Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)

Introduction
The digital economy has revolutionised commerce, generating billions of transactions each year and an enormous volume of customer data. This, however, comes with significant obligations. The Digital Personal Data Protection Act (DPDPA), which received Presidential Assent on August 11, 2023, signalled a pivotal shift in India's approach to data governance. It created the world's most comprehensive legal structure for personal data protection, treating all personal data alike regardless of its sensitivity. For e-commerce companies, especially those serving Indian consumers, the DPDPA demands a complete rethinking of how they engage with and retain customers. The law goes beyond the usual rules: it reshapes the relationship between individuals and companies, giving individuals more control over their personal data than ever before, while placing heavy responsibilities on the businesses that handle it. Now that the DPDP Rules, 2025 are in effect, e-commerce companies are at a crossroads: they must fully adjust to these changes or face serious financial and reputational damage.
The Data Fiduciary Framework: Fundamental Organisational Obligations
The DPDPA sets forth a dual accountability framework that stipulates the roles and responsibilities of data controllers and of the individuals whose data is handled. An e-commerce business qualifies as a Data Fiduciary the moment it independently determines the purposes and means of collecting, processing, storing, or sharing customer personal data. Section 8 of the DPDP Act imposes non-delegable accountability on Data Fiduciaries, delineating six fundamental responsibilities that apply regardless of any contractual arrangement with data processors. First, Data Fiduciaries remain responsible for all processing activities, whether they handle the data themselves or delegate the work to Data Processors. Second, they must take the technical and organisational measures necessary to ensure compliance. Third, they must protect personal data with appropriate security safeguards.
Fourth, the completeness and quality of the data used for significant decisions must be documented. Fifth, they must implement grievance redressal mechanisms that are available to data principals. Sixth, data must be deleted when consent is withdrawn or the original purpose is achieved, unless the law mandates its retention. This framework makes it clear that businesses cannot assume legal responsibility passes to a third party they work with. Rule 6(f) of the DPDP Rules, 2025 reinforces this by requiring Data Fiduciaries to include contractual terms that oblige Data Processors to apply the same security measures. E-commerce sites cannot simply blame someone else when things go wrong; they need strong vendor governance systems that demonstrate continuous monitoring and careful review of how their processors handle data.
Significant Data Fiduciaries: Refined Compliance Framework for Market-Leading Platforms
DPDPA Section 2(z) identifies Significant Data Fiduciaries (SDFs) as Central Government-notified institutions based on data volume, sensitivity, and possible impact on individual rights, state sovereignty, electoral democracy, and public order. According to the DPDP Rules, 2025, e-commerce companies with two crore registered users, online gaming intermediaries with fifty lakh users, and social media platforms with two crore users are SDFs.
SDFs encounter increased responsibilities that correspond to their market impact and risk exposure:
Mandatory Data Protection Impact Assessments (DPIAs): The DPDP Rules, 2025 require SDFs to conduct extensive DPIAs to assess processing risks, notably those arising from algorithmic decision-making and behavioural monitoring. The Data Protection Board of India (DPBI), constituted on November 13, 2025, must receive annual, meticulously documented assessments.
Data Protection Officers (DPOs): SDFs must appoint data protection law experts to develop organisational compliance policies, serve as the DPBI's official point of contact, and manage all privacy efforts. DPO contact information must be widely displayed and accessible to data principals.
Independent External Audits: SDFs must engage independent auditors to verify DPDPA compliance beyond their internal DPIAs, and audit findings, including material risk assessments, must be reported to the DPBI. This dual-audit arrangement guards against organisational capture and provides external accountability.
Algorithmic Risk Assessment: The DPDP Rules, 2025 require SDFs to undertake due diligence to ensure that the algorithmic systems and technical instruments used in data handling do not threaten data principals' rights, especially where they materially affect decisions about individuals.
Strengthened Consent Framework: Transitioning from Opt-Out to Informed Authorisation
The DPDPA rejects opt-out consent models and requires affirmative, informed, specific, and granular consent before personal data is processed. Data processing is now a privilege that requires consumer authorisation. Section 5 of the DPDP Act requires specific consent for each processing purpose. Rule 3 of the DPDP Rules, 2025 requires notices to data principals to be explicit, understandable without reference to external documents, and delivered in the individual's chosen language from the Eighth Schedule of the Constitution. These rules push e-commerce platforms to revamp their data collection flows. According to MeitY's June 2025 Business Requirement Document, consent notices must list the precise categories of personal data being collected, the purpose(s) of processing, the legal basis for processing, the retention period or deletion criteria, the categories of recipients receiving the data, the grievance officer's or Data Protection Officer's contact information, and the data principal's rights. Bundled, pre-checked, or silent consent no longer meets regulatory requirements. A major reform of e-commerce consent procedures is needed so that customers can authorise data use for core service delivery while declining behavioural analysis, cross-platform tracking, and third-party marketing.
Rights of Data Principals: Transforming Corporate-Consumer Dynamics
Chapter III (Sections 11-14) of the DPDPA grants Data Principals four specific rights, which considerably change the usual power dynamics around data.
Right to Access Information (Section 11):
Demand a summary of the personal data being processed and the purposes of such processing.
Obtain details of all Data Fiduciaries and Data Processors with whom the personal data has been shared, in a structured, machine-readable format within a reasonable time frame, enabling portability to other services.
Right to Correction and Erasure (Section 12):
Require correction, completion, or updating of inaccurate, incomplete, or outdated personal data.
Request erasure of personal data when the purpose is fulfilled, consent is withdrawn, or retention is no longer necessary, except where law mandates continued retention (e.g., tax or regulatory obligations).
Right to Grievance Redressal (Section 13):
File formal complaints regarding improper processing or violation of rights.
Receive acknowledgement within 48 hours and resolution within a prescribed period (up to 90 days), with a documented investigation and outcome.
Right to Nominate (Section 14):
Nominate another person to exercise data protection rights in the event of death or incapacity.
Ensure continuity of control over personal data beyond the individual's lifetime.
Protecting Children: Regulatory Requirements and Operational Mandates
The Digital Personal Data Protection Act (DPDPA) establishes stringent stipulations concerning the processing of children's personal data, acknowledging the increased vulnerability of this group. Specifically, Section 9 of the DPDP Act makes the processing of children's data contingent upon obtaining verifiable parental consent.
The DPDP Rules of 2025 delineate four approved verification methodologies:
Government Registry Cross-Verification: This involves cross-referencing the consenting guardian's information with established identity databases, such as Aadhaar, passport registries, or electoral rolls.
OTP-Based Authentication: This method sends a one-time password to the registered parental mobile number, and the parent must enter it to validate the authorisation.
Digital Locker Integration: This approach leverages government digital locker services or authorised entities to confirm guardianship.
Document Verification: This method accepts certified government-issued identity documents that establish legal guardianship.
Beyond simply obtaining consent, the DPDP Act places strict limits on how children's data can be handled. It outright bans behavioural tracking, which includes monitoring what kids do online, like their browsing habits, purchases, and clicks. Profiling is also off-limits; that means no building psychological or preference models. Targeted advertising, which delivers ads based on what kids do online, is also prohibited, as is commercial monitoring.
Consent Managers: Establishing a Decentralised Consent Infrastructure
Acknowledging the difficulty individuals face in managing consent across numerous service providers, the DPDPA establishes Consent Managers. These are specialised businesses, registered with the Data Protection Board, that function as centralised intermediaries.
The DPDP Rules, 2025 delineate comprehensive registration criteria for Consent Managers:
Minimum net worth of ₹2 crore
Exhibited technological, operational, and financial capability
Interoperable platform independently verified in accordance with DPBI data protection standards
Governance documentation demonstrating comprehensive compliance with DPDPA obligations
Consent Managers are required to function with "data blindness," meaning they must build their systems in a way that prevents them from accessing the personal data that moves through their platforms. They are also obligated to keep comprehensive records of all consent transactions granted, denied, and withdrawn for a minimum of seven years. Regular independent audits are a must, and they must also publish transparency reports that detail their activities. The Ministry of Electronics and Information Technology's Business Requirement Document, released in June 2025, outlines the technical capabilities that Consent Management Systems should have. These include managing the entire consent lifecycle (from collection and validation to modification, renewal, and withdrawal), providing user dashboards for consent visualisation and withdrawal, managing cookie consent, and implementing real-time mechanisms for addressing grievances.
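The consent lifecycle sketched in the two passages above (purpose-specific grants under Section 5 and Rule 3, and the collect/validate/modify/withdraw lifecycle with a durable record that the Business Requirement Document expects of a consent management system) can be made concrete in code. The following is an added example, not code from Tsaaro, MeitY or any Consent Manager; the purpose names, the ConsentEvent fields and the ConsentLedger API are hypothetical. What it enforces comes from the text: one explicit decision per purpose, nothing pre-checked or bundled, withdrawal recorded and acted on, notices carrying the listed mandatory fields, and an append-only record that holds identifiers but no personal data.

```python
"""Purpose-granular consent ledger (added illustration; hypothetical API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed purposes an e-commerce platform might seek consent for.
PURPOSES = ("order_fulfilment", "behavioural_analytics",
            "cross_platform_tracking", "third_party_marketing")

# Notice contents the article lists from MeitY's June 2025 Business Requirement Document.
REQUIRED_NOTICE_FIELDS = ("data_categories", "purposes", "legal_basis", "retention",
                          "recipients", "grievance_contact", "principal_rights")


def validate_notice(notice):
    """Return the mandatory notice fields that are missing or empty (empty list = complete)."""
    return [f for f in REQUIRED_NOTICE_FIELDS if not notice.get(f)]


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str      # opaque identifier only: the ledger never holds personal data
    purpose: str
    decision: str          # "granted" | "denied" | "withdrawn"
    notice_version: str    # which notice text the principal actually saw
    at: datetime


@dataclass
class ConsentLedger:
    # Append-only: grants, denials and withdrawals are all kept (the article cites a
    # seven-year retention for Consent Manager records); state is derived, never edited.
    events: list = field(default_factory=list)

    def capture(self, principal_id, choices, notice_version, now=None):
        """Record one explicit decision per purpose from a notice the principal saw.

        choices maps purpose -> True/False. A purpose the submission does not address
        is recorded as denied: silence, a pre-ticked box or a single bundled
        "accept all" never grants anything.
        """
        unknown = set(choices) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown or bundled purpose(s): {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        for purpose in PURPOSES:
            decision = "granted" if choices.get(purpose) is True else "denied"
            self.events.append(ConsentEvent(principal_id, purpose, decision, notice_version, now))

    def withdraw(self, principal_id, purpose, now=None):
        """Withdrawal is a new event, so the original grant stays in the audit trail."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        now = now or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(principal_id, purpose, "withdrawn", "", now))

    def _latest(self, principal_id, purpose):
        latest = None
        for e in self.events:
            if e.principal_id == principal_id and e.purpose == purpose:
                latest = e
        return latest

    def is_permitted(self, principal_id, purpose):
        """A processing operation may proceed only if the latest event is a grant."""
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.decision == "granted"

    def purposes_to_purge(self, principal_id):
        """Purposes whose consent was withdrawn: data held for them is due for erasure
        unless a law requires retention (that exception is decided outside this ledger)."""
        return [p for p in PURPOSES
                if (e := self._latest(principal_id, p)) is not None and e.decision == "withdrawn"]
```

A checkout flow would call `capture` with exactly the boxes the customer ticked; analytics and marketing jobs would gate on `is_permitted` before each run; and the deletion job would consume `purposes_to_purge`. Because a submission that addresses only some purposes records the rest as denied, the default is always "no", which is the property the opt-in model requires.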
Data Security Protections and Breach Notification: Required Operational Standards
Section 8(4) of the DPDPA places the onus on Data Fiduciaries to adopt suitable technical and organisational measures to meet its requirements. The DPDP Rules, 2025, translate this general mandate into concrete, obligatory safeguards:
Technical Controls:
Encryption of personal data, whether stored or being transmitted
Multi-factor authentication for administrative access
Data masking, tokenisation, or obfuscation of sensitive fields
Thorough logging and monitoring of all data access, modification, and transfer activities
Documented backup and recovery procedures, including encrypted backups
Organisational Measures:
Vendor security assessments and data protection pledges outlined in contracts.
Staff training covering data protection responsibilities and security protocols.
Documented methods for responding to incidents.
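The technical controls listed above (masking or tokenisation of sensitive fields, multi-factor authentication for administrative access, and logging of every access, modification and transfer) fit together naturally in one access layer over customer records. The block below is an added example and not code from Tsaaro, MeitY or any platform; the field names, roles, the Session and CustomerStore API and the demo key are hypothetical, and HMAC-SHA256 stands in for a vault-backed tokeniser. Encryption at rest and in transit is assumed to be provided by the storage and TLS layers and is not shown.

```python
"""Masking, tokenisation, MFA-gated access and audit logging (added illustration)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

SENSITIVE_FIELDS = {"phone", "email"}


def tokenise(value, key):
    """Keyed one-way token: usable as a join/lookup key without storing the raw value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask(field_name, value):
    """Partial display form for support screens, reports and logs."""
    if field_name == "phone":
        return "*" * (len(value) - 4) + value[-4:]
    if field_name == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return value


@dataclass
class Session:
    actor: str
    role: str                  # "service" | "support" | "admin" (constructed roles)
    mfa_verified: bool = False


@dataclass
class CustomerStore:
    key: bytes
    records: dict = field(default_factory=dict)   # principal_id -> {field: value}
    tokens: dict = field(default_factory=dict)    # token -> principal_id
    audit_log: list = field(default_factory=list)

    def _log(self, session, action, principal_id, field_name, outcome):
        # Every access, modification and lookup is recorded; the values themselves never are.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": session.actor, "role": session.role, "mfa": session.mfa_verified,
            "action": action, "principal": principal_id, "field": field_name,
            "outcome": outcome,
        })

    def write(self, session, principal_id, data):
        self.records.setdefault(principal_id, {}).update(data)
        for f, v in data.items():
            if f in SENSITIVE_FIELDS:
                self.tokens[tokenise(v, self.key)] = principal_id
            self._log(session, "write", principal_id, f, "ok")

    def read(self, session, principal_id, field_name, reveal=False):
        """Sensitive fields come back masked unless an MFA-verified admin asks for the full value."""
        value = self.records[principal_id][field_name]
        if field_name not in SENSITIVE_FIELDS:
            self._log(session, "read", principal_id, field_name, "ok")
            return value
        if reveal:
            if session.role != "admin" or not session.mfa_verified:
                self._log(session, "read_full", principal_id, field_name, "denied")
                raise PermissionError("full value requires an MFA-verified admin session")
            self._log(session, "read_full", principal_id, field_name, "ok")
            return value
        self._log(session, "read_masked", principal_id, field_name, "ok")
        return mask(field_name, value)

    def find_by(self, session, field_name, value):
        """Look a customer up by phone/email by comparing tokens, not stored raw values."""
        principal_id = self.tokens.get(tokenise(value, self.key))
        self._log(session, "lookup", principal_id, field_name, "hit" if principal_id else "miss")
        return principal_id
```

The denied `read_full` entry in the audit log is the detection hook: a monitoring rule that alerts on repeated denials per actor catches both misconfigured integrations and attempts to pull full contact details without a second factor, and because the log carries identifiers and outcomes but never field values, the log itself does not become another copy of the personal data.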
Critically, Section 8(6) of the DPDPA mandates rigorous breach notification requirements. Upon identifying a personal data breach, platforms are required to:
Notify Affected Individuals: Immediately notify affected individuals via registered communication channels (email, SMS, in-app notifications) of breach nature, data categories and individual count, discovery and notification timeline, potential consequences, mitigation measures taken, and recommended protective measures.
Report to the DPBI within 72 hours: Send a detailed breach report to the DPBI within 72 hours of discovery, including a factual description of the breach, the affected data categories, an impact assessment, the remedial measures taken, and documentation of the notifications sent to individuals.
Maintain Comprehensive Breach Records: Document all breaches, investigations, remediation efforts, and communications so that regulatory inquiries can be answered promptly.
Non-compliance with the breach notification requirements attracts penalties of up to ₹200 crore, independent of any damages owed to affected individuals.
Mechanisms for Grievance Redressal: Infrastructure for Operational Accountability
Data Fiduciaries must provide data principals with adequate grievance redressal under the DPDPA. The DPDP Rules, 2025 stipulate the operational requirements:
Grievance Officer appointment with publicised name, designation, and contact information
Complaint submission via email, phone, in-app forms, or post
Records of each complaint's date, type, investigation, and resolution
48-hour acknowledgement; 90-day resolution with transparent documents
Dissatisfied customers can escalate to top management and the DPBI.
The Consumer Protection (E-commerce) Rules, 2020 add e-commerce-specific grievance requirements, with 48-hour acknowledgement and one-month resolution, creating a dual-timeline compliance structure in which the stricter norm governs. Beyond regulatory compliance, these mechanisms act as an early warning system for systemic data management problems before regulatory action, and they demonstrate the organisation's commitment to accountability towards customers.
Conclusion
The DPDPA fundamentally reorients the concept: personal data belongs to individuals, not to the businesses that control the processing systems. This is a fundamental rethinking of corporate-consumer interactions, not merely a compliance exercise, and e-commerce enterprises must adapt. In data-conscious markets, companies that build privacy into their design, use transparent consent methods, and respect data principal rights will stand out. Turning privacy from a burden into a competitive advantage demands urgent, ongoing commitment. Managing this transformation thoughtfully will not only avoid regulatory penalties but also build stronger, more durable customer relationships based on genuine respect for individual data autonomy, giving such companies a resilient competitive advantage in India's digital economy. The DPDP Act and Rules demonstrate India's commitment to responsible digital governance. Excellence in data management will define business reputation and market leadership in the coming decades.