LEGAL EXPLAINER • 10 min read
DPDP Consent and Notice Requirements for Enterprise E-Commerce
A practical guide for 2026 compliance leaders in D2C and e-commerce on operationalising consent, delivering itemised and multi-lingual notices, and managing audit evidence under the DPDP Act 2023 and Rules 2025.
Last updated:
The End of Bundled Consent in E-Commerce
As we navigate the 2026 regulatory landscape, the historical practice of bundling marketing consent into general terms of service is no longer legally defensible for e-commerce and Direct-to-Consumer (D2C) enterprises. Governed by India's Digital Personal Data Protection (DPDP) Act 2023 and now fully operationalised by the DPDP Rules 2025, the standard for compliance has escalated. For Heads of Compliance and Chief Privacy Officers, the immediate challenge is transforming legacy, friction-free consent flows into robust, regulator-ready evidence packs. Often, marketing teams fear losing their extensive email lists, while technical teams view compliance as a dashboard that complicates the user journey. You must establish cross-functional accountability to ensure that capturing, tracking, and revoking user consent scales without breaking checkout experiences. The current rules demand an absolute separation between what is strictly necessary to deliver a product and what is desired for secondary marketing or analytics.
Establishing Lawful Purpose (Section 4)
The DPDP Act 2023 establishes a foundational rule for any enterprise handling customer information: data processing cannot occur in a vacuum. Under Section 4(1), a person or entity may process the personal data of a Data Principal only in accordance with the provisions of the Act and strictly for a "lawful purpose." The Act provides a straightforward definition in Section 4(2), stating that the expression "lawful purpose" means any purpose which is not expressly forbidden by law. Furthermore, Section 4 establishes that this lawful processing must be based on one of two primary pillars: either the Data Principal has given her explicit consent (Section 4(1)(a)), or the processing falls under certain "legitimate uses" (Section 4(1)(b)). For consumer apps and e-commerce platforms, the vast majority of customer-facing data processing - from account creation to marketing newsletters - will rely heavily on the consent mechanism. This places an enormous operational burden on ensuring that the consent obtained is legally valid and structurally sound.
Structuring the Mandatory Notice (Section 5 and Rules 2025)
When your consumer app requests consent for processing data, Section 5(1) of the DPDP Act introduces strict prerequisites. Every request made to a Data Principal for consent must be accompanied or preceded by a comprehensive notice given by the Data Fiduciary. The statute explicitly dictates three elements that this notice must inform the Data Principal about: (i) the exact personal data being collected and the specific purpose for which it is proposed to be processed; (ii) the manner in which the user may exercise her rights under sub-section (4) of Section 6 and Section 13; and (iii) the manner in which the Data Principal may make a complaint to the Data Protection Board. Crucially for a 2026 audience, the DPDP Rules 2025 heavily expand on how this notice is operationally delivered. The Rules 2025 dictate that the notice must be presented in an itemised format, effectively banning generic, monolithic privacy policies hidden in an app's footer. Furthermore, the Rules enforce strict language requirements, ensuring the Data Principal can access the notice in specified regional languages, not just English. The Act illustrates the baseline requirement: "X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process." In this scenario, Y must provide a clear, itemised, and multi-lingual notice detailing this exact processing upfront.
The Anatomy of Valid Consent and the 'Necessary' Limitation (Section 6)
Delivering a compliant Rules 2025 notice is only half the compliance equation; the actual capture of consent is governed by Section 6(1). The Act demands that consent given by the Data Principal must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action." This effectively bans pre-ticked boxes, forced opt-ins, and ambiguous "by continuing, you agree" language. Crucially, Section 6(1) introduces a strict proportionality test: consent must signify an agreement for a specified purpose and be "limited to such personal data as is necessary for such specified purpose." The Act uses a powerful illustration to demonstrate this: X downloads Y, a telemedicine app. The app requests consent to process personal data for making available telemedicine services, and also requests access to the user's mobile phone contact list. X consents to both. However, because a phone contact list is not necessary for making available telemedicine services, her consent shall be legally limited only to the processing of personal data necessary for telemedicine services. If your e-commerce app asks for location data or contact lists not strictly necessary for shipping a physical item, you are violating the necessity limitation of Section 6.
