DPDPA for E-Commerce: The 2026 Compliance Guide for Data Fiduciaries
By Privy
Jul 03, 2026

DPDPA for E-Commerce: The 2026 Compliance Guide for Data Fiduciaries

An e-commerce platform becomes a data fiduciary the moment it decides what customer data to collect and why. That single fact reframes almost everything about how an online business handles carts, checkouts, marketing lists, and vendor integrations. Under India's Digital Personal Data Protection Act, the consent banner is now a legally enforceable artefact, and the data behind it has to be located, mapped, and governed before consent means anything at all.

This guide is written for the DPO, compliance head, or privacy engineer running that work at an Indian online retailer, marketplace, D2C brand, or quick commerce operator. It covers what the DPDPA and the DPDP Rules 2025 actually require of e-commerce operators, where most platforms are currently exposed, and how to build a compliance program that survives an audit rather than one that only looks good on the storefront.

Why E-Commerce Sits at the Centre of DPDPA Risk

E-commerce platforms collect more categories of personal data, from more touchpoints, than almost any other consumer business. Account creation, browsing behaviour, cart contents, payment details, delivery addresses, returns, reviews, loyalty programs, and third-party ad pixels all generate personal data, and each is tied to a different purpose.

The DPDPA treats every one of those purposes as its own consent requirement. Bundled consent, the single "I agree" checkbox that used to cover collection, marketing, analytics, and sharing all at once, is no longer valid. Section 6 requires consent to be free, specific, informed, unconditional, and unambiguous, expressed through clear affirmative action.

The gap between where platforms are and where the law expects them to be is large. A survey by the Advertising Standards Council of India found that only 6% of operators currently run consent banners that would meet DPDPA standards. For a sector that runs on data-driven personalisation, that is a structural compliance problem, not a cosmetic one.

The timeline makes it urgent. The DPDP Rules 2025 were notified on 13 November 2025. Consent manager registration opens at the 12-month mark, around 14 November 2026. The core operational obligations, compliant notice and consent, security safeguards, breach reporting, retention limits, children's data rules, and significant data fiduciary duties, become enforceable at the 18-month mark, around 14 May 2027. That is the real deadline e-commerce compliance teams are working against.

e-commerce consent banner

The Data Fiduciary Framework Applied to Online Retail

The DPDPA sets up a dual accountability structure, and e-commerce operators sit squarely inside it. The platform is the data fiduciary because it independently decides the purposes and means of processing customer data. Customers are the data principals. Any cloud host, analytics vendor, logistics partner, or annotation service that processes data on the platform's behalf is a data processor.

The responsibility does not transfer. When an operator hands customer data to a third party, the operator remains accountable for what that party does with it. Rule 6 of the DPDP Rules 2025 reinforces this by requiring fiduciaries to contractually bind processors to equivalent security measures. An online retailer cannot point at a marketing vendor or a shipping API when something goes wrong. Vendor governance is now a fiduciary obligation, which is why third-party risk management belongs inside the compliance program from day one.

Larger platforms face a second layer. The Central Government can designate a business as a significant data fiduciary based on the volume and sensitivity of data it processes and its potential impact on individuals. Marketplaces and high-traffic retailers are obvious candidates. Designation as an SDF brings added duties: data protection impact assessments, periodic audits, and appointment of a DPO. Building the program now with those duties in mind avoids a scramble later if the notification lands.

Consent Notices That Actually Hold Up

Rule 3 of the DPDP Rules 2025 is where most e-commerce compliance work concentrates, because it governs the notice that sits in front of every consent decision. A compliant notice has to be a standalone communication, not buried inside terms and conditions or a privacy policy. It has to be in plain language, available in English and the languages of the Eighth Schedule, and it has to itemise the specific personal data being collected, the specific purpose for each, and the goods or services that depend on that processing.

For an online retailer, that means the checkout notice, the account signup notice, and the marketing opt-in notice are different artefacts with different content. It also means each notice needs a clear route to withdraw consent and to raise a grievance, and both routes have to be as easy to use as the original opt-in.

