E-Commerce in Digital Age: Integrating BIS Guidelines with DPDP Act
MARCH 25, 2025
By M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT
Introduction
The Indian e-commerce sector has experienced rapid expansion, becoming a crucial driver of economic growth. However, this growth has also highlighted significant vulnerabilities arising from a historically weak and fragmented regulatory framework. The absence of a cohesive governance framework has resulted in an increase in consumer grievances, fraudulent practices, and the heightened risk of personal data breaches leading to cybercrimes. This underlines the urgent need for a healthy regulatory mechanism to safeguard consumer interests and to enhance business accountability.
In response, the Ministry of Consumer Affairs, Food, and Public Distribution introduced the 'Consumer Protection (E-Commerce) Rules, 2020' [1]. While these rules provided a fundamental framework for consumer rights and business responsibilities, they failed to comprehensively address fair trade practices, data security, and ethical business conduct. Recognising these gaps, the Bureau of Indian Standards (BIS) released the 'Draft Indian Standard E-Commerce - Principles and Guidelines for Self-Governance' [2] (referred to as 'Guidelines') for stakeholder feedback. These Guidelines aim to instil consumer confidence through transparency, prevent unfair business practices, and align e-commerce operations with existing data protection laws. Notably, they emphasize self-regulation, encouraging businesses to adopt responsible practices and reducing the need for extensive governmental oversight.
Impact of DPDP Act on E-Commerce Entities
In the digital age, protecting personal data has become a legal, ethical, and operational priority. Mismanagement of personal information can lead to unauthorized access, data breaches, identity theft, and misuse of sensitive data. High-profile incidents of data breaches in India's e-commerce sector, where personal information of millions of users was compromised, illustrate the pressing need for stringent data protection measures.
A landmark development in India's data protection framework is the Digital Personal Data Protection Act, 2023 [3] (DPDP Act), which received Presidential assent on August 11, 2023. The draft DPDP Rules, 2025 [4] are currently under public consultation. This legislation aims to establish a structured compliance and regulatory framework governing the handling of digital personal data, ensuring transparency and accountability. (For more details refer - Proposed Indian privacy law - DECEMBER 21, 2020 - by the Author)
Under the said Act, all consumers are treated as Data Principals, since their personal data is involved in every transaction, and e-commerce entities are treated as Data Fiduciaries, since they process that personal data for their service purposes. Fiduciary organizations processing Indian consumer data must now re-evaluate their internal policies, operational structures, and data governance frameworks to align with this new regulatory environment. Failure to comply with the DPDP Act may subject the Data Fiduciary (e-commerce entities) to substantial penalties as outlined in the Act's schedule. (For more details refer - Are commercial interests interfering with the Citizens' Privacy Rights? - NOVEMBER 08, 2021, and - The Delay Dynamics - SEPTEMBER 17, 2024 - by the Author)
The DPDP Act reflects growing public awareness of privacy rights and ethical data management. Compliance is no longer just a legal obligation but a strategic necessity for businesses, especially in the e-commerce sector. This article explores how the DPDP Act's key provisions integrate with the BIS Guidelines and assesses their strategic implications for shaping a secure and trustworthy e-commerce ecosystem.
BIS Draft E-Commerce Guidelines: A Framework for Trust
The Guidelines outline core principles applicable to various stages of an e-commerce transaction, including pre-transaction, contract formation, and post-transaction responsibilities. The primary objective is to raise consumer confidence, ensure seller accountability, and maintain fair competition. The fundamental aspects addressed in these Guidelines include seller verification, transaction security, product listing authenticity, grievance redressal, and anti-counterfeiting measures. By setting these standards, the Guidelines provide a structured approach to ethical and transparent e-commerce operations in India. Some of the key regulatory provisions in the Guidelines are stated here:
(1) Pre-Transaction Phase: Seller verification is emphasized, requiring platforms to authenticate business credentials through Know Your Customer (KYC) procedures. Platforms must also disclose their contact details and provide clear policies on cancellations, exchanges, and refunds.
(2) Contract Formation Phase: Consumer consent is mandatory, and pre-selected checkboxes are prohibited. Secure payment mechanisms must comply with financial regulations and ensure transparency in service fees.
(3) Post-Transaction Phase: Platforms must comply with the Consumer Protection Act, 2019. Key requirements include establishing accessible grievance redressal mechanisms, providing real-time order tracking, and implementing strict return and refund policies, particularly for counterfeit goods. Ethical e-commerce practices such as fair competition, counterfeit prevention, and transparent sponsored content are also enforced.
