What does the DPDP Act mean for e-commerce platforms?

Anahad Narain

Founder's Office
August 9, 2024

Summary

  • In an e-commerce (B2B2C) business, one business onboards another business to offer products or services to end consumers.
  • The DPDP Act distinguishes between Data Fiduciaries (entities determining the means and purpose of data processing) and Data Processors (entities processing data on behalf of a fiduciary). 
  • An e-commerce business can act as either a Data Fiduciary or Processor, depending on its control over data processing activities. Compliance obligations primarily rest on Data Fiduciaries.
  • E-commerce industries must navigate complex roles, shared responsibilities, and data control issues. 
  • E-commerce platforms must ensure clear agreements with partners, manage data breaches, and maintain transparency with end users.
  • Best practices include conducting regular data audits, engaging with partners, maintaining detailed documentation, monitoring regulatory changes, leveraging technological solutions, and preparing for data breaches. 

What is an e-commerce platform?

An e-commerce platform is usually a B2B2C company where one business onboards another business to offer products or services to end consumers. 

B2B2C has two businesses: a primary business (such as a manufacturer or service provider) that collaborates with an intermediary business (like a retailer or service facilitator) to reach a broader audience and enhance consumer experience. E-commerce platforms see the following players:

  • Sellers (Brands, SMEs, Vendors) - offer products on the platform.

  • The platform (e.g., Flipkart, Amazon, Nykaa) - facilitates catalogue management, payments, marketing, customer service, and logistics.

  • Customers - shop and transact through the platform.

Though the buyer and seller are the two parties transacting, the e-commerce platform is deeply involved in the data journey, collecting, processing, and even analyzing user information to enhance experience and drive business outcomes.

How does the DPDP Act affect e-commerce platforms?

The DPDP Act is India’s privacy legislation that governs how organizations collect, process, and store digital personal data. It gives Indian citizens rights over their data and imposes strict obligations on businesses handling it. Penalties of up to ₹250 crore per instance for non-compliance can be levied.
In an e-commerce transaction, personal data flows between multiple entities:

  • The platform collects data for login, marketing, checkout, and support.

  • Sellers receive customer data for fulfilling orders.

  • Logistics partners get the address and contact details for delivery.

  • Payment gateways handle sensitive financial information.

Under the DPDP Act, any entity that decides how and why personal data is processed is called a Data Fiduciary.

If you are only following instructions and do not control the purpose of data use, you are a Data Processor.

To understand how the DPDP Act affects e-commerce platforms, you first need to figure out whether your business is a data fiduciary or a data processor. Let’s take a look at it.

Is my e-commerce platform a data fiduciary or data processor?

E-commerce as a Data Fiduciary: E-commerce platforms usually act as Data Fiduciaries in several flows. You're a fiduciary when your platform:

  • Collects and uses customer data for marketing

  • Analyzes browsing or purchase history to personalize recommendations

  • Uses customer reviews to enhance product visibility

  • Manages user accounts or loyalty programs

In these flows, you determine the purpose and means of processing, so you are liable for all compliance obligations under the DPDP Act — from consent to grievance redressal.

E-commerce as a Data Processor: You're a processor when:

  • You pass customer data to a seller or delivery agent only for order fulfilment and don’t collect, store or use the data.

  • You manage payment collection on behalf of the seller using a payment gateway

  • You offer seller tools (e.g., analytics dashboards) without using that data yourself

In these cases, you're processing data on someone else’s behalf, and your obligations are limited to what’s in the contract with the fiduciary (usually the seller or brand).

Personal data flows from the users (principals) to businesses (fiduciaries and processors)

What are the top challenges for e-commerce companies under the DPDP Act?

The DPDP Act poses many challenges for the e-commerce industry, because the industry collects large volumes of personal data. Some of the major challenges are:

1. Role Clarity: Misidentifying yourself as a processor when you're a fiduciary could lead to massive compliance risk.

2. Shared Responsibility: Platforms and sellers often share access to personal data. Both need clear contracts and SOPs on data use, breach handling, and consent records.

3. Consent Management: Consent must be clear, specific, informed, and recorded. Users, i.e. Data Principals, should be able to withdraw consent with ease.

4. Third-party Vendors: Ensure that all your third-party vendors (logistics, call centres, hosting providers) also follow the rules, because you, as a fiduciary, are liable for their non-compliance.

5. Data Deletion: You must delete personal data when:

  • The customer withdraws consent

  • The purpose (e.g., order delivery) is fulfilled

  • A retention period expires

What should the e-commerce industry do to comply with the DPDP Act?

The DPDP Act is not a deal breaker for the e-commerce industry; rather, it will introduce industry-specific best practices for processing the personal data of users, making deletion, usage and retention more streamlined.

As non-compliance with this law can attract a fine of up to ₹250 crore, e-commerce platforms can take a few steps to comply with the DPDP Act:

  1. Map Your Data Flows: To accurately define your role in every flow, you must map your data flows. You must know which team collects personal data, who decides the ‘why’ and ‘how’ of data processing, and what happens to the data after it has served its purpose.
  2. Manage Consent Appropriately: Your role as Data Fiduciary or Data Processor determines what you must do. If you are a Fiduciary, you must collect and store consents directly. If you are a Processor, you must ensure that the fiduciary provides valid consents. If you operate a marketplace, you must collect interoperable consents usable across sellers.
  3. Use Standard Contracts: As a processor, you need to define your obligations clearly through standard contract clauses with the sellers. As a fiduciary, you must pass data responsibilities down to processors (logistics, analytics vendors) via clear agreements.
  4. Build a Deletion Protocol: Deleting customer data once consent is withdrawn or the data has served its purpose will help you avoid penalties. Run periodic audits to ensure there is no lapse, and ensure that all your associated third-party vendors do the same.
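The deletion protocol above, with the three triggers listed earlier (consent withdrawn, purpose fulfilled, retention period expired) and the periodic audit that also names the downstream vendors holding a copy, as an added illustration that is not part of the original post. The record structure, the field names and the sample records are constructed assumptions, not a real platform's schema.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed audit date used by the sample below (assumption, not from the post).
AUDIT_DATE = date(2024, 8, 9)


@dataclass
class PersonalDataRecord:
    """One item of personal data held by the platform (hypothetical schema)."""
    record_id: str
    purpose: str                # why the data was collected, e.g. "order_delivery"
    collected_on: date
    retention_days: int         # retention period agreed for this purpose
    consent_active: bool = True
    purpose_fulfilled: bool = False
    processors: list = field(default_factory=list)  # vendors holding a copy


def deletion_reason(rec, today):
    """Return the DPDP trigger that requires deletion, or None if data may be kept.

    Consent withdrawal is checked first: once consent is gone, nothing else
    justifies keeping the data.
    """
    if not rec.consent_active:
        return "consent_withdrawn"
    if rec.purpose_fulfilled:
        return "purpose_fulfilled"
    if today >= rec.collected_on + timedelta(days=rec.retention_days):
        return "retention_expired"
    return None


def audit_for_deletion(records, today):
    """Periodic audit: every overdue record, its trigger, and the vendors that must erase it too."""
    overdue = []
    for rec in records:
        reason = deletion_reason(rec, today)
        if reason is not None:
            overdue.append((rec.record_id, reason, list(rec.processors)))
    return overdue


def sample_records():
    """Constructed sample data covering each trigger plus one record that may be kept."""
    return [
        PersonalDataRecord("ord-1001", "order_delivery", date(2024, 7, 1), 90,
                           purpose_fulfilled=True, processors=["logistics-vendor"]),
        PersonalDataRecord("mkt-2002", "marketing", date(2024, 6, 1), 365,
                           consent_active=False, processors=["email-vendor"]),
        PersonalDataRecord("sup-3003", "support", date(2024, 1, 1), 180),
        PersonalDataRecord("acc-4004", "account", date(2024, 8, 1), 365),
    ]
```

Running `audit_for_deletion(sample_records(), AUDIT_DATE)` flags the first three records and, for each, the vendor list that must receive the same deletion instruction.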

What are the next steps for the e-commerce industry?

Take the first step towards seamless DPDP compliance by evaluating your data protection processes today. Conduct a thorough audit of your data processing activities and establish clear agreements with your partners. For expert guidance on how to be DPDP compliant, you can get in touch with us at enquiry@leegality.com.
