How Will India’s DPDP Act Impact E-Commerce Businesses?

In today’s digital world, Data Protection and Privacy are prime concerns for companies as they use data to guide business decisions and to interact with customers. As businesses go digital, it has become increasingly important for substantial data protection laws to be in place. In addition to being a remarkable development in the area of data protection, the Digital Personal Data Protection Act, 2023 (DPDPA), will also have a meaningful effect on e-commerce businesses all over the world.

This article explains the significant effects of the DPDPA 2023 on e-commerce companies, outlining important amendments and offering insights on how companies may adjust to and succeed in this new environment.

The Data Fiduciary in an e-commerce scenario is the platform provider, who collects personal data for analytics, targeting and marketing purposes.

The DPDPA, 2023

The DPDPA, 2023 became an Act in India following Presidential Assent on August 11, 2023.

The Act imposes numerous obligations on Data Fiduciaries (the persons who determine the purpose and means of processing personal data) to protect and limit the processing of data, while also providing numerous rights to Data Principals (the individuals to whom the personal information relates).

The DPDPA 2023 aims to increase Data Principals’ control over their personal data, limit data processing operations, and promote greater responsibility among companies handling personal data.

Determining Data Fiduciary in case of e-commerce businesses

One of the most important questions to answer is who will be the Data Fiduciary in the case of e-commerce businesses. The question arises whether it will be the platform, the retailers, or the sellers.

A Data Fiduciary determines why and how personal information is collected. Because the platform provider collects personal information at the moment of registration and uses it for purposes such as targeting, analytics and marketing, the platform provider in an e-commerce setting is undoubtedly one of the data controllers. If we look at the standard e-commerce platforms, we’ll notice that they frequently act in the role of a Data Fiduciary.

Similarly, if we look at the sellers or retailers on the platform, we’ll see that some of them are bigger retailers or sellers who choose what sort of data they should gather to execute or process orders. They may also be considered Data Fiduciaries, unless they are retailers that the platform or the e-commerce organization uses solely to collect items and deliver them to customers without disclosing who the end customer is or supplying any personal information.

Impact on E-Commerce Businesses

Data Processing Practices-

E-commerce businesses frequently handle an extensive amount of user data for activities including transaction processing, customized marketing, and customer service. Data processing procedures must operate in line with state legal requirements under the DPDPA, 2023. These legal requirements include:

  • Obtaining consent for processing of Personal information of Data Principals.
  • Data Processed must be complete, accurate, and updated.
  • Sending of Itemized Notice along with Request for Personal information
  • Authorized representative to facilitate effective grievance redressal mechanisms for Data Principals or furnishing of contact information for a Data Protection Officer (DPO).
  • Additional obligations relating to Child Data Processing including Parental Consent and restriction on behavioral monitoring.

To stay in compliance and avoid huge fines, businesses will need to take stock of their data procedures.

Enhanced Agreement Management-

One of the main changes introduced by the DPDPA, 2023 is the requirement for users’ informed and explicit consent to data processing. E-commerce companies will be required to amend their consent processes so that customers understand how their information will be managed before providing consent.

Individuals’ Expanded Rights-

This legislation gives individuals more power over their own personal data. E-commerce businesses have to be ready to respond to consumer requests for data access, erasure, transmission and correction. Additionally, the DPDPA provides that Data Principals may give, review, withdraw, or manage their consent to the Data Fiduciary through a Consent Manager. A Consent Manager is an individual registered by the Data Protection Board who acts as a single point of contact to enable a Data Principal to manage their consent. The Consent Manager is responsible to the Data Principal, and a Data Principal has the right to grievance redressal provided by the Consent Manager. Hence, individuals’ rights have been expanded under India's DPDP Act.

Stricter Data Processing Principles-

The DPDPA 2023 places a high value on data minimization, storage limitation and accuracy. Businesses involved in e-commerce have to evaluate their data processing practices to make sure they only collect the necessary data, maintain its correctness, and retain it for a suitable length of time. The DPDPA requires that data be complete, updated and accurate.

Moreover, the Act provides that personal information must be erased on the withdrawal of consent by the Data Principal or when the specified purpose is no longer being served. It may prove essential to modify storage systems, data collection forms and data retention policies in order to implement these principles.

Cross Border Data Transfer-

Personal data transfers outside of the country are subject to further scrutiny under the DPDPA, 2023. Under the DPDPA, the transfer of personal data outside India can be restricted with respect to a certain territory or country upon notification by the Central Government. Furthermore, certain laws or regulations providing for a higher degree of protection may also restrict the transfer of personal data outside India. Thus, e-commerce businesses are permitted to transfer data across borders provided the Central Government does not restrict the transfer through notification.

Data Protection Officers (DPO)-

The DPDPA, 2023 provides for the appointment of a Data Protection Officer. According to the DPDP Act, a DPO is not required for all Data Fiduciaries; the appointment is compulsory only for certain e-commerce organizations that have been notified as Significant Data Fiduciaries. Under the DPDP Act, DPOs will be responsible for managing compliance, providing a point of contact for data protection authorities, and data protection strategies. Apart from the mandatory appointment of DPOs, Significant Data Fiduciaries also have several other obligations, including undertaking Periodic Data Protection Impact Assessments, Periodic Data Audits and the appointment of an Independent Auditor.

Conclusion

The DPDPA marks a turning point in Data Privacy and Protection in India and will significantly affect E-commerce Businesses. The new DPDPA places numerous obligations on E-Commerce Businesses with respect to Handling and Processing of Personal information while also ensuring the rights of Data Principals online. Upholding Privacy and Data Principal Rights in an E-Commerce Environment is not only legally necessary, but it allows Businesses to demonstrate their commitment to Data Privacy and Protection while enhancing Consumer Trust and Confidence.

However, the impact of the DPDPA on e-commerce businesses is enormous, and failure to comply with the obligations under the Act can lead to heavy regulatory fines, which can place a financial burden on such businesses. Hence, it is increasingly vital for e-commerce businesses to understand and fulfill their obligations under the DPDPA. This commitment goes beyond legal compliance: it instills confidence, cultivates reputation and fosters trust.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data centric approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify data inventory, data mapping, data minimization, and securely delete data in enterprises to reduce legal and financial liability.

Legal Disclaimer: The information provided in this blog is not intended to, and does not constitute, legal advice. All content is provided for general informational purposes only. Access to and use of the materials provided do not create an attorney-client relationship. Readers and users should consult with their individual attorneys for advice about their specific legal concerns.