Archived analysis

This page is old. Flipkart was reviewed on 2026-02-10.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce

Flipkart

Ready Score 52/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 10 Feb 2026

Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-02-10
  • Company: Flipkart
  • Readiness score: 52/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • No DPDP Act 2023 terminology used
  • Consent bundled with terms — not freely given
  • No explicit data retention policy
  • Third-party data sharing overly broad
  • No mention of Data Protection Board

✅ Strengths

  • Detailed data collection categories
  • Grievance officer contact provided
  • Cookie management options available

Overview

Flipkart is India’s largest e-commerce marketplace, handling personal data of over 400 million registered users. The volume and sensitivity of data processed — including addresses, payment information, and purchase history — make DPDP compliance a top priority.

DPDP Readiness Assessment

Flipkart’s consent mechanism is bundled within the Terms of Use — users cannot selectively accept or reject specific data processing activities. Under DPDP Section 4, consent must be free, specific, informed, and unconditional. Bundled consent is non-compliant.

Section 5: Lawful Purpose ⚠️

The policy lists multiple purposes for data processing, but several (such as “improving services” and “personalization”) are vaguely defined. DPDP requires each purpose to be clearly specified at the time of consent.

While users can delete their account, there is no granular mechanism to withdraw consent for specific processing activities while maintaining the account. This is a clear gap under Section 6.

Section 8: Data Security ✅

Flipkart maintains industry-standard security measures. As a Walmart subsidiary, it benefits from enterprise-grade security infrastructure.

Section 11: Data Principal Rights ⚠️

The policy provides for data access and deletion but lacks provisions for data correction, nomination rights, and a clear timeline for responding to data access requests as required by DPDP.

Section 17: Cross-Border Transfer ⚠️

Given Walmart’s global presence, data is likely transferred internationally. The policy does not specify which jurisdictions receive data or whether they are on the approved list.

Recommendations

  1. Unbundle consent from Terms of Use — implement granular consent
  2. Define specific purposes with clear descriptions for each data use
  3. Implement granular consent withdrawal without requiring account deletion
  4. Publish data retention schedule with specific timelines per data category
  5. Restrict third-party sharing with clear justifications and named parties
  6. Establish Data Principal rights portal with response timeline commitments

Risk Assessment

Risk Category | Level | Impact
Regulatory fine risk | High | Up to ₹250 Cr — massive user base increases scrutiny
Customer trust impact | Medium | Privacy-conscious segment growing
Operational readiness | Medium-High | Significant policy + technology updates needed
