E-commerce

BigBasket

Ready Score 43/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. Because BigBasket is a Tata Group entity, its 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Grocery purchase data reveals household composition and health patterns
  • Tata Group entity data sharing scope unclear
  • No data retention timelines
  • Data Protection Board not mentioned
  • Baby product purchases reveal sensitive family information
  • Medicine/health product purchases treated as standard e-commerce data

✅ Strengths

  • Standard security measures described
  • Grievance officer designated
  • Account deletion mechanism available

Overview

BigBasket, now a Tata Digital subsidiary, delivers groceries to millions of Indian households. Weekly grocery orders reveal more about a household than almost any other data source: dietary practices (religious indicators), health products (medical conditions), baby products (family composition), premium vs. budget choices (income level), and organic preferences (health consciousness). This household-level profiling is under-addressed in their privacy policy.

DPDP Readiness: Section-by-Section Analysis

Single consent covers all grocery data processing. No separate consent for:

  • Household profiling based on order patterns
  • Health product purchase tracking
  • Baby/child product pattern monitoring
  • Sharing data within Tata Group entities

DPDP concern: Grocery data is deceptively intimate. A household’s weekly orders reveal religion, health, family stage, income, and lifestyle — all without explicit consent for such inferences.

Section 7 — Certain Legitimate Uses ⚠️

Order fulfillment is legitimate. But BigBasket extends processing to:

  • Purchase pattern analytics for supplier partnerships
  • Household classification for targeted marketing
  • Tata ecosystem cross-selling (Tata Neu, 1mg, Croma integration)

These go beyond service delivery and need separate justification under DPDP.

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures. However:

  • Delivery personnel access customer addresses and order contents
  • Warehouse staff process orders revealing personal information
  • No mention of enhanced handling for health or baby product orders

Section 9 — Data Retention 🔴

No retention timelines. Particularly concerning for:

  • Health product orders: Revealed medical conditions stored indefinitely
  • Baby product patterns: Family lifecycle data persisted
  • Delivery address history: Housing patterns tracked
  • Order frequency and timing: Household routine mapping

Section 11 — Rights of Data Principal 🔴

  • No mechanism to delete order history selectively (e.g., delete medicine purchases but keep grocery history)
  • No transparency on household profile inferences
  • No nomination rights
  • No right to prevent cross-Tata-entity profiling

Section 12 — Right of Grievance Redressal ⚠️

Basic grievance officer. No DPB pathway.

Section 16 — Cross-Border Data Transfer ⚠️

As a Tata Group entity, BigBasket may have data flowing within the conglomerate’s global infrastructure. The policy doesn’t specify whether household grocery data is processed or accessible outside India.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| Household profiling | Critical | Weekly groceries = comprehensive household intelligence |
| Health product data | High | Medicine and health product purchases reveal conditions |
| Tata ecosystem sharing | High | Cross-entity data flow within conglomerate |
| Data retention | High | Indefinite storage of intimate household data |

The Grocery Data Intelligence Problem

Weekly grocery orders create the most detailed household profile available in Indian digital commerce:

| Product Category | Inference | Sensitivity |
|---|---|---|
| No non-veg items, specific religious items | Religious practices | High |
| Diabetes-friendly, sugar-free products | Chronic health condition | Health data |
| Baby formula, diapers, baby food | New parent, child age | Family data |
| Organic, premium products | Income level, health consciousness | Financial |
| Alcohol | Lifestyle choice | Personal |
| Feminine hygiene products | Household gender composition | Personal |
| Quantity and frequency | Household size | Demographic |

Recommendations

  1. Classify health product purchases as sensitive data — Enhanced consent and retention rules for medicines, health products
  2. Implement household profiling transparency — Let users see and control inferences made from their purchase patterns
  3. Establish Tata Group data boundaries — Clear rules on what BigBasket data is shared with other Tata entities
  4. Add granular retention — “Active orders: 6 months; health products: 1 year; general purchase: 2 years; addresses: until user deletion”
  5. Separate consent for cross-platform sharing — Distinct consent for Tata Neu integration, 1mg health cross-referencing
  6. Deploy inference protection — Don’t combine grocery patterns to create religious, health, or family profiles without explicit consent

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.