The DPDP checklist for ecommerce stores
Names, phones, addresses, payments - an online store touches more personal data than almost any other small business. Here is the checklist, in the order that matters.
- Who this is for
- Store owners and ops teams
- What you leave with
- A six-step checklist you can finish in a sprint
An online store collects personal data at every step: the account signup, the checkout address, the payment, the delivery update on WhatsApp, the abandoned-cart email. Under the DPDP Act, each of those is processing of personal data, and from 13 May 2027 the main obligations apply in full. Here is the order of work we recommend after checking hundreds of store patterns.
1. Publish a real privacy notice
Section 5 requires a notice before or when you ask for consent: what personal data you collect, itemised, and for what purpose, plus how a customer can exercise rights and complain. For a store that means naming the obvious - name, phone, email, address, order history - and the less obvious: analytics identifiers, marketing pixels, courier partners. Link it from the footer and from checkout.
2. Fix consent at checkout and signup
Consent must be free, specific, informed, and given by a clear affirmative action (Section 6). Pre-ticked marketing boxes fail every one of those tests. Separate the essentials (processing the order) from the optional (marketing messages), and let the optional be genuinely optional.
3. Gate your marketing pixels
If ad and analytics scripts fire the moment the page loads, data flows to third parties before any consent exists. Classify your scripts: what the order strictly needs versus what marketing wants, and load the second group only after an affirmative choice.
4. Mind the courier and payment partners
Sharing an address with a courier is processing through a Data Processor - allowed, but only under a valid contract and honest notice (Section 8(2)). List your processor categories in the notice and confirm a data processing agreement exists with each.
5. Set retention and honour erasure
Order data does not need to live forever. Map each category to a retention period tied to its purpose (Section 8(7), Rule 8), automate the cleanup, and make sure account deletion actually deletes.
6. Put a grievance contact where people can find it
Section 8(10) expects a working way to raise a data concern, and the Rules set response timelines. A named contact on the privacy notice and contact page is the floor.
The fastest way to see where your store stands today is to run the free check- it reads your storefront the way a customer's browser does and maps every gap to the section it serves. For the wider legal picture, start with the DPDP Act, answered in plain language.
See where your website stands
Free readiness check in about a minute. No card, no signup, no code to install.