Overview
Ecom Express is a logistics giant. If you’ve ever ordered something online in India, chances are an Ecom Express delivery partner has knocked on your door. To do their job, they handle a goldmine of your personal info: your full name, home address, phone number, and sometimes even your ID for high-value shipments.
In legal speak, under the Digital Personal Data Protection Act, 2023 (the DPDP Act), Ecom Express is a Data Fiduciary (the person or company that decides how your data is used). You are the Data Principal (the person the data belongs to). Because they handle "last-mile" data, they have a massive responsibility under the new law to keep that info safe and delete it when the delivery is done.
DPDP Readiness: Section-by-Section Analysis
Sections 5 & 6 — Notice & Consent 🔴
This is where most logistics companies trip up. Ecom Express largely relies on the fact that because you ordered a package, you’ve automatically agreed to everything in their policy.
What the policy says: “By using our website or services… you express your agreement to the terms of this Policy.”
What the law requires: Section 6 of the DPDP Act says consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. You can't just bundle everything together. If I want a package delivered, I have to give my address, but that doesn't mean I've consented to my phone number being used for "promotional SMS" from their partners.
The problem: There is no "notice" that meets the new standard. Under Section 5, a notice must accompany or precede the request for consent and state, in clear and plain language, which personal data is collected and for what purpose, how you can exercise your rights (including withdrawing consent), and how you can complain to the Data Protection Board of India. A line buried in the policy saying "by using our services you agree" is neither a notice nor valid consent.
Section 7 — Certain Legitimate Uses ✅
Logistics is one of the few industries where “legitimate use” actually makes sense.
What the law says: A company can process your data without a fancy consent form if it’s for a “specified purpose” for which you voluntarily gave your data.
The reality: If you give Ecom Express your address to get a Zara package delivered, they don’t need a separate DPDP consent form just to print that label. That is a legitimate use. However, they cannot use that same “legitimate use” excuse to track your location history or sell your shopping habits to advertisers.
Section 8 — Obligations of Data Fiduciary ⚠️
Ecom Express is responsible for what their delivery partners do with your data.
What the policy says: “We use reasonable security measures… to protect your information.”
The problem: Under Section 8 of the DPDP Act, the Data Fiduciary remains responsible for processing done by Data Processors on its behalf (Section 8(2)), must take reasonable security safeguards to prevent a personal data breach (Section 8(5)), and must notify the Board and affected Data Principals if one occurs (Section 8(6)). So if a delivery agent leaks a customer's phone number or uses it to harass them, Ecom Express (the Data Fiduciary) is the one the government will fine. Their policy mentions security, but it doesn't explicitly state how they ensure their thousands of sub-contractors and vendors follow the same rules: contractual flow-down of the safeguards, least-privilege access to consignee data in the delivery app, and audit of what agents actually retain on their devices.
Section 8(7) — Data Retention 🔴
This is the biggest red flag in the policy.
What the policy says: “We will retain your information for as long as it is required for the purposes for which it was collected.”
What the law requires: Once the package is delivered and the return window has closed, the "purpose" is fulfilled. Under Section 8(7), the company must erase the data as soon as it is reasonable to assume the specified purpose is no longer being served (or the Data Principal withdraws consent, whichever is earlier), unless retention is necessary to comply with some other law.
The problem: "As long as required" is too vague. Does that mean 1 year? 10 years? Forever? The DPDP Act is very strict: if the purpose is over, the data must go. Ecom Express needs to set a hard deadline (e.g., "Data deleted 180 days after delivery"), write down which legal obligations (such as tax or dispute records) can extend it, and actually run the deletion rather than leaving it to a policy document.
Sections 11–14 — Rights of Data Principal ⚠️
The DPDP Act gives you "superpowers" over your data: the right to access a summary of what is held and who it was shared with (Section 11), the right to correct it and erase it (Section 12), the right of grievance redressal (Section 13), and the right to nominate someone else to exercise these rights if you die or become incapacitated (Section 14).
What the policy says: They allow you to “review and correct” your info.
The problem: It's missing the big one: the Right to Erasure. Under Section 12, you should be able to tell Ecom Express, "I no longer want you to store my home address in your database," and they must comply unless retention is necessary for the specified purpose or required by law. Their current policy doesn't give a clear path for this.
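As an added illustration of what the Section 8(7) retention deadline and the Section 12 erasure path look like in code, here is a small Python module that applies a hard deletion deadline to a shipment record store and handles a self-service erasure request. This is example code written for this article, not Ecom Express's system; the record layout, the 30-day return window, the 180-day post-window retention period, the legal-hold field and the sample shipments are all assumptions chosen for the example.

```python
"""Retention sweep and erasure-request handling for a shipment PII store.

Illustrative example, not Ecom Express's code. The record layout, the
30-day return window, the 180-day post-window retention and the
legal-hold field are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy constants: the purpose (delivery + returns) is served once
# the return window closes; PII is hard-deleted a fixed period after that.
RETURN_WINDOW = timedelta(days=30)
POST_PURPOSE_GRACE = timedelta(days=180)
ONE_DAY = timedelta(days=1)
# Fixed "current time" used by the constructed sample data below.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class Shipment:
    awb: str                        # air waybill number: operational key, kept after erasure
    name: Optional[str]
    address: Optional[str]
    phone: Optional[str]
    delivered_at: Optional[datetime]
    legal_hold_until: Optional[datetime] = None   # open dispute / statutory record-keeping
    erased_at: Optional[datetime] = None


def deletion_due_at(s: Shipment) -> Optional[datetime]:
    """Hard deadline for erasing PII, or None while the delivery is still in progress."""
    if s.delivered_at is None:
        return None
    due = s.delivered_at + RETURN_WINDOW + POST_PURPOSE_GRACE
    # Retention required by law (the Section 8(7) exception) can only push the date later.
    if s.legal_hold_until is not None and s.legal_hold_until > due:
        return s.legal_hold_until
    return due


def scrub(s: Shipment, now: datetime) -> None:
    """Drop every personal field; keep the AWB and erasure time as a non-personal audit trail."""
    s.name = s.address = s.phone = None
    s.erased_at = now


def retention_sweep(store: list[Shipment], now: datetime) -> list[str]:
    """Scheduled job: erase every record whose deadline has passed. Returns AWBs erased this run."""
    erased = []
    for s in store:
        if s.erased_at is not None:
            continue
        due = deletion_due_at(s)
        if due is not None and now >= due:
            scrub(s, now)
            erased.append(s.awb)
    return erased


def erasure_request(store: list[Shipment], awb: str, phone: str, now: datetime) -> str:
    """Self-service erasure (Section 12). The requester must present the phone number on the
    shipment: without that check anyone who knows an AWB could wipe a stranger's delivery
    data. Unknown AWB, already-erased AWB and wrong phone all return the same answer so the
    portal cannot be used to enumerate live shipments."""
    s = next((x for x in store if x.awb == awb), None)
    if s is None or s.erased_at is not None or s.phone != phone:
        return "not_found"
    if s.delivered_at is None:
        return "in_transit"          # purpose still being served; the order must be cancelled instead
    if s.legal_hold_until is not None and now < s.legal_hold_until:
        return "refused_legal_hold"  # lawful refusal; the principal should be told why and until when
    scrub(s, now)
    return "erased"


def sample_store(now: datetime = SAMPLE_NOW) -> list[Shipment]:
    """Constructed sample records (not real shipments) covering each branch above."""
    return [
        Shipment("AWB1", "A", "addr", "9000000001", delivered_at=now - 400 * ONE_DAY),  # overdue
        Shipment("AWB2", "B", "addr", "9000000002", delivered_at=now - 10 * ONE_DAY),   # recent
        Shipment("AWB3", "C", "addr", "9000000003", delivered_at=now - 400 * ONE_DAY,
                 legal_hold_until=now + 30 * ONE_DAY),                                  # overdue, on hold
        Shipment("AWB4", "D", "addr", "9000000004", delivered_at=None),                 # in transit
    ]


if __name__ == "__main__":
    store = sample_store()
    print("sweep erased:", retention_sweep(store, SAMPLE_NOW))
    print("erasure AWB2:", erasure_request(store, "AWB2", "9000000002", SAMPLE_NOW))
    print("erasure AWB3:", erasure_request(store, "AWB3", "9000000003", SAMPLE_NOW))
    print("later sweep erased:", retention_sweep(store, SAMPLE_NOW + 31 * ONE_DAY))
```

The two pieces are deliberately separate: the sweep enforces the deadline whether or not anyone asks, which is what Section 8(7) requires, while the request path is the Section 12 right and has to authenticate the requester and explain any refusal. Note that erasure leaves the AWB and timestamp in place; that is the non-personal record you would show a regulator to prove the deletion happened.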
Section 13 — Right of Grievance Redressal ⚠️
If you’re upset about how your data is handled, you need a clear way to complain.
What the policy says: They provide an email address for a Grievance Officer.
The problem: Under Section 13 you must be able to escalate your complaint to the Data Protection Board of India if the company doesn't solve it (Section 13(3) in fact requires you to try the company's grievance process first, which makes that process a mandatory first step, not the final word), and the Section 5 notice must tell you how to complain to the Board. Ecom Express doesn't mention the Board at all. This leaves the "Data Principal" (you) feeling like the company has the final say, which isn't true anymore.
Section 16 — Cross-Border Data Transfer ✅
What the policy says: They don't explicitly mention sending your personal data outside India for standard domestic deliveries.
The reality: Since Ecom Express is primarily a domestic player, this is less of a risk than for a global tech company. However, hosting on a cloud provider is not automatically a transfer: AWS or Google Cloud regions in India keep the data in India, while a region abroad (or a foreign analytics or support vendor) is a transfer. Section 16 takes a blacklist approach: transfers are allowed except to countries the Central Government restricts by notification, so as long as they don't send data to a notified country, they are likely okay here. One caveat: Section 16(2) keeps any stricter sectoral rule in force, so anything like payment data still has to follow the localisation rules that already apply to it.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory Fine | High | Fines up to ₹250 Cr for failing to take reasonable security safeguards to prevent a personal data breach (Section 8(5), Schedule). |
| Consent Validity | Medium | Their current “bundled” consent is legally weak under Section 6. |
| Data Retention | Critical | Keeping millions of addresses indefinitely is a major DPDP violation. |
| Vendor Liability | High | They are responsible for how thousands of delivery agents handle data. |
Recommendations
- Stop "Bundling" Consent: If you are an SMB owner, learn from this: don't make people agree to marketing just to get a service. Give them a separate, unticked checkbox for each purpose that isn't needed to deliver the service, and a way to untick it later.
- Add an "Expiry Date" to Data: Tell users exactly when their data will be scrubbed. "We delete delivery logs after 6 months" is much safer than "as long as necessary." Then enforce it with a scheduled deletion job, with the legal exceptions (disputes, tax records) written down rather than left to judgment.
- Update Legal References: Stop resting the policy on Section 43A of the IT Act 2000, which the DPDP Act omits, and reference the DPDP Act 2023 and its obligations instead. It shows you're actually paying attention to the new law.
- Create a Deletion Portal: Make it easy for customers to request that their data be wiped. A simple web form is better than making them email a grievance officer, but it must verify that the requester is the Data Principal (otherwise anyone with a tracking number can erase someone else's delivery), give a reason and date when a request is lawfully refused, and keep a non-personal record that the erasure was done.