Contextual timing matters as much as content. Consent requests should appear at the point of collection. A just-in-time notice before a payment step, before a marketing subscription, or before enabling analytics cookies is far more defensible than a single banner that tries to cover the entire session. The DPDPA consent notice requirements under Rule 3 go into the itemisation and versioning detail that e-commerce teams need to get right.

Versioning is the part teams most often miss. Every time a notice changes, it needs a version identifier, and the consent record has to capture which version the customer actually saw. Without that mapping, an operator cannot prove what a customer agreed to, which is exactly the evidence the Data Protection Board will ask for.

Dark Patterns Are Now a Compliance Failure

E-commerce interfaces have long used design nudges to push users toward accepting cookies and marketing. Under the DPDPA, those nudges cross a legal line. A consent flow that makes accepting a single click while burying rejection under multiple steps produces consent that is not freely given, which means it is not valid.

The common dark patterns that now create liability include pre-ticked boxes, asymmetric accept and reject buttons, consent bundled with service access, and confusing double negatives in opt-out language. Section 6's requirement for clear affirmative action invalidates pre-ticked consent outright. Toggles must default to off. Rejection must be as frictionless as acceptance.

This is a design and engineering problem as much as a legal one. It usually requires auditing the full customer journey, from onboarding through post-purchase, and identifying every point where the interface pressures a consent decision. Mobile-first testing is essential given how much Indian e-commerce traffic is on phones, where cramped screens make dark patterns both easier to deploy and harder to defend.

Data Principal Rights and the Operational Load

Chapter III of the DPDPA gives customers four rights that e-commerce platforms have to service: the right to access a summary of their data and its processing purposes, the right to know which fiduciaries and processors it was shared with, the right to correction and erasure, and the right to grievance redressal. Customers can exercise these directly or through a registered consent manager.

For a platform with millions of accounts, this is an operational commitment, not a legal footnote. A data principal request for access has to return a complete picture of where that person's data lives, across the order database, the marketing platform, the analytics warehouse, the customer service tickets, and any vendor systems. A request for erasure has to actually delete or anonymise that data everywhere it exists, except where tax or regulatory law requires retention.

You cannot fulfil either request reliably if you do not know where the data is. This is the reason data discovery and mapping come before rights fulfilment in any working program. Platforms that treat rights requests as a manual scramble across teams will miss the response timelines and generate exactly the grievance records that lead to enforcement. A structured approach to handling data principal requests at scale turns this from a fire drill into a repeatable workflow.

Breach Notification and Security Safeguards

Section 8 of the DPDPA places the duty on fiduciaries to implement appropriate technical and organisational security measures, and the DPDP Rules 2025 turn that into concrete obligations: access controls, encryption, logging, vendor security assessments, staff training, and documented incident response procedures.

The breach notification rule is where e-commerce operators face acute exposure. On becoming aware of a personal data breach, the platform must notify affected data principals through direct channels, describing the nature of the breach, the categories and volume of data involved, the likely consequences, the mitigation taken, and the safety steps customers should follow. The Board must also be notified. For a consumer platform, a breach can touch payment data, addresses, and order histories across a large user base at once, which makes a pre-built, tested response playbook far more valuable than an ad hoc reaction.

Penalties give this weight. The Board can impose up to ₹250 crore for severe infringements, ₹200 crore for failures in breach notification or children's data protection, and ₹150 crore for substantial non-compliance by a fiduciary. An e-commerce breach that is mishandled at the notification stage carries a specific and large exposure.

Personal Data Discovery Is the Foundation, Not an Afterthought

Everything above depends on one capability that most e-commerce compliance programs underinvest in: knowing where personal data actually lives. Manual tagging cannot keep pace with the way data spreads across an online business. Customer records sit in the order database, payment tokens in a gateway, browsing data in analytics, addresses in the logistics stack, reviews in a CMS, and copies of all of it in SaaS marketing tools and vendor systems.

