Navigating Privacy, Consent And Dark Pattern Risks For E-Commerce And Retail Platforms In India – Consumer Data, Targeted Advertising And Trust

Posted On - 2 February, 2026 • By - Aniket Ghosh

Introduction: Why E-Commerce Is at the Epicentre of Data Protection Enforcement

India’s e-commerce and digital retail ecosystem, comprising marketplaces, D2C brands, omnichannel retailers, quick-commerce platforms, social commerce intermediaries and loyalty programs, is fundamentally built on data.

Browsing histories, purchase patterns, payment details, delivery addresses, location data, device identifiers and behavioural analytics form the backbone of modern retail strategy and also represent some of the most prominent e-commerce privacy risks. Personalisation, targeted advertising, dynamic pricing and recommendation engines are now standard commercial tools.

However, this data-centric business model also places e-commerce platforms squarely within the crosshairs of data protection regulators.

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), Indian law has decisively shifted the balance away from unchecked commercial exploitation of consumer data towards consent, purpose limitation and accountability.

Applicability of the DPDP Act to E-Commerce and Retail Platforms

A. Who Is Covered?

The DPDP Act applies to any entity processing digital personal data, including:

  • Online marketplaces and aggregators
  • D2C and brand-owned e-commerce platforms
  • Quick-commerce and hyperlocal delivery apps
  • Omnichannel retailers using digital loyalty systems
  • Social commerce and influencer-led platforms
  • Online marketplaces offering cross-border sales

Both Indian and foreign platforms offering goods or services to Indian consumers fall within scope.

B. E-Commerce Platforms as Data Fiduciaries

E-commerce companies almost always qualify as data fiduciaries, as they determine:

  • What consumer data is collected
  • How it is analysed and monetised
  • With whom it is shared (logistics, advertisers, vendors)
  • How long it is retained

Third-party participants like payment gateways, logistics partners, cloud providers, and ad-tech platforms typically act as data processors, though primary compliance responsibility rests with the platform.

Large marketplaces and consumer platforms may be notified as Significant Data Fiduciaries (SDFs) due to:

  • Volume of personal data processed
  • Profiling and targeted advertising
  • Risk of consumer harm at scale

Under the DPDP Act, consent is the default ground for processing personal data, including:

  • Account creation data
  • Order and transaction data
  • Marketing and promotional data
  • Behavioural analytics

Consent must be:

  • Free
  • Informed
  • Specific
  • Unambiguous
  • Capable of withdrawal

B. Notice Requirements Under the DPDP Rules

The DPDP Rules mandate that consumers receive clear notice specifying:

  • Categories of personal data collected
  • Purpose of processing (including marketing and profiling)
  • Third-party data sharing
  • Retention periods
  • Rights of the consumer
  • Grievance redressal mechanisms

Lengthy, generic privacy policies copied across jurisdictions are unlikely to satisfy Indian regulatory expectations.

Common industry practices such as:

  • “Accept all to continue shopping”
  • Bundled consent for marketing and analytics
  • Conditional discounts tied to data sharing

may be viewed as coercive, particularly where refusal materially disadvantages the consumer.

Dark Patterns in E-Commerce: A Growing Enforcement Risk

A. Understanding Dark Patterns

Dark patterns are interface designs that manipulate user behaviour, including:

  • Hidden opt-outs
  • Pre-selected marketing consents
  • Misleading countdown timers
  • False scarcity claims

While the DPDP Act does not expressly define dark patterns, such practices undermine free and informed consent, rendering data processing unlawful.

B. Regulatory Direction of Travel

Indian regulators and courts have increasingly scrutinised:

  • Manipulative UX design
  • Deceptive consent flows
  • Exploitative consumer interfaces

E-commerce platforms relying on aggressive growth tactics face increasing risk under the DPDP framework.

