At a glance
An online store holds the everyday-maximum of customer data — names, addresses, phone numbers, payment details, full purchase histories — and shares it continuously with couriers, payment gateways and marketing tools. Under India’s DPDP Act every store is a Data Fiduciary with the standard duties, and marketing is the recurring bite: purchase data powers remarketing only with its own consent. The famous 3-year inactivity erasure and 48-hour deletion notice bind only the largest notified platform classes — but the underlying principle, data dies with its purpose, binds every store from day one.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to e-commerce and online stores; it is not formal legal advice.
The situation
E-commerce normalised data collection the way no sector before it did: an address for every order, a number for every delivery update, a browsing trail behind every recommendation, and a marketing stack that remembers the cart you abandoned in 2023. The machinery is standard — storefront, gateway, courier, analytics, remarketing — which means the DPDP gaps are standard too, replicated across lakhs of stores that all inherited the same defaults. The Act doesn’t break the model; it makes each layer answer the old question: whose data, for what, until when.
Does DPDP apply to a small online store?
Yes — a Shopify-sized seller and a marketplace giant carry the same baseline duties; the special time-bound rules are what scale adds. Deciding why and how customer data is used makes you a Data Fiduciary: notice at collection, a lawful basis per purpose, security safeguards, breach reporting, retention limits, and accountability for the processor mesh every store runs on — payment gateways, logistics partners, marketing platforms, the storefront SaaS itself. Marketplace sellers should note the layered reality: the marketplace is a fiduciary for its platform data, and you’re one for the customer data you receive and use — the buyer’s address on your seller dashboard is your responsibility the moment you export it.
The customer data a store actually handles
Identity, location, money and behaviour — refreshed with every order.
- Order core — names, delivery addresses, phone numbers, emails: collected per order, accumulated per customer.
- Payment data — card and UPI details flowing through gateways, refund records, COD (cash on delivery) reconciliation trails.
- Behavioural layer — browsing, carts, wishlists, abandonment: the remarketing fuel.
- The delivery trail — the same name-address-phone bundle handed to couriers and their subcontractors, label by label, doorstep by doorstep.
- Support residue — complaint threads, call recordings, returned-product photos, sometimes ID copies collected for verification.
The delivery trail is the underrated one: a printed label is customer data leaving your systems physically, and the courier chain — often several companies deep — is a processor relationship whether or not a contract says so.
The obligation that actually bites: marketing on purchase data
The order was consent to fulfil the order — everything the marketing stack does with it needs its own basis. Purpose limitation cuts directly across e-commerce’s growth defaults:
- Remarketing is a separate purpose. The address and number collected to deliver a package don’t automatically feed promotional SMS, WhatsApp campaigns and email flows — marketing needs its own specific, declinable consent, unbundled from checkout. The pre-ticked newsletter box fails twice: it’s bundled and it’s not an affirmative action.
- Behavioural profiling is a purpose too. Cart-abandonment sequences, recommendation profiles and audience syncing to ad platforms run on data collected “to serve you better” — a phrase that isn’t a purpose. Name the uses, split the consents.
- COD amplified the phone number. India’s e-commerce runs on reachable numbers, and the same number fuels delivery calls, promotional blasts, and — via leaks — the scam economy’s order-confirmation frauds. Minimising who holds it, and using masked-number relay where your logistics stack offers it, is both compliance and customer protection.
- Guest checkout means what it says. A guest’s data serves the order; quietly building a marketing profile from it contradicts the choice the customer just made.
The 3-year rule: who it actually binds
The time-bound erasure rules are scoped to the largest notified classes — not to e-commerce as a whole — but they preview where the defaults are heading. The Rules’ Third Schedule puts specific duties on notified classes — e-commerce entities with at least two crore registered Indian users (alongside the largest social-media and gaming platforms): personal data of a user who’s been inactive for three years must be erased, with at least 48 hours’ notice to the user before deletion. If that’s you, it’s an engineering obligation with a deadline discipline. If it isn’t — and it isn’t, for the vast majority of stores — the general rule still runs: data is erased when its purpose is served or consent withdrawn, except what law requires you to keep (tax and accounting records on their statutory periods). “We’re under two crore users” answers the Third Schedule; it doesn’t answer why a 2019 one-time buyer’s address is still in your exports.
Common mistakes online stores make
Inherited defaults, never audited.
- Checkout-to-campaign piping — every buyer auto-enrolled into SMS/WhatsApp/email flows with no separate consent anywhere.
- The pre-ticked box — still the most common consent pattern in Indian checkouts, and invalid on its face.
- Account deletion that isn’t — the login removed, the data retained, the customer told nothing about what stayed and why.
- The courier data trail unexamined — customer bundles flowing to logistics chains with no contract terms on use, security or deletion.
- Ad-platform syncing as furniture — customer lists uploaded to ad tools for lookalikes and retargeting, treated as too routine to need a basis.
- No age awareness — stores selling to everyone with no thought that under-18 customers bring the children’s regime, tracking restrictions included.
Running checkout and customer data compliantly
Split the checkout consents, contract the mesh, and give data an expiry. Checkout collects what fulfilment needs, with a plain notice; marketing rides on its own unticked opt-in per channel; the processor mesh — gateway, couriers, marketing tools — runs under contracts binding security, breach notice and deletion, with customer-list syncing to ad platforms treated as the disclosure it is. Deletion works end to end: an account-deletion request erases what no law requires (and says what stayed, and under which law), and even without the Third Schedule’s clock, dormant customer data gets a schedule. The consent-design patterns — granular asks, no pre-ticks, easy withdrawal — are the same ones this site’s consent-mechanics guides walk through; e-commerce is simply where the most customers meet them per day.
FAQ
Does the 3-year deletion rule apply to my store?
Only if you’re in the notified Third Schedule class — e-commerce entities with at least two crore registered Indian users. Below that, no fixed clock applies, but the general rule does: data goes when its purpose is served, except what tax and accounting law requires you to keep.
Can I send offers to past customers?
With a marketing consent that’s separate from the purchase, yes. The order justified collecting the contact details for fulfilment; promotional use is its own purpose, needing its own unticked, declinable opt-in.
Is sharing customer data with couriers a DPDP issue?
It’s a processor relationship: delivering the order is squarely within purpose, but the courier chain needs contract terms on security, use-limits and deletion — and masked-number relay, where available, shrinks the exposure at the doorstep.
What must happen when a customer deletes their account?
Erase what no law requires you to keep, at your processors too, and tell the customer what was retained and under which legal requirement. Removing the login while keeping the profile is the pattern customers now know to challenge.
Do we need to worry about teenage customers?
If under-18s use your store, their data sits under the children’s regime — verifiable parental consent, no behavioural tracking or targeted ads at them. Most stores’ honest answer is an age question at account creation and marketing flows that respect it.