Integration of DPDP Act Provisions in the Guidelines
The Guidelines play a crucial role in reinforcing digital personal data security by integrating important provisions of the DPDP Act into e-commerce operations in India. These Guidelines establish structured approaches to consumer consent, transaction records, payment security, subscription transparency, data protection, and commercial communication, ensuring a secure and accountable digital commerce ecosystem.
One of the primary aspects covered is express informed consent (Para 4.3.1), where e-commerce platforms are required to obtain explicit consumer consent before processing transactions, prohibiting automatic or pre-selected consent mechanisms. This aligns with Section 6 of the DPDP Act, which emphasizes user consent in data collection and processing. Furthermore, transaction record maintenance (Para 4.3.4) is mandated to ensure traceability and facilitate dispute resolution, ensuring that consumers and regulatory authorities have access to transaction histories when required. This provision enhances accountability and compliance with legal requirements.
To boost financial security, the Guidelines establish payment principles (Para 4.3.5) that mandate secure payment methods, transparent disclosure of associated costs, and robust security measures to protect consumer financial information. Additionally, platforms offering subscription-based services must ensure recurring charges and subscription transparency (Para 4.3.7) by fully disclosing terms and conditions while providing a straightforward opt-out process, preventing unauthorized deductions or misleading billing practices.
Data protection measures (Para 4.5.2) are another critical component, requiring that consumer data be used solely for transaction facilitation or other explicitly disclosed purposes with informed consent. This is consistent with Section 8 of the DPDP Act, which mandates stringent data security measures to prevent unauthorized access or misuse of personal information. Furthermore, third-party (processor) data sharing regulations (Para 4.5.2) impose strict controls over how consumer data is shared with external processors, ensuring compliance with Sections 6 and 8 of the DPDP Act. Platforms are obligated to secure explicit consumer consent before sharing personal data with third parties, thereby preventing unauthorized data exploitation.
In the event of a data breach, the Guidelines stipulate stringent notification protocols (Para 4.5.2) that require platforms to promptly inform affected consumers and take corrective measures. This aligns with Section 8(6) of the DPDP Act, which mandates timely disclosure of breaches to mitigate potential consumer harm. Additionally, platforms must implement robust unsolicited commercial communication (Para 4.5.3) policies, ensuring that all marketing messages and promotional content are either consent-based or directly related to recent transactions. Consumers must also be provided with an opt-out option, reinforcing their control over digital interactions.
Beyond data security, the BIS Guidelines uphold consumer rights and data access (Para 4.5.2), enabling users to access, modify, and request the deletion of their personal information, consistent with Section 12 of the DPDP Act. This empowers consumers with greater autonomy over their personal data and aligns with global best practices in data privacy protection. Moreover, platforms are required to establish effective grievance redressal mechanisms (Para 4.5.2) in accordance with Section 13 of the DPDP Act, ensuring that consumer complaints related to privacy breaches, unauthorized transactions, or data misuse are addressed promptly and effectively.
By embedding these legal provisions into e-commerce operations, the BIS Guidelines create a structured and ethical digital commerce environment that balances consumer protection with business responsibilities. The alignment with the DPDP Act strengthens regulatory oversight, enhances consumer trust, and fosters fair competition in India's rapidly evolving online marketplace. Through stringent data protection measures, transparent business practices, and robust consumer rights enforcement, the Guidelines contribute to the development of a secure and accountable digital economy. From the above, it is evident that a significant aspect of the BIS Guidelines is their seamless integration with the DPDP Act, reinforcing stringent data security practices and ensuring consumer privacy in digital transactions.
Data Security Under Guidelines and DPDP Act
To ensure effective implementation of the BIS Guidelines and strengthen digital personal data protection, the following strategic measures are recommended:
- Stakeholder Engagement and Industry Collaboration: Continuous dialogue between regulators, businesses, and consumers to refine policies.
- Leveraging Advanced Technologies for Data Security: Adoption of AI-driven fraud detection, encryption protocols, and blockchain technology for secure transactions.
- Regular Audits and Compliance Monitoring: Periodic audits to assess compliance with the DPDP Act and BIS Guidelines.
- Consumer Awareness and Digital Literacy Programs: Initiatives to educate consumers about data privacy rights and best practices.
The BIS Draft Guidelines for e-commerce align closely with the DPDP Act, reinforcing digital personal data security, transparency, and consumer rights. While challenges remain in implementation, proactive collaboration between regulators, businesses, and consumers will be crucial in ensuring compliance and fostering trust. As India continues to refine its digital data protection framework, these Guidelines serve as a critical step toward responsible and sustainable e-commerce growth.
[1] https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf
[2] https://www.services.bis.gov.in/tmp/WCSSD41126940_16012025_1.pdf
[3] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[4] https://innovateindia.mygov.in/dpdp-rules-2025/
[The views expressed are strictly personal.]
(DISCLAIMER: The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)