At a glance
The much-discussed “delete inactive accounts after 3 years” duty in the DPDP Rules isn’t a rule for every online store — it applies only to e-commerce platforms with 2 crore (20 million) or more registered users in India, a threshold that puts it firmly in large-platform territory. If your store doesn’t clear that number, this specific rule isn’t yours; you still carry the general obligation to delete customer data once its purpose is served, just not this exact 3-year clock and the 48-hour pre-deletion notice that comes with it.
Educational resource only. This explains the scope of the 3-year inactive-account erasure duty under the Rules of India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for e-commerce platforms; it is not formal legal advice.
The situation
Coverage of the DPDP Rules often shortens “e-commerce and social media platforms with 2 crore-plus users must delete inactive accounts after 3 years” down to a general-sounding headline — “apps must delete inactive data after 3 years.” Founders running a mid-sized online store read that and start planning an inactivity-deletion engine they don’t actually need to build. The scope question comes first, always.
Where this rule actually comes from
It sits in the Rules’ Third Schedule — a list of specifically notified large-platform classes, not a general clause in the DPDP Act itself. The Third Schedule names three categories that carry this duty: e-commerce platforms with 2 crore or more registered users, social media platforms with 2 crore or more users, and online gaming services with 50 lakh (5 million) or more users. It’s a targeted obligation for the largest consumer platforms in each category, written that way deliberately — the government notified specific thresholds rather than applying the duty across every business with an online storefront.
Does your store clear the threshold?
2 crore registered users is a very high bar — most e-commerce businesses in India are nowhere near it. This threshold is designed to catch the handful of dominant national platforms, not a regional D2C brand, a niche marketplace, or even a fast-growing mid-market store with a few lakh users. If your platform’s registered-user count is below 2 crore, the specific 3-year/48-hour rule in the Third Schedule doesn’t apply to you — full stop, regardless of how large the business otherwise feels.
What in-scope platforms must actually do
For the platforms this does apply to, it’s a real engineering requirement. In scope, the duty is: erase a registered user’s data after three years of inactivity (measured from their last login or last transaction), but give at least 48 hours’ notice before doing so — and any re-engagement (a login, a purchase, contacting support) resets the inactivity clock and cancels the pending deletion. Building this means tracking last-activity per user, identifying accounts crossing the three-year mark, delivering the notice through a channel the user will actually see, and handling the reset logic reliably at scale.
If you’re below the threshold
The specific clock doesn’t apply — but the underlying erasure duty still does. Every Data Fiduciary, regardless of size, has the general DPDP obligation to delete personal data once the purpose it was collected for is over or consent is withdrawn, unless a law requires keeping it (tax records, for instance). A smaller e-commerce business doesn’t need a 3-year-inactivity deletion engine with a 48-hour notice system; it needs an actual, working process for deleting dormant customer accounts and data on its own sensible schedule — the general duty, not the Third Schedule’s specific mechanics.
FAQ
Does every e-commerce site have to delete accounts after 3 years of inactivity?
No — only platforms with 2 crore or more registered users, per the Third Schedule of the DPDP Rules. Smaller stores follow the general “delete when the purpose is over” duty on their own schedule.
What counts as the “2 crore users” threshold — total signups or active users?
The Rules frame it as registered users in India, not specifically active ones — check your actual registered-user count against the threshold rather than assuming your active-user base is the relevant number.
If we’re below the threshold now but growing fast, when should we start planning?
Before you’re close to 2 crore registered users — the engineering lift (activity tracking, notice delivery, reset logic) takes real lead time, so it’s worth scoping well ahead of actually crossing the line.
Does the general erasure duty require deleting data after any specific number of years for smaller platforms?
No fixed number — the general duty is purpose-based: delete once the purpose is served or consent is withdrawn, on a schedule the business sets and can justify, not a mandated 3-year clock.