Overview
JioMart is the e-commerce arm of Reliance Retail, handling everything from your grocery list to your home address and credit card details. When you shop here, you aren’t just buying milk; you’re handing over a digital map of your life.
As a Data Fiduciary (the company that decides why and how your data is processed), JioMart has a massive responsibility to protect you, the Data Principal (the person the data belongs to). Currently, their policy feels like it was written for a different era of the internet.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
This is where most Indian companies are going to trip up. JioMart uses “bundled consent”—where they hide the permission to track you for ads inside the permission to deliver your groceries.
What the policy says: “By accessing, using, browsing, or purchasing on JioMart… you agree to be bound by the terms of this Privacy Policy and consent to the collection…”
What the law requires: Consent must be unambiguous and affirmative. You have to physically click or check a box that says “I agree.” Simply “browsing” a website cannot be legally counted as giving consent anymore.
The problem: If you haven’t clicked a clear “I Agree” button that specifically explains what you are agreeing to, JioMart might be processing your data illegally under the new law.
Section 7 — Certain Legitimate Uses ⚠️
The law allows companies to use your data without consent for “legitimate uses” like responding to a medical emergency or fulfilling a court order.
What the policy says: JioMart claims it uses data to “detect and protect us against error, fraud and other illegal activity.”
What the law requires: Section 7 is very narrow. While fraud prevention is generally okay, e-commerce companies often try to stretch “legitimate use” to cover internal marketing and analytics.
The problem: JioMart’s list of uses is broad. Under the DPDP Act, they cannot claim “legitimate use” for things like “improving products” or “marketing communications”—those require your explicit permission.
Section 8 — Obligations of Data Fiduciary ⚠️
A Data Fiduciary (JioMart) must ensure your data is accurate and kept safe with “reasonable security safeguards.”
What the policy says: They mention using “generally accepted industry and security standards” and “secure digital platforms of approved payment gateways.”
The problem: The policy is very vague about what those standards actually are. Under Section 8, if a breach happens, the fines are massive (up to ₹250 crore). “Generally accepted” might not be a strong enough defense when the Data Protection Board comes knocking.
Section 9 — Data Retention 🔴
This is a major weak spot for almost every Indian retailer.
What the policy says: “The Information so collected shall be retained only for the duration necessary to fulfil the purposes… Once the purposes are achieved, all Information is deleted.”
What the law requires: The law says data must be erased as soon as the purpose is served, unless a specific law (like tax law) requires keeping it.
The problem: Who decides what “duration necessary” means? Is it 5 years? 50 years? JioMart doesn’t give you a timeline. If you delete your account, they should have a clear “auto-delete” trigger. Right now, they don’t.
Section 11 — Rights of Data Principal ⚠️
As the Data Principal, the law gives you “superpowers” over your data, including the right to correct it, erase it, or nominate someone else to manage it if you pass away.
What the policy says: They allow for “Access, Correction and Deletion” but warn that it might be “extremely difficult to implement” or “not supported by valid documents.”
The problem:
- There is zero mention of the “Right to Nominate” (Section 14), which is a mandatory requirement.
- They make deletion sound like a favor they might grant you, rather than a legal right you own.
Section 12 — Right of Grievance Redressal ⚠️
If you’re unhappy with how your data is handled, you need a clear way to complain.
What the policy says: “In case of any feedback or concern… you may contact cs@jiomart.com.”
What the law requires: You must have a clear process to register a grievance, and the company must respond within a set timeframe. If they don’t, you have the right to go to the Data Protection Board of India.
The problem: JioMart just gives a general customer service email. Under DPDP, you need a dedicated Grievance Officer whose name and contact details are easy to find. A generic “cs@” email usually leads to a bot, not a privacy expert.
Section 16 — Cross-Border Data Transfer ✅
What the policy says: “Your Information will primarily be stored and processed in India.”
What the law requires: Data can only be sent to countries that the Indian government hasn’t “blacklisted.”
The strength: JioMart is mostly “Made in India” when it comes to data. By keeping the bulk of the processing local, they avoid many of the legal headaches associated with international data transfers.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | “Implied consent” is no longer valid; could lead to stop-processing orders. |
| Regulatory Fines | High | Lack of DPDP-specific grievance and nomination rights carries high penalty risks. |
| Data Retention | Medium | Vague “as necessary” language makes it hard to prove compliance during audits. |
| Security Disclosure | Medium | Policy lacks specific “reasonable security” details required to limit liability. |
Recommendations
If you’re running a business—even one much smaller than JioMart—here’s what you should learn from their gaps:
- Stop using “By using this site, you agree.” Add a clear checkbox for your privacy policy at signup.
- Separate your “Yes” buttons. Let users say “Yes” to the service but “No” to marketing emails.
- Give a real timeline. Instead of “retained as long as necessary,” say “we delete transaction data after 7 years and marketing data after 18 months of inactivity.”
- Appoint a Grievance Officer. Don’t hide behind a “support@” email. Put a real person’s title (or at least a dedicated “privacy@” email) in your policy.
- Add a “Nominee” clause. Mention that users can nominate someone to exercise their rights in the future. It’s a small addition that shows you actually read the new law.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.