checkDPDP

Industry guide · #5 most exposed · High risk

DPDP Act for E-commerce & D2C in India

Indian D2C brands, marketplaces, Shopify storefronts and quick-commerce apps run on a stack of analytics, retargeting pixels, abandoned-cart automations and review-request emails — each of which DPDP treats as a consent moment. The cumulative exposure is "death by a thousand cuts" rather than one catastrophic finding.

Penalty exposure cap

₹150 cr

Most e-commerce findings sit in the ₹50 cr residual band, but a security breach involving order history + addresses crosses into Section 8 territory (₹250 cr cap). Mid-band ₹150 cr is the realistic enforcement target.

Realistic effort

60–160 hrs (3–8 weeks)

CTO + Marketing lead + 1 part-time DPO (in an SMB the founder typically fills this role)

Annual budget

₹1.5–8 lakh / yr for CMP, banner, DPA chase

Tooling + DPO retainer + audit

Sector regulators

MCA / CCPA (consumer protection) · FSSAI (if food) · CERT-In

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits E-commerce & D2C differently

Every checkout collects email, phone, address — Section 5 itemised notice required at point of collection. Every retargeting pixel needs prior consent under Section 6. Every abandoned-cart email is a marketing communication that needs opt-in. Scanners catch this from the public web in seconds.

What you must do

Specific DPDP obligations for this sector

Section 6

Consent before any non-essential tracker fires

GA4, Meta pixel, Hotjar, Klaviyo, Mailchimp pixel — all need user opt-in before they fire.

Section 5

Itemised checkout privacy notice

List purposes at the point of collection (order fulfilment, marketing, analytics) with separate opt-in for marketing.

Section 6(4)

One-click withdraw / preference centre

Persistent "Manage cookies" link in footer that re-opens the banner. Reject must be as easy as accept.

Section 8 joint accountability

Vendor DPAs (Shopify, Razorpay, courier, CRM)

Inventory every external service that touches order data — pull or sign DPAs.

Section 5

Grievance Officer on storefront + notice

Findable contact, 30-day SLA, in the footer of every page.

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. DPDP-aware consent banner (Pandectes, CookieYes, checkDPDP)
     Effort: 1 day · Banner builder

  2. Marketing opt-in checkbox at checkout (un-ticked by default)
     Effort: 2 hours of theme code

  3. Persistent "Manage cookies" footer link
     Effort: 1 hour theme edit

  4. Disable third-party scripts until consent
     Effort: 1 day of Liquid / theme work

  5. Itemised privacy + Grievance Officer page
     Effort: 2 days · Notice template

  6. Vendor inventory with DPAs
     Effort: 1 week

  7. HTTPS + security headers baseline
     Effort: 1 day · Security guide

What goes wrong

Real-world enforcement scenarios

Customer email leaks via newsletter tool breach

Section 8 + breach notification — modest fine, but unsubscribe/withdraw surge to handle.

Customer claims their data was shared with a partner without consent

Section 6 violation — must produce DPA + consent log within 7 days.

Cart-recovery email to a user who did not opt-in

Section 5 + Section 6 — small fine but easy enforcement target because scanners catch it.

Close these first

The three highest-impact gaps for this sector

  1. Trackers firing before consent (Klaviyo, GA, Meta, Hotjar)
     Fix: gate every non-essential SDK behind the CMP consent event.

  2. Pre-ticked marketing opt-in at checkout
     Fix: default-off the checkbox in the Shopify / WooCommerce checkout customisation.

  3. No DPA on file for payment / CRM vendors
     Fix: inventory and chase DPAs — 30-day operations sprint.
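Item 4 of "What to ship" and gap 1 above come down to one mechanism: no non-essential script reaches the page until the CMP reports an explicit opt-in, and withdrawal is a single call. The following consent gate is an added example written for this guide, not checkDPDP's code nor any CMP's API; the tracker registry, the placeholder script URLs, the purpose names and the `dpdp:consent` event are all assumptions.

```javascript
// Constructed registry of non-essential trackers, grouped by the purposes in
// the itemised notice. The src values are placeholders, not real tracker IDs.
const TRACKERS = [
  { id: 'ga4',     purpose: 'analytics', src: 'https://example.invalid/ga4.js' },
  { id: 'hotjar',  purpose: 'analytics', src: 'https://example.invalid/hotjar.js' },
  { id: 'meta',    purpose: 'marketing', src: 'https://example.invalid/fbevents.js' },
  { id: 'klaviyo', purpose: 'marketing', src: 'https://example.invalid/klaviyo.js' },
];
// Nothing is pre-granted: every purpose starts denied until the user opts in.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Trackers whose purpose is explicitly granted and which are not yet loaded.
function trackersToLoad(consent, loaded) {
  return TRACKERS.filter(t => consent[t.purpose] === true && !loaded.has(t.id));
}

// Default injector: appends a <script> tag in a browser, does nothing elsewhere.
function injectScript(tracker) {
  if (typeof document === 'undefined') return;
  const s = Object.assign(document.createElement('script'), { src: tracker.src, async: true });
  document.head.appendChild(s);
}

function createConsentGate(inject = injectScript) {
  const loaded = new Set();
  let consent = { ...DEFAULT_CONSENT };
  return {
    // Called from the CMP consent event; only granted purposes load, each once.
    onConsent(update) {
      consent = { ...consent, ...update };
      for (const t of trackersToLoad(consent, loaded)) { inject(t); loaded.add(t.id); }
      return [...loaded].sort();
    },
    // Section 6(4) withdrawal: deny the purpose and report which already-loaded
    // scripts must stop firing (a live page cannot unload them, so reload after).
    withdraw(purpose) {
      consent = { ...consent, [purpose]: false };
      return TRACKERS.filter(t => t.purpose === purpose && loaded.has(t.id)).map(t => t.id).sort();
    },
    // Event wrappers (purchase, add-to-cart) must check this before sending.
    isActive: id => TRACKERS.some(t => t.id === id && consent[t.purpose] === true),
  };
}

// Assumed CMP hook: 'dpdp:consent' carries { analytics, marketing } in e.detail.
if (typeof document !== 'undefined') {
  const gate = createConsentGate();
  document.addEventListener('dpdp:consent', e => gate.onConsent(e.detail));
}
```

The same gate serves the "Manage cookies" footer link: re-opening the banner and choosing reject calls `withdraw` for each purpose, which is no harder than the accept path.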


E-commerce / D2C · FAQ

Sector-specific questions, answered

Are abandoned-cart emails allowed under DPDP?

Only with prior, specific consent to receive marketing communications. Under the Act they count as marketing, not as transactional messages.

Can I use Meta pixel on my D2C site?

Yes, after the user accepts marketing in the banner. Default-on without consent is a Section 6 violation.

Do I need a DPA from Shopify?

Yes — Shopify provides one. Sign and file it. Same for Razorpay / Cashfree / courier APIs.