Vaibhav Lall

The author is Founder, Khojdeal

More From The Author >>

Data Privacy and Policy Frameworks in E-Commerce Landscape

Let’s take a look at how these privacy legislations might reshape the future of the e-commerce industry.

Over the last 5 years, the Indian e-commerce industry has witnessed an upsurge with a significant headroom for future growth. According to a recent report, the Indian e-commerce market is predicted to reach 300 to 350 million buyers by 2025. 

In today's convenience-oriented society, consumers no longer want to venture around the city for items but want to shop in their homes, making e-commerce a flexible solution for both businesses and shoppers.

Importance of Data Privacy and Security in E-Commerce 

While smartphones and other new devices have allowed users to shop and communicate seamlessly with the brands, it is also surrounded by privacy controversies and concerns revolving personal data. Consumers are increasingly getting worried about access to their data and the fact that almost the entire data generated by them is owned by just 4-5 large companies in the world. 

E-commerce companies process a huge amount of data every day ranging from user clicks to personal credit card or financial information. Although this enables them to provide an elevated shopping experience and personalization to their visitors, this sensitive data can be misused for advertising purposes or handed to other third parties for financial gains. 

Some of the widely known examples of data breaches and privacy abuse include Cambridge Analytica, the British Airways, and the most recent, closer-to-home, Big Basket in October 2020, which impacted around 20 million Indian users. Experts are expressing their concerns about the trade-offs involved in this increasingly online-dependent lifestyle. 

India’s Push for Regulation and Frameworks

With the tech industry becoming victimized by various high-profile data breaches, it has come under the scrutiny of the government and various market regulators. Stricter data privacy laws and policy frameworks are now being vehemently advocated to ensure fair competition and consumer protection in the world’s fastest-growing e-commerce market. 

In December 2019, Personal Data Protection Bill, 2019 (Draft Bill), was cleared by the Union Cabinet. Once the final bill is passed, it will govern the collection, processing, storage, usage, transfer, protection, and disclosure of the personal data of all Indian residents. All companies and organizations operating in India will have to comply with the rules stated in the document.

In addition to the Personal Data Protection Bill, India is also on the path to frame an e-commerce policy that promises to tighten regulations for companies like Amazon, Flipkart, Google, and other corporate giants. These frameworks are being designed to help keep users’ online personal information safe and secure. 

Let’s take a look at how these privacy legislations might reshape the future of the e-commerce industry.

 1. E-commerce websites will have to obtain user consent before collecting their personal data

Before collecting the personal data of customers, e-commerce companies will have to explicitly ask for their permission at each stage of processing. They will also have to clearly define the purpose for which the data in question is being collected.

Complying with this clause of the DPB could become problematic for the e-commerce companies since they not only collect user information but also process it further to create actionable business intelligence. The collected data is also transferred to third party analytics vendors for further processing and deducing new information.

Once DPB comes into effect, it will be necessary to list all the third parties that may have access to the data. This is sure to impact the e-commerce industry, especially when it comes to personalization, profiling, and any marketing activity that involves processing large amounts of data.

2. E-commerce websites will not be able to retain the personal data of consumers after a certain period of time.

According to clause 9 of the DPB, e-commerce companies will not be able to retain customer data after a specified period of time. This specified period of time will correspond to the time it will take for the company to process the data for the purpose for which it was collected. At the end of the processing period, the company will have to delete the collected data from their database. If the company wants to retain the data, it will have to take an explicit permission from the customer.

Once this clause is implemented, e-commerce companies will not only be unable to earn additional revenues by selling customer data to third-party vendors, they will also be unable to use this data for their marketing activities.

3. E-commerce companies will have to store sensitive and critical data in servers located in India only

DPB classifies customer data into three categories – sensitive, critical, and general. Sensitive data comprises of data on health, financials, sexual orientation, transgender status, genetics, biometrics, religious belief, and caste. Critical data includes data concerning the military or national security data that the government deems as important from time to time. Any information that’s not covered in the two above-mentioned categories will be considered general data.

Currently, e-commerce companies can store data anywhere i.e. wherever the server costs are less. However, once the bill becomes a law, they will have to store sensitive and critical data in Indian servers, no matter the cost. This will most likely put an additional financial strain on e-commerce websites.

It is also important to note that if e-commerce companies want to process sensitive personal data outside India, they’ll have to take explicit permission of the users before transferring the information.


As consumers are getting more aware of their online security and privacy, they need to start taking proactive steps to prevent misuse of their data. Reviewing a website’s privacy policy, limiting location access to a few apps, avoiding public wi-fi networks are some of the basic hygiene checks one needs to ensure to have a safe experience. While many e-commerce companies are ensuring higher standards of data protection at their end, the Data Protection Bill and India’s E-commerce Policy will help standardize data privacy laws across the EU, Canada, California, and India. 

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house

Tags assigned to this article:

Around The World