← All articles · 30 April 2026 · compliance.hjlabs.in

DPDPA for E-commerce: Cart Cookies, User Data, Payments

If you run a Shopify store, a WooCommerce site, a D2C brand, or sell on ONDC/Mintsoft, the DPDPA touches every part of your stack — from the cookie banner on your homepage to the GST invoice you save for 8 years. This is the e-commerce-specific playbook.

The e-commerce data lifecycle under DPDPA

Map your customer's journey:

  1. Anonymous browse — cookies, fingerprinting, IP, behavioural events
  2. Account signup — name, email, phone, OTP verification
  3. Cart and wishlist — implicit interest signals, persistent cookies
  4. Checkout — billing/shipping address, payment tokens
  5. Fulfilment — courier APIs, OTP delivery
  6. Post-purchase — reviews, returns, support, GST invoice retention

Each step has its own DPDPA implications. Let's walk through them.

Cookies and fingerprinting

Strictly necessary cookies (cart, login session, CSRF) need no consent. Everything else — analytics, advertising, retargeting, A/B testing — requires explicit, opt-in consent before the cookie is set. Pre-ticked checkboxes are not valid consent under Section 6.

Practical: implement a granular cookie banner with categories (Necessary / Analytics / Marketing). Block tags until consent. Use Cloudflare's free Zaraz, OneTrust, or CookieYes.

Abandoned cart emails

This is a hot topic. Under DPDPA, sending an abandoned-cart email is processing personal data (email + behavioural data) for marketing. You need consent. The cleanest way: have a "Yes, send me reminders if I leave items in my cart" checkbox during signup or first cart action.

Implicit "we will email you because you left items in your cart" without a prior signal is now risky. Many large Indian brands have updated their flows in 2025 to capture this consent up-front.

Payment data

Card numbers, UPI IDs, and bank details are collected by your payment gateway (Razorpay, PayU, Cashfree). Your store typically only sees a tokenised reference, which is good — RBI's tokenization mandate already minimises your DPDPA exposure here.

What you do retain (last 4 digits, payment method, transaction ID) must be in your privacy notice and protected.

GST invoice retention

The Income Tax Act and GST law require you to retain invoice records for 8 years. This is a "legitimate use" under Section 7(c) of the DPDPA — you are complying with a law. Your privacy policy should explicitly state this retention period and the legal basis.

Importantly, you cannot use this 8-year-retained data for marketing without consent — the legitimate use is only for the tax/legal purpose.

Courier and logistics integrations

Delhivery, Bluedart, Shadowfax, Ekart, etc., are Data Processors. You need a Data Processing Agreement (DPA) with each one that flows down DPDPA obligations. Your privacy policy must list them as sub-processors.

Marketing analytics and ad pixels

Meta Pixel, Google Tag, TikTok Pixel — these all transfer user data to international platforms. Two implications:

Strong practice: server-side tracking via your own first-party endpoint, then forwarded with hashed identifiers.

Reviews and UGC

Public reviews are personal data of the reviewer. Even though the reviewer chose to publish, you still owe them rights — they can request edit/delete. Your review platform (Yotpo, Judge.me, Loox) must support DSR workflows.

ONDC and marketplace selling

If you sell through ONDC, Amazon, Flipkart, or Meesho, the marketplace is the primary Data Fiduciary for the buyer's data. You receive only what's necessary to fulfil the order. Your DPDPA exposure is narrower but not zero — once you communicate post-sale (warranty, support, marketing) you are processing in your own right.

Children's data and gifting

Be careful with kids' products and gifting flows. If a 14-year-old signs up to gift their parent something, you may be processing a child's data. Your TOS prohibition of under-18 signups is not enough — you need verifiable parental consent or you must block the flow.

The minimum e-commerce DPDPA stack

  1. Cookie banner with granular consent and "block before consent" behaviour
  2. Privacy policy that lists every category of data, every sub-processor, retention periods, and rights flow — generate one
  3. Account-level consent toggles for marketing, abandoned cart, recommendations
  4. DSR endpoint (could be a simple form that emails support) — log every request
  5. DPA template signed with every vendor
  6. Grievance officer details on every page footer
  7. Breach response runbook

Bottom line

DPDPA does not block e-commerce growth — major Indian D2C brands have already adapted. The pattern is: explicit consent, granular controls, transparent processor lists, and a real grievance process. The rest is normal commerce. Walk the 15-point checklist and you are 90% there.

Generate your DPDPA privacy policy

Free. Two minutes. Section-by-section references. English & Hindi.

Open the generator →

More from the blog