I am informed that spam mails are being sent from the optimum.net server to many using the email Vijayashankar Nagarajarao (archer83@optimum.net).
Kindly ignore them and if possible file a complaint with abuse@optimum.net.
I don’t use any service from optimum.net and the email archer83@optimum.net does not belong to me. This scam seems to originate from a compromised optimum.net server which is extracting emails of contacts from the customers and using it for spamming.
Naavi
It is observed that UIDAI website is experiencing some serious technical issues. It is downloading aadhaar cards of persons other than for which a request is submitted and OTP is authenticated.
Though the downloaded file is protected by the password, this is a serious flaw which needs to be corrected.
UIDAI has recognized the bug and has posted a message on the website. I hope it would be set right soon.
This could be considered as a “Potential Data Breach” and needs to be addressed as such under ITA 2000/DPDPA
Naavi
One of the queries I have received on Linked in by a discerning Privacy Professional is
” As we observe, organizations have begun aligning with the Digital Personal Data Protection (DPDP) Act in India. However, several provisions remain ambiguous, awaiting further clarification through governmental rules. For instance, the practical implementation of roles like the Consent Manager is still not fully defined.
In light of these uncertainties, how can organizations proactively work towards compliance? What preliminary steps can be undertaken even before the complete regulatory framework is established?”
Let me try to provide my feedback on this.
Compliance to DPDPA is a cost that any organization have to absorb. Even conduct of a DPDPA Gap assessment will need a budget. If an organization is a Data Fiduciary of some responsibility, the costs are likely to be higher since they have to immediately take the decision to designate a new senior position of the Data Protection officer with a team of his own. Once the DPO is in place, he will demand an “Implementation Plan” which includes in house measures such as drawing up of policies which may need external consultancy of expert organizations like FDPPI which also requires investments. Then comes the bigger investment and a decision about acquisition of software for compliance which is a long term higher level investment.
The CFOs, CEOs and the Board members of any organization would naturally take their time to commit on these expenses and would like to take as many excuses as possible not to sign on the DPDPA implementation budget. However this “Judicious Contemplation” should not turn into procrastination and policy paralysis.
The first action required for any responsible corporate entity is to pass a resolution at the Board level to the effect
“The Board has taken note of the passage of DPDPA2023 and the imminent release of detailed rules and
a) has resolved to conduct and document a Business Impact Analysis on the passage of DPDPA 2023 on our organization immediately.
b) resolved that a committee of Directors consisting of …….., ….. and ….. is formed with immediate effect under the chairmanship of the independent Director ……………, to consult relevant experts and report to the Board by the next Board meeting on further actions to be taken.
c) resolved that the following shall be the terms of reference shall be addressed by the Committee
i) To determine when should the Company start a DPDPA Gap assessment program.
ii) To determine if we designate a “DPO” for our organization
iii) To determine the budget to be allocated for the next quarter and the current year for DPDPA Compliance
The above actions are necessary and can be implemented immediately by the Company Secretary who is drafting the minutes for the next Board meeting. If an organization has already passed through this stage, they may encounter the questions raised in the query above. This needs to be discussed by the committee and their views presented to the Board. In that process, they can take into account the following thoughts.
Ambiguity of provisions
DPDPA is a law and the law is by nature meant to provide broad principles which are to be interpreted in the context of its implementation.
Rules are expected to provide the procedural guidelines and cannot re-interpret the law. Rules cannot therefore be expected to provide “Legal Clarity” where the law has failed to do so.
Hence if there are any ambiguities in the law as we perceive, we need to live with it. As regards the Consent Manager the law is clear and it is the Draft rules that are creating complications. But “Consent manager” is not “mandatory” for implementation of DPDPA by an organization and hence organizations need not wait for this ambiguity on “Consent Manager” if any to be cleared.
Consultants like FDPPI and the Frameworks like DGPSI has provided a “Jurisprudential Interpretation” of all aspects of DPDPA 2023 and unless a company wants to ignore them, there is no reason to delay the start of implementation waiting for further clarification from the Government.
Government cannot provide a clarification that is not in tune with the Act and if they do so by a mistaken interpretation, there is a possibility of the law being challenged in a Court of law.
