DPDP Act for D2C Brands: What You Need to Change Before 2027

What Is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive data privacy law. Think of it as India’s GDPR. It regulates how businesses collect, store, process, and share personal data of Indian citizens.

If you run a D2C brand that collects customer names, phone numbers, email addresses, shipping addresses, or payment information — you are a ‘Data Fiduciary’ under this law. You have obligations.

Key Requirements for D2C Brands

1. Consent Before Collection

  • You must get explicit, informed consent before collecting personal data.
  • Pre-ticked checkboxes don’t count. The customer must actively opt in.
  • Your privacy policy must clearly state: what data you collect, why, how long you keep it, and who you share it with.
  • Action: Add a clear consent checkbox at checkout and account creation. Update your privacy policy.

2. Purpose Limitation

  • You can only use data for the purpose you stated when collecting it.
  • Collected email for order updates? You can’t auto-add it to your marketing list without separate consent.
  • Collected phone number for delivery? You can’t share it with a marketing partner.
  • Action: Separate transactional consent (order processing) from marketing consent (newsletters, WhatsApp broadcasts).

3. Data Minimization

  • Only collect data you actually need.
  • Does your checkout really need date of birth? Anniversary? If you’re not using it for personalization, don’t collect it.
  • Action: Audit your checkout fields and forms. Remove anything you don’t actively use.

4. Right to Erasure

  • Customers can request deletion of their personal data.
  • You must delete it within a ‘reasonable’ timeframe (guidelines suggest 30 days).
  • Exception: data required for legal compliance (tax records, GST invoices) can be retained.
  • Action: Build or configure a data deletion workflow. Shopify has built-in customer data request handling.
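The two obligations above that most often fail in practice are purpose limitation (section 2) and erasure with the tax-record exception (section 4), because both depend on how the customer record is modelled rather than on the privacy policy text. The following is an added example, not code from the original article or from any store platform: it keeps consent per purpose, refuses to hand an order-processing email to a marketing path without its own opt-in, and erases everything except an assumed set of invoice fields kept under legal hold. The field names, purpose names, legal-hold set and the sample customer are all constructed for illustration.

```python
"""Purpose-bound consent and erasure with a legal-retention carve-out.

Added example, not part of the original article. Field names, purpose
names, the legal-hold field set and the sample customer are assumptions
chosen to illustrate purpose limitation and the right to erasure.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Consent is recorded per purpose; transactional and marketing consent are
# deliberately separate so one can never be used to imply the other.
PURPOSE_ORDER_PROCESSING = "order_processing"
PURPOSE_MARKETING = "marketing"
PURPOSE_LEGAL_COMPLIANCE = "legal_compliance"   # statutory basis, not consent

# Fields that survive erasure because invoice records must be retained.
# Assumed list; the real set depends on your GST and tax obligations.
LEGAL_HOLD_FIELDS = {"invoice_number", "invoice_total", "invoice_date"}

ERASURE_DEADLINE_DAYS = 30   # the 'reasonable' timeframe the article cites


class ConsentError(PermissionError):
    """Raised when data would be used for a purpose without a lawful basis."""


@dataclass
class Customer:
    customer_id: str
    data: dict                                   # personal data by field name
    consents: set = field(default_factory=set)   # purposes actively opted in
    erased: bool = False


def grant_consent(customer: Customer, purpose: str, opted_in: bool) -> None:
    """Record consent only on an active opt-in. An unticked (or pre-ticked
    but never touched) box arrives here as opted_in=False and records nothing."""
    if opted_in:
        customer.consents.add(purpose)


def withdraw_consent(customer: Customer, purpose: str) -> None:
    customer.consents.discard(purpose)


def may_use(customer: Customer, purpose: str) -> bool:
    """Legal-compliance access rests on statute; everything else needs a live
    opt-in for exactly that purpose and an un-erased record."""
    if purpose == PURPOSE_LEGAL_COMPLIANCE:
        return True
    return (not customer.erased) and purpose in customer.consents


def use_data(customer: Customer, purpose: str, fields: set) -> dict:
    """Return only the requested fields, and only when the purpose is allowed.
    Legal-compliance access is limited to the retained invoice fields."""
    if not may_use(customer, purpose):
        raise ConsentError(f"{customer.customer_id}: no basis for {purpose}")
    if purpose == PURPOSE_LEGAL_COMPLIANCE and not fields <= LEGAL_HOLD_FIELDS:
        raise ConsentError("legal-compliance access limited to retained records")
    return {k: customer.data[k] for k in fields if k in customer.data}


def erase(customer: Customer, requested_on: date) -> date:
    """Delete all personal data except legal-hold fields, drop every consent,
    and return the date by which the request must be completed."""
    customer.data = {k: v for k, v in customer.data.items() if k in LEGAL_HOLD_FIELDS}
    customer.consents.clear()
    customer.erased = True
    return requested_on + timedelta(days=ERASURE_DEADLINE_DAYS)


def demo() -> dict:
    """Walk a constructed customer record through the lifecycle."""
    c = Customer("cust-001", {
        "name": "Asha Example",                 # constructed sample data
        "email": "asha@example.com",
        "phone": "+91-0000000000",
        "invoice_number": "INV-2025-0001",
        "invoice_total": 1499.00,
        "invoice_date": "2025-06-01",
    })
    grant_consent(c, PURPOSE_ORDER_PROCESSING, opted_in=True)
    grant_consent(c, PURPOSE_MARKETING, opted_in=False)   # box left unticked
    before = {"order": may_use(c, PURPOSE_ORDER_PROCESSING),
              "marketing": may_use(c, PURPOSE_MARKETING)}
    grant_consent(c, PURPOSE_MARKETING, opted_in=True)    # separate opt-in
    after_optin = may_use(c, PURPOSE_MARKETING)
    due = erase(c, requested_on=date(2026, 1, 10))
    return {
        "before": before,
        "marketing_after_optin": after_optin,
        "erasure_due": due.isoformat(),
        "retained_fields": sorted(c.data),
        "marketing_after_erase": may_use(c, PURPOSE_MARKETING),
        "invoice_lookup": use_data(c, PURPOSE_LEGAL_COMPLIANCE, {"invoice_number"}),
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through `use_data` is that the marketing path cannot reach a customer's email by accident: the purpose is named at the call site, and the gate rather than the caller decides. After erasure the only remaining fields are the retained invoice records, and the only purpose that can read them is legal compliance.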

5. Data Breach Notification

  • If you suffer a data breach, you must notify the Data Protection Board of India AND affected customers.
  • No specific timeline in the Act yet, but expect 72-hour requirements similar to GDPR.
  • Action: Have an incident response plan. Know who to contact and what to communicate.

Penalties

Violation                                      Maximum Penalty
Failure to take security measures              ₹250 crore
Failure to notify breach                       ₹200 crore
Non-compliance with obligations to children    ₹200 crore
General non-compliance                         ₹50 crore

These are maximum penalties. Early enforcement is likely to focus on large companies, but building compliance now protects you as enforcement scales.

Compliance Checklist for D2C Brands

  1. Update your Privacy Policy — Make it clear, in simple language, what data you collect and why. Link it in your footer and checkout.
  2. Add consent mechanisms — Checkbox at checkout for marketing communication. Separate from order processing consent.
  3. Audit third-party data sharing — Who has access to your customer data? Analytics tools, ad platforms, CRMs, courier partners. Document all data processors.
  4. Set up data deletion workflows — Enable customers to request data deletion. Respond within 30 days.
  5. Secure your data — Use HTTPS everywhere. Encrypt stored data. Use strong passwords and 2FA on all admin accounts.
  6. Train your team — Anyone who handles customer data (support team, marketing team) should understand basic data protection principles.

Need Help With DPDP Compliance?

At Growww Tech, we help D2C brands audit their data practices and implement DPDP-compliant workflows. Don’t wait for enforcement — get compliant now.
