By Anuradha Gandhi and Rachita Thakur
Introduction
In September 2024, a major e-commerce food delivery platform released its updated Draft Red Herring Prospectus, cautioning that its platform and back-end infrastructure are vulnerable to cyber-attacks and security breaches through social engineering, ransomware and other malware, third-party breaches, employee malfeasance and errors in storage. The platform also admitted to having suffered two data breaches in the last two years, which included exposure of customers’ card details and UPI handles.[1] Such disclosures by e-commerce platforms raise significant concerns regarding data privacy in the e-commerce sector.
To address these concerns, in January 2025 the Bureau of Indian Standards released a draft framework for self-regulation of e-commerce entities, substantially widening the scope of data privacy obligations in the e-commerce sector.[2]
What are the risks associated with Data Privacy in the E-Commerce Sector?
- Business centric risks:
- Loss of Consumer Confidence – As per PwC’s Voice of the Consumer Survey 2024[3], 82% of Indian consumers consider protection of their personal data one of the most crucial factors in earning their trust. Further, the survey showed that 42% of Indian consumers were unsure whether they would continue using a company’s services after a data breach.[4] In the United States, this figure is as high as 66%.[5]
- Third Party Data Breach – A security breach affecting third-party systems could potentially be leveraged against the company as well. On July 4, 2024, a user known as “888” shared information on a hacking forum, including data originating from an e-commerce entity. The leaked information reportedly comprised a range of sensitive user data, such as names, email addresses and phone numbers. The entity attributed the data leak to a third-party app integrated with its platform.[6]
- Financial Losses – A potential security breach could result in a partial or complete disruption of services, causing significant financial losses. In October 2022, the owner entity of an e-commerce fashion platform was fined USD 1.9 million (INR 16.5 crores) for a 2018 data breach affecting approximately 39 million (3.9 crore) user accounts. The stolen data included names, email addresses, passwords and credit card information of tens of millions of the platform’s account holders, which were subsequently sold online.[7]
- Loss of Vendor Trust – In certain situations, vendors, including sellers, might be affected by a data breach in the company’s systems. On January 8, 2019, a global e-commerce marketplace encountered a technical glitch on its Indian portal, impacting its sellers and vendors by exposing sensitive financial information, including sales data, category-wise splits and inventory information.[8]
- Labor centric risks – In November 2024, an e-commerce marketplace confirmed reports of a data breach in which hackers leaked over 2.8 million records of its employees on a dark web forum called Breach Forums. The exposed data included employees’ names, phone numbers, work email addresses and office locations. However, Amazon emphasized that no sensitive personal data, such as Social Security numbers or financial information, was compromised.[9] Such data breaches can lead to friction between the company and its employees, resulting in disruptions to business operations.[10]
- Consumer centric risks – A data breach may expose sensitive personal information of consumers, including names, addresses, mobile numbers, email IDs and financial information. Such unauthorized access to data may result in identity theft, phishing scams, social engineering and fraudulent activities.[11]
How does India regulate Data Privacy in the E-Commerce Sector?
- Consumer Protection Act, 2019 (hereinafter referred to as ‘CPA’): The CPA prohibits the disclosure, to any other person, of any personal information given in confidence by the consumer, unless such disclosure is made in accordance with the provisions of applicable laws. The CPA declares any such action an unfair trade practice.[12]
- Consumer Protection (E-Commerce) Rules, 2020 (hereinafter referred to as ‘E-Commerce Rules’): The E-Commerce Rules prohibit any e-commerce entity from engaging in any unfair trade practice, including the unauthorized disclosure of personal information.[13]
- Guidelines for Prevention and Regulation of Dark Patterns, 2023 (hereinafter referred to as ‘Dark Patterns Guidelines’): The Dark Patterns Guidelines specify 11 types of dark patterns which amount to unfair trade practices.[14] Dark patterns which may have an adverse impact on the privacy of consumer data include forced action, subscription traps and nagging. Forced action coerces users into sharing unnecessary personal details or buying unrelated goods/services in order to complete their intended purchase, such as mandating Aadhaar-linked data when it is not needed.[15] Subscription traps trick users into providing payment details or enabling auto-debits for “free” subscriptions, leading to unintended financial commitments.[16] Nagging disrupts users with relentless interactions, such as constant requests, information overload or interruptions aimed at driving transactions for commercial gain, unless explicitly allowed by the user.[17]
- Digital Personal Data Protection Framework (hereinafter referred to as ‘DPDP Framework’) – The DPDP Framework treats e-commerce entities as Data Fiduciaries and specifically governs their data retention policy. E-commerce entities with over two crore registered users in India must not retain personal data beyond three years from the last interaction for the specified purpose or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later, unless retention is necessary for account access.[18] The framework also mandates general data protection compliance requirements, including consent, reporting of data breaches, disclosure of privacy policies, and enabling data principals’ rights to erasure, updating and correction of personal information.
- Bureau of Indian Standards’ Draft E-Commerce Principles for Self Governance, 2025[19]: These Principles include self-governing data privacy obligations of e-commerce entities and define the specific points during a transaction at which such obligations must be carried out.