The current mood of the Supreme Court which in the past has been aggressive in taking on the executive’s role of drafting rules for the Act and adding its own interpretations to the laws is not to pass any “Stay” on the operation of the law. If therefore any “Andolan Jeevies” challenge the specific provisions of the law as “Ambiguous”, the issues will be taken up for discussion but no decision is expected immediately.
We therefore consider that it is not wise for companies to keep waiting for clarifications from the Government.
Our view on this is clear as follows:
1.DPDPA 2023 is an expansion of Section 43A of ITA 2000 and is therefore considered as “Due Diligence” under the current law which is ITA 2000.
2. DPDPA 2023 provides a detailed clarity on the concept of “Reasonable Security Practice” under Section 43A of the ITA 2000.
3. The limitation of applicability of Section 43A of ITA 2000 to “Sensitive Personal Information” has now lost the meaning since there is no specific definition of Sensitive personal information under DPDPA and it is the responsibility of all Data Fiduciaries to determine the harm likely to be caused to a Data Principal on account of their processing and take appropriate action to protect their interests.
4. Since the “Data Fiduciary” is a “Fiduciary”, he is self responsible for determining what is the harm likely to be caused and accordingly expected to develop the compliance.
5. While section 43A is limited to the provision of compensation to a data principal, it does not bar the Adjudicator under ITA 2000 to impose any penalty on the Data Fiduciary.
6. Section 43A of ITA 2000 remains in tact till Section 44 of DPDPA 2023 along with the penalty section 33 is not specifically notified. Till then, Penalty under Schedule I of DPDPA 2023 may be considered only as a “Legislative intent” and the Adjudicator under his powers to pay compensation upto Rs 5 crores can provide compensation to the affected victim and also exercise its Suo-Moto powers to impose deterrent penalties as well as recommend action under Section 43 and Section 66 of ITA 2000.
7. Ambiguity if any on the role of a “Consent Manager” may be ignored. If any organization has the intention of registering themselves as “Consent managers”, they may do so after the Data Protection Board is set up.
8. When in doubt, the Company may obtain and document an opinion from an appropriate management consultant or a legal consultant. Such opinion may be a Legal Opinion from a law firm or a Management Advise from a Management consultancy firm.
I suppose this provides a reasonable response to the query raised. Further comments are welcome.
Naavi
The ongoing discussion on Linked in has brought a query which I thought could be answered in greater detail here.
Query:
“I would really love to hear your thoughts on why India is adapting the path of “data should not be transferred to certain countries, which is completely a different approach from GDPR wherein they have taken a positive approach of transferring data to the listed countries who has adequate safeguards”. Do you think this is the right approach?”
The provision under Section 16 of DPDPA 2023 states that
“the Government may by notification restrict the transfer of data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.
It goes on to further state
“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.“
Under the draft rules proposed, it is stated that “transfer of personal data within India or outside shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”
The minister has made a statement publicly that the Meity will form a committee which from time to time review the requirements and suggest what restrictions should be applied and under what context.
The provisions read together is flexible and will cover the provisions of EU GDPR under article 45 as well as 46,47,48 and 49.
The Committee can take a decision like “Biometric data will not be transferred to any country including USA or EU Countries” and ignore the claim that in that country there is a stringent data protection law. On the other hand Committee may allow transfer of data for a social media company handling non-sensitive information to most countries. Committee can also decide that a particular Data Fiduciary is in defence sector and it shall not transfer data anywhere even within the country and the data centres of the company shall reside in premise.
Thus We have taken a fair and flexible approach. EU approach cannot be called “Positive” just because they give 11 countries out of 193 plus UN members, the status of adequacy and consider other 182 countries as “Prohibited countries”. Even GDPR adequacy has a restricted sectoral permissions within the adequacy countries. EU thinks that it has the right to decide what are “Adequate Security Safeguards” and suggests that other countries should follow its norms. India thinks that it is a sovereign country and we decide which processing outside the company is safe and should be allowed and which should be prohibited.
From the practical perspective, instead of hardcoding a list of countries, the committee reserves the right to make decisions from time to time.
Let us hope that the Committee will do its duty properly and if so it would be a better proposition than what GDPR proposes. It also gives us an opportunity to create our own “Data union/Trusted Counties for data transfer” as Naavi had proposed to MeitY during the JPC discussions on PDPB.
