Become a member

Get the best offers and updates relating to Liberty Case News.

― Advertisement ―

spot_img

Domestic Violence BNS Section 85 vs DV Act Explained

Understand how domestic violence BNS Section 85 and the Protection of Women from Domestic Violence Act, 2005 work differently — and together — to protect you.
HomeLaw for YouDPDP E-Commerce Customer Data: What Online Retailers Must Know

DPDP E-Commerce Customer Data: What Online Retailers Must Know

In short: The DPDP Act, 2023 and the DPDP Rules, 2025 make DPDP e-commerce customer data a regulated asset. Indian marketplaces, D2C brands, and third-party sellers must obtain specific consent, sign processor contracts, and accept liability for partner breaches — with full compliance due by 13 May 2027.

Key points

  • The DPDP Act was enacted on 11 August 2023 and the DPDP Rules were officially notified on 13 November 2025. Full substantive compliance obligations kick in on 13 May 2027, but the IT Act and SPDI Rules, 2011 remain in force until then.
  • Every entity that decides why and how customer data is processed — whether a large marketplace, a D2C brand, or an individual seller running its own email list — is a “Data Fiduciary” with statutory obligations.
  • Consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes and bundled consents are expressly non-compliant.
  • Marketing is a separate processing purpose from order fulfilment; you need a distinct opt-in for promotional communications.
  • When you share customer data with a logistics partner, payment gateway, or warehouse operator, you must have a valid written contract with that processor — and you remain liable if that processor causes a data breach.
  • Withdrawing consent must be as easy as giving it; customers cannot be put through a harder process just because they want to opt out.

Who does the DPDP Act apply to in e-commerce?

If your business collects, stores, or uses the personal data of Indian customers online, the DPDP Act applies to you. That is true whether you run a large aggregator marketplace, a Shopify-powered D2C brand, or an app-based seller.

The Act’s core concept is the Data Fiduciary: any entity that determines the purpose and means of processing personal data. In practice, this means the platform itself is a Data Fiduciary. But marketplace sellers can also independently become Data Fiduciaries.

When does a marketplace seller become a separate Data Fiduciary?

A seller on a marketplace becomes its own Data Fiduciary the moment it independently uses customer data beyond what the marketplace processes on its behalf. Common examples include exporting customer email lists for direct marketing campaigns or saving customer phone numbers for outreach outside the platform’s system.

When that happens, the seller must comply with all Data Fiduciary obligations under the Act — independently of whatever the marketplace does. The marketplace and the seller are each responsible for the data they separately process.

Consent: the non-negotiable foundation of DPDP e-commerce customer data compliance

Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous — and it must be given through a clear affirmative action. Silence, pre-ticked boxes, or consent buried inside terms and conditions will not satisfy this standard.

The data collected must also be limited to what is actually necessary for the stated purpose. You cannot collect a customer’s date of birth simply because your checkout form has a field for it.

Marketing consent is separate from order fulfilment consent

This is one of the most commercially important points in the Act. A customer who ticks a box agreeing to let you process their data to deliver an order has not thereby agreed to receive your promotional emails, SMS blasts, or WhatsApp campaigns.

Marketing is a distinct processing purpose. You need a separate, explicit opt-in for it. And customers must be able to withdraw that consent just as easily as they gave it — you cannot hide the unsubscribe mechanism behind multiple clicks while the opt-in was a single tap.

Third-party sellers and data processors: contracts and liability

Most e-commerce businesses rely on third parties: logistics companies, payment gateways, return-management platforms, warehouses, and marketing tools. Under the DPDP Act, each of these is potentially a Data Processor — an entity processing data on your behalf.

The Act is clear that you may share data with a processor only under a valid contract. That contract must exist before processing begins, not after a problem arises.

You cannot outsource your liability

The fiduciary remains responsible for ensuring that its processors comply with the law. If your logistics partner suffers a breach and your customers’ delivery addresses and phone numbers are exposed, the Data Protection Board of India will look to you — the Data Fiduciary — for accountability.

