DPDP Compliance for E-commerce Companies
E-commerce platforms collect purchase history, addresses, payment data, and browsing behavior. Understanding DPDP obligations is critical for marketplaces operating at scale in India.
The E-commerce Data Challenge
India’s e-commerce platforms are data machines. From the moment a user browses to the point of delivery, platforms like Flipkart, Amazon India, and Myntra collect an extraordinary volume of personal data — browsing patterns, purchase history, payment information, delivery addresses, product reviews, and even return behavior.
Why E-commerce DPDP Compliance Is Complex
E-commerce platforms operate as multi-party data ecosystems. When you order a product, your personal data flows to:
- The marketplace platform (data fiduciary)
- The seller (receives name, address, phone number)
- The logistics partner (receives delivery address, phone)
- The payment processor (financial data)
- Advertising partners (behavioral data)
Under DPDP, the platform bears primary responsibility as Data Fiduciary. Section 8 of the Act keeps the fiduciary accountable for compliance even where a Data Processor handles the data on its behalf, and a processor may only be engaged under a valid contract, so the platform must contractually bind every downstream recipient to adequate security safeguards rather than assume they exist. Failure to take reasonable security safeguards to prevent a personal data breach carries the Act's highest penalty, up to ₹250 crore, which means a single breach at a third-party logistics partner can land on the platform, not just the partner.
Purchase History Reveals More Than You Think
A customer’s order history can reveal:
| Purchase Pattern | Inference | Sensitivity |
|---|---|---|
| Baby products + maternity wear | Pregnancy | Health data |
| Religious books + specific food items | Religious affiliation | Sensitive |
| Medications + health devices | Health conditions | Health data |
| Children’s products | Family composition | Personal |
Unlike GDPR, DPDP does not define a separate category of sensitive personal data, but it does require consent under Section 6 to be free, specific, informed, unambiguous and tied to the purpose notified to the Data Principal. Profiling a customer from purchase data and using the inference for targeted advertising is a purpose distinct from fulfilling the order, so it needs its own clear, affirmative consent rather than riding on the consent given at checkout.
The Seller Data Problem
Most marketplace policies share customer names, addresses, and phone numbers with sellers for order fulfillment. But what happens when:
- A seller stores customer data beyond the order lifecycle?
- A seller uses customer data for off-platform marketing?
- A seller’s systems are breached, leaking marketplace customer data?
DPDP answers these situations through contract and accountability: a Data Processor may be engaged only under a valid contract, and the fiduciary must ensure that its processors erase personal data once the specified purpose is served (Section 8(7)). A seller who keeps customer data past the order or reuses it for its own marketing is no longer processing on the marketplace's behalf but determining its own purposes, which makes it a Data Fiduciary in its own right. Most marketplaces have not yet put in place the data processing agreements and accountability chains that these obligations imply.
Data Retention: The Invisible Gap
How long should an e-commerce platform retain your abandoned cart items? Your browsing history? Your search queries? Most e-commerce privacy policies say "as long as necessary for business purposes", which isn't specific enough under DPDP. Section 8(7) requires erasure as soon as the specified purpose is no longer being served or consent is withdrawn, whichever is earlier, unless retention is required by law, and the draft DPDP Rules published in January 2025 go further for large e-commerce platforms (two crore or more registered users) by proposing a fixed three-year erasure period after the user's last interaction. Clear, time-bound retention schedules per data category are now a compliance requirement, not a nicety.
E-commerce Company Analyses
Meesho
Meesho's social commerce model creates unique DPDP challenges: customer data is shared with individual resellers with minimal governance, and whether those resellers are Data Processors acting on Meesho's behalf or independent Data Fiduciaries is left undefined. The 150M+ user platform's 41/100 score reflects fundamental data flow architecture issues that go beyond simple policy updates.
Country Delight
Country Delight’s policy covers the basics of data collection but fails the 'Notice' and 'Control' tests of the DPDP Act. Its reliance on 'all-or-nothing' consent and lack of specific deletion timelines creates significant compliance risks for a company handling daily household location data.
JioMart
JioMart's policy is a classic example of "old law" compliance, leaning heavily on the IT Act 2000 and its SPDI Rules of 2011. While it is transparent about what it collects, it fails the DPDP Act's stricter requirements for clear, affirmative consent and specific data deletion timelines.
BigBasket
BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. As a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.
Lenskart
Lenskart's privacy policy is comprehensive in outlining data collection and security, but it doesn't explicitly reference the DPDP Act 2023. Significant gaps exist around granular consent, specific data retention periods, and a full DPDP-aligned framework for Data Principal rights and grievance redressal.
Nykaa
Nykaa collects deeply personal beauty and health data — skin conditions, beauty routines, and facial scans for virtual try-on — yet treats it with the same casual privacy approach as generic e-commerce. At 44/100, the gap between data sensitivity and protection is concerning.
Tata Neu
Tata Neu is India's most ambitious data aggregation play — combining flights (Air India), hotels (IHCL), groceries (BigBasket), medicines (1mg), luxury (Tanishq), insurance (Tata AIG), and more into one profile via NeuPass. At 44/100, aggregating consumer behavior across 20+ Tata companies under a single privacy policy creates the country's most comprehensive consumer profile.
Myntra
Myntra collects uniquely intimate data — body measurements, style preferences, and shopping behavior — making its 47/100 DPDP score particularly concerning. As a Flipkart subsidiary within the Walmart ecosystem, cross-border data flow adds another layer of risk.
Flipkart
Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.
Amazon India
Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile, all flowing to US-headquartered infrastructure. DPDP does not prohibit such transfers outright (Section 16 restricts transfer only to countries the Central Government notifies), so the compliance question is whether the notice and consent clearly disclose where the data goes and for what purpose.
Blinkit
Blinkit's privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding "what" is collected, it fails the "how" of the DPDP Act 2023, specifically regarding granular consent, the right to erasure, and the new statutory right of nomination. Its reliance on "implied consent" through platform usage is a high-risk area under the new regime, since Section 6 requires consent to be given through a clear affirmative action, which continued use of an app is not.