Comply DP

DPDP compliance for D2C & eCommerce

High-velocity retail brands need consent, notices, and vendor evidence that match how you actually market and sell.

Why D2C Brands Face a Different DPDP Problem

If you run a D2C or eCommerce business in India, your DPDP compliance challenge is not the same as a SaaS company's or a bank's. Your problem is volume, velocity, and the sheer number of third-party tools touching customer data at every stage of the funnel.

A typical D2C brand's data flow looks like this: a customer clicks a Meta ad (pixel fires, device ID captured), lands on your Shopify or custom storefront (Google Analytics, Hotjar, cookie trackers activate), browses products (behavioural data logged), adds to cart (email or phone captured for abandoned cart recovery), checks out (name, address, phone, email, payment details collected), payment processes through Razorpay or Stripe (financial data shared with processor), order ships via Delhivery or Shiprocket (name, address, phone shared with logistics partner), post-purchase emails trigger via Klaviyo or WebEngage (marketing data processed), and a review request goes out via a third-party review platform.

That is at least 8–10 third-party processors touching personal data in a single customer journey. Each one is a data processing relationship that needs DPDP-compliant contractual coverage. Most D2C brands have signed standard terms with these vendors without any DPDP-specific provisions.

The 5 DPDP Obligations D2C Brands Must Get Right

Obligation 1: Cookie and Tracker Consent

This is where most D2C brands are furthest from compliance. Your website likely drops 15–40 cookies and tracking pixels before a visitor has done anything - Meta Pixel, Google Analytics, Google Ads conversion tracking, Hotjar, Clarity, retargeting pixels, affiliate tracking scripts.

Under the DPDP Act, each of these trackers that processes personal data (and most do - device IDs, IP addresses, and behavioural patterns are personal data) requires specific, informed consent before activation. Not a banner that says "we use cookies" - a mechanism that lets users choose which categories of trackers to enable, with trackers disabled by default until consent is given.

What you need to implement:
- A cookie consent mechanism that blocks non-essential cookies until consent is given
- Category-based consent: essential (always on), analytics (opt-in), marketing (opt-in), third-party (opt-in)
- A consent record system that logs when consent was given, for which categories, and which version of the consent notice was shown
- A consent withdrawal mechanism as easy as the opt-in (one click, not buried in settings)
- Cookie scanning: know exactly what cookies your site drops and which vendors they belong to
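The four mechanical requirements above (default-off trackers, per-category opt-in, a versioned consent record, and one-click withdrawal) fit in a small consent manager. This is an added illustration, not ComplyDP's or any vendor's code; the tracker names, the notice version string and the fixed clock are constructed for the walk-through.

```javascript
// Added example, not ComplyDP's code: category-gated tracker loading with an
// append-only consent record. Tracker names and the notice version are constructed.
const NOTICE_VERSION = "notice-v3-2025-01"; // constructed; bump whenever the notice text changes

class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.trackers = [];                     // { name, category, load }
    this.granted = new Set(["essential"]);  // essential always on; every other category off by default
    this.loaded = new Set();
    this.records = [];                      // consent log: when, which categories, which notice version
  }
  // Registering never runs the tracker; activation happens only through applyConsent().
  register(name, category, load) { this.trackers.push({ name, category, load }); }
  // Fire trackers whose category is granted and which have not fired yet.
  applyConsent() {
    for (const t of this.trackers) {
      if (this.granted.has(t.category) && !this.loaded.has(t.name)) { t.load(); this.loaded.add(t.name); }
    }
  }
  // Record an opt-in for the chosen categories, then load what it newly permits.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    this.records.push({ at: this.clock(), action: "grant", categories: [...categories], noticeVersion: NOTICE_VERSION });
    this.applyConsent();
  }
  // One-click withdrawal: non-essential categories go back to off and the change is logged.
  // Already-injected scripts keep running until reload, so a real banner reloads or calls the vendor opt-out.
  withdrawAll() {
    const dropped = [...this.granted].filter((c) => c !== "essential");
    this.granted = new Set(["essential"]);
    this.records.push({ at: this.clock(), action: "withdraw", categories: dropped, noticeVersion: NOTICE_VERSION });
  }
}

// Walk-through with constructed tracker names; in a page, load() would inject the vendor tag.
function demo() {
  const cm = new ConsentManager(() => "2025-01-15T10:00:00Z");
  const fired = [];
  cm.register("session-cookie", "essential", () => fired.push("session-cookie"));
  cm.register("analytics-tag", "analytics", () => fired.push("analytics-tag"));
  cm.register("ad-pixel", "marketing", () => fired.push("ad-pixel"));
  cm.applyConsent();                    // first page load: only the essential tracker fires
  cm.grant(["analytics"]);              // visitor opts in to analytics only; ad-pixel stays off
  const afterGrant = [...cm.loaded].sort();
  cm.withdrawAll();
  cm.register("retarget-pixel", "marketing", () => fired.push("retarget-pixel"));
  cm.applyConsent();                    // after withdrawal nothing new fires
  return { fired, afterGrant, records: cm.records, granted: [...cm.granted] };
}
```

The `records` array is what an auditor asks for: each entry ties the choice to the notice version the visitor actually saw.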

Timeline: If you are using a platform like Shopify, implementing a DPDP-compliant cookie consent banner takes 1–2 weeks. If you have a custom storefront with deeply integrated tracking, budget 3–4 weeks.

Obligation 2: Checkout and Account Creation Consent

When a customer creates an account or checks out, you collect name, email, phone, address, and payment details. Under DPDP, you need a standalone privacy notice (not buried in Terms & Conditions) that explains exactly what data you collect and why, presented before or at the point of collection.

Critical for D2C: You cannot bundle consent. If you want to use the customer's email for transactional updates (order confirmation, shipping notification) AND for marketing emails, these are two separate purposes requiring two separate consent checkboxes. A single "I agree to the Terms & Conditions and Privacy Policy" checkbox is not compliant.

What your checkout flow needs:
- A link to your standalone privacy notice visible before the customer submits their data
- Separate consent for transactional communications (can be implied if necessary for the service) and marketing communications (must be explicit opt-in)
- No pre-ticked marketing consent boxes
- Clear language: "We will send you promotional emails about new products and offers" - not "We may use your data to improve our services"

Obligation 3: Marketing and Retargeting Compliance

This is the obligation that will change how D2C brands operate. Under DPDP:
- Retargeting ads using personal data require specific consent for that purpose
- Sharing customer data with Meta, Google, or affiliate networks for ad targeting is processing for a specific purpose that must be disclosed and consented to
- Lookalike audiences built from your customer lists involve sharing personal data with a third-party processor - this must be covered in your privacy notice and vendor DPA
- Abandoned cart emails using personal data collected during browse (before purchase) require consent for that specific use

What this means practically: Your Meta Custom Audiences workflow - where you upload a customer email list to Meta for retargeting - requires that every email on that list was collected with consent for the specific purpose of "sharing with advertising platforms for targeted advertising." If your consent mechanism just said "marketing emails," that does not cover sharing data with Meta for ad targeting.

Obligation 4: Payment Processor and Logistics Partner DPAs

Razorpay, Stripe, PayU, Cashfree - these are Data Processors under DPDP. Delhivery, Shiprocket, BlueDart - also Data Processors. Each needs a Data Processing Agreement with DPDP-specific clauses.

Most payment processors and logistics companies are ahead on this - they serve regulated clients and have DPAs available. But you need to actually execute them, not assume the standard terms cover DPDP.

Key clauses to verify:
- Breach notification: Will the processor notify you within 24–48 hours of detecting a breach? (You need this to meet your 72-hour DPBI notification obligation)
- Data deletion: Will the processor delete customer data upon your request or contract termination?
- Sub-processors: Does Razorpay share your customer data with other processors? Which ones?
- Cross-border transfer: Where is the payment data stored and processed? Is it in a permitted jurisdiction?

Obligation 5: Customer Data Rights Portal

A customer contacts you and says: "What data do you have on me? Delete it." Under DPDP, you must be able to answer the first question and execute the second - within 7 days for deletion.

For a D2C brand, this means tracing a single customer's data across: your storefront database, your CRM, your email marketing tool, your analytics platform, your payment processor, your logistics partner, and your customer support tool. That is 7+ systems.

What you need:
- A data principal rights request form (see our Compliance Template Pack)
- An internal workflow that routes the request to the right team
- The ability to export all data held about a customer across all systems
- The ability to delete a customer's data across all systems within 7 days
- A log of every request received and action taken
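The deletion part of that workflow is the piece most brands get wrong: one request has to reach all seven systems listed above, and the request is only done when every one of them confirms. The following is an added sketch of that fan-out with a per-system log and the 7-day deadline check; it is not ComplyDP's code, and the system adapters are constructed stand-ins that would, in practice, call the storefront, CRM, email, analytics, payment, logistics and support APIs.

```javascript
// Added example, not ComplyDP's code: fan a deletion request out to every system
// holding the customer, log each outcome, and track the 7-day deadline.
const DELETION_SLA_DAYS = 7;

// Constructed stand-ins for the seven systems named in the text; a real adapter
// would call that system's API and throw on a non-success response.
function makeSystems(failing = []) {
  const names = ["storefront", "crm", "email-marketing", "analytics", "payments", "logistics", "support"];
  return names.map((name) => ({
    name,
    deleteCustomer(customerId) {
      if (failing.includes(name)) throw new Error(`${name}: delete of ${customerId} rejected`);
      return true;
    },
  }));
}

// Returns the request state plus one audit log entry per system. The request is
// "complete" only when every system confirmed; any failure leaves it open for follow-up.
function processDeletionRequest(request, systems, now = new Date()) {
  const deadline = new Date(new Date(request.receivedAt).getTime() + DELETION_SLA_DAYS * 86400000);
  const log = [];
  for (const s of systems) {
    try {
      s.deleteCustomer(request.customerId);
      log.push({ system: s.name, status: "deleted", at: now.toISOString() });
    } catch (e) {
      // Never mark the request complete on a partial failure; record what is still outstanding.
      log.push({ system: s.name, status: "failed", error: e.message, at: now.toISOString() });
    }
  }
  const pending = log.filter((l) => l.status !== "deleted").map((l) => l.system);
  return {
    requestId: request.id,
    status: pending.length === 0 ? "complete" : "open",
    pending,
    deadline: deadline.toISOString(),
    overdue: pending.length > 0 && now > deadline, // past the 7-day window with work outstanding
    log,
  };
}
```

Wire the `overdue` flag to an alert: an open request that has crossed the deadline is the case you need to see before the customer does.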

The D2C DPDP Budget

For a D2C brand with ₹5–50 crore annual revenue:

One-time setup: ₹5–15 lakh
- Cookie consent implementation: ₹1–3 lakh
- Privacy notice and consent flow redesign: ₹1–2 lakh
- Vendor DPA negotiation (5–10 vendors): ₹1–3 lakh
- Data mapping across systems: ₹1–3 lakh
- Compliance platform (ComplyDP or equivalent): ₹2–5 lakh/year

Recurring annual: ₹3–8 lakh
- Platform subscription
- Annual consent and cookie audit
- Vendor compliance review
- Staff training

The cost of non-compliance: a single penalty can reach ₹250 crore. More practically, a data breach at your payment processor that you cannot report within 72 hours because you did not have a breach notification workflow costs you customer trust, press coverage, and potentially your business.

The 8-Week D2C DPDP Sprint

Week 1–2: Audit. Map every third-party tool that touches customer data. List every cookie and tracker on your site. Document your current consent mechanisms.

Week 3–4: Fix consent. Implement a DPDP-compliant cookie consent mechanism. Redesign checkout consent flows with separate marketing opt-in. Update your privacy notice to be standalone, specific, and multilingual.

Week 5–6: Fix vendors. Send DPA addendums to your top 5 processors (payment, logistics, email marketing, analytics, CRM). Negotiate and sign.

Week 7–8: Fix rights. Build or deploy a data principal rights request form. Test the deletion workflow end to end - can you delete a customer's data across all systems in 7 days?

After 8 weeks: Run the ComplyDP Readiness Scan to verify your posture. Address remaining gaps. Schedule annual review.

D2C-Specific FAQ

Q: Do I need consent for every Meta Pixel event?
A: You need consent for the Meta Pixel to fire at all, since it processes personal data (device IDs, behavioural data). Once a user consents to "marketing/advertising cookies," the pixel can fire. But you must disclose in your privacy notice that you share data with Meta for advertising purposes.

Q: What about WhatsApp Business messages?
A: WhatsApp messages to customers using their phone numbers are processing personal data for a specific purpose. Transactional messages (order updates) may fall under "legitimate use" if necessary for the service. Promotional messages require explicit consent.

Q: My Shopify store is hosted outside India. Does DPDP still apply?
A: Yes. DPDP applies to any processing of personal data of individuals in India, regardless of where the processing occurs. Shopify's servers being in Canada or the US does not exempt you.

Q: Do I need to offer my privacy notice in Hindi/Marathi/Tamil?
A: The Act requires availability in English or any of the 22 scheduled languages based on user preference. If your customer base is predominantly Hindi-speaking, you should offer a Hindi version. If you serve customers in Maharashtra, a Marathi option strengthens compliance.

Getting Started

Run ComplyDP's free Readiness Scan at complydp.com/scan to see exactly where your D2C brand stands against DPDP obligations. It covers all 43 controls including cookie consent, vendor risk, and data rights - in under 10 minutes.