DPDPA Compliance for E-commerce Companies

Customer data at scale. Marketing pixels. Payment processors. E-commerce DPDPA exposure is wider than most founders realise — and most of it sits in the checkout flow, the marketing stack, and the customer database.

Checkout Consent Flows | Marketing Pixel Compliance | Retargeting Without Consent | Customer Data Retention | Payment Processor DPAs
The Core Challenge

Why e-commerce companies carry significant DPDPA exposure

Recent industry surveys suggest that the large majority of Indian e-commerce operators are running consent flows designed for a pre-DPDPA environment.

The Checkout Flow

Most e-commerce checkout pages present a single checkbox covering terms of service, privacy policy, and marketing consent simultaneously. This bundled approach does not satisfy DPDPA's requirement that consent be specific to the purpose for which it is obtained. Each distinct processing purpose requires its own consent mechanism.

The Marketing and Tracking Stack

Retargeting pixels, behavioural analytics tools, and remarketing tags typically fire on page load — before any consent is obtained from the user. Non-essential data processing under DPDPA requires prior, specific consent. Processing that occurs before this consent has no valid lawful basis for that period.

The Customer Database

E-commerce companies accumulate customer data over years — purchase history, delivery addresses, browsing behaviour, payment records. DPDPA requires personal data to be retained only for as long as the stated purpose requires. Retaining customer data indefinitely without a documented retention framework and a functioning erasure process is a compliance gap in most e-commerce operations.

Common Findings

The gaps Privara finds most consistently in e-commerce assessments

Identified through review of live checkout flows, marketing configurations, and customer data practices — not a generic checklist.

Critical
Bundled consent at checkout

A single checkbox at checkout simultaneously covering acceptance of terms of service, acknowledgement of the privacy policy, and opt-in to marketing communications. DPDPA requires consent to be specific to the purpose for which it is obtained. A bundled consent mechanism does not satisfy this requirement — consent for marketing is not the same as acceptance of purchase terms, and cannot be combined in a single mechanism.

Section 6 — Consent Specificity

Critical
Tracking pixels firing before consent is obtained

Meta Pixel, Google Analytics, Google Ads conversion tags, and similar tools executing on page load before the user has actively opted in. These tools process personal data — IP addresses, device identifiers, behavioural data, and purchase signals — for purposes beyond essential site functionality. Where this processing occurs before a valid consent basis is established, no lawful ground for processing exists for that period.

Section 6 — Consent Before Processing

Critical
Flash sale and time-pressure consent flows

Consent obtained during countdown timers, gated discount offers, or purchase-gated registration flows. DPDPA requires consent to be free — meaning voluntarily given without any element of coercion or conditioning on the purchase or access to a product. Consent obtained as a condition of accessing a discount or completing a transaction raises questions about whether it genuinely meets this standard.

Section 6(1) — Free Consent Standard

High
Purchase data used for retargeting without secondary consent

Using purchase history or browsing behaviour to serve retargeted advertising without specific consent for this secondary use. The consent obtained at checkout for the purpose of processing a transaction does not extend to using transaction data for targeted advertising. DPDPA links the validity of consent directly to the purpose for which it was obtained — secondary use requires a new consent basis.

Sections 5 + 6 — Purpose Limitation

High
No documented retention policy or deletion process

Customer data retained indefinitely with no documented retention timeline, no automated deletion mechanism, and no user-facing erasure request process. DPDPA requires personal data to be erased once the purpose for which it was collected is fulfilled. Most e-commerce platforms have no mechanism to identify which data categories are past their retention window and no process for honouring customer deletion requests across all systems where data is held.

Section 8(7) — Data Retention

Checkout and Consent Architecture

What DPDPA requires at the point of purchase

The checkout flow is the highest-risk consent surface in most e-commerce products. It is the point where users are asked to provide the most information, where marketing consent is most commonly bundled, and where the pressure to complete the transaction creates conditions that may not support genuinely free consent.

DPDPA does not prohibit marketing consent at checkout. It requires that it be obtained separately, specifically, and without conditioning the transaction on providing it. Where marketing consent is optional and genuinely separate from the purchase process, the checkout flow can be compliant.

The same principle applies to the tracking and analytics stack. Tools that fire on page load before any opt-in is registered need to be configured to wait for active consent — or must be limited to strictly necessary functionality until consent is obtained.

What a compliant e-commerce consent flow requires
Separate, optional checkbox for marketing communications — not bundled with terms or checkout completion
Tracking and analytics tools configured to fire only after active opt-in is recorded
Privacy notice accessible and clearly linked at the point consent is requested — not only in the footer
Consent records maintained per user per purpose — with timestamp, notice version, and affirmative action type
Withdrawal mechanism as accessible as the consent mechanism — not hidden in account settings
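
The requirements listed above, expressed as code. This JavaScript is an added example, not Privara's or any platform's own code: an append-only consent ledger keyed per user and purpose that queues non-essential tags until opt-in and keeps the marketing opt-in separate from checkout completion. The class, purpose and action names are hypothetical.

```javascript
// Added example; all names are hypothetical. The clock is injectable for testing.
class ConsentLedger {
  constructor(noticeVersion, now = () => new Date().toISOString()) {
    this.noticeVersion = noticeVersion;
    this.now = now;
    this.events = [];         // append-only history of grants and withdrawals
    this.pending = new Map(); // "user|purpose" -> tag loaders waiting for opt-in
  }
  key(userId, purpose) { return `${userId}|${purpose}`; }

  // One record per user per purpose: timestamp, notice version, action type.
  record(userId, purpose, granted, action) {
    const affirmative = ["checkbox_ticked", "button_clicked"];
    if (granted && !affirmative.includes(action)) {
      throw new Error(`"${action}" is not an affirmative opt-in`);
    }
    this.events.push({ userId, purpose, granted, action,
                       noticeVersion: this.noticeVersion, at: this.now() });
    if (granted) {
      const queued = this.pending.get(this.key(userId, purpose)) || [];
      this.pending.delete(this.key(userId, purpose));
      queued.forEach((load) => load());
    }
  }

  // Latest event wins, so a withdrawal applies on the next check. Default: deny.
  hasConsent(userId, purpose) {
    const last = this.events
      .filter((e) => e.userId === userId && e.purpose === purpose).pop();
    return last ? last.granted : false;
  }

  // Non-essential tags run only after opt-in; until then they are queued.
  gate(userId, purpose, load) {
    if (this.hasConsent(userId, purpose)) return load();
    const k = this.key(userId, purpose);
    this.pending.set(k, [...(this.pending.get(k) || []), load]);
  }
}

// The order completes whether or not the separate marketing box is ticked.
function submitCheckout(ledger, userId, form) {
  if (!form.termsAccepted) return { orderPlaced: false };
  if (form.marketingOptIn) {
    ledger.record(userId, "marketing_email", true, "checkbox_ticked");
  }
  return { orderPlaced: true,
           marketing: ledger.hasConsent(userId, "marketing_email") };
}
```
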
Real Finding

What a finding looks like in an e-commerce assessment

Finding — Pre-Consent Tracking
Meta Pixel and Google Analytics firing on page load before consent is obtained

During a product review of an e-commerce platform, the Meta Pixel and Google Analytics global site tag were found to fire on page load — before any consent interaction had been registered. Network inspection confirmed both tools transmitted device identifiers, page URL, and session data before the cookie banner was even displayed.

Under the Act, non-essential processing requires prior, specific consent. Processing before consent is obtained has no valid lawful basis for that period. Additionally, neither vendor had a compliant Data Processing Agreement in place — standard platform terms do not restrict the vendor's use of submitted data for their own purposes.

Critical | Section 6 — Consent Before Processing | Section 5 — Privacy Notice | Network inspection + notice review
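
A check of the kind described in this finding can be run over a HAR export from the browser's network panel. This JavaScript is an added example, not the assessor's tooling: it lists requests to Meta Pixel and Google Analytics endpoints that started before the recorded opt-in. The host rules, `shop.example`, the ids and the consent timestamp are constructed assumptions.

```javascript
// Added example. Rules cover only the two tools named in the finding.
const RULES = [
  { tool: "Meta Pixel", host: "connect.facebook.net", path: "/" },
  { tool: "Meta Pixel", host: "www.facebook.com", path: "/tr" },
  { tool: "Google Analytics", host: "googletagmanager.com", path: "/gtag/js" },
  { tool: "Google Analytics", host: "google-analytics.com", path: "/" },
];

function matchRule(url) {
  return RULES.find((r) => {
    const hostOk = url.hostname === r.host || url.hostname.endsWith("." + r.host);
    const prefix = r.path.endsWith("/") ? r.path : r.path + "/";
    return hostOk && (url.pathname === r.path || url.pathname.startsWith(prefix));
  });
}

// consentAt: ISO time of the recorded opt-in, or null if the user never opted in.
function preConsentHits(har, consentAt) {
  const cutoff = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; } // malformed URL
    const rule = matchRule(url);
    if (!rule || Date.parse(entry.startedDateTime) >= cutoff) continue;
    hits.push({ tool: rule.tool, at: entry.startedDateTime,
                endpoint: url.hostname + url.pathname,
                params: [...url.searchParams.keys()] }); // names only, no values
  }
  return hits;
}

// Constructed capture: shop.example and every id below are placeholders.
const entry = (t, u) =>
  ({ startedDateTime: `2025-01-01T10:00:${t}Z`, request: { url: u } });
const SAMPLE_HAR = { log: { entries: [
  entry("00.120", "https://shop.example/"),
  entry("00.480", "https://connect.facebook.net/en_US/fbevents.js"),
  entry("00.610", "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"),
  entry("00.900", "https://www.facebook.com/tr?id=000&ev=PageView"),
  entry("01.050", "https://region1.google-analytics.com/g/collect?v=2&cid=000"),
  entry("05.000", "https://www.google-analytics.com/g/collect?v=2&en=purchase"),
] } };
const CONSENT_AT = "2025-01-01T10:00:04.000Z"; // assumed time of the banner opt-in

console.log(preConsentHits(SAMPLE_HAR, CONSENT_AT));
```

An empty result for a capture that includes the first page load is the outcome to aim for; any entry returned is a request that went out before the opt-in was recorded.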
FAQ

Questions from e-commerce founders

A generic cookie notice is unlikely to satisfy DPDPA's consent requirements. Each non-essential processing activity requires specific, affirmative opt-in — the notice must describe what data is collected, why, and who it is shared with, before consent is obtained. A banner that informs users that cookies are in use without obtaining their active agreement before non-essential cookies fire does not meet this standard.
Both tools process personal data for purposes beyond essential site functionality — behavioural data, device identifiers, and purchase signals are transmitted to Meta and Google respectively. Configuring them to fire before active opt-in means they are processing personal data without a valid consent basis for that period. Both tools support consent mode configurations that allow them to operate in a limited capacity before consent is obtained and activate fully only after opt-in is recorded.
Erasure requests should be honoured where no valid retention basis exists. Data required for legal compliance — tax records, transaction data required under applicable financial regulations — may be retained for that specific purpose, but the retention basis must be documented and communicated to the data principal. The erasure obligation under the Act extends to data held in all systems where the customer's data is present — including third-party marketing platforms, analytics tools, and email platforms.
It depends on the consent basis. If the customer provided specific, separate marketing consent before the email was sent and has not withdrawn it, a valid basis exists. Using an email address collected at checkout under a bundled terms-and-privacy acceptance — without a separate, specific marketing opt-in — may not satisfy DPDPA's specificity requirement for the marketing purpose. The email address collected to process the order does not automatically extend to marketing use.
Yes. Your payment gateway is a data processor operating on your behalf. Under DPDPA Section 8(2), every data processor must operate under a written contract that specifies how personal data is handled, deleted, and protected. Standard payment gateway agreements and PCI-DSS compliance do not substitute for a compliant Data Processing Agreement under the Act. The e-commerce company retains accountability for how the gateway processes customer personal data.
The assessment includes a review of your live product to identify which marketing and analytics tools are active, whether they fire before consent is obtained, and whether they are disclosed in your privacy notice. Each tool is assessed for whether a Data Processing Agreement exists. The output identifies which tools are creating compliance exposure and what action is required per tool — this becomes the action list for your engineering and marketing teams.
Get Started

Find out where your e-commerce operation actually stands

The scoping conversation is focused and practical. We will identify which areas of your consent flows, marketing stack, and customer data practices carry the highest DPDPA exposure — before anything is agreed.


Scope and pricing confirmed before work begins. No commitment required.