Naavi
Recently we saw that RBI came up with a circular (Refer TOI article here). RBI had in its earlier circulars (Refer here) starting from 1976 had indicated that the purpose of opening minor accounts was to encourage the habit of “Savings” at an early age. That was the time when there was no digital banking and not digital banking risks. The minors were allowed to open the account with the consent of the natural guardians and there was a limit to the transactions and no third party cheques could be issued. The minor could only come to the bank and withdraw or deposit the money.
Now the old guidelines are repealed and the new guidelines state that Banks are free to issue ATM/Debit Cards, Chequebook facility etc based on the risk management policy of the Banks. There is no limit on the balances.
In this context I want to ask the RBI officials including the Governor whether they are out of their minds? Are they aware of the Risks to Banking system because of this new grand gesture?
Today, Banks are no longer interested in promotion of “Savings”. They are as greedy as a commercial organization like Google or Meta or Amazon and today every account is seen as a profit center. They are also completely ignorant of the Banking law and through this circular RBI has also demonstrated that they donot respect Banking law.
I want to discuss here few specific issues for which I demand that RBI has to answer.
Banker Customer Relationship
It is an age-old Banking law that recognizes the Banker-Customer relationship as a “Debtor-Creditor” relationship where a Bank is a debtor who has borrowed money from the depositor and has the power to use it as he decides. The depositor is not the owner of the money deposited and is only a creditor who can claim the money bank as per rules and if not returned can sue the Bank. Bank deposit is not “Property” and is not in the control of the depositor once it passes onto the control of the Bank.
As a result, whenever a Bank fraud takes place, the money lost is not that of the customer but is of the Bank. If a customer observes that money ahs vanished from his account, his right to withdraw has been curtailed and like filing a complainant of any cognizable offence is expected to report the crime.
The RBI has rightly held that if the customer disputes any debit the Bank is obliged to repay the same instantly.
Indus Ind Bank does not care for RBI Circular
I came across a case of Indus Ind Bank Thane Branch recently where I filed an e-mail complaint to Mr. Dickson Baptista , Head – Customer Care OPUS Center 47, Central Road, Opp. Tunga Paradise Hotel MIDC Andheri (East) Mumbai 400093 pointing out a customer’s dispute of two transactions which ought to be refunded. This email was sent on 8th April 2025 and there is no response till date.
I am charging the Bank of “Denial Of Access” under Section 43 of ITA 2000 and read with Section 66 of ITA 2000 it is a report of a crime.
Does RBI have any answer to the impunity with which Bank refuses to even acknowledge the e-mail?
Is this post which is a public notice not sufficient for the vigilance department of both Indus Ind Bank and RBI to seek action?… Let me see how they react.
I fought the case of S Umashankar Vs ICICI Bank for 14 years before got a refund from the bank for a phishing fraud where Mr Umashankar was a victim. After the Zero liability circular came into effect many cases might have been settled without such a dispute resolution going through Adjudication, Appellate Tribunal and the Courts. But still there are many Banks who consider that their Fraud Customer is more valuable than the Victim customer and try to protect and shield the fraud by making it difficult for the victims to recover their losses.
Debit Freeze
In the above case of Indus Ind Bank, while the Bank has not acted on the refund of the disputed transactions, they have put a debit freeze on the balance. What should we say on the intelligence of the Indus Ind Bank to have considered that the victim should be further inconvenienced by such a debit freeze on the balance remaining after the fraudsters have withdrawn part of the money? (In the Umashankar case I did not have the problem since the fraudster had cleaned out the entire account)
I now ask the RBI whether their “Debit Freeze” applies to the balance remaining in an account where some fraudulent debits have occurred. If Banks are allowed to get away unpunished for this action, there will be a chilling effect on Cyber Crime victims and they will be hesitant to report frauds. As it is we the consultants tell victims that if the amount lost is small, then forget it since Police donot have time. Now we need to even consider that if there is a balance of one lakh in my account and there is a UPI fraud and there is a fraudulent debit of Rs 1000 and I report it to the Bank, Bank may classify the account as “Involved in a Cyber Crime and put a debit freeze.
Is RBI aware of this possibility? Will it take any action?
The debit freeze is defended under Section 106 of Bharatiya Nagarika Suraksha Samhita 2023 (BNSS 2023) as the power to seize “Property” .
