NAVIGATING THE INTERSECTION OF E-COMMERCE AND DATA PROTECTION LAWS IN INDIA

INTRODUCTION

The Digital Personal Data Protection Act, 2023 (“DPDPA”) aims to protect the personal data of individuals from unauthorised use, transfer, or disclosure by regulating entities responsible for handling such data. It imposes obligations and restrictions on the processing and transfer of personal data.

The individual whose personal data is concerned, referred to as the “data principal”, is often a purchaser or recipient of a product or service from the entity determining the purpose and means of processing the data (“data fiduciary”). In these cases, the data principal may qualify as a “consumer” under the Consumer Protection Act, 2019 (“CPA”), India’s primary consumer protection legislation, designed to safeguard consumer interests and address grievances. Under the CPA, the Indian government enacted the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) to regulate digital sale of products and services.

Consumers routinely provide personal data such as their name, address, phone number, banking details, and government IDs when interacting with sellers or service providers on digital platforms. As India’s data protection law and its consumer protection legislation share the objective of safeguarding individuals, the two contain overlapping provisions, and it is not always obvious which regime (or regulator) governs a given grievance. This note examines the intersection between the DPDPA and consumer protection laws and its implications for businesses.

E-COMMERCE AND DATA PROTECTION

Businesses that fall within the ambit of the E-Commerce Rules are required to identify whether they are a “marketplace e-commerce entity”, an “inventory e-commerce entity”, or both. Separately from that classification, the entity must determine, for each processing activity, whether it is the data fiduciary (the entity deciding the purpose and means of processing) or merely a data processor acting on a fiduciary’s behalf. For example, a marketplace e-commerce entity will ordinarily be the data fiduciary for the account, order and payment data of users who purchase through its platform; however, depending on its terms of use, it may be a data processor for data that a product or service collects from the user after sale (for instance, usage data sent by a connected device), with the product manufacturer or service provider being the data fiduciary. Because these roles can differ from one data flow to the next, a comprehensive data mapping exercise is usually required to make these determinations and to identify the corresponding obligations under the DPDPA.

Furthermore, if the e-commerce entity is a data fiduciary, it may be required to make changes to its platform user interface and customer-facing documentation (such as the privacy policy) to comply with the DPDPA. A notice describing the personal data to be collected, the purpose of processing and the manner in which the data principal may withdraw consent or raise a grievance must be given to the user at or before the point at which consent is requested, which in practice means at first visit to the platform and, where further data is collected, during user registration. The DPDPA requires consent to be free, specific, informed, unconditional and unambiguous, and to be given through a clear affirmative action; consent must also be as easy to withdraw as it was to give. The CPA and the E-Commerce Rules impose comparable requirements: consumers must be given all material information needed to make an informed choice, and an e-commerce entity may not record a consumer’s consent to a purchase automatically, for example through pre-ticked checkboxes. Both sets of requirements must be considered together when structuring consent journeys and preparing the relevant policies, so that a single consent flow does not satisfy one law while breaching the other.

As children may also access these platforms, the DPDPA requires a data fiduciary to obtain verifiable consent from a parent or lawful guardian before processing a child’s personal data, and prohibits tracking, behavioural monitoring and targeted advertising directed at children. Technical measures to obtain and verify such consent may therefore need to be built into the platform; the manner in which verifiable parental consent is to be obtained is expected to be prescribed by the Indian government through rules under the Act. Similarly, the CPA allows minors to bring consumer complaints through their parent or legal guardian, and the provisions applicable to any adult consumer under the CPA apply equally to child consumers. Accordingly, businesses providing products or services aimed at children must also assess the risk of consumer complaints and structure their offerings appropriately.

E-commerce entities should also ensure that the relevant obligations are flowed down contractually to their delivery partners, payment and logistics providers, and other such service providers. The DPDPA does not directly regulate data processors: the data fiduciary remains responsible for processing carried out on its behalf and may engage a processor only under a valid contract. Since obligations such as implementing reasonable security safeguards and notifying the Data Protection Board and affected data principals of a personal data breach rest with the fiduciary, processor contracts should include adequate security, breach-reporting, sub-processing and liability provisions to mitigate the risk of non-compliance arising from a processor’s conduct.

CONCLUSION

Entities acting as both data fiduciaries and manufacturers or service providers in their interactions with individuals should adopt a dual approach to compliance. Given that both the CPA and the DPDPA aim to safeguard individuals in their capacities as consumers and data principals respectively, businesses need to be mindful of the additional obligations and requirements that arise when engaging with customers and end users.

To ensure adherence to these laws, sellers and service providers involved in the collection and processing of personal data are advised to examine their customer onboarding processes, the methods used to obtain and record consent, the extent to which material information is disclosed to customers, and their contracts with downstream service providers, and to implement suitable data security practices and additional measures when handling data pertaining to minors.