By Rakesh Maheshwari, Former Sr. Director and Group Co-ordinator, Cyber Laws and Data Governance, MeitY & Indranuj Pathak, Sr. Consultant – Public Policy, Primus Partners
India’s e-commerce sector, moving towards a projected $300 billion valuation by 2030 , has thrived on the free flow of data. Every click or search or abandoned cart paints a detailed portrait of the consumer, fuelling product recommendations. The Digital Personal Data Protection (DPDP) Act of 2023 will now put transformative influence in the form of e-commerce companies (data fiduciaries) notifying consumers or users (data principals) on what, how long and with what purpose such data is to be collected, processed and stored. That is, users are equipped with more control of their personal data.
Examining the intersection, it is important to delve into the Act’s distinct clauses, outlining its impact on e-commerce players, the opportunities and the need to clarify few aspects.
DPDP act’s impact on e-commerce practices
Broadly, the “personal data” of users that comes under the Act’s mandate will include data such as personal information including name, e-mail, phone number, user’s service history and interactions, and payment and card details. The Act’s provisions will not come into force if the data is made available by the user publicly, or when the platform uses the data for any collective business analysis or research without identifying anyone.
The Act empowers individuals with a comprehensive set of rights over their personal data, including the right to access, rectify, and erase it. This will create a fundamental shift wherein data was often collected, aggregated, and processed with minimal user oversight. For instance, on targeted advertising, the Act will restrict the profiling of individuals without their explicit consent. The potential impact on conversion rates and ad revenues would be noteworthy.
E-commerce platforms would have to make changes in their user interfaces of websites and apps, with clearer communication with users for consent, processing, erasing or grievance addressal. Moreover, the e-commerce platforms will have to completely erase all personal data when the user refutes the continuity of consent or when the purpose intended is served.
The platforms will also have to now carry out a verifiable parental consent mechanism to provide services to children below 18 years of age but cannot track or carry out behavioural monitoring of the child, unless exempted separately by the government. This is a complex subject, as many e-commerce platforms already follow due checks for ensuring parental control below a certain age. Moreover, payments in e-commerce for principals below 18 years of age would anyway require guardianship of a parent or legal guardian, as per mandated by RBI . E-commerce players, however, will still need to adopt the additional obligations.
For AI systems, which are now becoming increasingly integral to the operations of e-commerce platforms, this means a shift towards more transparent and ethical data usage practices. AI algorithms, used for personalized recommendations, customer service, and supply-chain management, would now need to comply with the principles of data minimization and purpose limitation as outlined in the DPDP Act. This will lead to a greater emphasis on developing AI models that are not only efficient but also respectful of user privacy, synonymous to the principles of Responsible AI.
It is important to note that the Act’s provisions can also effectively apply to the sellers or retailers, if the e-commerce companies share the personal information of the users with the former. Herein, measures like a strengthened confidentiality agreement incorporating details of data erasure, consequence management, creating awareness among the involved parties, etc, will persist. Such voluntary practice for limited exposure to personal data will also extend when other parties like delivery or logistical personals are involved.
Opportunities for a privacy-first r-commerce future
By prioritising user’s data privacy, India has the potential to carve a niche for itself as a global leader in ethical and responsible e-commerce.
Firstly, the Act fosters a climate of trust between consumers and businesses. By granting individuals greater control over their data, e-commerce platforms can build stronger relationships based on transparency and consent. This, in turn, can lead to increased customer loyalty and brand advocacy.
Secondly, with targeted advertising facing limitations, e-commerce players will need to explore alternative methods of personalisation that respect user privacy. This could lead to the development of novel recommendation engines, powered by anonymised data or user-defined preferences.
Thirdly, the DPDP Act mandates that personal data may not be allowed to be processed or transferred to certain countries. This may present a minor operational hurdle for global e-commerce players who currently leverage a network of data centers spread across the globe. This, however, also presents an opportunity for them, to leverage the lower operational and labour costs inside the country, as well as growing favourable policy ecosystem around cloud and data centres.
Furthermore, the Act’s focus on data security, to be further strengthened by the upcoming Digital India Act, presents a lucrative opportunity for domestic cybersecurity companies. As e-commerce platforms continue to invest in robust security solutions including encryption methods, it is a win-win for every stakeholder.
The DPDP Act’s path to transforming India’s e-commerce landscape has points that need further deliberations. The lack of clarity around certain provisions, such as the definition of “sensitive” personal data, creates some environment of uncertainty for businesses. This also becomes relevant in the context of classifying Significant Data Fiduciaries (SDFs). Currently, while the Act has mentioned few overarching principles, it is however not clear what would be the specific benchmark for classifying the fiduciaries as an SDF.
Moreover, the Data Fiduciary mandated to give Data Principals the option to access the contents of the notice in different languages can become a resource and time intensive requirement for companies, especially for smaller firms with limited resources. However, it is also an opportunity towards inclusivity and accessibility in the digital space. Clarifications are still required on the same.
Further, the applicability of consent managers who will “manage” the data on behalf of the user, needs detailing on its effective implementation. Who will pay for it, and can it be similar to the Account Aggregator model, etc, needs discussion.
To address these queries, more stakeholder consultations and strategic inputs sharing will be key. The government, industry leaders, and data privacy experts must work together to develop clear and implementable rules.
As an example of global data protection standard, EU’s GDPR compliance requirements have created a booming market for privacy-tech solutions in the continent. Startups are developing innovative tools for data anonymisation, encryption, and consent management, which benefit both businesses and individuals. This has led to a more vibrant and competitive privacy ecosystem. The GDPR has eventually become a de facto standard for data privacy regulations around the world. GDPR has also forced companies to be more transparent about how they collect, use, and store personal data. This has led to the development of new tools and dashboards that allow individuals to easily access and manage their data privacy settings. For example, many companies now offer “data subject access requests” where individuals can request a copy of all the data a company holds about them.
However, it can also be argued that the GDPR’s strict data protection requirements could hinder certain types of data-driven innovation, such as in the field of online marketplaces or artificial intelligence, or other digital sectors who are actively leveraging similar emerging technologies. It’s strict parental consent for using children data has also become a point of contention, specially where the other leading tech innovators like the US and the UK have relative relaxation.
It is important to note that legislations like EU’s GDPR comes with its own complexities, and with a different socio-economic context. While it encompasses both optimism and challenges for the technology space, India’s subsequent implementation of its own data protection rule can learn from such global cases for navigating the data web tailored to its socio-cultural and economic needs.
The DPDP Act marks a watershed moment for India’s online marketplaces. While its immediate impact may be perceived as challenging at parts, it also holds the potential to usher in a new era of privacy-first commerce. By embracing the Act’s principles and channelling its transformative power, India can carve a unique path in the global e-commerce landscape, one that prioritises user trust, fosters innovation, and unlocks the true potential of a data-driven future. Finally, open communication and knowledge-sharing will be crucial in educating consumers about their rights within the e-commerce ecosystem.