E-commerce platforms process more personal data per transaction than almost any other sector. The DPDPA demands a compliance architecture that matches that scale.
An e-commerce transaction generates personal data at every stage: account creation, browsing behaviour, search queries, purchase history, delivery addresses, payment credentials, customer support interactions, return requests, and post-purchase marketing. Each of these data points is personal data under Section 2(t). The platform is a Data Fiduciary for all of it. For marketplaces that share customer data with third-party sellers, Section 8(2), which permits a Data Fiduciary to engage a Data Processor only under a valid contract, adds a further compliance layer; a seller that decides its own purposes for the data it receives is a Data Fiduciary in its own right for that processing, not merely the platform's processor. Section 6's requirement that consent be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, together with the Central Consumer Protection Authority's dark-patterns guidelines, directly shapes how e-commerce platforms must design their user interfaces.
Why E-Commerce Faces the Most Complex DPDPA Compliance Surface
The combination of data volume, behavioural tracking, multi-party data sharing, and consumer-facing interfaces creates a compliance challenge that few other sectors match.
E-commerce platforms are built on data. Recommendation engines, personalised pricing, targeted advertising, and customer retention strategies all depend on processing personal data at scale. The DPDPA requires that each of these processing activities be separately consented to, transparently disclosed, and proportionate to the stated purpose. A platform that obtains a single consent for "personalisation" and uses it to drive recommendation engines, third-party advertising, dynamic pricing, and cross-platform tracking will not satisfy the granularity requirement of Section 6.
The marketplace model introduces additional complexity. When a platform shares customer data with third-party sellers, it must ensure that each seller operates under a compliant Data Processing Agreement. The platform remains a Data Fiduciary for the customer relationship, but the sellers' processing must be governed and auditable, and where a seller determines its own purposes (for example, using order data for its own marketing) it takes on Data Fiduciary obligations of its own. Quick commerce platforms face further challenges: real-time location tracking, delivery partner data sharing, and compressed processing timelines make consent and transparency operationally demanding.
E-Commerce DPDPA Compliance Framework
Six critical areas where e-commerce platforms must build or strengthen their data protection infrastructure.
Granular Consent at Checkout
Section 6 | Rule 3
Separate consent for order fulfilment, marketing communications, personalised recommendations, third-party advertising, and data sharing with sellers. Pre-checked consent boxes do not amount to the clear affirmative action Section 6(1) requires and are therefore not valid consent.
Dark Patterns Prohibition
Section 6 | CCPA Dark Patterns Guidelines, 2023
Interface designs that manipulate users into sharing more data than intended, including misleading button labels, confusing opt-out flows, or consent bundling, are prohibited under the Central Consumer Protection Authority's guidelines and may invalidate the consent obtained under Section 6.
Marketplace Data Sharing
Section 8(2) | Rule 6
Customer data shared with third-party sellers must be governed by Data Processing Agreements. The platform must audit seller data practices, limit what is shared to the fields needed to fulfil the order, and maintain contractual control over downstream processing.
Payment Data Security
Section 8(5) | RBI Guidelines
Payment data processing must comply with both the DPDPA's reasonable security safeguards and the RBI's payment data localisation requirements. Card-on-file tokenisation, PCI DSS compliance, and encryption are minimum infrastructure requirements; note that Section 8(5) obliges the platform to prevent personal data breaches with reasonable safeguards but does not itself prescribe a standard, so PCI DSS is a baseline, not a safe harbour.
Behavioural Tracking Governance
Section 4 | Section 6
Analytics, cookies, device fingerprinting, and cross-platform tracking must be separately disclosed and consented to. Each tracking technology must be mapped to a specific processing purpose, and no tracking script should fire before the consent for that purpose has been recorded.
Children's Data in E-Commerce
Section 9 | Rule 10-12
Platforms accessible to users under 18 must implement age verification, obtain verifiable parental consent, and exclude child users from tracking, behavioural monitoring and targeted advertising, all of which Section 9 prohibits for children.
The Dark Patterns and Consent Design Challenge
The DPDPA itself does not use the term "dark patterns"; the prohibition follows from Section 6(1), which requires consent to be free, specific, informed, unconditional and unambiguous and given by a clear affirmative action, read together with the Central Consumer Protection Authority's Guidelines for Prevention and Regulation of Dark Patterns, 2023 (issued under the Consumer Protection Act, 2019). For e-commerce platforms, this means fundamental changes to how consent is presented during registration, checkout, and marketing opt-in flows. Techniques such as making the "Accept All" button more prominent than "Manage Preferences," burying opt-out options in multi-step flows, or using confusing double negatives in consent language are all potentially non-compliant. Platforms must redesign their consent UX so that each choice is genuinely free and informed, and must be able to reproduce, for any given customer, which purposes were consented to, when, and through which interface.
"An e-commerce platform that cannot demonstrate granular consent for each processing purpose is operating on a foundation of potentially invalid consent. That is the largest single risk in Indian digital retail."
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
Does the DPDPA apply to e-commerce platforms?
Yes. E-commerce platforms are Data Fiduciaries for all personal data they process, including account information, browsing behaviour, purchase history, delivery addresses, and payment data. The platform must comply with all Data Fiduciary obligations, including valid consent under Section 6, processing limited to the specified purpose, reasonable security safeguards under Section 8(5), and breach notification to the Board and affected Data Principals under Section 8(6).
How should marketplaces handle seller access to customer data?
Marketplaces that share customer data with third-party sellers must ensure each seller operates under a compliant Data Processing Agreement governed by Section 8(2) and Rule 6. The marketplace remains a Data Fiduciary for the customer relationship and must audit seller data practices, limit data sharing to what is necessary for order fulfilment, and maintain contractual control over downstream processing. A seller that uses the data for its own purposes becomes a Data Fiduciary for that processing and needs its own lawful basis.
What are the dark patterns restrictions for e-commerce?
Consent obtained through deceptive design does not meet the Section 6(1) standard of free, specific, informed, unconditional and unambiguous consent given by a clear affirmative action, and such designs are separately prohibited by the Central Consumer Protection Authority's dark-patterns guidelines. For e-commerce, this includes pre-checked consent boxes, misleading button labels that favour data sharing, multi-step opt-out processes that discourage withdrawal, and consent bundling that does not allow purpose-specific choices. Non-compliant consent interfaces may render the consent obtained invalid.
How does the DPDPA affect e-commerce marketing?
Marketing communications, personalised recommendations, and targeted advertising each require separate consent under Section 6. A customer who consents to receiving order updates has not consented to marketing emails or personalised advertising. Each processing purpose must be separately identified and separately consented to.
Get the E-Commerce DPDPA Compliance Brief
This brief provides a structured framework for building DPDPA compliance across the e-commerce customer journey, from registration through post-purchase engagement.
From Awareness to Implementation
Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.