Automated data classification and discovery scan structured and unstructured environments, detect personal and sensitive data such as PII and payment information at the column and file level, and maintain a live inventory instead of a point-in-time snapshot. The value comes from linking that classification into governance: mapping how data flows between systems and vendors, tracking lineage, and connecting discovery directly to consent records, rights fulfilment, and retention enforcement.

This is the discovery-and-governance layer that sits underneath consent. A platform that has classified and mapped its personal data can answer a rights request, prove what a customer consented to, enforce a retention deletion automatically, and scope a breach accurately. A platform that has only a consent banner is exposed on all four. Privy's personal data discovery and mapping capabilities are built to give e-commerce operators exactly that foundation, scanning across cloud and on-premise systems and feeding classification into the rest of the compliance stack.

For operators evaluating the full picture, Privy's DPDPA compliance platform brings consent management, cookie governance, data principal rights, incident response, and personal data discovery into a single system rather than a set of disconnected tools. The Cookie Manager module handles the front-end consent capture that Rule 3 governs, while the incident management module operationalises the breach notification workflow that Section 8 requires.

A Practical Sequence for E-Commerce Compliance

For a compliance team starting now, the order of work matters. Discover and map personal data across all systems and vendors first, because everything downstream depends on it. Rebuild consent notices to be standalone, purpose-specific, multilingual, and versioned. Audit the customer journey for dark patterns and fix the interface. Stand up rights fulfilment as a repeatable workflow tied to the data map. Bind processors contractually to equivalent security. Build and test the breach response playbook. Then, if the platform is likely to be designated a significant data fiduciary, layer in DPIAs and audits.

Done in that sequence, the program is coherent. Done in reverse, starting with a banner and hoping the rest follows, it produces the exact evidence gaps regulators look for.

Conclusion

DPDPA compliance for e-commerce is a data governance problem wearing a consent banner. The banner is the visible part, and it has to be right, standalone, purpose-specific, multilingual, versioned, and free of dark patterns. But the part that determines whether a platform survives an audit is underneath: whether it knows where personal data lives, how it flows, who it is shared with, and whether consent, rights, retention, and breach scope can all be proven against that map. Operators who build the discovery and governance foundation first will find every other obligation becomes tractable. Those who start and stop at the storefront will keep failing the same four tests.

If you are building or auditing a DPDPA program for an e-commerce business and want to see how consent, cookie governance, data principal rights, breach response, and personal data discovery fit together in one platform, reach out at shivani@idfy.com to book a demo.

FAQ's

Is every e-commerce business a data fiduciary under the DPDPA?

Yes, if it independently decides what customer data to collect and for what purpose, which virtually every online retailer does. That status makes the platform accountable for compliance even when it uses third-party processors.

Does an e-commerce platform need to appoint a DPO?

A DPO is mandatory for significant data fiduciaries. Other operators are not strictly required to appoint one, though larger platforms often designate a DPO or equivalent owner given the scale of their obligations.

Can we keep using a single consent banner for the whole site?

No. Consent has to be purpose-specific. Account creation, checkout, marketing, and analytics each need their own notice and their own affirmative opt-in. A single blanket banner produces invalid consent.

When do these obligations become enforceable?

The DPDP Rules 2025 were notified on 13 November 2025. Consent manager provisions open around November 2026, and the core operational obligations, including compliant notice, security, breach reporting, and retention, become enforceable around May 2027.

What happens if we mishandle a data breach notification?

The Data Protection Board can impose penalties of up to ₹200 crore for failures in breach notification. Beyond the fine, a poorly handled breach damages customer trust, which for a consumer platform is a direct commercial cost.

Search Here

Reach out to us

Explore More

DPDP for Board: A Leadership Framework
DPDP Rules

Apr 14, 2026

DPDP for Board: A Leadership Framework

Aftermath of DPDP In 2027, What Happens After the Deadline
DPDP Rules

Jun 03, 2026

Aftermath of DPDP In 2027, What Happens After the Deadline

Share