- Data Privacy Obligations during the Pre-transaction stage – This stage starts from the moment when a customer begins to browse through a website or an online store:
- Clear disclosure of Policies: The E-commerce entity must disclose the Privacy policy, and Terms and Conditions of Use.[20]
- Clear disclosure of Safety warnings: The E-commerce entity must disclose any applicable restrictions, limitations or conditions of purchase, including geographic limitations, resale prohibitions, or parental / guardian approval or supervision requirements for minors.[21]
- Manner of Disclosure: The e-commerce entity must provide disclosures in a phased manner, presenting relevant information at every stage of the consumer’s decision making, and must publish them prominently on the platform/website/app in a clear, legible and accessible manner.[22]
- Data Privacy Obligations during the Contract Formation stage – This stage involves the creation of a binding agreement between the buyer and the seller. It commonly includes offer and acceptance, consideration, intent to create legal relations, capacity to contract, consent, etc.:
- Express Informed Consent: Every e-commerce entity shall record the consent of a consumer for the purchase of any good or service offered on its platform only when such consent is explicitly expressed. The Draft Self Governance Principles prohibit automatically recorded consent, including through the use of pre-ticked checkboxes.[23]
- Review of Information: E-commerce entities shall provide consumers with an opportunity to review all transaction-related, personal and goods-related information at the Confirmation Point. This allows consumers to edit or modify any necessary details or to cancel the transaction in its entirety.[24]
- Transaction Record: E-commerce entities shall maintain a complete, accurate and durable record of every transaction carried out on their platform. They shall enable consumers to access and retain a copy of their particular record for the duration required under applicable law.[25]
- Payment Principles: E-commerce platforms must ensure that payment transactions are secure and protected from fraud and other security breaches. This is usually achieved through the use of encryption, two-factor authentication, and other security measures. E-commerce platforms must comply with all relevant laws and regulations related to payment processing, including data protection and privacy laws, anti-money laundering regulations, and other financial laws.[26]
- Dispute Redressal Mechanism – E-commerce entities shall ensure that an appropriate dispute resolution process (a ‘Consumer Complaints and Redressal Mechanism’) is in place for any dispute that may arise in relation to a transaction over their platform. The entities shall provide a single point of contact, a toll-free customer care number, a token number, an estimated time for resolution of the problem, a tracking facility, and mechanisms and points of contact for escalations.[27]
- General Principles related to Consumer Privacy
- Data Protection: E-commerce entities shall ensure that all personal data collected from a consumer is used solely for the purpose of facilitating transactions on the platform and for any other purposes disclosed to the consumer at the pre-transaction stage, for which express consent has been given.[28]
- Unsolicited Commercial Communication and Privacy: The e-commerce entity shall ensure that all commercial communication is made only with the express consent of the consumer, or in relation to a transaction made by the consumer on the platform. All non-transactional communication shall be on the basis of an express opt-in by the consumer and shall be accompanied by an option to silence or cease such communications.[29]
Way Forward
The DPDP framework supplements the e-commerce regulatory framework by emphasizing the necessity of express consent of the consumer and disclosure of the purpose of data processing. It also puts a specific limit on the period of data retention by e-commerce entities to ensure data minimization. This would also help restrict the magnitude of future data breaches by eliminating, from the entities’ databases, the data points of previous consumers who no longer avail of the platform’s services. This makes e-commerce entities less prone to major data security breaches.
Prateek Chandgothia, Assessment Intern at S.S. Rana & Co., assisted in the research for this article.
[2] https://www.medianama.com/2025/01/223-govt-guidelines-e-commerce-accountability-self-governance/
[6] https://www.esecurityplanet.com/trends/shopify-data-leak/
[7] https://www.bbc.com/news/technology-63255661
[9] https://www.strongdm.com/what-is/amazon-data-breach
[12] Section 2(47) of the Consumer Protection Act, 2019 – https://consumeraffairs.nic.in/sites/default/files/CP%20Act%202019.pdf
[13] Rule 4(3) of the Consumer Protection (E-Commerce) Rules, 2020 – https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf
[15] Clause 4, Annexure 1, Guidelines for Prevention and Regulation of Dark Patterns, 2023
[16] Clause 5, Annexure 1, Guidelines for Prevention and Regulation of Dark Patterns, 2023
[17] Clause 10, Annexure 1, Guidelines for Prevention and Regulation of Dark Patterns, 2023
[18] Point 8 of MeitY’s Explanatory Note r/w Schedule III of the Draft Digital Personal Data Protection Rules, 2025
[19] https://www.services.bis.gov.in/tmp/WCSSD41126940_21022025_3.pdf
[20] Guideline 4.2.3 (3) of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[21] Guideline 4.2.3 (6) of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[22] Guideline 4.2.5 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[23] Guideline 4.3.1 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[24] Guideline 4.3.2 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[25] Guideline 4.3.4 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[26] Guideline 4.3.5 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[27] Guideline 4.4.2 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[28] Guideline 4.5.2 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025
[29] Guideline 4.5.3 of the Draft E-Commerce Principles and Guidelines for Self-Governance, 2025