DPDP Act24 May 2026 7 min read

DPDP Act for E-Commerce: Customer Data and Consent

DPDP Act obligations for Indian e-commerce companies — consent for marketing and personalisation, customer data rights, delivery partner data sharing, and international seller obligations.

Key Takeaways

E-commerce companies process large volumes of customer data across purchase history, browsing, location, and payment — each requiring specific consent.
Personalisation and targeted advertising require separate, unbundled consent from checkout consent.
Customer data shared with sellers, logistics partners, and payment gateways requires DPAs with each partner.
Under-18 shoppers require verifiable parental consent before processing their personal data.
Indian e-commerce companies are strong SDF candidates given their scale and data comprehensiveness.

In this guide

E-Commerce Data: What You Collect and Why
Consent at Checkout: Getting It Right
Personalisation and Targeted Advertising Consent
Data Sharing with Sellers and Logistics Partners
Customer Rights in E-Commerce Context
Under-18 Shoppers: Age Verification Requirements
SDF Classification and Compliance for Large Marketplaces

E-Commerce Data: What You Collect and Why

An Indian e-commerce platform typically collects: registration data (name, email, mobile, address); payment data (card details, UPI ID, wallet balances); purchase history (what was bought, when, at what price); browsing and clickstream data (what was viewed, how long, what was searched); location data (delivery address, current location for hyper-local features); and device data (device type, OS, app version, advertising ID).

Each data category was collected for a primary purpose (account creation, payment processing, order delivery) but is routinely used for secondary purposes: personalised recommendations, targeted marketing, customer segmentation, price optimisation, and fraud prevention. Under the DPDP Act, each distinct secondary use is a separate processing activity requiring a separate lawful basis.

Behavioural targeting — showing ads based on browsing history — is the most commercially valuable secondary use for e-commerce, but it requires explicit consent under the DPDP Act. This is a significant business model impact: e-commerce companies that depend on targeted advertising revenue must build robust consent frameworks that allow users to opt in without conditioning access to shopping on consent to targeting.

The checkout flow is where e-commerce companies must carefully separate necessary processing from optional processing. The processing of personal data necessary for order fulfilment — name, delivery address, payment details, contact for delivery updates — is processing necessary for contract performance under GDPR; under DPDP Act, you need either consent or a Section 7 legitimate use. Until Rules clarify Section 7(f) scope, obtain consent at checkout for this core processing.

Marketing consent at checkout should be a separate, unchecked opt-in box — never pre-ticked, never bundled with "I accept terms and conditions." The marketing consent must clearly state what communications the customer will receive (email promotions, SMS offers, WhatsApp messages) and must be independently revocable.

Payment data has specific sensitivity. If you store payment card details for future purchases ("remember my card"), this requires specific consent for storage — not just consent for the current payment. Clearly state at the point of offering card storage that the user's card details will be stored and can be removed from their account settings at any time.

Product recommendation engines and targeted advertising require consent under the DPDP Act. Showing a customer recommendations based on their purchase history is processing their personal data (purchase history) for a purpose — personalisation — that requires a lawful basis. This is distinct from and additional to the consent for the original purchase.

Implement a "Privacy Controls" section in your customer account settings where users can control: whether their browsing history is used for personalisation; whether their data is used for targeted advertising; whether their data is shared with third-party advertisers; and whether they receive marketing communications. Each toggle must be independently controllable.

For targeted advertising through third-party ad networks (Google Display, Facebook, DV360), the data sharing involved requires consent. Your consent management platform (CMP) on the website must gate the loading of advertising trackers until consent is given. Implement a cookie consent banner that meets DPDP Act standards — not a banner that defaults to consent or that makes declining difficult.

In a marketplace model, customer data is shared with third-party sellers for order fulfilment (seller needs the customer's address and contact to ship the order). This sharing is necessary for order delivery — but it creates a Data Processor relationship with each seller. You need DPAs with your sellers that restrict them to using customer data only for order fulfilment, require security safeguards, and prohibit further sharing or marketing use.

Logistics partners (Delhivery, Blue Dart, Ekart, DTDC, etc.) receive customer name, address, and contact number for delivery. These are Data Processors; DPAs are required. Logistics partner DPAs should also address: data retention (the logistics company should not retain delivery recipient data beyond the delivery purpose); security (data must be protected during transit, especially from driver app data leaks); and breach notification.

Payment gateways (Razorpay, PayU, CCAvenue, Cashfree) receive payment card or UPI data. They are typically PCI-DSS compliant and have standard DPA templates. Review these templates against DPDP Act requirements and ensure DPDP Act breach notification obligations are specifically addressed alongside PCI-DSS incident notification.

