Interplay between the DPDP Act, 2023 and Consumer Protection/E-Commerce Laws

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) and India’s Consumer Protection Act, 2019 (CPA), along with the Consumer Protection (E-Commerce) Rules, 2020, together govern the rights of consumers in the digital economy. While the DPDP Act secures informational privacy, consumer protection law addresses fair trade, transparency, and grievance redressal.
The overlap creates synergies but also raises questions of conflict, particularly in areas such as consent for marketing, erasure rights versus record retention for consumer disputes, and dual grievance redressal frameworks. This essay explores these intersections, compares global models, and highlights corporate implications through case examples.
Introduction: Dual Regulatory Framework for Digital Consumers
Indian consumers interact with businesses primarily through e-commerce platforms and digital services. These interactions involve both commercial fairness (regulated by CPA) and data privacy (regulated by DPDP).
- CPA 2019: Protects against unfair trade practices, misleading advertisements, and defective goods/services.
- E-Commerce Rules 2020: Prescribe duties for e-commerce entities on transparency, seller disclosures, and grievance officers.
- DPDP Act 2023: Governs collection, use, storage, and sharing of personal data.
Together, they form a twin compliance burden for digital businesses.
Points of Convergence
Consent and Transparency
- DPDP: Requires clear notice and consent for processing personal data.
- E-Commerce Rules: Require disclosure of terms of service, refund policies, and consumer rights.
- Overlap: Both stress informed consumer decision-making.
Grievance Redressal
- DPDP: Fiduciaries must establish privacy grievance officers.
- CPA/E-Commerce Rules: Platforms must appoint grievance officers for consumer complaints.
- Overlap: Dual grievance mechanisms, often handled by the same officer.
Misleading Practices
- CPA: Penalises unfair trade practices, including misrepresentation of services.
- DPDP: Consent obtained through dark patterns or misleading notices is invalid.
- Overlap: Both penalise deceptive practices in digital commerce.
Potential Conflicts
Right to Erasure vs. Record Retention
- DPDP: Consumers may demand deletion of personal data once purpose is served.
- CPA/E-Commerce: Platforms may need to retain records for refunds, chargebacks, or disputes.
- Conflict: Fiduciaries must balance erasure rights with legal obligations.
Dual Grievance Forums
- DPDP: Complaints may escalate to the Data Protection Board.
- CPA: Complaints may go to Consumer Dispute Redressal Commissions.
- Conflict: Parallel proceedings possible for the same grievance (privacy vs. unfair trade).
Use of Data for Targeted Advertising
- DPDP: Consent required for processing.
- CPA: No direct prohibition, but unfair exploitation of consumer data may be deemed “unfair practice.”
Sectoral Focus
E-Commerce Platforms
- Handle vast consumer data and face obligations under all three laws.
- Example: A marketplace must ensure both privacy-compliant marketing and truthful product representations.
Direct-to-Consumer (D2C) Brands
- Depend on personalised targeting for growth.
- Must navigate consent under DPDP and avoid manipulative advertising under CPA.
Digital Service Providers
- Subscription apps, edtech platforms, and OTT services must integrate grievance redressal for both service delivery and data privacy.
Illustrative Scenarios
Scenario 1: Targeted Advertising
- An e-commerce platform uses purchase history to push new products without explicit consent.
- DPDP: Violation of consent rules.
- CPA: Potentially unfair practice if misleading.
Scenario 2: Grievance Mishandling
- A consumer’s refund request doubles as a data erasure request.
- DPDP: Requires erasure of data.
- CPA: Requires addressing refund grievance.
- Conflict: Platform must segregate and respond under both frameworks.
Scenario 3: Consumer Review
- A D2C brand deletes negative reviews linked to consumer accounts.
- CPA: Misleading practice.
- DPDP: Improper processing of personal data (reviews, identities).
Global Comparisons
EU (GDPR + Consumer Law)
- GDPR governs privacy; consumer law prohibits unfair practices.
- EU integrates through the Unfair Commercial Practices Directive.
U.S. (FTC)
- FTC enforces both privacy and consumer protection under Section 5 “unfair or deceptive acts.”
UK (ICO + CMA)
- ICO enforces data protection, CMA enforces consumer law, but they issue joint guidance.
India currently lacks joint guidance, leading to uncertainty for businesses.
Corporate Implications
- Dual Compliance Costs: Companies must invest in integrated teams for privacy + consumer law.
- Litigation Risk: Parallel complaints before DPB and Consumer Commissions.
- Reputational Harm: Mishandling consumer data is perceived as both a privacy violation and unfair trade.
Compliance Strategies
1. Integrated Notices: Draft privacy policies and consumer disclosures together to ensure consistency.
2. Unified Grievance Systems: One grievance officer handling both privacy and consumer complaints.
3. Data Retention Policies: Align erasure under DPDP with minimum record-keeping under CPA.
4. Vendor Oversight: Ensure sellers on marketplaces comply with both privacy and consumer law.
5. Cross-Regulatory Readiness: Prepare for scrutiny by both DPB and Consumer Commissions.
Conclusion & Key Takeaways
The DPDP Act and Consumer Protection/E-Commerce laws together form the backbone of consumer rights in India’s digital economy. While synergies exist, overlaps in grievance redressal and conflicts around data retention vs. erasure create compliance challenges.
Key takeaways:
- Privacy and consumer protection are two sides of the same coin in digital commerce.
- Businesses must adopt integrated compliance frameworks covering both laws.
- Dual enforcement raises risk of parallel litigation and regulatory scrutiny.
- Coordinated guidance from regulators would reduce uncertainty and foster consumer trust.
For corporates, compliance is no longer siloed: it requires a holistic approach combining privacy, fairness, and transparency.
Co-authored by: Aurelia Menezes