This makes vendor due diligence a legal obligation, not a best practice. Before onboarding any data processor, review their security practices and ensure the contractual obligations reflect DPDP requirements.

Returns and customer data: a practical scenario

When a customer initiates a return, you typically collect additional data — pickup address, bank account details for refunds, and perhaps photographs of the product. Each of these is personal data under the Act.

You should only collect what is genuinely necessary for processing the return. If you are sharing that data with a reverse-logistics partner, the processor-contract requirement applies. And you should not use the return interaction to layer on new marketing consent without a fresh, clear opt-in.

Old law vs. new law: what changes and when

AreaCurrent position (until 13 May 2027)Position from 13 May 2027
Governing law for data protectionIT Act, 2000 (Section 43A) and SPDI Rules, 2011DPDP Act, 2023 and DPDP Rules, 2025 (full effect)
Consent standardReasonable security practices under SPDI RulesFree, specific, informed, unconditional, unambiguous affirmative action
Processor contractsNo explicit statutory mandate in SPDI RulesMandatory valid contract before any processor engagement
Fiduciary liability for processor breachSection 43A IT Act: compensation for negligenceDPDP Act: fiduciary accountable to Data Protection Board regardless of where breach occurred
Marketing vs. fulfilment consentNot explicitly distinguished in SPDI RulesSeparate processing purposes requiring separate consent

Even though the DPDP Act’s full obligations are not mandatory until May 2027, building compliant processes now is wise. Retrofitting consent flows, vendor contracts, and data-minimisation practices into a live platform is significantly harder than designing them in from the start.

For practical guidance on how other data-related laws interact with your business operations, explore the Law for You guides on The Courtroom, which cover consumer rights, technology law, and business compliance in plain language.

Steps to start building compliance today

Map your data flows. List every point at which your platform collects customer data — checkout, account registration, returns, customer support, and marketing tools.

Audit your consent mechanisms. Check whether your current checkboxes are pre-ticked, bundled, or vague. Replace them with purpose-specific, affirmative opt-ins.

Separate your marketing consent. If you are using order-fulfilment data to send promotional communications, create a distinct consent layer before May 2027.

Review and update processor contracts. Every vendor or partner that touches customer data needs a compliant written agreement that defines their processing role and security obligations.

Create a withdrawal mechanism. Customers must be able to withdraw consent as easily as they gave it. Test this flow from the customer’s perspective.

Frequently asked questions

Does the DPDP Act apply to small D2C brands and marketplace sellers, or only to large platforms?

The DPDP Act applies to any entity that determines the purpose and means of processing personal data — there is no blanket small-business exemption in the verified provisions. A D2C brand that collects customer email addresses and a marketplace seller who exports phone numbers for direct marketing are each independently Data Fiduciaries with compliance obligations. The Act does allow the government to notify different obligations for different categories of fiduciaries, but those specific notifications have not been confirmed in the verified fact sheet. Consult a qualified advocate for your specific situation.

Can I share a customer’s order data with my logistics partner without a formal contract?

No. The DPDP Act requires a valid contract before a Data Fiduciary can engage a Data Processor to handle personal data. Sharing data with a courier, warehouse, or reverse-logistics partner without such a contract is non-compliant. Critically, even if the contract exists, you as the fiduciary remain accountable to the Data Protection Board of India if the processor causes a data breach.

Do I need to do anything right now, or can I wait until May 2027?

The IT Act and SPDI Rules, 2011 remain in force until the DPDP Act’s full obligations take effect on 13 May 2027, so you are not in a legal vacuum today. However, rebuilding consent flows, vendor contracts, and data-minimisation practices across a live platform takes time. Starting now reduces the risk of non-compliance on the effective date and may also improve customer trust in the interim. You should take advice from a qualified advocate on your specific compliance timeline.

Primary sources

Written by Editorial Team, The Courtroom · Last verified 2026-07-14

This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.