a clear, functional withdrawal mechanism. For email, this means an unsubscribe link. For SMS, a STOP keyword. For push notifications, a direct path to notification settings. For WhatsApp Business, a block or opt-out option.

When consent is withdrawn, processing for that purpose must stop, and you must make your Data Processors stop too. The Act allows only a reasonable time for this, which in practice means the withdrawal must reach every downstream system before the next send. Not after the current campaign finishes. Not after the batch send completes.

Cross-Border Data Transfers

E-commerce platforms in India rarely operate on purely domestic infrastructure. Payment processing runs through Stripe, Razorpay (with international settlement partners), or PayPal. Storefronts sit on Shopify (Canada/US), AWS (global), or Google Cloud. Marketing flows through Mailchimp, Klaviyo, or HubSpot, all US-headquartered. Analytics runs on Google Analytics. Customer support may route through Zendesk or Freshdesk with global data centres.

Every one of these integrations involves transferring Indian customer data outside India. The DPDP Act addresses this directly.

The Transfer Framework

The Act permits cross-border transfers of personal data to any country, except those specifically restricted by the Central Government through official notification. As of the date of this article, no such restricted country list has been published. However, the framework is designed so that the government can restrict transfers to specific jurisdictions at any time.

This creates a compliance obligation that is prospective, not just current. E-commerce businesses must:

  1. Maintain an inventory of all cross-border data flows, documenting which personal data categories are transferred, to which countries, through which processors, and for what purposes.
  2. Monitor government notifications for any additions to the restricted country list.
  3. Include transfer provisions in vendor contracts that address what happens if a destination country becomes restricted.
  4. Assess whether alternative domestic infrastructure exists for critical processing activities, as a contingency.

The practical risk for e-commerce businesses using global SaaS platforms is that a government notification could require rapid migration of specific data flows. Platforms that have documented their data flows and identified domestic alternatives will be in a significantly stronger compliance position than those that have not.

Customer Rights and E-Commerce Operations

The DPDP Act grants Data Principals (customers) specific rights that directly affect how e-commerce platforms operate. These are not optional features. They are legal obligations with enforcement timelines.

Right to Information

Customers have the right to know what personal data you hold about them and how it is being processed. For e-commerce, this encompasses:

  • Account profile data (name, email, phone, addresses)
  • Order history and transaction records
  • Browsing and search behaviour (if tracked)
  • Marketing segment classifications
  • Data shared with third-party processors
  • Consent records and their status

Your platform must be able to compile and deliver this information upon request.

Right to Correction

Customers can request correction of inaccurate or incomplete personal data. Shipping addresses, phone numbers, names, and other profile fields must be correctable through a clear mechanism, and corrections must propagate to any third parties with whom the data was shared.

Right to Erasure

This is where e-commerce operations face a genuine tension. Customers have the right to request erasure of their personal data. However, e-commerce platforms have legitimate and legal reasons to retain certain records: tax compliance (GST invoices must be retained for prescribed periods), consumer protection obligations, fraud prevention records, and financial audit trails.

The resolution is purpose-based retention. Data that a law requires you to keep may be retained for the period that law mandates, but it must be segregated: stored with the legal basis and retention end date recorded against each record, unreadable by marketing, analytics and support tooling, and deleted the moment the period runs out. Data that has no continuing legal basis for retention must be erased upon request.
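
One way to implement that split, as an added example rather than code from the page or from any platform. The retention policy, field names, periods and the sample customer record are hypothetical stand-ins (the real categories and periods come from the tax, consumer-protection and audit rules that apply to you), and the `subjectToken` parameter stands in for a random opaque identifier that production code would generate.

```javascript
// Added example (not from the page): serving an erasure request while keeping
// only what a named law requires, segregated and time-limited. The retention
// policy below is a hypothetical stand-in: the real categories and periods come
// from the tax, consumer-protection and audit rules that apply to you.

const DAY_MS = 24 * 60 * 60 * 1000;

const RETENTION_POLICY = {
  invoice: {
    basis: 'tax invoice retention (assumed period)',
    days: 365 * 6,
    anchorField: 'issuedAt',              // retention runs from the invoice date, not from the erasure
    fields: ['invoiceNo', 'amount', 'gstin', 'issuedAt'],
  },
  fraud: {
    basis: 'fraud investigation record (assumed period)',
    days: 365 * 2,
    anchorField: 'flaggedAt',
    fields: ['chargebackRef', 'flaggedAt'],
  },
};

// Reduce one record to the fields its legal basis covers, link it to the subject
// through an opaque token instead of the customer id, and stamp basis, expiry and
// the only purpose that may read it. Anything not listed in `fields` is dropped.
function holdRecord(category, record, subjectToken) {
  const policy = RETENTION_POLICY[category];
  if (!policy) throw new Error(`no retention basis for category ${category}`);
  const anchor = Date.parse(record[policy.anchorField]);
  if (Number.isNaN(anchor)) throw new Error(`${category} record lacks ${policy.anchorField}`);
  const data = {};
  for (const f of policy.fields) if (f in record) data[f] = record[f];
  return {
    subject: subjectToken,
    category,
    basis: policy.basis,
    retainUntil: new Date(anchor + policy.days * DAY_MS).toISOString(),
    restrictedTo: 'legal-compliance',
    data,
  };
}

// Handle an erasure request: everything outside a legal hold is dropped, and so
// are holds whose period has already run out. `subjectToken` would be a random
// opaque id in production (assumed); it is a parameter here for determinism.
function processErasure(customer, now = Date.now(), subjectToken = `subject-${customer.id}`) {
  const holds = [];
  for (const order of customer.orders || []) holds.push(holdRecord('invoice', order, subjectToken));
  for (const c of customer.fraudCases || []) holds.push(holdRecord('fraud', c, subjectToken));
  const live = expireHolds(holds, now);
  return {
    customerId: customer.id,
    erasedAt: new Date(now).toISOString(),
    profile: null,                        // name, contact, addresses, segments, browsing: all gone
    retained: live,
    expiredAtRequest: holds.length - live.length,
  };
}

// Scheduled sweep: a hold is deleted as soon as its period ends.
function expireHolds(holds, now = Date.now()) {
  return holds.filter((h) => Date.parse(h.retainUntil) > now);
}

// The only read path for held data. Any caller other than the compliance
// workflow (marketing, analytics, support) is refused.
function readHold(hold, purpose) {
  if (purpose !== hold.restrictedTo) throw new Error(`hold is restricted to ${hold.restrictedTo}, not ${purpose}`);
  return hold.data;
}
```

Note that the held invoice fields are still personal data; what changes is that they now carry a named basis, an expiry and a single permitted reader, so a marketing job that reaches for them fails loudly instead of quietly reusing erased customers.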

Right to Grievance Redressal

Every Data Fiduciary must provide a grievance redressal mechanism. For e-commerce platforms, this means a designated contact or channel through which customers can raise data protection concerns. Responses must be provided within the period prescribed under the Act (the period is set by rules made under it rather than in the Act’s text). Routing data protection queries through a general customer support queue without designated handling procedures does not satisfy this requirement.

Third-Party Data Processors

An e-commerce platform is a Data Fiduciary. The payment gateway, logistics partner, email marketing platform, analytics provider, and every other service that processes customer data on your behalf is a Data Processor. The DPDP Act places specific obligations on this relationship.

Contractual Requirements

Data Processors must only process personal data in accordance with the Data Fiduciary’s instructions and for the purposes specified. This means your contracts with every third-party service that handles customer data must include:

  • The specific purposes for which data may be processed
  • Data security obligations
  • Restrictions on further sharing or sub-processing
  • Breach notification requirements
  • Data deletion or return provisions upon contract termination

Breach Liability

When a Data Processor experiences a data breach affecting your customers’ personal data, the obligation to notify the Data Protection Board and affected Data Principals falls on you as the Data Fiduciary. You cannot delegate this obligation away through contract terms.

This means your vendor management process must include:

  • Breach notification clauses that require processors to inform you without unreasonable delay
  • Incident response coordination procedures that define who does what and when
  • Regular security assessments of processor practices (particularly for payment gateways and logistics partners handling addresses and phone numbers)

| Processor Category | Common Examples | Data Types Handled |
| --- | --- | --- |
| Payment gateways | Razorpay, Stripe, PayU | Card details, UPI IDs, transaction data |
| Logistics partners | Delhivery, Blue Dart, Shiprocket | Names, addresses, phone numbers |
| Email/SMS marketing | Mailchimp, Klaviyo, MSG91 | Email, phone, purchase history |
| Analytics | Google Analytics, Mixpanel | Browsing behaviour, device data |
| Customer support | Zendesk, Freshdesk | All customer interaction data |
| Cloud infrastructure | AWS, GCP, Azure | All stored data |

Building DPDP Compliance into Your E-Commerce Platform

Compliance is not a single implementation. It is an operational discipline that must be embedded into your platform architecture, vendor relationships, and team processes.

Data Inventory: Map Every Flow

Before implementing any compliance controls, you must know what data you collect, where it goes, and why. The following table provides a starting framework for e-commerce platforms:

| Data Flow | Data Categories | Purpose | Storage Location | Cross-Border? | Consent Required? |
| --- | --- | --- | --- | --- | --- |
| Account registration | Name, email, phone | Account creation | Primary database | Depends on hosting | Yes |
| Checkout | Billing/shipping address, payment data | Order fulfilment | Database + payment gateway | Likely (payment processor) | Transactional (no separate consent) |
| Marketing signup | Email, preferences | Promotional communications | Email platform | Likely (Mailchimp, Klaviyo) | Yes (specific to marketing) |
| Analytics tracking | Browsing behaviour, device data | Site optimisation | Analytics platform | Yes (Google Analytics) | Yes |
| Retargeting | Browsing behaviour, purchase signals | Advertising | Ad platforms | Yes (Meta, Google) | Yes |
| Customer support | All interaction data | Issue resolution | Support platform | Depends on platform | Transactional |
| Loyalty programme | Purchase history, points, preferences | Rewards programme | Database/platform | Depends | Yes (specific to programme) |

Your platform needs a consent management layer that:

  • Captures granular, purpose-specific consent at the point of data collection
  • Maintains auditable records of all consent actions (grants, modifications, withdrawals)
  • Propagates consent status to downstream systems (marketing platforms, analytics, ad networks)
  • Supports consent withdrawal with the same ease as consent granting
  • Presents consent notices in clear, plain language

This is not a one-time project. It is infrastructure that must be maintained as your data processing activities evolve.
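
One shape for that layer, which also covers the withdrawal requirements from the marketing section above: a withdrawal is a single call, takes effect at the next send, and fans out to every downstream system that processes the purpose. This is an added example, not code from the page or from any vendor; the ledger structure, purpose names and the “sink” objects standing in for an email platform, SMS gateway or ad network are all hypothetical.

```javascript
// Added example (not from the page): an append-only consent ledger for marketing
// channels, a pre-send gate, and fan-out of withdrawals to downstream systems.
// Everything here is hypothetical: ledger shape, purpose names, and the "sinks"
// that stand in for an email platform, an SMS gateway or an ad network.

class ConsentLedger {
  constructor(clock = () => Date.now()) {
    this.events = [];   // the audit trail: grants and withdrawals, never edited in place
    this.clock = clock;
    this.sinks = [];    // downstream systems that must mirror withdrawal state
  }

  // A sink is { name, purposes: [...], suppress(customerId, purpose) }.
  addSink(sink) { this.sinks.push(sink); }

  append(type, customerId, purpose, extra) {
    const event = Object.freeze({
      seq: this.events.length + 1, type, customerId, purpose,
      at: new Date(this.clock()).toISOString(), ...extra,
    });
    this.events.push(event);
    return event;
  }

  // A grant must cite the notice version shown and the affirmative action taken.
  grant(customerId, purpose, { noticeVersion, source } = {}) {
    if (!noticeVersion || !source) throw new Error('a grant needs noticeVersion and source');
    return this.append('grant', customerId, purpose, { noticeVersion, source });
  }

  // Withdrawal is a single call: no confirmation round-trip, no "processing period".
  // It is recorded and immediately pushed to every sink that processes that purpose.
  withdraw(customerId, purpose, { source } = {}) {
    const event = this.append('withdraw', customerId, purpose, { source: source || 'unspecified' });
    const notified = [];
    for (const sink of this.sinks) {
      if (sink.purposes.includes(purpose)) {
        sink.suppress(customerId, purpose);
        notified.push(sink.name);
      }
    }
    return { event, notified };
  }

  // Current state is derived from the last event for (customer, purpose); it is
  // never stored separately, so it cannot drift from the audit trail. No event
  // means no consent: there is no default opt-in.
  hasConsent(customerId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.customerId === customerId && e.purpose === purpose) return e.type === 'grant';
    }
    return false;
  }

  history(customerId) { return this.events.filter((e) => e.customerId === customerId); }
}

// Gate every dispatch at send time, per purpose, against the ledger. Building the
// audience early and sending later is how withdrawn customers get mailed anyway.
function filterRecipients(ledger, recipients, purpose) {
  const sent = [];
  const suppressed = [];
  for (const id of recipients) (ledger.hasConsent(id, purpose) ? sent : suppressed).push(id);
  return { sent, suppressed };
}

// Hypothetical downstream system keeping its own suppression list.
function makeSink(name, purposes) {
  const suppressed = new Set();
  return {
    name,
    purposes,
    suppress: (customerId) => { suppressed.add(customerId); },
    isSuppressed: (customerId) => suppressed.has(customerId),
  };
}
```

The ledger answers the audit question (“what did this customer agree to, when, against which notice, and when did they withdraw?”) directly from its event log, and `filterRecipients` is the only place a marketing job should obtain its audience, so a withdrawal recorded a second before the send is honoured.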

Deploy a consent mechanism that blocks non-essential cookies and tracking scripts until the user provides affirmative consent. The implementation must:

  • Load before any tracking scripts execute
  • Present clear categories of tracking with their purposes
  • Record the user’s consent choices with timestamps
  • Respect those choices on subsequent visits
  • Provide a persistent mechanism to modify preferences

Privacy Notice Requirements

Your privacy notice must be specific to your actual data processing activities, not a generic template. It must disclose the categories of data collected, the purposes for each, the third parties with whom data is shared, cross-border transfers, retention periods, and the mechanisms for exercising Data Principal rights. Review and update it whenever your data processing activities change.

Vendor Assessment Checklist

Before onboarding any new third-party service that will process customer data:

  • Does the vendor’s data processing agreement meet DPDP requirements?
  • Where is data stored and processed (which countries)?
  • What security measures does the vendor implement?
  • What are the vendor’s breach notification procedures and timelines?
  • Can data be deleted or returned upon contract termination?
  • Does the vendor use sub-processors, and if so, under what controls?

Take the First Step

The DPDP Act is not a future concern for e-commerce businesses. It is a current operational requirement. The volume and sensitivity of data that e-commerce platforms process makes this sector one of the most exposed to enforcement action.

Understanding your current compliance position is the starting point. Run your free DPDP Gap Assessment to identify where your e-commerce operations stand today, what gaps exist, and what needs to change. The assessment takes under five minutes and produces a detailed compliance report.

For a comprehensive view of DPDP obligations specific to your sector, visit the E-Commerce Industry Guide. For questions about building compliance into your platform, use the penalty calculator to understand your exposure, then contact our team to discuss implementation.