DPDPA 2023 · DPDP Rules 2025
DPDPA Compliance for E-commerce & D2C Businesses in Chennai
DPDPA compliance for online stores and D2C brands collecting customer, payment and delivery data.
Overview
Every online store collects names, phone numbers, delivery addresses, order history and often payment metadata — all 'personal data' under the DPDP Act 2023. D2C brands compound this with marketing pixels, abandoned-cart retargeting and influencer data flows.
Chennai context: A manufacturing, fintech and SaaS centre where vendor and employee-data documentation is commonly missing. The obligations below apply to e-commerce and D2C businesses operating in Chennai, Tamil Nadu — there is no local exemption and no turnover threshold under the DPDP Act.
Does DPDPA apply to you?
You are a Data Fiduciary the moment you decide why and how customer data is processed. Selling to Indian consumers online puts you squarely in scope, regardless of company size or turnover.
Personal data you typically process
- Customer name, email, phone
- Shipping & billing addresses
- Order and purchase history
- Payment metadata (via gateway)
- Marketing/behavioural tracking (pixels, cookies)
- Customer support chat logs
Your biggest compliance risks
- Pre-ticked marketing consent boxes (a 'dark pattern')
- Sharing customer data with logistics & marketing tools without processor contracts
- Indefinite retention of customer accounts and order data
- No way for customers to request data deletion
What the DPDP Act requires you to do
- Itemised consent notice at signup and checkout
- Plain-language privacy notice (also available in 22 scheduled languages)
- Named Grievance Officer with a working contact
- Data Processing Agreements with couriers, CRMs and marketing tools
- Retention schedule and erasure on request
- Breach notification workflow to the Board and affected customers
Common violations regulators look for
- Bundled consent ('by signing up you agree to marketing')
- No way to withdraw consent as easily as it was given
- Selling or sharing email lists without lawful basis
Quick wins you can do this week
- Replace pre-ticked boxes with explicit opt-in
- Publish a Grievance Officer page
- Generate a DPDPA-compliant privacy & consent notice
- List every third-party tool that receives customer data
Generate your DPDPA documents free
Don't just read about it — produce a compliant privacy notice, consent notice and grievance page for your e-commerce & D2C brand in minutes, and download a Board-ready evidence pack.
Frequently asked questions
- Does DPDPA apply to my small Shopify/WooCommerce store?
- Yes. There is no turnover or size threshold for being a Data Fiduciary. If you process the personal data of Indian users, the Act applies.
- Do I need consent for order-fulfilment data?
- Processing strictly necessary to fulfil an order the customer requested can rely on legitimate use, but marketing, analytics and profiling need separate, explicit consent.
This page is educational and does not constitute legal advice. It reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at publication.