BigBasket ↗

Overview

BigBasket, now a Tata Digital subsidiary, delivers groceries to millions of Indian households. Weekly grocery orders reveal more about a household than almost any other data source: dietary practices (religious indicators), health products (medical conditions), baby products (family composition), premium vs. budget choices (income level), and organic preferences (health consciousness). This household-level profiling is under-addressed in their privacy policy.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

Single consent covers all grocery data processing. No separate consent for:

• Household profiling based on order patterns
• Health product purchase tracking
• Baby/child product pattern monitoring
• Sharing data within Tata Group entities

DPDP concern: Grocery data is deceptively intimate. A household’s weekly orders reveal religion, health, family stage, income, and lifestyle — all without explicit consent for such inferences.

Section 7 — Certain Legitimate Uses ⚠️

Order fulfillment is legitimate. But BigBasket extends processing to:

• Purchase pattern analytics for supplier partnerships
• Household classification for targeted marketing
• Tata ecosystem cross-selling (Tata Neu, 1mg, Croma integration)

These go beyond service delivery and need separate justification under DPDP.

Section 8 — Obligations of Data Fiduciary ⚠️

Standard security measures. However:

• Delivery personnel access customer addresses and order contents
• Warehouse staff process orders revealing personal information
• No mention of enhanced handling for health or baby product orders

Section 9 — Data Retention 🔴

No retention timelines. Particularly concerning for:

• Health product orders: Revealed medical conditions stored indefinitely
• Baby product patterns: Family lifecycle data persisted
• Delivery address history: Housing patterns tracked
• Order frequency and timing: Household routine mapping

Section 11 — Rights of Data Principal 🔴

• No mechanism to delete order history selectively (e.g., delete medicine purchases but keep grocery history)
• No transparency on household profile inferences
• No nomination rights
• No right to prevent cross-Tata-entity profiling

Section 12 — Right of Grievance Redressal ⚠️

Basic grievance officer. No DPB pathway.

Section 16 — Cross-Border Data Transfer ⚠️

As a Tata Group entity, data may flow within the conglomerate’s global infrastructure. Policy doesn’t specify whether household grocery data is processed or accessible outside India.

Risk Assessment

The Grocery Data Intelligence Problem

Weekly grocery orders create the most detailed household profile available in Indian digital commerce:

Recommendations

1. Classify health product purchases as sensitive data — Enhanced consent and retention rules for medicines, health products
2. Implement household profiling transparency — Let users see and control inferences made from their purchase patterns
3. Establish Tata Group data boundaries — Clear rules on what BigBasket data is shared with other Tata entities
4. Add granular retention — “Active orders: 6 months; health products: 1 year; general purchase: 2 years; addresses: until user deletion”
5. Separate consent for cross-platform sharing — Distinct consent for Tata Neu integration, 1mg health cross-referencing
6. Deploy inference protection — Don’t combine grocery patterns to create religious, health, or family profiles without explicit consent

How Does Your Policy Compare?

🔍 Run Your Free DPDP Audit →

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.