DPDPA for D2C Brands and E-commerce Businesses
D2C brands run on customer data: checkout details, remarketing audiences, WhatsApp lists, analytics tools, loyalty signals, and behavioural targeting. Under DPDPA, the biggest problems usually show up in bundled consent, undisclosed tracking, sloppy opt-ins, and indefinite retention. This guide shows D2C teams how to keep growth systems running without turning the customer funnel into a compliance minefield.
If checkout consent is doing three jobs at once, it is probably doing all three badly.
Marketing Consent at Checkout
Critical Risk: Most D2C checkouts bundle marketing consent with purchase acceptance, through pre-ticked boxes or embedded T&Cs. This is non-compliant under DPDPA.
Action: Redesign checkout to include separate, unchecked consent boxes for email, SMS, and WhatsApp marketing, kept separate from order processing.
WhatsApp and SMS Campaigns
High Risk: WhatsApp Business API campaigns require documented opt-in. Sending marketing messages to customers who only gave transactional consent is a violation.
Action: Audit your WhatsApp subscriber list. Run a re-consent campaign for existing subscribers. Implement separate opt-in at checkout for WhatsApp.
Third-Party Analytics and Pixels
High Risk: Meta Pixel, Google Analytics, Clevertap, and similar tools process customer personal data. They must be disclosed in your Privacy Notice.
Action: Update your Privacy Notice to list all tracking tools. Consider a cookie/tracking consent banner if you use non-essential tracking.
Customer Data Retention
Medium Risk: Holding personal data of customers who haven't purchased in 2+ years without a purpose creates unnecessary risk and clutter.
Action: Define a retention policy: e.g., active customers indefinitely (with consent); inactive for 12 months post-last-purchase with a notice.
Loyalty and Personalisation Data
Medium Risk: Rich behavioural profiling for personalisation must be disclosed at the point of data collection.
Action: Update your Privacy Notice to describe your personalisation and loyalty data use. Obtain consent where profiling is significant.
Last reviewed: March 2026
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.