Operationalising Consent in Consumer Apps for 2026
While the DPDP Act provides this rigorous statutory baseline, your engineering and product teams must implement these mechanics seamlessly into your consumer applications. The mandate for itemised notices under the Rules 2025 effectively ends the era of single-block legalese. Your ongoing operational burden involves maintaining an accurate, real-time Record of Processing Activities (RoPA) that maps every single data point collected across your platform to a highly specific purpose and a corresponding consent artefact. For a large e-commerce platform processing thousands of daily transactions, managing opt-ins, opt-outs, and granular permissions manually via spreadsheets is a direct path to regulatory exposure. The infrastructure must be capable of presenting a Section 5 and Rules 2025 compliant itemised notice dynamically, capturing a Section 6 compliant affirmative action, and storing the exact timestamp, notice version, language selected, and user identity in an immutable audit log.
Six Steps to Enterprise E-Commerce Consent Compliance
To operationalise these 2026 DPDP requirements effectively, compliance leaders should follow these mandatory steps: 1. Conduct a Comprehensive Audit: Identify every consumer touchpoint in your mobile apps and web platforms where personal data is collected, mapping these data flows directly to your RoPA. 2. Draft Granular Section 5 Notices (Rules 2025 Compliant): Ensure every data collection point is preceded by a notice in an itemised format, available in the required specified languages, detailing the exact data collected, specific purpose, rights, and board complaint mechanisms. 3. Unbundle Core Services from Secondary Uses: Separate your general terms of service from marketing and analytics consents, guaranteeing that consent remains specific and unconditional under Section 6. 4. Enforce Data Minimization and Necessity: Strictly evaluate if requested data is necessary. As shown in the telemedicine illustration, drop excessive permissions (like contact lists) if they are not required for core delivery. 5. Build a Dynamic Preference Center: Deploy an accessible dashboard that allows users to exercise their rights and withdraw specific consents effortlessly without losing access to the main service. 6. Implement Robust Audit Trails: Maintain timestamped logs of clear affirmative actions to provide irrefutable evidence of compliance to the Data Protection Board during any regulatory inquiry.
Automating Compliance for D2C Enterprises
Large-scale compliance operations should not force your organization into deploying heavy, generic Governance, Risk, and Compliance (GRC) tools that frustrate product teams and slow down release cycles. ComplyDP offers a specialized Consent Unbundler designed specifically for the high-velocity world of e-commerce. It intelligently separates transactional data from marketing data while automatically helping generate itemised, multi-lingual Section 5 notices compliant with the Rules 2025 right at the checkout or sign-up phase. This ensures your marketing department retains legitimate leads without violating the strict Section 6 limits on necessary data processing. With ComplyDP, you can generate instant evidence packs and audit trails mapped directly back to your enterprise RoPA. Discover exactly where your current consumer consent flows fail the new statutory tests by running a free, comprehensive gap assessment at freescan.complydp.com today.
Sources
Frequently asked questions
Do we need to collect fresh consent from our existing e-commerce customers?
Yes, if your previous consent was bundled with general terms of service. Section 6(1) requires consent to be free, specific, informed, unconditional, and unambiguous through a clear affirmative action. You must provide a clear notice under Section 5 detailing the purpose of data collection to continue processing legacy data legally under the new regime.
What exactly must be included in a consent notice under Section 5 of the DPDP Act and the Rules 2025?
Under Section 5(1), the notice must explicitly inform the Data Principal of three core elements: (i) the personal data being collected and the exact purpose for which it is proposed to be processed; (ii) the manner in which they may exercise their rights under Section 6(4) and Section 13; and (iii) the manner in which they can make a formal complaint to the Data Protection Board. Crucially, the DPDP Rules 2025 require this notice to be presented in an itemised format and made accessible in multiple specified languages.
Can our shopping app legally request access to a user's mobile phone contact list or photo gallery?
No, unless it is strictly necessary for delivering the core service. Section 6(1) dictates that consent must be limited to such personal data as is necessary for the specified purpose. As demonstrated in the Act's telemedicine illustration, if a requested permission (like a contact list) is not necessary to provide your primary e-commerce service, the consent obtained for it is legally invalid.
ComplyDP