E-Commerce Sector — DPDPA Compliance

DPDPA for E-Commerce, Marketplaces & D2C

Q: How does DPDPA apply to e-commerce marketplaces in India?

E-commerce marketplaces are Data Fiduciaries for all personal data they collect directly — customer accounts, browsing behaviour, purchase history, search queries, payment information, delivery addresses. For seller data, the marketplace is also a Fiduciary. The key complexity is the tripartite relationship: marketplace (Fiduciary), seller (independent Fiduciary for their order data), and logistics partner (Processor). Each relationship requires distinct DPDPA compliance architecture — consent flows, processor contracts under Section 8(2), and clear delineation of data sharing purposes.

Q: What are dark patterns under DPDPA and how do they affect e-commerce?

DPDPA Section 6(3) read with Rule 3 addresses consent obtained through misleading design — dark patterns. For e-commerce, this includes: pre-checked consent boxes for marketing, hidden unsubscribe options, confusing cookie banners, forced account creation for guest checkout, and deceptive UI that makes data sharing appear mandatory. The CCPA guidelines on dark patterns and MeitY's prior draft rules provide interpretive guidance. E-commerce platforms must audit every consent touchpoint for deceptive design elements.

Q: Does DPDPA apply to behavioural advertising on e-commerce platforms?

Behavioural advertising — using purchase history, browsing patterns, and search queries to serve targeted ads — requires explicit consent under Section 6. This is separate from the consent for purchasing. E-commerce platforms cannot bundle advertising consent with service delivery consent. Additionally, behavioural advertising directed at children is prohibited under Section 9(3). Platforms must implement separate, granular consent mechanisms for advertising, with clear withdrawal options.

E-commerce platforms sit on the largest consumer data reservoirs in the economy — purchase patterns, browsing behaviour, payment data, delivery addresses. DPDPA transforms how this data can be collected, processed, shared, and retained.

Dark PatternsBehavioural AdsSeller DataQuick Commerce5 Sub-Sectors

E-commerce built its business model on data — personalised recommendations, behavioural advertising, dynamic pricing, credit scoring. DPDPA does not prohibit these practices, but it requires explicit, informed, granular consent for each. The era of bundled consent buried in terms of service is over.

Sub-Sector Analysis

DPDPA Challenges by E-Commerce Sub-Sector

Horizontal Marketplaces

Multi-category platforms — electronics, fashion, grocery

›Tripartite data flows: customer → marketplace → seller — who is Fiduciary for what data?
›Behavioural profiling for recommendations and advertising — Section 6 consent granularity
›Seller personal data (proprietor KYC, bank details, GST-linked data) — separate consent track
›Dark pattern audit across checkout flows, cookie banners, and marketing opt-ins
›Cross-border data for global marketplace operations — Section 16 for international sellers/buyers
›SDF classification for platforms with hundreds of millions of user accounts

D2C (Direct-to-Consumer) Brands

Owned channels — website, app, WhatsApp commerce

›Single-brand data fiduciary — cleaner compliance surface than marketplaces
›Customer data platform (CDP) — unified profiles from website, app, store, and social media
›WhatsApp Business API data processing — Meta as processor, D2C as fiduciary
›Loyalty programme data — purpose creep from rewards to marketing to third-party partnerships
›Subscription and recurring order data — ongoing consent management

Quick Commerce & Hyperlocal

Rapid delivery — grocery, food, pharmacy

›Delivery partner location tracking — continuous GPS monitoring as personal data
›Customer address data at granular level (floor, apartment, landmark) — heightened privacy sensitivity
›Pharmacy delivery — health-adjacent data processing without DPDPA special category protection
›Dark store employee data — biometric attendance, performance monitoring
›Real-time demand prediction using order patterns — automated processing assessment

Payment & Fintech Layer

Payments, BNPL, wallets within e-commerce

›Payment data processing — RBI PA/PG guidelines + DPDPA dual compliance
›BNPL (Buy Now Pay Later) credit decisions — automated processing and profiling
›UPI transaction data retention and sharing with e-commerce platforms
›Tokenisation and card-on-file data governance
›Wallet KYC data — purpose limitation for non-payment use of KYC information

Logistics & Last-Mile Delivery

3PL providers, warehousing, delivery networks

›Delivery personnel data — gig worker privacy, location tracking, performance scoring
›Customer delivery data — name, address, phone shared by marketplace (processor vs joint fiduciary)
›Warehouse CCTV and access control data — employee monitoring under DPDPA
›Returns processing — customer identity verification and item condition documentation
›Multi-client data segregation in shared logistics infrastructure

5 DPDPA Compliance Pillars for E-Commerce

Granular Consent Architecture

Separate consent for: account creation, order processing, recommendations, marketing emails, behavioural advertising, seller data sharing, and analytics. No bundling. Each consent independently withdrawable.

Section 6, Rule 3-4

Dark Pattern Elimination

Audit every user interface for deceptive design: pre-checked boxes, confusing toggles, hidden unsubscribe links, forced account creation. Section 6(3) read with Rule 3 invalidates consent obtained through misleading design.

Section 6(3), Rule 3

Marketplace Data Segregation

Define fiduciary responsibilities clearly — marketplace for platform data, seller for order fulfilment data. Implement contractual and technical controls for data sharing between marketplace and seller under Section 8(2).

Section 8(2), Rule 6

Children's Data Prohibition

No behavioural advertising or tracking directed at children (Section 9(3)). Implement age gates, parental consent flows, and advertising category exclusions for users identified or likely to be under 18.

Section 9, Rules 10-12

Data Retention & Purging

Define retention periods for each data category: order data (legal requirement period), browsing data (session or consent-based), payment data (RBI requirements), account data (until deletion request). Automate purging.

Section 8(7), Section 12

Related DPDPA Resources

E-Commerce Data Privacy

Full e-commerce privacy guide

Consent Management

Section 6 consent deep-dive

Compliance Checklist

8-phase implementation guide

DPDPA for Startups

D2C compliance playbook

Children's Data

Section 9 deep-dive

DPDPA for BFSI

Payment layer compliance

Vendor Governance

Processor chain controls

DPDPA Consulting

Counsel-led advisory services

E-Commerce-Specific DPDPA Advisory

E-commerce compliance touches every part of the platform — from checkout consent to seller onboarding to delivery tracking. AMLEGALS brings 27 years of regulatory experience to DPDPA implementation for marketplaces, D2C brands, and digital retail.

Request a Confidential Briefing

Our data privacy counsel will reach out within one working day.

Insights & Answers

What practitioners and boards are asking

How does DPDPA apply to e commerce marketplaces in India?

E Commerce marketplaces are Data Fiduciaries for all personal data they collect. customer accounts, browsing behaviour, purchase history, search queries, and payment data. The tripartite relationship (marketplace, seller, logistics) creates complex fiduciary allocation questions. Section 6(3) read with Rule 3 prohibits consent obtained through dark patterns. pre checked boxes, confusing toggles, and forced account creation. Behavioural advertising requires explicit, granular consent separate from service delivery consent. AMLEGALS advises e commerce platforms on consent architecture, dark pattern elimination, marketplace data segregation, and children's data compliance under Section 9.