Digital Personal Data Protection & E-Commerce


Theerthana.S.B, Chennai Dr. Ambedkar Government Law College – Pudupakkam


To the point
The Digital Personal Data Protection Act, 2023 mandates that all businesses ensure the proper protection of customer data. This includes e-commerce businesses of all sizes. But small e-commerce sellers often don’t have enough money, staff, or technical knowledge. They may find it hard to take proper consent from customers before collecting data. The Act also wants them to appoint a grievance officer and follow many legal steps. These steps can be confusing and expensive for small sellers. Many of them run their business through simple websites or social media. They just want to sell products, not deal with complex data laws. Because of this, they may stop growing or even shut down. This makes the law feel unfair to small and new online businesses.

Abstract
The Digital Personal Data Protection Act, 2023 represents a significant step toward strengthening data privacy and protection in India. However, its uniform application across all entities, irrespective of their size, poses unique challenges for small and medium e-commerce enterprises. These businesses often operate with limited financial, technical, and legal resources, making it difficult to implement the Act’s requirements such as informed consent collection, data grievance redressal mechanisms, and appointment of data protection officers. The resulting compliance burden may discourage digital entrepreneurship and innovation, particularly among emerging players in the e-commerce sector. Furthermore, the risk of non-compliance penalties could have disproportionate impacts on smaller businesses. My article critically examines the compliance challenges faced by small e-commerce platforms under the DPDP framework and argues for a more flexible, tiered approach to data protection obligations.

Legal Jargon
In the Digital Personal Data Protection Act, 2023, every e-commerce entity is treated as a Data Fiduciary, thereby placing them under a statutory obligation to process personal data of Data Principals in a lawful, fair, and transparent manner. Key compliance mandates include obtaining informed consent, appointing a Data Protection Officer in the case of a Significant Data Fiduciary, and establishing an effective grievance redressal mechanism.

However, for small and medium e-commerce enterprises, the compliance burden may be disproportionate, particularly in the absence of adequate financial or technical resources. The requirement to ensure privacy by design, handle cross-border data transfers, and respond to data breach notifications imposes operational challenges that risk over-regulation or regulatory overreach. While the Act recognizes certain legitimate use exceptions, the absence of a proportionality principle within its framework limits flexibility for smaller actors. Without a tiered compliance model, there is a growing concern that stringent enforcement and potential penalty adjudication mechanisms may inadvertently hinder the growth of digitally-driven micro and small businesses in India’s e-commerce sector.

The Proof
The enactment of the Digital Personal Data Protection Act, 2023, has brought notable disruptions to the functioning of India’s e-commerce sector. Online retail platforms, which heavily rely on the collection and analysis of consumer data to tailor services, are now mandated to obtain explicit and informed consent before processing any personal information. The law also provides individuals with the right to access, correct, and erase their data, significantly altering how e-commerce firms manage user information.

Section 33 of the Act introduces penalties reaching up to ₹250 crore for non-compliance, making data governance a legal priority for these businesses. Additionally, the Act places restrictions on cross-border data transfers, which affects e-commerce platforms using foreign cloud services.

As reported by The Economic Times in August 2023, leading firms like Flipkart and Amazon have already begun restructuring their privacy frameworks to align with the new law. Industry bodies such as NASSCOM and IAMAI have also raised concerns over the compliance burden, especially for small and medium-sized enterprises and start-ups.

These developments suggest that while the DPDP Act aims to strengthen data privacy in India, it simultaneously imposes regulatory and operational pressures on digital commerce platforms.

Case Laws
1. PhonePe Pvt. Ltd. v. Bengaluru Cyber Police (2025)

The Karnataka High Court held that platforms cannot withhold user data from lawful investigations, even under privacy protections, emphasising that legal grounds can override individual consent.

2. Delhi High Court v. Meesho copyright case (2023-2024)

The Delhi HC held that e-commerce platforms must display complete seller details and exercise transparency when dealing with IP infringement. The DPDP Act enshrines transparency and accountability. These cases underscore how data about sellers must be properly disclosed and managed by platforms.

3. Shankarlal Purohit v. State of Maharashtra (2011)

The Supreme Court recognized that electronic contracts are legally enforceable, validating consumer reliance on digital platforms. Digital agreements often involve user consent to data collection under the DPDP Act. This case supports the enforceability of consent-based data processing in e-commerce.

4. Kent Ro Systems Ltd v. Amit Kotak & Ors. (2017)

This case clarified that intermediaries must publish clear privacy rules and remove infringing content when notified, but aren’t required to pre-screen every listing. Under DPDP, platforms act as data fiduciaries: they must implement meaningful governance and take action when informed. These precedents reinforce that balance.

Conclusion
Nevertheless, the path forward for e-commerce platforms remains challenging. While large corporations may have the capacity to implement advanced compliance frameworks, smaller businesses and start-ups may struggle with the financial and technical demands of data protection compliance. Moreover, uncertainties remain regarding enforcement, cross-border data transfer, and the scope of exemptions under the Act. A balanced approach is essential, one that ensures meaningful data protection for individuals without stifling innovation and growth in the digital economy. The success of the DPDP Act will depend not only on strict enforcement but also on regulatory clarity, judicial guidance, and industry cooperation. The Act offers India a chance to become a data-responsible digital economy, but only if its execution is as thoughtful and rights-driven as its intent.

FAQs
1. What is the Digital Personal Data Protection Act?
The Digital Personal Data Protection Act 2023 establishes the Data Protection Board of India as an independent adjudicatory authority responsible for enforcing compliance with the Act. The DPBI is empowered to address complaints, investigate personal data breaches, and impose penalties on data fiduciaries for non-compliance, thereby ensuring accountability and safeguarding individual data rights.

2. Who is a Data Principal?
The Data Principal is a person whose personal data is taken and used by a company or organisation.

3. What is meant by Data Fiduciary?
A Data Fiduciary is any person, company, government body, or entity that determines the purpose and means of processing personal data.
This is stated in Section 2(i) of the DPDP Act.

4. What is the National Association of Software and Service Companies (NASSCOM)?
A trade association of the Indian Information Technology and Business Process Outsourcing industry. NASSCOM represents the voice of the Indian tech sector. It engages with the government on policy, promotes innovation, and works to create a business-friendly environment for IT and tech-driven industries.

5. What is IAMAI (Internet and Mobile Association of India)?
An industry body representing India’s digital services sector, including e-commerce, online media, fintech, and mobile services. IAMAI works with stakeholders and regulators to ensure that internet-based businesses can thrive.
