Digital Personal Data Protection Rules impact on e-commerce sector

Impact of the Draft Digital Personal Data Protection Rules on the e-commerce sector

India's 2025 Draft Data Protection Rules usher in a new era of data privacy, imposing intricate compliance demands for e-commerce companies. 


In brief

  • India's Draft Rules encourage a privacy-focused culture yet leave key e-commerce compliance questions open-ended.
  • The DPDP Draft Rules highlight ambiguities in grievance redressal, profiling, data retention, and international transfers, requiring strategic compliance.
  • India's Draft DPDP Rules mark progress in data privacy but leave businesses grappling with compliance ambiguities.

The Draft Digital Personal Data Protection Rules, 2025 (‘Draft Rules’) were released by MeitY at the start of the new year, sparking discussions on the impact of data protection rules on e-commerce and compliance requirements for businesses across sectors in India. While the Draft Rules address the 'retention period' for e-commerce entities, there are several compliance gaps. This article examines the ‘Draft Rules’ applicability to e-commerce entities, their mandated obligations, and the data protection compliance challenges in India that remain unaddressed in the context of the evolving data privacy law in India.

Compliance challenges for e-commerce entities


1. Grievance redressal mechanism

The sector-specific E-commerce Rules, 2019 mandate that e-commerce entities institute a grievance redressal mechanism to address consumer grievances raised by users, and keep users informed of the name, contact details and designation of the grievance officer. This can be read in conjunction with Rule 13(3) of the Draft Rules, which requires data fiduciaries to inform data principals of the time period within which their grievance redressal system will address grievances raised, and to implement appropriate technical and organizational safeguards to keep such a mechanism effective.


E-commerce entities are therefore well placed to extend their existing consumer grievance redressal mechanism to cover the requirements of privacy law, e-commerce data compliance and consumer data rights, making their operations more effective in line with the DPDP Rules, 2025. However, they will need to reconcile the complexities posed by the applicable sector-specific regulation(s) with those of the Draft Rules, and align their privacy compliance accordingly.

2. Profiling and automated decision making

E-commerce entities are likely to implement profiling and automated decision-making mechanisms to enhance and personalize the user experience.

However, neither the Digital Personal Data Protection Act, 2023 (‘DPDPA’) nor the Draft Rules stipulate any regulatory safeguards to protect data principals from being subjected to profiling. Rule 12(3) of the Draft Rules obliges Significant Data Fiduciaries to conduct algorithm audits if they deploy algorithmic software to process personal data. This obligation would apply to e-commerce entities once the central government notifies them as Significant Data Fiduciaries. However, as that notification is still pending and the Draft Rules offer no further clarity, it remains ambiguous which safeguards e-commerce entities must observe in this context.

3. Retention period

The Draft Rules specify a three-year retention period for e-commerce entities with over two crore registered users, running from the data principal's last interaction or from the commencement of the rules, whichever is later. However, no retention period is defined for e-commerce entities with fewer than two crore registered users. Further, there is no clarity on which use-cases count as the last interaction of a data principal with the e-commerce platform, a point that is critical for operationalizing personal data retention and erasure.

4. Processing of sensitive personal data

At present, a definition of ‘Sensitive Personal Data’ can only be derived from Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (‘SPDI Rules’). Several categories defined in the SPDI Rules, such as financial information, biometric information or passwords, may be processed through e-commerce platforms.

The DPDPA, as well as the Draft Rules, do not define ‘Sensitive Personal Data’ and the categories of personal data that could fall within the ambit of being sensitive. There are no additional safeguards specified to protect such data, and there is no lawful basis for processing sensitive personal data outlined in the DPDP Act.

5. Third-party data transfers

Given the large volume of personal data processed by e-commerce entities and the extent of their processing activities, the involvement of third parties is unavoidable (e.g., for facilitating customer payments).

However, while the DPDPA mandates a contractual agreement between the data fiduciary and any data processors engaged to handle personal data, the Draft Rules do not establish additional safeguards to protect data during third-party transfers, raising questions about rules for cross-border data transfer in India.

6. Cross-border transfer of personal data

The DPDPA and the Draft Rules do not provide adequate safeguards to protect personal data transferred by entities outside the territory of India. There is no clarity regarding the specific safeguards that may be implemented to protect personal or sensitive personal data from potential risks associated with such transfers. Furthermore, the central government has yet to notify the list of countries or territories to which the transfer of personal data is restricted, impacting any multi-jurisdiction business operations that the entities may be engaged in.

7. Verifiable parental consent

The Draft Rules categorize data fiduciaries into three groups and outline specific purposes of data processing that are exempt from the age gating requirements for children’s data. However, the rules do not clarify whether these obligations apply to all the other data fiduciaries, particularly those not targeting children. Most e-commerce websites, while not designed specifically for children, may still have child visitors. The rules do not specify whether age gating would be necessary for such entities, nor do they provide guidance on how to implement such measures.

The article is also contributed by Bhavya Janardhan, Director, EY India.

Summary

The Draft Rules represent a significant milestone as India moves toward a ‘privacy-conscious’ future, enabling businesses and organizations to prioritize the protection of the privacy rights vested in data principals. However, ambiguities persist in the Draft Rules, as they do in the DPDPA, presenting compliance challenges that organizations must navigate.

