Tags: DPDP · D2C · E-commerce · Marketing

DPDP Compliance for D2C and E-commerce Brands in India

16 June 2026 · 8 min read · By Sammati

D2C and e-commerce brands live and die by the conversion funnel — and the funnel is exactly where India's Digital Personal Data Protection Act, 2023 bites hardest. Every signup, checkout, marketing opt-in, and tracking pixel is a processing activity that now needs a lawful basis. Here is how to stay compliant without wrecking conversion.


Separate transactional consent from marketing consent

When a customer buys from you, the data needed to fulfil the order — name, address, payment reference, contact for delivery — is processing tied to the transaction. Using that same data to market to them later is a different purpose, and DPDP requires consent to be specific to each purpose (§6). You cannot bundle "create my account and ship my order" with "send me promotional messages" under a single tick.

What to do: At checkout, capture the transactional basis cleanly, and present marketing opt-in as a separate, unticked choice. A pre-ticked marketing box is not valid consent under DPDP.


Marketing consent must be easy to withdraw

The right to withdraw consent is explicit, and withdrawal must be as easy as giving it (§6(4)). One-click unsubscribe in every email and an in-account toggle are the practical minimum.

What to do: Audit your marketing tools so that an unsubscribe or preference change propagates everywhere — email, SMS, WhatsApp, push — not just the channel the customer happened to use.
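As an added example (not code from the post or from Sammati), the JavaScript below implements the two points made so far: marketing consent captured at checkout as its own purpose, counted only when the customer ticks a box that was rendered unticked, and a withdrawal received on any one channel that switches marketing off for every channel and tells each channel system to suppress the customer. The purpose names, the record shape and the channel adapter interface are assumptions.

```javascript
// Per-purpose consent store with channel-wide withdrawal. Added example (not the post's or
// Sammati's code): purpose names, record shape and adapter interface are assumptions.

const CHANNELS = ['email', 'sms', 'whatsapp', 'push'];

// Record consent at checkout. The order supplies the transactional basis; marketing is a
// separate purpose that counts only if the customer actively ticked a box rendered unticked.
function recordCheckoutConsent(store, customerId, form, at) {
  if (form.marketingDefaultChecked) {
    throw new Error('marketing opt-in must be rendered unticked; a pre-ticked box is not consent');
  }
  const marketing = form.marketingTicked === true;
  const record = {
    customerId,
    purposes: {
      orderFulfilment: { granted: true, basis: 'transaction', at },
      marketing: { granted: marketing, basis: 'consent', at },
    },
    // Per-channel flags start equal to the purpose flag; withdrawal flips them together.
    channels: Object.fromEntries(CHANNELS.map(c => [c, marketing])),
    history: [{ at, event: marketing ? 'marketing-granted' : 'marketing-declined' }],
  };
  store.set(customerId, record);
  return record;
}

// Withdrawal arriving on any channel (unsubscribe link, STOP reply, in-account toggle) turns
// marketing off for every channel and asks each channel system to suppress the customer.
function withdrawMarketing(store, customerId, viaChannel, at, adapters) {
  const record = store.get(customerId);
  if (!record) return null;
  record.purposes.marketing = { granted: false, basis: 'consent', at, withdrawnVia: viaChannel };
  for (const channel of CHANNELS) {
    record.channels[channel] = false;
    adapters[channel].suppress(customerId);
  }
  record.history.push({ at, event: 'marketing-withdrawn', viaChannel });
  return record;
}

// Gate every send on the store, never on a channel tool's own list.
function canSend(store, customerId, channel) {
  const record = store.get(customerId);
  return Boolean(record && record.purposes.marketing.granted && record.channels[channel]);
}

// Split a customer list into those you may message on a channel and those who only transacted.
function eligibleRecipients(store, customerIds, channel) {
  return customerIds.filter(id => canSend(store, id, channel));
}

// Stand-in adapters that only log suppressions, so the fan-out can be inspected offline.
function loggingAdapters() {
  const log = [];
  const adapters = Object.fromEntries(
    CHANNELS.map(c => [c, { suppress: id => log.push(`${c}:${id}`) }])
  );
  return { adapters, log };
}
```

The design choice that matters is that every send calls canSend against the store rather than trusting each channel tool's own list: the store is the single source of truth, and the adapters are told to suppress a customer instead of being expected to notice the change on their own.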


The age-determination problem with OTP signups

Most Indian D2C signups are a mobile number plus an OTP. That flow tells you nothing about the customer's age — and the Act treats anyone under 18 as a child, requiring verifiable parental consent before processing their data and prohibiting tracking, behavioural monitoring, and targeted advertising directed at children (§9). A generic OTP signup cannot distinguish a 30-year-old from a 15-year-old.

This is a genuine, unresolved operational tension for general-audience brands. You are not a children's brand, but minors will sign up. The Rules describe how to verify a parent is an adult once you know you are dealing with a child (Rule 10) — but the harder problem is knowing in the first place. Our deep-dive on children's data and verifiable parental consent covers the options.

What to do: Add an age-affirmation step at signup, suppress behavioural ad targeting where age is unknown or under 18, and document your approach. A defensible, written age-assurance posture matters more than a perfect technical solution that does not yet exist at scale.


Cookie and tracking consent on your storefront

Your store almost certainly runs Google Analytics, Meta Pixel, and remarketing tags. These set identifiers and track behaviour — processing personal data. Under DPDP's consent principles, non-essential trackers should not fire before the customer consents, and consent must be a clear affirmative action (§6). For under-18 visitors, behavioural and advertising trackers are off the table entirely (§9).

What to do: Deploy a consent banner that blocks analytics and advertising scripts until opt-in, with a "Reject" option as prominent as "Accept." See DPDP cookie consent: what Indian websites actually need to do for the implementation detail.
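The following is an added example in JavaScript, not code from the post or from Sammati, showing the gating logic behind such a banner together with the age-based suppression from the previous section: nothing non-essential loads until a decision exists, accept and reject are single symmetric actions, a known minor gets no non-essential tracker at all, and unknown age suppresses advertising trackers. The tracker registry, category names and the exact age policy are assumptions chosen to mirror the text.

```javascript
// Consent-gated loading of non-essential trackers. Added example (not code from the post or
// from Sammati): the tracker registry, category names and the age-state policy are assumptions.

// Constructed registry standing in for analytics, pixel and remarketing tags.
const TRACKERS = [
  { id: 'analytics',   category: 'analytics',   src: 'https://example.invalid/analytics.js' },
  { id: 'pixel',       category: 'advertising', src: 'https://example.invalid/pixel.js' },
  { id: 'remarketing', category: 'advertising', src: 'https://example.invalid/remarketing.js' },
];

// Every non-essential category is off until the visitor decides; "unknown" age is the default.
function initialConsent() {
  return { decided: false, analytics: false, advertising: false, age: 'unknown' };
}

// Accept and reject are symmetric single actions, so "Reject" is as easy as "Accept".
function acceptAll(state) { return { ...state, decided: true, analytics: true,  advertising: true  }; }
function rejectAll(state) { return { ...state, decided: true, analytics: false, advertising: false }; }
function withdraw(state)  { return rejectAll(state); }

// Age affirmation result from the signup step: 'adult', 'minor' or 'unknown'.
function setAge(state, age) {
  if (!['adult', 'minor', 'unknown'].includes(age)) throw new Error(`bad age state: ${age}`);
  return { ...state, age };
}

// Which trackers may fire right now. Policy (an assumption reflecting the post): a known minor
// gets no non-essential tracker; unknown age suppresses advertising; otherwise each category
// needs its own affirmative opt-in.
function allowedTrackers(state, trackers = TRACKERS) {
  if (!state.decided || state.age === 'minor') return [];
  return trackers.filter(t => {
    if (!state[t.category]) return false;
    if (t.category === 'advertising' && state.age !== 'adult') return false;
    return true;
  });
}

// Browser adapter: inject allowed scripts once. `loaded` remembers what is already in the DOM
// so a later preference change does not double-load. A script already loaded cannot be
// unloaded, which is the reason nothing fires before the decision in the first place.
function applyConsent(state, doc, loaded = new Set()) {
  for (const t of allowedTrackers(state)) {
    if (loaded.has(t.id)) continue;
    const script = doc.createElement('script');
    script.src = t.src;
    script.async = true;
    script.dataset.tracker = t.id;
    doc.head.appendChild(script);
    loaded.add(t.id);
  }
  return loaded;
}

// Audit record to persist alongside the decision: which banner version, what was chosen, when.
function consentRecord(state, bannerVersion, at = new Date()) {
  return {
    bannerVersion,
    decidedAt: at.toISOString(),
    analytics: state.analytics,
    advertising: state.advertising,
    age: state.age,
  };
}
```

In a real storefront the tag manager's own triggers must be wired to applyConsent rather than to page load, otherwise the tags fire before the banner is ever shown; the registry above replaces the tag manager's built-in "fire on all pages" default with an explicit allow-list.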


Retention: you cannot hoard customer data forever

The Act requires erasure once the purpose is served or consent is withdrawn (§8(7)). For large platforms, the Rules are specific: the Third Schedule sets a three-year retention limit (measured from the customer's last interaction) for e-commerce entities above a defined user threshold, with a 48-hour notice to the customer before erasure unless they log back in (Rule 8). High-volume marketplaces should design for this now; smaller brands still owe the general erasure duty.

What to do: Set a retention clock per data category, automate deletion of dormant accounts, and send the pre-erasure notice where the Third Schedule applies.
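As an added example (not code from the post or from Sammati), here is a retention clock in JavaScript that encodes the post's reading of the Third Schedule: erase three years after the customer's last interaction, send a notice 48 hours before, and let a fresh login reset the clock. Only the three-year account value comes from the text; the record shape, the job structure and the sample dates are constructed.

```javascript
// Retention clock for dormant customer accounts. Added example, not code from the post or
// from Sammati. Record shape and sample dates are constructed.

const HOUR_MS = 60 * 60 * 1000;
const NOTICE_WINDOW_MS = 48 * HOUR_MS;

// Retention periods in years per data category. Only the account value is taken from the
// post's description of the Third Schedule; add other categories from your own written policy.
const RETENTION_YEARS = { account: 3 };

function addYears(date, years) {
  const d = new Date(date.getTime());
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

// Any authenticated activity moves the clock forward and cancels a pending erasure notice.
function recordInteraction(record, at) {
  record.lastInteraction = at;
  record.noticeSentAt = null;
  return record;
}

// What the scheduled job should do for one record: 'keep', 'notify' or 'erase'.
// record: { id, category, lastInteraction: Date, noticeSentAt: Date|null }
function retentionAction(record, now) {
  const years = RETENTION_YEARS[record.category];
  if (years === undefined) throw new Error(`no retention period defined for ${record.category}`);
  const eraseAt = addYears(record.lastInteraction, years);
  const noticeDue = eraseAt.getTime() - NOTICE_WINDOW_MS;
  if (now.getTime() < noticeDue) return 'keep';        // well inside the retention period
  if (!record.noticeSentAt) return 'notify';           // inside the 48h window, not yet warned
  const warnedFor = now.getTime() - record.noticeSentAt.getTime();
  // Erase only once the period has expired and the customer has had the full 48h to return.
  return now.getTime() >= eraseAt.getTime() && warnedFor >= NOTICE_WINDOW_MS ? 'erase' : 'keep';
}

// Group a batch of records into what the job must do tonight.
function runRetentionJob(records, now) {
  const plan = { keep: [], notify: [], erase: [] };
  for (const r of records) plan[retentionAction(r, now)].push(r.id);
  return plan;
}

// Constructed sample: the job runs at midnight UTC on 1 June 2027.
const NOW = new Date('2027-06-01T00:00:00Z');
const SAMPLE_RECORDS = [
  // Dormant since Jan 2024, warned in Jan 2027, never came back: erase.
  { id: 'A', category: 'account', lastInteraction: new Date('2024-01-15T00:00:00Z'), noticeSentAt: new Date('2027-01-13T00:00:00Z') },
  // Three years expire at noon today; inside the 48h window and not yet warned: notify.
  { id: 'B', category: 'account', lastInteraction: new Date('2024-06-01T12:00:00Z'), noticeSentAt: null },
  // Active in 2025: keep.
  { id: 'C', category: 'account', lastInteraction: new Date('2025-03-01T00:00:00Z'), noticeSentAt: null },
  // Was warned, then logged back in the next day: clock reset, keep.
  recordInteraction(
    { id: 'D', category: 'account', lastInteraction: new Date('2024-05-01T00:00:00Z'), noticeSentAt: new Date('2027-04-29T00:00:00Z') },
    new Date('2027-04-30T09:00:00Z'),
  ),
];
```

Run as a scheduled job, 'notify' sends the pre-erasure message and stamps noticeSentAt, 'erase' deletes the record and writes an erasure log entry, and 'keep' does nothing; because the decision is derived from lastInteraction on every run, a customer who logs in after the notice is picked up automatically without any special-case code.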


Build the rights and grievance plumbing

Customers can ask what data you hold (§11), correct or erase it (§12), and raise grievances (§13). You must publish a contact point for this (§8(9); Rule 9) and resolve grievances within 90 days (Rule 14(3)).

What to do: Add a "Privacy" page with a request form and a published grievance contact, backed by a tracked workflow — not a shared inbox. See Data Principal rights under DPDP.


A D2C compliance checklist

  • Unbundle marketing consent from the purchase; never pre-tick
  • Make withdrawal one-click and propagate it across every channel
  • Add age affirmation; suppress behavioural targeting for unknown or under-18 users
  • Block non-essential trackers until consent; keep "Reject" as easy as "Accept"
  • Define retention per data type and automate erasure
  • Publish a grievance contact and stand up a rights workflow

Substantive obligations commence 13 May 2027 (timeline here) — time enough to fix the funnel deliberately.


A worked example: emailing a past customer

Suppose a customer bought a pair of shoes from you eight months ago and ticked nothing about marketing. Can you email them a Diwali sale?

Walk it through. The order data was collected to fulfil that purchase — a specific purpose. Sending a promotional email is a different purpose (marketing), and DPDP requires consent to be specific to each purpose (§6). Because the customer never gave a separate marketing consent, you do not have a basis to send the campaign.

Now suppose at checkout you had shown an unticked "Send me offers and updates" box and they had ticked it. That is a clear affirmative action for the marketing purpose — you can send the campaign, and you must include a one-click way to withdraw (§6(4)).

What to do: Treat your existing customer list as two segments — those who gave marketing consent and those who only transacted. Market only to the first. Retro-fitting consent by emailing the second segment to "confirm" their interest is itself marketing, so collect the opt-in at the point of purchase instead.


Frequently asked questions

Can I add customers to my marketing list automatically after they buy?

No. Marketing is a separate purpose from order fulfilment, and consent must be specific to each purpose (§6). Present a separate, unticked marketing opt-in — a purchase does not imply consent to promotional messaging.

Is a pre-ticked newsletter checkbox allowed?

No. Consent requires a clear affirmative action, which rules out pre-ticked boxes and bundled "I agree to everything" toggles.

Do the same rules apply to WhatsApp and SMS marketing?

Yes — the consent and easy-withdrawal requirements (§6, §6(4)) apply across every channel, not just email. Channel-specific telecom and platform rules apply on top.

Does the three-year retention rule apply to my small store?

The Third Schedule's three-year limit targets large e-commerce, online-gaming, and social-media platforms above defined user thresholds. Smaller stores fall outside those specific limits but still owe the general duty to erase data once the purpose is served or consent is withdrawn (§8(7)).

Are we liable if a minor signs up and we track them?

Potentially. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited (§9), and the burden is on you to avoid it. A documented age-assurance approach and conservative defaults are your best protection.


How Sammati helps D2C and e-commerce

Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager — built for high-traffic storefronts:

  • Cookie and form-consent capture that blocks trackers until opt-in, with default-off non-essential categories
  • Unbundled, per-purpose marketing consent with one-click withdrawal recorded to an immutable, hash-chained ledger
  • Rights and grievance workflows that meet the 90-day grievance ceiling (Rule 14(3))
  • Consent notices in all 22 Eighth Schedule languages for pan-India reach

Take the free DPDP assessment or talk to us about your storefront.