Targeted Advertising and Consumer Profiling

A. Profiling as High-Risk Processing

E-commerce platforms routinely engage in:

  • Behavioural profiling
  • Purchase prediction
  • Dynamic pricing
  • Personalised advertising

Under the DPDP Act, profiling must:

  • Be purpose-specific
  • Be disclosed clearly
  • Be supported by valid consent

Opaque recommendation engines and undisclosed targeting logic create compliance exposure.

B. Ad-Tech and Third-Party Risk

E-commerce platforms commonly integrate:

  • Programmatic advertising networks
  • Attribution and analytics SDKs
  • Retargeting tools

Each integration represents a potential data leakage point. The DPDP Act places responsibility on the platform to ensure that ad-tech partners comply with Indian data protection standards, regardless of their location.

High-Risk Consumer Data Categories

A. Financial and Payment Data

Payment information, transaction histories and wallet balances carry heightened risk due to:

  • Fraud potential
  • Identity theft
  • Regulatory overlap with financial laws

Such data must be collected only where necessary and secured using robust technical measures.

B. Location and Delivery Data

Real-time delivery tracking, address data and location analytics must be:

  • Justified by operational necessity
  • Retained only for limited periods
  • Protected against unauthorised access

C. Loyalty Programs and Behavioural Analytics

Loyalty programs often involve long-term tracking of consumer behaviour. Without clear disclosures and opt-out mechanisms, such programs can violate purpose limitation and storage limitation principles.

Vendor, Logistics and Marketplace Liability

A. Logistics and Fulfilment Partners

Sharing consumer data with delivery partners is operationally necessary, but platforms must:

  • Limit data shared to necessity
  • Impose contractual safeguards
  • Monitor downstream compliance

Uncontrolled sharing of phone numbers, addresses or order details exposes platforms to liability.

B. Marketplace Sellers and Third Parties

In marketplace models, ambiguity often exists around:

  • Whether the platform or seller is the data fiduciary
  • Responsibility for breach notification
  • Consumer grievance handling

Clear contractual allocation and governance mechanisms are essential.

Cross-Border Data Transfers in Retail Platforms

Global e-commerce platforms often store or process data overseas. Cross-border transfers are permitted only to government-notified jurisdictions, requiring platforms to:

  • Map data flows
  • Monitor regulatory notifications
  • Reassess global data architecture

Future restrictions may require localisation or segmentation strategies.

Data Breaches: Consumer Trust at Stake

A. Mandatory Breach Notification

Under the DPDP Act and Rules, e-commerce platforms must notify:

  • The Data Protection Board of India
  • Affected consumers

This obligation applies regardless of financial loss.

B. Reputational Impact

Consumer data breaches often lead to:

  • Media scrutiny
  • Consumer backlash
  • Regulatory investigations
  • Long-term erosion of brand trust

For consumer brands, reputational damage may outweigh statutory penalties.

Penalties and Enforcement Exposure

A. Monetary Penalties

The DPDP Act authorises penalties up to INR 250 crore per contravention, assessed based on:

  • Nature of personal data
  • Scale of processing
  • Duration of violation
  • Mitigation measures taken

E-commerce platforms processing large consumer datasets face systemic exposure.

B. Commercial Consequences

In addition to penalties, platforms may face:

  • Platform delisting or restrictions
  • Loss of advertising partners
  • Investor and partner concerns
  • Regulatory conditions on operations

Compliance Roadmap for E-Commerce and Retail Platforms

1. Data Mapping and Purpose Review: Identify all consumer data flows and associated purposes.

3. Ad-Tech and Vendor Controls: Audit SDKs, cookies and third-party integrations.

4. Contractual Safeguards: Update seller, logistics and vendor agreements.

5. Governance and Training: Align product, marketing and compliance teams on DPDP obligations.

Conclusion: Consumer Trust as a Competitive Advantage

The DPDP Act and Rules mark a decisive shift in India’s digital commerce landscape. Data-driven growth strategies that ignore consent, transparency and proportionality are no longer sustainable.

E-commerce platforms that embed privacy-by-design, reduce profiling excesses and treat consumer data as a matter of trust, not merely monetisation, will be best positioned to succeed in India’s evolving regulatory environment.