DPDPA Phase II enforcement 13 November 2026 — penalties up to ₹250 crore.

DPDPA Compliance for E-commerce

E-commerce runs on personal data: accounts, delivery addresses, payment details, wishlists and a rich trail of browsing and purchase behaviour used for personalisation and remarketing. The DPDPA requires that this data be collected with clear consent, used only for stated purposes, and erased when no longer needed — a meaningful shift for marketing-driven retail.

Does the DPDPA apply to e-commerce?

E-commerce platforms process customer data at scale — orders, addresses, payments and browsing behaviour — so DPDPA compliance is essential. Online retailers and D2C brands must obtain consent for marketing and analytics, manage notices and cookies, honour customer rights, and secure data against breaches.

Personal data in e-commerce

  • Account, contact and delivery address details
  • Order history and payment information
  • Browsing, cart and wishlist behaviour
  • Marketing preferences and loyalty data

Why it matters

  • Massive customer bases mean high breach impact and likely Significant Data Fiduciary (SDF) status.
  • Aggressive remarketing without consent is a common, visible violation.
  • ₹250 crore exposure for security-safeguard failures.

DPDPA obligations for e-commerce

The duties under the DPDP Act 2023 that matter most for e-commerce organisations.

Consent for marketing & personalisation

Transactional processing to fulfil an order differs from marketing, profiling and remarketing — the latter need clear, granular consent.

Notice & cookie management

Present an itemised Section 5 notice and manage analytics/marketing cookies through a consent mechanism with easy withdrawal.

Customer rights at scale

Automate access, correction and erasure requests across a large customer base within statutory timelines.

Vendor governance

Logistics, payment and marketing vendors are Data Processors you remain accountable for (Section 8(2)).

How Data Adhikaar helps e-commerce teams

  • Sammati powers cookie/notice consent with granular marketing purposes and one-click withdrawal.
  • Adhikari automates high-volume rights requests within SLA.
  • Drishti maintains a live Record of Processing Activities (RoPA) across order, CRM and marketing systems.
  • Sambandh tracks logistics, payment and ad-tech processors and their data processing agreements (DPAs).

DPDPA & E-commerce: FAQ

Yes. Fulfilling an order is one purpose; marketing is another. Sending promotional communications generally requires the customer’s clear, specific consent, with an easy way to withdraw it.