Customer Rights in E-Commerce Context

Access requests: customers will want to know what data you hold about them. Build a "My Data" section in your account settings that shows the customer their profile data, purchase history, browsing preferences, saved addresses, and payment methods. This self-service access satisfies most access requests without requiring manual intervention.

Erasure requests: "delete my account" is the most common erasure request in e-commerce. When a customer deletes their account, you must erase their personal data — but you may need to retain transaction records for tax/GST compliance (typically 7 years under Indian tax law). Communicate clearly what is deleted (profile, preferences, marketing data) and what is retained (transaction records for legal compliance) when processing a deletion request.

Correction requests: incorrect delivery addresses, wrong names, and outdated contact details are common correction scenarios. Build self-service correction into your account settings. For data that the customer cannot self-correct (historical order data, analytical inferences), establish an internal process for manual corrections within your SLA.

Under-18 Shoppers: Age Verification Requirements

Indian e-commerce platforms are widely used by teenagers for fashion, gaming accessories, books, and electronics. Section 9's under-18 protections apply to these users. You must implement age verification in your registration or checkout flow to identify minor users and obtain verifiable parental consent before processing their personal data.

For e-commerce, payment-card-based age verification is a practical mechanism — a credit or debit card transaction requires an adult account holder. If the shopper uses a payment method linked to a parent's account, this serves as a proxy for parental involvement. Strengthen this with an explicit parental consent step during account creation for users who indicate they are under 18.

The tracking and profiling prohibitions under Section 9(3) mean you cannot show targeted advertising or personalised recommendations to under-18 users based on their browsing and purchase history. Implement an "under-18 mode" in your platform that disables behavioural targeting, removes targeted ad placements, and limits data collection to what is strictly necessary for the shopping service.

SDF Classification and Compliance for Large Marketplaces

India's largest e-commerce platforms — Flipkart, Amazon India, Meesho, Snapdeal, Myntra — process personal data of hundreds of millions of Indian users. They are almost certain to be among the first entities classified as Significant Data Fiduciaries. Their combination of scale, data comprehensiveness (location, payment, purchase behaviour, browsing), and systemic importance to Indian commerce meets multiple Section 10 classification criteria.

For large marketplaces planning SDF compliance: appoint a DPO with e-commerce data expertise; initiate DPIAs for your recommendation engine, dynamic pricing algorithms, and fraud detection models; build annual data audit readiness (the audit scope will be enormous for a platform with millions of daily transactions); and review your cross-border transfer exposure (particularly for data shared with international sellers or processed on global infrastructure).

Even mid-size e-commerce companies should prepare for potential SDF classification as the threshold criteria become clearer. If you process personal data of more than 1 million Indian users, you may be within the SDF classification zone. Build your compliance programme to SDF-ready standards now rather than scrambling after classification.

Frequently Asked Questions

Do we need separate consent for each marketing channel — email, SMS, WhatsApp?

Yes. Each marketing channel is a distinct communication type. A customer may be comfortable receiving email promotions but not WhatsApp messages. Obtain separate consent for each channel. The TRAI DND registry also imposes separate opt-in requirements for telemarketing — ensure your consent capture satisfies both DPDP Act and TRAI requirements.

Can we use browsing data from non-logged-in visitors for personalisation?

Yes, but only with consent. Non-logged-in visitors are not identifiable by name, but their browsing creates personal data through cookies and device identifiers. Your cookie consent banner must gate personalisation tracking for non-logged-in visitors just as it does for logged-in users.

Our platform has a review and rating system. Are customer reviews personal data?

Reviews authored by identifiable individuals (their name or username is attached) are personal data of the reviewer. Users should be able to request deletion of their reviews under Section 12. However, anonymised reviews (where the reviewer is not identifiable) are outside personal data scope. Consider offering a "publish anonymously" option to reduce erasure complexity.

We use customer data for dynamic pricing. Is this allowed under DPDP Act?

Dynamic pricing based on individual customer data (e.g., charging loyal customers more, or varying prices by location) uses personal data for pricing decisions. This requires a lawful basis. Consent for data-driven pricing is required if you use identifiable personal data — anonymised/aggregate pricing algorithms (e.g., surge pricing based on area demand) may not involve personal data and may not require consent.

Our marketplace has international sellers who receive Indian customer data. Does DPDP Act apply?

Your sharing of customer data with international sellers is a cross-border transfer once the whitelist framework is in force. If the seller is in a non-whitelisted country, you may not be able to share the full customer address and contact details with them. This is a significant operational challenge for global marketplaces — assess your seller geography and whitelist risk carefully.