E-commerce

Flipkart

Ready Score 52/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 10 Feb 2026

Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.

⚠️ Compliance Gaps

  • No DPDP Act 2023 terminology used
  • Consent bundled with terms — not freely given
  • No explicit data retention policy
  • Third-party data sharing overly broad
  • No mention of Data Protection Board

✅ Strengths

  • Detailed data collection categories
  • Grievance officer contact provided
  • Cookie management options available

Overview

Flipkart is India’s largest e-commerce marketplace, handling personal data of over 400 million registered users. The volume and sensitivity of data processed — including addresses, payment information, and purchase history — makes DPDP compliance a top priority.

DPDP Readiness Assessment

Flipkart’s consent mechanism is bundled within the Terms of Use — users cannot selectively accept or reject specific data processing activities. Under DPDP Section 4, consent must be free, specific, informed, and unconditional. Bundled consent is non-compliant.

Section 5: Lawful Purpose ⚠️

The policy lists multiple purposes for data processing, but several (such as “improving services” and “personalization”) are vaguely defined. DPDP requires each purpose to be clearly specified at the time of consent.

While users can delete their account, there is no granular mechanism to withdraw consent for specific processing activities while maintaining the account. This is a clear gap under Section 6.

Section 8: Data Security ✅

Flipkart maintains industry-standard security measures. As a Walmart subsidiary, it benefits from enterprise-grade security infrastructure.

Section 11: Data Principal Rights ⚠️

The policy provides for data access and deletion but lacks provisions for data correction, nomination rights, and a clear timeline for responding to data access requests as required by DPDP.

Section 17: Cross-Border Transfer ⚠️

Given Walmart’s global presence, data is likely transferred internationally. The policy does not specify which jurisdictions receive data or whether they are on the approved list.

Recommendations

  1. Unbundle consent from Terms of Use — implement granular consent
  2. Define specific purposes with clear descriptions for each data use
  3. Implement granular consent withdrawal without requiring account deletion
  4. Publish data retention schedule with specific timelines per data category
  5. Restrict third-party sharing with clear justifications and named parties
  6. Establish Data Principal rights portal with response timeline commitments

Risk Assessment

| Risk Category | Level | Impact |
| --- | --- | --- |
| Regulatory fine risk | High | Up to ₹250 Cr — massive user base increases scrutiny |
| Customer trust impact | Medium | Privacy-conscious segment growing |
| Operational readiness | Medium-High | Significant policy + technology updates needed |

This analysis is for informational purposes based on publicly available privacy policies. For a comprehensive compliance assessment, book a free consultation.
