Every e-commerce business in India must comply with DPDP (the Digital Personal Data Protection Act, 2023) — whether you're selling on Shopify, WooCommerce, your own platform, or even Instagram/WhatsApp. The law applies to all customer data: names, addresses, phone numbers, payment information, order history, and browsing behavior.
Key risks: Storing payment card details (₹250 crore fine) • Not deleting old customer accounts (₹50 crore) • No privacy policy (₹50 crore) • Processing orders without consent (₹50 crore).
Does DPDP Apply to Your Online Store?
Yes, if you answer "yes" to any of these:
- ✅ You sell products online to Indian customers
- ✅ You collect customer names, emails, or phone numbers
- ✅ You collect delivery addresses
- ✅ You process payments (even via Razorpay, Paytm, PhonePe)
- ✅ You store order history
- ✅ You send marketing emails or WhatsApp messages
- ✅ You use Google Analytics or Facebook Pixel
- ✅ You offer customer accounts/login
DPDP applies to:
- 🛒 All platforms: Shopify, WooCommerce, Magento, custom-built stores
- 🛒 All sizes: Solo entrepreneur to large marketplace
- 🛒 All business models: B2C, B2B, D2C, dropshipping, print-on-demand
- 🛒 All channels: Website, mobile app, Instagram Shop, WhatsApp Business
🛒 Reality Check: "I use Razorpay, so payment data isn't my problem" is WRONG. Even if payment processing is handled by a gateway, you're still responsible for DPDP compliance. You control the customer relationship = you're the Data Fiduciary.
What Customer Data is Covered Under DPDP?
E-commerce businesses collect massive amounts of personal data. Here's what's covered:
1. Account & Identity Data
- Names (first, last, full)
- Email addresses
- Phone numbers (mobile, landline)
- Date of birth (if collected)
- Gender (if collected)
- Profile photos
2. Address Information
- Delivery addresses (street, city, state, PIN code)
- Billing addresses
- Alternate delivery locations
- GPS coordinates (if delivery tracking enabled)
3. Financial Information
- Payment card last 4 digits (if stored for "save card" feature)
- UPI IDs
- Bank account numbers (for refunds)
- Transaction history
- Payment gateway tokens
⚠️ CRITICAL: Storing full card numbers, CVVs, or card PINs is prohibited under RBI guidelines and violates DPDP security requirements.
4. Browsing & Purchase Behavior
- Order history (what they bought, when, how much)
- Cart abandonment data
- Product views and wishlists
- Search history on your site
- IP addresses
- Device IDs, browser fingerprints
- Cookies and tracking pixels (Google Analytics, Facebook Pixel)
5. Customer Service Data
- Support tickets and chat transcripts
- Email correspondence
- WhatsApp chat history (if using WhatsApp Business)
- Return/refund requests
- Product reviews and ratings
All of this is personal data under DPDP. You must handle it according to DPDP requirements.
DPDP Requirements for E-commerce Businesses
1. Obtain Valid Consent Before Checkout
You must obtain explicit consent from customers before processing their data. This means:
- At checkout: Add a checkbox (unchecked by default): "I agree to the Privacy Policy and consent to processing my personal data for order fulfillment."
- For marketing: Separate checkbox: "I want to receive promotional emails and offers." (This must be optional — you cannot force customers to opt-in to marketing to complete purchase.)
- For analytics: Cookie consent banner before Google Analytics/Facebook Pixel starts tracking.
❌ ILLEGAL: Pre-ticked consent checkboxes. The box must be unchecked by default. If customers have to uncheck to opt-out, that's invalid consent → ₹50 crore maximum penalty.
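The consent rules above (order consent from an unchecked box, marketing and partner sharing as separate optional opt-ins, transactional emails needing none) as a small server-side ledger. This is an added example, not code from the original article; the purpose names, the form shape and the policy version are constructed for illustration.

```python
"""Purpose-bound consent ledger for a store checkout.
Added example, not part of the original article; purpose names, the
form shape and the policy version are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes a checkout form can ask for. Only ORDER is needed to buy;
# MARKETING and PARTNER_SHARING each need their own, optional opt-in.
ORDER = "order_fulfillment"
MARKETING = "marketing"
PARTNER_SHARING = "partner_sharing"

# Messages needed to fulfil the purchase; no separate consent required.
TRANSACTIONAL = {"order_confirmation", "shipping_update", "invoice"}


@dataclass
class ConsentLedger:
    """Append-only log of explicit consents (who, which purpose, when, which policy)."""
    records: list = field(default_factory=list)

    def record_checkout(self, customer_id, form, policy_version="2025-01"):
        """Validate a submitted checkout form and log every valid opt-in.

        `form` maps purpose -> (was_checked_by_default, submitted_checked).
        A pre-ticked box is never valid consent, even if left ticked: the
        customer did not actively choose it. Only ORDER is mandatory.
        """
        default_on, ticked = form[ORDER]
        if default_on or not ticked:
            raise ValueError("order consent must come from an unchecked box the customer ticks")
        now = datetime.now(timezone.utc).isoformat()
        for purpose, (default_on, ticked) in form.items():
            if ticked and not default_on:
                self.records.append({"customer_id": customer_id, "purpose": purpose,
                                     "policy_version": policy_version, "recorded_at": now})

    def may_process(self, customer_id, purpose):
        """True only if `purpose` is transactional or has a logged consent.

        Consent to ORDER never extends to MARKETING or PARTNER_SHARING.
        """
        if purpose in TRANSACTIONAL:
            return True
        return any(r["customer_id"] == customer_id and r["purpose"] == purpose
                   for r in self.records)
```

Call `may_process` before every marketing send or partner export; a pre-ticked marketing box leaves no record, so the check fails closed.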
2. Publish a Privacy Policy
Your privacy policy must explain:
- What data you collect (names, addresses, payment info, order history, etc.)
- Why you collect it (order fulfillment, shipping, customer support, marketing)
- How long you keep it (e.g., "7 years for tax compliance, 2 years for non-tax data")
- Who you share it with (payment gateways like Razorpay, shipping partners like Delhivery, email services like Mailchimp)
- How customers can access, correct, or delete their data
The policy must be:
- ✅ Linked from your footer, checkout page, and signup forms
- ✅ Written in plain English (or Hindi if your audience uses Hindi)
- ✅ Specific to e-commerce (don't copy-paste a generic GDPR template)
3. Implement Security Measures
E-commerce security requirements:
- HTTPS (SSL certificate): Mandatory. Encrypts data in transit.
- Database encryption: Customer data at rest must be encrypted.
- Access controls: Limit which team members can access customer data.
- PCI-DSS compliance: If you handle payment cards (even tokenized), follow Payment Card Industry standards.
- Regular security audits: Quarterly or after major platform updates.
4. Honor Data Deletion Requests
Customers have the right to request deletion of their data. You must:
- Provide a way for customers to request deletion (email like [email protected] or a form)
- Delete data within 30 days (unless you have a legal obligation to retain it, e.g., tax records)
- Delete from all systems: main database, backups, CRM, email marketing lists, analytics
⚠️ Exception: You can keep data required for legal compliance (e.g., GST records for 7 years, order invoices). But you must delete everything else.
5. Set Data Retention Periods
You cannot store customer data forever. Set clear retention periods:
- Active customers: Keep data while account is active + 2 years after last purchase
- Inactive customers: Delete accounts inactive for 2+ years (unless they have active warranties/subscriptions)
- Tax/legal records: 7 years (GST requirement)
- Marketing data: Delete after 1 year of no engagement
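The retention periods listed above, encoded as a sweep that decides per dataset what to keep and what to delete (and from which systems). This is an added example, not code from the original article; the record fields, the system names and the sample customers are constructed for illustration.

```python
"""Retention sweep applying the retention periods from this guide.
Added example, not from the original article; the record fields, system
names and sample customers are constructed for illustration."""
from datetime import date, timedelta

YEAR = timedelta(days=365)
INACTIVE_LIMIT = 2 * YEAR   # account data: 2 years after last purchase
TAX_RETENTION = 7 * YEAR    # invoices / GST records
MARKETING_LIMIT = 1 * YEAR  # marketing data: 1 year without engagement

# Every store a deletion must reach, not just the main database.
SYSTEMS = ("main_db", "backups", "crm", "email_marketing", "analytics")

TODAY = date(2025, 1, 1)
SAMPLE_CUSTOMERS = [  # constructed records
    {"id": "c1", "last_purchase": date(2024, 6, 1), "marketing_opt_in": date(2024, 6, 1),
     "last_engagement": date(2024, 11, 1), "invoices": [{"id": "INV-1", "date": date(2024, 6, 1)}]},
    {"id": "c2", "last_purchase": date(2015, 3, 10), "marketing_opt_in": date(2015, 3, 10),
     "invoices": [{"id": "INV-2", "date": date(2015, 3, 10)}]},
    {"id": "c3", "last_purchase": date(2022, 1, 1), "warranty_until": date(2025, 6, 1),
     "invoices": [{"id": "INV-3", "date": date(2022, 1, 1)}]},
]


def retention_action(customer, today=TODAY):
    """Decide, per dataset, what to do with one customer record on `today`.

    account:   list of systems to purge, or "keep"
    invoices:  {invoice_id: "keep" | "delete"}; the tax clock runs on its
               own, so an invoice can outlive a deleted account
    marketing: "keep" | "delete" | "n/a"
    """
    inactive = today - customer["last_purchase"] > INACTIVE_LIMIT
    # An open warranty or running subscription keeps an otherwise stale account.
    obligation = (customer.get("warranty_until", date.min) >= today
                  or customer.get("subscription_active", False))
    account = list(SYSTEMS) if inactive and not obligation else "keep"

    invoices = {inv["id"]: "keep" if today - inv["date"] <= TAX_RETENTION else "delete"
                for inv in customer.get("invoices", [])}

    if "marketing_opt_in" not in customer:
        marketing = "n/a"  # no marketing data held for this customer
    else:
        # Clock runs from the last engagement, or from opt-in if they never engaged.
        baseline = customer.get("last_engagement") or customer["marketing_opt_in"]
        marketing = "delete" if today - baseline > MARKETING_LIMIT else "keep"

    return {"account": account, "invoices": invoices, "marketing": marketing}
```

Run it from a scheduled job and feed the returned actions to each system's own delete call; the invoice map is what lets you purge an account while still holding the GST records.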
Top 7 E-commerce DPDP Violations (And How to Avoid Them)
1. Storing Full Payment Card Details
The mistake: Saving customer credit/debit card numbers, CVVs, or expiry dates in your database for "faster checkout next time."
Why it's illegal: RBI prohibits merchants from storing full card data. DPDP's security requirements reinforce this. Storing card data = security failure.
Penalty: Up to ₹250 crore.
Fix: Use tokenization via payment gateways (Razorpay, Stripe). The gateway stores the token, not you.
2. No Privacy Policy
The mistake: Launching your store without publishing a privacy policy.
Why it's illegal: DPDP mandates a clear privacy notice. No policy = automatic violation.
Penalty: Up to ₹50 crore.
Fix: Generate a DPDP-compliant e-commerce privacy policy. Link it from footer and checkout page.
3. Pre-Ticked Consent Checkboxes
The mistake: Checkout page has a pre-ticked checkbox: "☑ Send me promotional emails." Customers have to uncheck to opt-out.
Why it's illegal: DPDP requires explicit consent. Pre-ticked boxes are assumed consent, not explicit consent.
Penalty: Up to ₹50 crore.
Fix: Make the checkbox unchecked by default. Customers must actively tick it to opt-in.
4. Keeping Customer Data Indefinitely
The mistake: Keeping customer accounts, order history, and addresses from 2015 even though those customers haven't ordered since then.
Why it's illegal: DPDP requires data retention limits. You can't store data indefinitely "just in case."
Penalty: Up to ₹50 crore.
Fix: Set a retention policy: Delete accounts inactive for 2+ years (after backing up tax-required data).
5. Ignoring Data Deletion Requests
The mistake: A customer emails asking to delete their account. You ignore it or say "we can't delete it due to technical limitations."
Why it's illegal: Data Principals have the right to deletion. You must honor it (except for legally required data).
Penalty: Up to ₹50 crore.
Fix: Create a [email protected] email. Respond within 30 days. Delete the account and data (keep only tax records if required).
6. Sharing or Selling Customer Data Without Consent
The mistake: Selling customer email lists to marketing companies or sharing customer data with "partner brands" without explicit consent.
Why it's illegal: DPDP requires consent for each specific purpose. Consent to "place an order" ≠ consent to "share data with partners."
Penalty: Up to ₹50 crore.
Fix: Don't share/sell customer data. If you must share with partners, get separate explicit consent.
7. Hiding a Data Breach
The mistake: Your database gets hacked. Customer data leaks. You try to "fix it quietly" without notifying anyone.
Why it's illegal: DPDP requires breach notification to the Data Protection Board within 72 hours + notification to affected customers.
Penalty: Up to ₹200 crore.
Fix: Create an incident response plan. If a breach occurs, notify the DPB within 72 hours, notify customers, and fix the vulnerability.
Platform-Specific DPDP Compliance
Shopify Stores
What Shopify handles: PCI-DSS payment compliance, basic security, HTTPS.
What YOU must handle:
- Create DPDP-compliant privacy policy (Shopify's template is GDPR-focused, not DPDP-compliant)
- Add consent checkboxes at checkout (use Shopify's checkout customization or apps)
- Configure data retention (Settings → Customer Privacy)
- Respond to data deletion requests (Shopify has tools for this)
- Add cookie consent banner for Google Analytics/Facebook Pixel
WooCommerce (WordPress) Stores
What WooCommerce provides: Basic privacy tools, data export/erasure features.
What YOU must handle:
- Install and configure a DPDP-compliant privacy policy generator
- Add consent checkboxes (WooCommerce Checkout Add-ons or custom code)
- Install SSL certificate (HTTPS)
- Configure data retention (WooCommerce → Settings → Privacy)
- Install cookie consent plugin (GDPR Cookie Consent, CookieYes)
- Secure your WordPress installation (updates, strong passwords, 2FA)
Custom-Built Stores
You're responsible for everything:
- Implement consent mechanisms in checkout flow
- Build privacy policy page
- Encrypt database (AES-256)
- Implement HTTPS (SSL certificate)
- Build data export/deletion functionality
- Set up automated data retention deletion
- Log consent records
Instagram/WhatsApp Selling
Yes, DPDP applies even if you sell via Instagram DMs or WhatsApp Business:
- Publish a privacy policy (link in bio, share when customers place first order)
- Get consent: "By placing this order, you agree to our Privacy Policy: [link]"
- Don't store customer data in insecure spreadsheets — use secure CRM or encrypted database
- Delete old customer chats/data after order is fulfilled + retention period
E-commerce DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy Policy published (linked from footer + checkout) | ☐ |
| Consent checkbox at checkout (unchecked by default) | ☐ |
| Separate marketing consent (optional, not required for purchase) | ☐ |
| Cookie consent banner (for Google Analytics, Facebook Pixel) | ☐ |
| HTTPS enabled (SSL certificate active) | ☐ |
| Payment data tokenized (not storing full card numbers) | ☐ |
| Database encrypted (customer data at rest) | ☐ |
| Data retention policy set (delete inactive accounts after X years) | ☐ |
| Privacy email active ([email protected] for data requests) | ☐ |
| Data deletion workflow (can delete customer data on request) | ☐ |
| Breach response plan (know how to notify DPB within 72 hours) | ☐ |
| Third-party audit (reviewed payment gateway, shipping, CRM DPDP compliance) | ☐ |
FAQ for Online Store Owners
Does DPDP apply to small online stores?
Yes. Even if you're a solo entrepreneur selling on Instagram or a small Shopify store with 10 orders/month, if you collect customer data from Indians, DPDP applies. There's no size exemption.
What customer data is covered under DPDP?
All personal data: names, emails, phone numbers, delivery addresses, payment information, order history, browsing behavior, IP addresses, device IDs. Everything.
Can I store customer payment card details?
No. Storing full card numbers, CVVs, or card PINs is prohibited under RBI guidelines and violates DPDP's security requirements. Use tokenization via payment gateways instead.
How long can I keep customer order data?
Only as long as necessary for the business purpose. Recommended: Keep active customer data while account is active + 2 years after last purchase. Keep tax-required records (invoices) for 7 years. Delete everything else.
Do I need consent to send order confirmation emails?
No. Transactional emails (order confirmations, shipping updates, invoices) are permitted without separate consent because they're necessary to fulfill the purchase. But marketing emails require opt-in consent.
What if I use Razorpay/Paytm for payments?
You're still the Data Fiduciary. Razorpay/Paytm are your Data Processors. You're responsible for overall DPDP compliance, even if payment processing is outsourced.