DPDP Compliance for E-commerce Companies
E-commerce platforms collect purchase history, addresses, payment data, and browsing behavior. Understanding DPDP obligations is critical for marketplaces operating at scale in India.
The E-commerce Data Challenge
India’s e-commerce platforms are data machines. From the moment a user browses to the point of delivery, platforms like Flipkart, Amazon India, and Myntra collect an extraordinary volume of personal data — browsing patterns, purchase history, payment information, delivery addresses, product reviews, and even return behavior.
Why E-commerce DPDP Compliance Is Complex
E-commerce platforms operate as multi-party data ecosystems. When you order a product, your personal data flows to:
- The marketplace platform (data fiduciary)
- The seller (receives name, address, phone number)
- The logistics partner (receives delivery address, phone)
- The payment processor (financial data)
- Advertising partners (behavioral data)
Under DPDP, the platform bears primary responsibility as the Data Fiduciary, but each data recipient must also maintain adequate security. A single breach at a third-party logistics partner could trigger penalties of up to ₹250 Crore for the platform.
Purchase History Reveals More Than You Think
A customer’s order history can reveal:
| Purchase Pattern | Inference | Sensitivity |
|---|---|---|
| Baby products + maternity wear | Pregnancy | Health data |
| Religious books + specific food items | Religious affiliation | Sensitive |
| Medications + health devices | Health conditions | Health data |
| Children’s products | Family composition | Personal |
Under DPDP, these inferences derived from purchase data could require heightened consent, especially when used for targeted advertising.
The Seller Data Problem
Most marketplace policies share customer names, addresses, and phone numbers with sellers for order fulfillment. But what happens when:
- A seller stores customer data beyond the order lifecycle?
- A seller uses customer data for off-platform marketing?
- A seller’s systems are breached, leaking marketplace customer data?
DPDP requires clear data processing agreements and accountability chains that most marketplaces haven’t fully established.
Data Retention: The Invisible Gap
How long should an e-commerce platform retain your abandoned cart items? Your browsing history? Your search queries? Most e-commerce privacy policies say “as long as necessary for business purposes” — which isn’t specific enough under DPDP. Clear, time-bound retention policies are now a compliance requirement.
E-commerce Company Analyses
Meesho
Meesho's social commerce model creates unique DPDP challenges — customer data is shared with individual resellers (possibly acting as data sub-processors) with minimal governance. The 41/100 score for the 150M+ user platform reflects fundamental data flow architecture issues that go beyond simple policy updates.
BigBasket
BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. As a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.
Nykaa
Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.
Lenskart
Lenskart captures the most biometrically sensitive data among e-commerce platforms — 3D facial geometry for virtual try-on, eye prescriptions revealing vision conditions, and pupillary distance measurements. At 44/100, treating this biometric-adjacent and health data with standard e-commerce privacy practices is a significant DPDP gap.
Tata Neu
Tata Neu is India's most ambitious data aggregation play — combining flights (Air India), hotels (IHCL), groceries (BigBasket), medicines (1mg), luxury (Tanishq), insurance (Tata AIG), and more into one profile via NeuPass. At 44/100, aggregating consumer behavior across 20+ Tata companies under a single privacy policy creates the country's most comprehensive consumer profile.
Myntra
Myntra collects uniquely intimate data — body measurements, style preferences, and shopping behavior — making its 47/100 DPDP score particularly concerning. As a Flipkart subsidiary within the Walmart ecosystem, cross-border data flow adds another layer of risk.
Flipkart
Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.
Amazon India
Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.