DPDPA Compliance for E-Commerce

Author: Advocate (Dr.) Prashant Mali Published: February 01, 2026

DPDPA Compliance for E-Commerce: Customer Data Protection Guide

The e-commerce industry in India handles billions of customer transactions annually, generating massive quantities of personal data. With platforms like Flipkart, Amazon, and numerous D2C (Direct-to-Consumer) brands serving millions of customers, the Digital Personal Data Protection Act (DPDPA) 2023 introduces critical compliance requirements for checkout flows, data retention, marketing consent, and cookie management.

Key Compliance Requirement: DPDPA Section 6(7) requires customer data be kept only as long as necessary for the stated purpose. The e-commerce industry's traditional 3-year data retention rule now aligns with DPDPA's purpose-limitation principle, but requires explicit consent for retention beyond that period.

Understanding E-Commerce Data Collection Under DPDPA

E-commerce platforms collect diverse personal data throughout customer journeys: account registration data (email, phone, address), order history, payment information, browsing behavior, device identifiers, and behavioral tracking through cookies and pixels.

Checkout Consent Flows and Privacy

The checkout process is where compliance challenges intensify. Traditional e-commerce platforms collect and process data at every checkout step without explicit, granular consent.

Compliant Checkout Process

Example: Flipkart/Amazon-style operations must implement:

  • Clear Consent at Each Step: Separate consent for data collection at account creation, address entry, and payment processing
  • Purpose Specificity: Clearly state data will be used for order processing, delivery, and fraud prevention
  • No Pre-Checked Boxes: Marketing consent must never be pre-selected
  • Withdrawal Mechanism: Post-purchase, customers can withdraw consent for future marketing
  • Transparent Privacy Policy Link: Accessible from checkout page, not buried in footer
  • Data Processing Notice: Inform customers about third parties (payment gateways, logistics partners) who access their data

Compliance Risk: Many e-commerce platforms pre-check marketing consent boxes with small text saying "Uncheck to opt-out." Under DPDPA, this constitutes a deceptive practice. Consent must be affirmative, not assumed through silence or pre-selection.

The 3-Year Data Retention Rule Under DPDPA

DPDPA Section 6(7) requires data be kept "for as long as necessary for the purpose stated." For e-commerce, this translates to practical retention limits:

| Data Type | Maximum Retention | DPDPA Rationale |
|---|---|---|
| Transaction Records | 3 years | GST/Tax compliance requirement |
| Customer Address/Contact | 3 years post-purchase | Delivery, returns, dispute resolution |
| Payment Information (Card Details) | Per PCI-DSS (tokenized), not stored | Payment processor responsibility |
| Browsing/Behavioral Data | 6-12 months | No legitimate long-term business purpose |
| Marketing Consent Records | Duration of consent + 1 year | Proof of consent, then deletion |
| Complaint/Return Records | 3 years | Dispute resolution, refund processing |

Practical Retention Implementation

E-commerce platforms must create automated deletion processes. For example, a D2C fashion brand should set system-triggered deletions: automatically delete browsing data after 12 months, archive transaction records after 3 years (converting them to a non-personal format), delete marketing email lists when consent is withdrawn, and anonymize customer reviews by removing identifying information after 3 years.
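The retention table and the D2C example above, expressed as a scheduled sweep. This is an added example, not code from the article or from any platform it names; the record categories, field names, the set of identifying fields and the sample records in `demo()` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Period and end-of-life action per category, from the table and the D2C example
# in the text. Category and field names are assumptions of this example.
POLICY = {
    "transaction":    (timedelta(days=3 * 365), "archive"),    # keep tax data, drop identity
    "contact":        (timedelta(days=3 * 365), "delete"),     # counted from last purchase
    "browsing":       (timedelta(days=365),     "delete"),     # 12 months
    "review":         (timedelta(days=3 * 365), "anonymise"),  # keep text, drop reviewer
    "marketing_list": (None,                    "delete"),     # bound to consent, not time
}
IDENTIFYING = {"name", "email", "phone", "address", "customer_id", "ip"}
@dataclass
class Record:
    category: str
    anchor: datetime                 # purchase, last activity or consent time
    consent_withdrawn: bool = False  # used only for marketing_list
    data: dict = field(default_factory=dict)

def retention_action(rec, now):
    # Action due for rec at now, or None while it is still retained.
    period, action = POLICY[rec.category]
    if period is None:                       # consent-bound data
        return action if rec.consent_withdrawn else None
    return action if now - rec.anchor >= period else None

def strip_identifiers(data):
    # Archive/anonymise: keep only non-personal fields (amounts, dates, text).
    return {k: v for k, v in data.items() if k not in IDENTIFYING}

def sweep(records, now):
    """System-triggered sweep. Returns (retained, archived, actions_taken)."""
    retained, archived, taken = [], [], []
    for rec in records:
        action = retention_action(rec, now)
        if action is None:
            retained.append(rec)
            continue
        if action != "delete":               # archive or anonymise
            archived.append(strip_identifiers(rec.data))
        taken.append((rec.category, action))
    return retained, archived, taken

def demo():
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)  # constructed run date
    sample = [
        Record("browsing", now - timedelta(days=400), data={"ip": "203.0.113.5", "pages": 12}),
        Record("transaction", now - timedelta(days=1200), data={"customer_id": 42, "amount": 1999}),
        Record("marketing_list", now - timedelta(days=10), True, {"email": "a@example.com"}),
    ]
    return sweep(sample, now)
```

The archived transaction keeps only the non-identifying fields, which is what "converting to non-personal format" means in practice; a record whose category is missing from POLICY raises, so every new data class must be classified before it is stored.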

Cookie Compliance and Behavioral Advertising Restrictions

E-commerce platforms heavily rely on cookies and tracking pixels. DPDPA aligns with existing cookie guidelines but strengthens requirements:

Case Law Reference: The Advertising Standards Council of India (ASCI) Guidelines on Cookie Strategy (2022) establishes that behavioral tracking without explicit consent violates consumer rights. DPDPA Section 5(3) enforces this principle by requiring affirmative consent before setting tracking cookies.

Compliant Cookie Implementation

Required Elements:

  • Cookie Banner: Displayed on first visit, not hidden or dismissible by clicking elsewhere
  • Granular Choices: Separate toggles for essential, functional, analytics, and marketing cookies
  • Essential Cookies Only Default: Only necessary cookies enabled without consent
  • Clear Description: Explain what each cookie category does in plain language
  • Easy Withdrawal: Users can change preferences anytime from website settings
  • Consent Records: Track what user consented to and when

Common Violations: "Dark patterns" in cookie consent include a small "Reject" button next to a large "Accept" button, hiding cookie settings, using confusing language, or bundling all tracking under "necessary" cookies. DPDPA enforcement includes penalties for these deceptive practices.

Behavioral Advertising Restrictions

DPDPA Section 3(f) and Section 5(3) impose restrictions on behavioral advertising:

  • Prohibited: Creating detailed psychological/behavioral profiles without consent
  • Prohibited: Automated decision-making to deny services based on behavioral data (e.g., denying credit to specific neighborhoods)
  • Allowed: Basic audience segmentation (e.g., women interested in electronics)
  • Required: Transparency about how behavioral data influences ad targeting
  • Required: Mechanism for users to opt-out of behavioral targeting

Payment Data Handling and PCI-DSS Compliance

E-commerce platforms must separate payment data handling from DPDPA obligations:

  • Minimal Storage: Do not store full card numbers, CVV, or PIN
  • Tokenization: Use payment gateways (Razorpay, PayU) that tokenize payments
  • PCI-DSS Compliance: Ensure payment processors are PCI-DSS Level 1 certified
  • Data Processing Agreement: Establish written DPA with payment processor confirming data handling practices
  • No Secondary Use: Payment data cannot be used for profiling or behavioral advertising

Marketing Consent and Email List Management

Email marketing compliance requires explicit, documented consent:

Compliant Email Marketing Process

At Signup: Customers explicitly opt-in to marketing emails with clear language about email frequency and types of content.

Consent Records: Maintain proof of consent—IP address, timestamp, exact wording the customer consented to—for a minimum of 3 years.

Easy Unsubscribe: Every email includes a clear unsubscribe link. Unsubscribe is immediate—no follow-up confirmation emails.

List Hygiene: Remove invalid emails after 3 bounce attempts. Inactive subscribers (no engagement for 12 months) must be re-consented or deleted.

Withdrawal Documentation: When a customer unsubscribes, document the date and timestamp. Do not contact the customer again for marketing purposes without new consent.
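The opt-in, withdrawal and list-hygiene rules above, together with the consent-record requirement from the cookie section, as a small append-only consent ledger. This is an added example, not code from the article; the `Subscriber` and `ConsentEvent` shapes, the consent wording, the addresses and the dates in `demo()` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class ConsentEvent:
    kind: str          # "granted" or "withdrawn"
    at: datetime       # timestamp of the opt-in click or the unsubscribe
    ip: str            # source address kept as part of the proof
    wording: str = ""  # exact text the customer agreed to (empty for withdrawal)

@dataclass
class Subscriber:
    email: str
    events: list = field(default_factory=list)  # append-only consent history
    bounces: int = 0
    last_engaged: datetime = None               # last open or click

def grant(sub, at, ip, wording):
    """Affirmative opt-in: store the exact wording shown, not just a flag."""
    sub.events.append(ConsentEvent("granted", at, ip, wording))
    sub.last_engaged = at

def withdraw(sub, at, ip):
    """Unsubscribe takes effect immediately; no confirmation step."""
    sub.events.append(ConsentEvent("withdrawn", at, ip))

def may_send_marketing(sub, now, inactivity=timedelta(days=365), max_bounces=3):
    """True only if the latest event is a grant and list hygiene has not tripped."""
    if not sub.events or sub.events[-1].kind != "granted":
        return False                       # never consented, or withdrawn
    if sub.bounces >= max_bounces:
        return False                       # invalid address: remove from list
    if sub.last_engaged is None or now - sub.last_engaged > inactivity:
        return False                       # 12 months idle: re-consent or delete
    return True

def demo():
    now = datetime(2026, 2, 1)                        # constructed date
    s = Subscriber("customer@example.com")
    grant(s, now - timedelta(days=30), "198.51.100.7", "Yes, email me weekly offers")
    a = may_send_marketing(s, now)                    # True: consented, active
    withdraw(s, now - timedelta(days=1), "198.51.100.7")
    b = may_send_marketing(s, now)                    # False: withdrawn
    grant(s, now, "198.51.100.7", "Yes, email me weekly offers")
    c = may_send_marketing(s, now)                    # True: fresh consent
    s.bounces = 3
    d = may_send_marketing(s, now)                    # False: 3 bounces
    s.bounces, s.last_engaged = 0, now - timedelta(days=400)
    e = may_send_marketing(s, now)                    # False: 12 months idle
    return a, b, c, d, e
```

Because events are appended rather than overwritten, the ledger itself is the withdrawal documentation and the proof of consent that the 3-year retention requirement refers to.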

Data Processing Agreements with Third Parties

E-commerce platforms use multiple third parties: payment gateways, logistics partners, analytics platforms, email service providers, and CRM systems. DPDPA requires written Data Processing Agreements (DPA) with all third parties.

DPA Requirements: Must specify what personal data third party will process, for what purposes, which country data will be stored in, duration of processing, and security measures employed. DPDPA Section 5(9) prohibits data transfer outside India without explicit consent.

Third-Party Audit Framework

Example: Amazon/Flipkart-style supply chains must ensure:

  • Logistics Partners: Can access only address and phone number necessary for delivery
  • Analytics Providers: Cannot receive raw customer data—only aggregated, anonymized metrics
  • Email Service Providers: Process emails on behalf of platform, cannot access customer data for secondary purposes
  • Marketplace Sellers: Cannot access customer email addresses or phone numbers—communication only through platform
  • Data Processing Agreement: Define each third party's role and data access limitations

Customer Rights and Access Requests

DPDPA grants customers several rights e-commerce platforms must facilitate:

  • Right to Access: Customer can request all data the platform has collected about them within 30 days
  • Right to Correction: Customer can request correction of inaccurate data
  • Right to Deletion: After 3-year retention period, customer can request complete deletion
  • Right to Data Portability: Customer can request data in machine-readable format (CSV/JSON) within 30 days
  • Right to Opt-Out: Customer can opt-out of profiling, behavioral advertising, and marketing

Platforms must provide easy mechanisms for these requests—not requiring an email to an obscure address or manual form-filling. An in-app or website portal for data access requests is recommended.

Breach Notification and Incident Response

When an e-commerce platform experiences a data breach (unauthorized access, loss, or theft of customer data), DPDPA Section 8(3) requires:

  1. Identify Affected Customers: Determine scope of breach—which data, how many customers
  2. Notify Within 72 Hours: Send breach notice to affected customers with clear information
  3. Breach Notice Content: What data was compromised, when, mitigation steps taken, contact information
  4. Regulatory Notification: Notify Data Protection Board if breach affects significant customer base
  5. Documentation: Maintain detailed breach records for compliance audit

Key Takeaways for E-Commerce Compliance

DPDPA Compliance Checklist for E-Commerce:
  • ✓ Implement granular, affirmative consent at checkout
  • ✓ Establish 3-year maximum retention for customer data
  • ✓ Implement compliant cookie consent (not dark patterns)
  • ✓ Provide easy opt-out from behavioral advertising
  • ✓ Establish Data Processing Agreements with all third parties
  • ✓ Create customer data access request mechanisms
  • ✓ Implement data deletion processes after retention period
  • ✓ Establish breach notification procedures
  • ✓ Train staff on DPDPA compliance requirements
  • ✓ Conduct annual privacy audit

Conclusion

DPDPA compliance transforms how e-commerce platforms collect, retain, and use customer data. By implementing clear consent mechanisms, transparent retention policies, and customer-friendly data access tools, e-commerce platforms can achieve compliance while building greater customer trust and loyalty.
