DPDP Compliance for E-commerce Companies

Myntra's privacy policy page currently displays an error message, rendering it completely inaccessible. This presents a critical compliance failure under the DPDP Act, as users cannot be informed about data practices, nor can the company's adherence to legal obligations be assessed.

Country Delight’s policy covers the basics of data collection but fails the 'Notice' and 'Control' tests of the DPDP Act. Its reliance on 'all-or-nothing' consent and lack of specific deletion timelines creates significant compliance risks for a company handling daily household location data.

JioMart’s policy is a classic example of 'old law' compliance, leaning heavily on the IT Act 2000. While it is transparent about what it collects, it fails the DPDP Act’s strict requirements for clear, affirmative consent and specific data deletion timelines.

Meesho's privacy policy, while detailed about data collection, is primarily built on the outdated IT Act 2000. Its biggest weaknesses lie in the bundled consent mechanism, vague data retention periods, and a complete absence of DPDP Act 2023 specific provisions for Data Principal rights and cross-border data transfers, creating substantial regulatory risk.

Pepperfry’s policy is a classic example of an 'IT Act era' document that hasn't been updated for India's new privacy regime. While it covers the basics of data collection, it fails the DPDP Act’s strict requirements for granular consent, clear retention limits, and modern user rights.

BigBasket's grocery data creates one of the most detailed household profiles in Indian commerce — diet, health needs, baby care, income bracket — all from weekly orders. As a Tata Group entity, the 43/100 score raises questions about enterprise data sharing and DPDP readiness across the conglomerate.

Lenskart's privacy policy is comprehensive in outlining data collection and security, but it doesn't explicitly reference the DPDP Act 2023. Significant gaps exist around granular consent, specific data retention periods, and a full DPDP-aligned framework for Data Principal rights and grievance redressal.

Tata Neu is India's most ambitious data aggregation play — combining flights (Air India), hotels (IHCL), groceries (BigBasket), medicines (1mg), luxury (Tanishq), insurance (Tata AIG), and more into one profile via NeuPass. At 44/100, aggregating consumer behavior across 20+ Tata companies under a single privacy policy creates the country's most comprehensive consumer profile.

Nykaa's privacy policy makes a commendable effort by explicitly mentioning the DPDPA’23 for certain Data Principal rights. However, it faces significant challenges with bundled consent, vague data retention periods, and broad legitimate use claims, requiring substantial alignment with India's new privacy law.

Flipkart's privacy policy is comprehensive in scope but relies on pre-DPDP frameworks. Key concerns include bundled consent, broad third-party sharing provisions, and no specific DPDP Act alignment.

Amazon India operates under a global privacy policy that benefits from mature US/EU compliance but lacks India-specific DPDP alignment. At 58/100, the combination of e-commerce, voice assistant (Alexa), payment (Amazon Pay), and entertainment (Prime Video) data creates a multi-dimensional profile — all flowing to US-headquartered infrastructure.

Blinkit’s privacy policy, last updated in January 2025, remains heavily influenced by the IT Act 2000 framework. While it provides high transparency regarding 'what' is collected, it fails the 'how' of DPDP Act 2023—specifically regarding granular consent, the right to be forgotten, and the new statutory rights of nomination. The reliance on 'implied consent' through platform usage is a high-risk area under the new regulatory regime.