In today’s world, data protection and privacy are top priorities for companies as they use data to guide business decisions and to interact with customers. As businesses go digital, it has become increasingly important for extensive data protection laws to be in place. In addition to being a significant development in the area of data protection, the Digital Personal Data Protection Act, 2023 (DPDPA) will also have a significant impact on e-commerce companies all over the world.
This blog explores the significant effects of DPDPA 2023 on e-commerce companies, specifying significant changes and offering suggestions for how companies may adjust to and succeed in this new environment.
The Data Fiduciary in an e-commerce scenario is the platform provider, who collects personal information for marketing, analytics, and targeting purposes.
The DPDPA, 2023
The DPDPA, 2023 became an Act in India following Presidential Assent on August 11th. Five years after the Apex Court of India declared the Right to Privacy a Fundamental Right, and several iterations later, the DPDPA passed through the legislative channels in August 2023 to become an Act.
The Act imposes several obligations on Data Fiduciaries (the person who determines the purpose and means of processing of Personal Data) to protect and limit the processing of data, while also providing several rights to Data Principals (the individual to whom the Personal Data relates).
The DPDPA 2023 aims to increase Data Principals’ control over their personal data, limit data processing operations, and promote greater responsibility among companies handling personal data.
Determining Data Fiduciary in case of e-commerce businesses
One of the most important questions to answer is who will be the Data Fiduciary in the case of e-commerce businesses: the platform, or the retailers and sellers.
A Data Fiduciary determines how and why personal data is collected. Because it gathers personal information at the moment of registration and uses it for things like marketing, analytics, or targeting, the platform provider in an e-commerce setting is unquestionably one of the data controllers. However, if we look at the standard e-commerce platforms, we’ll notice that they frequently act in the role of a Data Fiduciary.
Similar to this, if we look at the retailers or sellers on the platform, we’ll see that some of them are bigger retailers or sellers who choose what sort of data they should be gathering to process or execute orders. Unless they are retailers that the platform or the e-commerce organisation is solely using to collect items and then deliver them to customers without disclosing who the end-customer is or supplying any personal data, they may also be regarded as data fiduciaries.
The retailers would be processors if the platform provider did not give personal information to them and the retailers were only there to offer goods and services.
However, if these are retailers making decisions about what might be the different criteria or information needed from a customer to complete the orders, then they would also be regarded as data fiduciaries.
Although there are many different combinations and permutations of platforms and shops, their function as a Data Fiduciary may be identical. Depending on the role they play, both could be data fiduciaries or there might be combinations where each one is more of a processor than a fiduciary.
However, the guiding idea is that any organisation choosing the methods and objectives for collecting and using the customer’s personal data would behave in a Data Fiduciary capacity.
Impact on E-Commerce Businesses
- Enhanced Agreement Management- One of the main changes under DPDPA, 2023 is that it requires users’ explicit and informed consent to data processing. E-commerce businesses will need to update their consent processes so that customers understand how their data will be handled before providing consent. This may result in a more open relationship between organisations and clients.
- Data Processing Practices- E-commerce businesses frequently handle an extensive amount of user data for activities including transaction processing, customised marketing, and customer service. Data processing procedures must operate in accordance with the stated legal requirements under DPDPA, 2023. These legal requirements include:
- a. Acquiring Consent for Processing of Personal Data of Data Principals.
- b. Sending of Itemized Notice along with Request for Personal Data.
- c. Data Processed must be complete, accurate, and updated.
- d. Furnishing of contact details for a Data Protection Officer (DPO) or authorized representative to facilitate effective grievance redressal mechanisms for Data Principals.
- e. Additional obligations relating to Child Data Processing including Parental Consent and restriction on Behavioural monitoring.
To stay in compliance while avoiding massive fines, businesses will need to take stock of their data procedures.
- Stricter Data Processing Principles- The DPDPA 2023 places a high value on accuracy, minimisation of data, and storage limitation. Businesses involved in e-commerce have to assess their data processing practices to be sure they gather only the data necessary, maintain its accuracy, and retain it for an appropriate length of time. The DPDPA requires that the data be accurate, complete, and updated.
- In addition, the Act provides that Personal Data must be erased on the withdrawal of consent by the Data Principal or when the specified purpose is no longer being served. It may be necessary to modify data collection forms, storage systems, and data retention policies in order to implement these principles.
- Individuals’ Expanded Rights- This legislation gives individuals more power over their own private information. E-commerce businesses have to be prepared to respond to consumer requests for data access, correction, erasure, and transmission. This can involve putting in place dependable procedures and structures for responding to these requests swiftly. Additionally, the DPDPA provides that Data Principals may give, manage, review, or withdraw their consent to the Data Fiduciary through a Consent Manager. A Consent Manager is a person registered by the Data Protection Board who acts as a single point of contact to enable a Data Principal to manage their consent. The Consent Manager is accountable to the Data Principal, and a Data Principal has the right to Grievance Redressal provided by the Consent Manager. Hence, individuals’ rights have been expanded under the DPDPA.
- Data Protection Officers (DPO)- The DPDPA, 2023 provides for the appointment of a DPO. According to the Act, this is not mandatory for all Data Fiduciaries; the appointment of a DPO is mandatory only for certain e-commerce organisations that have been notified as Significant Data Fiduciaries. Under the Act, DPOs will be responsible for managing compliance and data protection strategies, and for serving as a point of contact for data protection authorities. Apart from the mandatory appointment of DPOs, Significant Data Fiduciaries also have additional obligations, including the appointment of an Independent Auditor and undertaking Periodic Data Protection Impact Assessments and Periodic Data Audits.
- Cross Border Data Transfer- Personal data transfers outside of the country are subject to further scrutiny under DPDPA, 2023. Under the DPDPA, the transfer of Personal Data outside India can be restricted to a certain country or territory upon notification by the Central Government. Furthermore, certain laws or regulations providing for a higher degree of protection may also restrict the transfer of Personal Data outside India. Hence, E-Commerce Businesses are allowed to transfer Data across borders provided the Central Government does not restrict the transfer through notification.
The DPDPA marks a turning point in Data Privacy and Protection in India and will significantly affect E-commerce Businesses. The new DPDPA places several obligations on E-Commerce Businesses with respect to Processing and Handling of Personal Data while also ensuring the rights of Data Principals online. Upholding Data Principal Rights and Privacy in an E-Commerce Environment is not only legally required, but it allows Businesses to demonstrate their commitment to Data Protection and Privacy while enhancing Customer Confidence and Trust.
Nevertheless, the impact of DPDPA on E-Commerce Businesses is tremendous, and failure to abide by the obligations under the Act can lead to heavy regulatory fines, which can result in a financial burden to such businesses. Hence, it is increasingly important for E-Commerce Businesses to understand and fulfil the obligations under the DPDPA. This commitment goes beyond legal compliance, extending to cultivating a reputation, instilling confidence, and fostering trust.