DPDP Act 2023: What India's D2C Brands Must Do Now

India's Digital Personal Data Protection Act 2023 changes how D2C brands handle customer data. Here's a practical guide to what's required and how to prepare your tech stack.


The Digital Personal Data Protection Act 2023 (DPDPA) received Presidential assent in August 2023. The rules under the Act are expected to be notified by the Ministry of Electronics and Information Technology, and the Data Protection Board of India is in the process of being constituted. "Not yet fully notified" does not mean "not yet applicable to your business planning." If you are a D2C brand collecting customer data — names, phone numbers, email addresses, order histories, browsing behavior, payment information — you are a "Data Fiduciary" under the Act, and the compliance obligations apply to you.

This article is a practical guide for D2C operators, not a legal opinion. For advice specific to your company's situation, consult a qualified legal professional. What follows is an operator-level read of the obligations most directly relevant to how D2C brands handle customer data, and what your technology stack needs to support them.

Who Counts as a Data Fiduciary — and Why Most D2C Brands Qualify

Under the DPDPA, a "Data Fiduciary" is any person or entity who determines the purpose and means of processing personal data. If you operate a Shopify store, collect customer email addresses at checkout, send marketing messages, and use customer behavioral data for retargeting — you are determining the purpose and means of processing. You are a Data Fiduciary.

The Act applies to processing of digital personal data within India, and to processing outside India where the personal data belongs to data principals (individuals) in India. If you ship to Indian customers, you are covered, regardless of where your servers are located. Shopify's infrastructure in the US does not exempt an Indian D2C brand from DPDPA obligations for its Indian customers.

There is a size-based "Significant Data Fiduciary" classification being developed through the rules, which will impose additional requirements on very large processors. Most growing D2C brands will be in the standard Data Fiduciary category, which is already substantive in its requirements.

The Consent Framework Under Sections 5 and 6

Section 5 of the DPDPA establishes that personal data may only be processed for a lawful purpose — either with the data principal's consent, or for "legitimate uses" as defined in the Act (which includes processing necessary for employment, medical emergencies, and similar specific contexts).

For most D2C marketing activities — sending promotional messages, retargeting based on browsing data, sharing data with logistics partners — you need consent. Section 6 specifies what valid consent looks like: it must be free, specific, informed, unconditional, and unambiguous. A pre-ticked checkbox is not valid consent. Consent bundled as a condition of completing a purchase — "by checking out you consent to all marketing" — is not valid consent under the Act's specificity requirement.

Practically, this means your checkout flow needs a clearly separated, non-mandatory consent checkbox for marketing communications. Your cookie banner needs to distinguish between essential cookies (for checkout function) and analytics or marketing cookies (for retargeting), with opt-in rather than opt-out for the latter. And critically — you need to be able to produce records of when and how each customer gave consent if requested.
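The "records of when and how each customer gave consent" requirement is easiest to meet with an append-only consent ledger that stores one event per grant or withdrawal, tied to the purpose and to the version of the notice the customer saw. The following is an added illustration, not code from the article or from any named platform; the purpose names, the `checkout_v3` source label and the notice version strings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purposes a D2C checkout asks about separately (constructed names).
MARKETING = "marketing_messages"      # promotional email / SMS / WhatsApp
RETARGETING = "retargeting_cookies"   # analytics and ad cookies, opt-in only
ORDER_FULFILMENT = "order_fulfilment" # needed to complete the purchase, not a marketing opt-in


@dataclass
class ConsentEvent:
    customer_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # UTC timestamp of the event
    source: str            # where it was captured, e.g. "checkout_v3" or "preference_centre"
    notice_version: str    # the plain-language notice shown at the time
    prechecked: bool       # whether the checkbox was pre-ticked (a grant must be False here)


class ConsentLedger:
    """Append-only log of consent grants and withdrawals, one row per event."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, customer_id, purpose, granted, source, notice_version,
               prechecked=False, at=None) -> ConsentEvent:
        # A pre-ticked box is not valid consent under the specificity standard,
        # so the ledger refuses to store it as a grant at all.
        if granted and prechecked:
            raise ValueError("pre-ticked checkbox cannot be recorded as consent")
        ev = ConsentEvent(customer_id, purpose, granted,
                          at or datetime.now(timezone.utc),
                          source, notice_version, prechecked)
        self._events.append(ev)
        return ev

    def capture_checkout(self, customer_id, form: dict, notice_version,
                         source="checkout_v3") -> list[ConsentEvent]:
        """Record only the optional boxes the customer actually ticked.
        `form` maps purpose -> bool as submitted; fulfilment is never asked here,
        because it is not a marketing opt-in and must not be bundled with one."""
        events = []
        for purpose in (MARKETING, RETARGETING):
            if form.get(purpose) is True:
                events.append(self.record(customer_id, purpose, True,
                                          source, notice_version))
        return events

    def may_process(self, customer_id, purpose) -> bool:
        """The latest event for (customer, purpose) decides; no event means no consent."""
        latest = None
        for ev in self._events:
            if ev.customer_id == customer_id and ev.purpose == purpose:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, customer_id) -> list[dict]:
        """The 'when and how' record to hand over if a customer or regulator asks."""
        return [
            {"purpose": ev.purpose, "granted": ev.granted,
             "at": ev.at.isoformat(), "source": ev.source,
             "notice_version": ev.notice_version}
            for ev in self._events if ev.customer_id == customer_id
        ]
```

Because the ledger is append-only, a withdrawal does not overwrite the original grant; both remain in `history()`, which is what makes the record defensible. `may_process()` is the single check every outbound marketing job should call before sending.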

The Notice Requirement Under Section 7

Before or at the time of collecting personal data, you must provide a notice to the data principal in "clear and plain language" specifying: what personal data is being collected, the purpose for which it is being processed, and information about how to exercise rights under the Act (including the right to withdraw consent and the right to erasure).

Your current privacy policy probably contains most of this information in legal language. The DPDPA's "clear and plain language" standard means that a dense paragraph of legal text does not satisfy the notice requirement for a customer who does not read it. The expectation is that the notice is accessible and comprehensible — closer to a layered notice model where the key facts are surfaced prominently, with the full policy available for those who want detail.

For D2C brands, the notice obligation most frequently surfaces at: checkout (where you collect name, address, phone, and email), newsletter signup (where you collect email and potentially more), and any pop-up or form that collects data for lead generation or offers.

Data Principal Rights: What Your Customers Can Now Ask For

Section 11 gives data principals the right to access information about their data — specifically, a summary of what personal data the Data Fiduciary holds and how it has been processed. Section 12 gives the right to correction and erasure. Section 13 gives the right to grievance redressal.

For operational purposes, this means: if a customer writes to you asking what data you hold about them and demanding that it all be deleted, you need a process for responding within the timeframes the Rules will specify. Your CRM setup, whether Klaviyo, MoEngage, or a homegrown system, must be able to produce a complete picture of a specific customer's data across all your systems, and to delete or anonymize that data on request without breaking your order history and accounting records (which have separate retention requirements under GST rules and the Companies Act).

The deletion tension is real: GST regulations require you to retain transaction records for a defined period (typically 8 years for GST purposes). A customer asking for erasure under DPDPA cannot have their transaction records deleted if those records are legally required for tax compliance. The standard approach is pseudonymization — removing personal identifiers from records while retaining the transaction data required for compliance. Your tech stack needs to support this cleanly.
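The access request in the previous paragraph and the erasure-versus-retention tension here can be handled by the same small data model: personal identifiers live in a customer record, orders reference that record, and an erasure request drops the identifiers, rewrites the order references to a keyed pseudonym, and hard-deletes only those orders already past the retention window. This is an added worked example, not the article's or any vendor's code; the 8-year figure is the one the article uses, the field names and sample customer are constructed, and the pseudonym key is a placeholder that would come from a secrets manager in practice.

```python
import hashlib
import hmac
from datetime import date

RETENTION_YEARS = 8  # retention period the article cites for GST-driven record keeping

# Placeholder secret (constructed); derive pseudonyms with a key so that a bare
# customer id cannot be re-linked without it. Pseudonymous, not anonymous: whoever
# holds the key can still relate orders to the original id.
PSEUDONYM_KEY = b"replace-with-secret-from-your-secrets-manager"


def _retention_expiry(placed_on: date) -> date:
    # Clamp the day so 29 Feb does not break the year arithmetic.
    return date(placed_on.year + RETENTION_YEARS, placed_on.month, min(placed_on.day, 28))


class CustomerStore:
    """Toy stand-in for a CRM plus order ledger, constructed for the example."""

    def __init__(self):
        self.customers: dict[str, dict] = {}  # customer_id -> personal identifiers
        self.orders: list[dict] = []          # each row keeps a customer_ref

    def add_customer(self, cid, **pii):
        self.customers[cid] = dict(pii)

    def add_order(self, cid, invoice_no, amount_inr, placed_on, shipping_phone):
        self.orders.append({"customer_ref": cid, "invoice_no": invoice_no,
                            "amount_inr": amount_inr, "placed_on": placed_on,
                            "shipping_phone": shipping_phone})

    def pseudonym(self, cid) -> str:
        return hmac.new(PSEUDONYM_KEY, cid.encode(), hashlib.sha256).hexdigest()[:16]

    def access_summary(self, cid) -> dict:
        """Section 11 style summary: what is held about this person and the
        processing (here, orders) it was used for."""
        return {
            "personal_data": dict(self.customers.get(cid, {})),
            "orders": [
                {"invoice_no": o["invoice_no"], "amount_inr": o["amount_inr"],
                 "placed_on": o["placed_on"].isoformat()}
                for o in self.orders if o["customer_ref"] == cid
            ],
        }

    def erase(self, cid, today: date) -> dict:
        """Erasure request: drop the identifiers, keep tax-relevant order rows
        under a pseudonym, and hard-delete orders already past retention."""
        token = self.pseudonym(cid)
        self.customers.pop(cid, None)
        kept, deleted = [], 0
        for o in self.orders:
            if o["customer_ref"] != cid:
                kept.append(o)
            elif _retention_expiry(o["placed_on"]) <= today:
                deleted += 1  # nothing legally requires this row any more
            else:
                # Retained for compliance, but no longer carries personal identifiers.
                kept.append({**o, "customer_ref": token, "shipping_phone": None})
        self.orders = kept
        retained = sum(1 for o in self.orders if o["customer_ref"] == token)
        return {"pseudonym": token, "orders_retained": retained, "orders_deleted": deleted}
```

After `erase()`, `access_summary()` for the same customer id returns an empty picture, which is the check a support agent should run before replying to the customer. The real work in a production stack is making sure every system that received the identifiers (CRM, email tool, logistics export) is covered by the same routine, not just the primary database.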

The Grievance Officer Requirement

Section 13 of the DPDPA requires every Data Fiduciary to provide a mechanism for data principals to raise grievances. The rules are expected to specify the exact response timeframes. At a minimum, you need a named Grievance Officer with a contactable email address, and a documented internal process for handling data-related complaints.

For an early-stage D2C brand, this typically means: a dedicated email address for data-related queries (something like [email protected]), a named person responsible for responding, and a simple internal log of requests received and how they were resolved. The Grievance Officer does not need to be a full-time privacy professional — in a small team, it is typically the founder or a senior operations person. What it cannot be is an auto-reply inbox that no one monitors.

Third-Party Data Sharing: Logistics, Payments, and Marketing Partners

When you share customer data with a logistics partner like Shiprocket, Delhivery, or Bluedart for order fulfillment, or with a payment gateway like Razorpay, Cashfree, or PayU for transaction processing, you are engaging a "Data Processor" under the DPDPA. You remain the Data Fiduciary and are responsible for ensuring your Data Processors handle the data in accordance with your instructions and the Act's requirements.

Practically, this means your agreements with logistics and payment partners should include data processing clauses. Major players like Razorpay and Delhivery are updating their standard contracts to include DPDPA-relevant terms. For smaller or newer integrations, you may need to add data processing addenda. The rule of thumb: if you are sending customer personal data to a third party as part of your business operations, that relationship needs a documented data processing basis.

What to Do Now

The DPDPA's rules are being finalized, and the enforcement timeline has some uncertainty. That is not an argument for deferring action — the consent and notice requirements are substantive enough that retrofitting them into an existing checkout and CRM setup after the fact is significantly harder than building them in now. The practical starting point for most D2C brands: audit your current data collection touchpoints (checkout, newsletter, pop-ups, loyalty program), identify where consent collection does not meet the specificity and explicitness standard, and update your notice language to plain-language clarity. Then ensure your data processor agreements with logistics and payment partners are updated. The Grievance Officer designation can be done today at zero cost.

The DPDPA is not designed to make commerce harder. It is designed to establish a baseline of trust between brands and customers — which, for D2C brands whose entire model depends on repeat purchase relationships, is genuinely aligned with good business practice rather than opposed to it.