In the context of the “Banker Customer Relationship” does the “Bank Balance” represent “Property”? What we claim today as “My Bank Balance”, is it not a “Right to withdraw money lent to the Bank”? Is it not an “Actionable Claim”. Is this not the argument under which Banks some times refuse premature closure of deposits even when the Bank is considered an insolvency risk?
Now in the case of digital banking, how can the binaries that show up on my computer withing the banking application as “Balance” be considered as “Property”?
If there is a debit freeze, the debit freeze is legally treated as “Denial of Access” which is an offence under Section 66 of ITA 2000.
Neither the RBI nor a Police officer wrongly using Section 106 of BNSS can cause denial of access under an excuse that he is trying to investigate a crime.
I want the Ministry of Home Affairs to confirm if this is part of the “Nagarika Suraksh” that they want to achieve under the new Act? Is it not a “Police Excess” using powers to investigate the criminal being applied to harass the victim?
I want lawyers who are fighting such cases to argue this with the Courts since even Courts have forgotten the concept of “Debtor-Creditor” relationship and make police, Banks and RBI answerable to the harassment that is going on in the name of Cyber Crime prevention?
The same denial of access charge is also applicable when Banks put a debit freeze on accounts for non updation of KYC which is randomly asked by the Bank from time to time. Banks think “Know Your Customer” is not satisfied when they “Know the Customer” in one account but not in “Another Account” and request multiple documentation for the same customer. The non Banking REs like the payment gateways also have their own ignorance and often refuse to update KYC for companies for lack of Aadhaar of a company.
I recently had an observation that my account with ICICI Bank in the Bengaluru urban area was inoperative for KYC non updation for more than 15 days and even after updation of the KYC, the papers remained in the drawers of an ignorant staff who had no clue to what is KYC. The manager confessed that the quality of staff are today so inadequate that it is difficult to get work done by them. In our times it was difficult to get work done by Bank staff because of Union problems but today it is the lack of awareness that is hurting the Bankers.
The MeitY/Ministry of Finance have their own share of ignorance when they declare such Banks as “Protected Systems under Section 70 of ITA 2000” and “Too Big to fail”.?
Is Meity imposing the restrictions envisaged under Protected System Security on Banks like ICICI Bank, HDFC Bank, Union Bank etc whom they have royally declared as “Protected Systems” as if it is a feather in their cap.
Minor Account
At this point of time what on earth makes RBI think that Bankers are capable of handing the “Minor’s” account in digital form?
As per the latest RBI circular, if Minors are allowed to issue cheques to third parties, what will be the impact on the rights of the beneficiary of the cheque? or more importantly the endorsee of the Cheque who is a “Holder in Due Course”? How will Courts determine the liability of the drawer of the cheque under Section 138?
Similarly since there is no upper limit on the balances on these accounts, are these minors not exposed to Cyber Frauds and Digital Arrest frauds? Will RBI take responsibility when some minors either commit suicides or start stealing from their own parents on the basis of teachings by fraudsters?
In Kannada there is a proverb “ಬೇಲಿಯೇ ಎದ್ದು ಹೊಲ ಮೈದರೆ ಕೇಳೋರ್ಯಾರು?” ( BEliye edhdhu hola maidare KEloryaru?) meaning: who will listen when the fence itself eats the crop?
Currently RBI has allowed “Freezing of Bank accounts” which itself is illegal. It is allowing Minor accounts which is illegal. Banks continue to support fraudster customers against victim customers. Police not Courts come to assist the victims and they are more concerned with their own interests. Even Supreme Court is supporting the Bitcoins and fraudulent Judges instead of the innocent citizens.
The situation has become so bad today that fraudsters are using this as a threat to genuine customers to say ” I will get your account frozen if you donot do this…”. A threat of this nature was received by a professor in Bangalore recently. This was a case where an unknown person had called and said I have wrongly credited some amount to your account and you should transfer it back. As most of us know this is one of the standard modus operandi for UPI frauds and the alleged recipient is advised not to act on such requests. In this case when the account holder has refused to talk to the person, he has threatened that he will get the account frozen.
We all know that these criminals have their supporters even in the Police Stations and it is not difficult to get a letter issued to the Bank for freezing the account. The Police should not have the power to issue such “Garnishee” orders in the first place and neither the RBI nor the Bank seem to mind. The Ministry of Home Affairs also does not mind such illegal practices.
How will RBI react to this new “Weaponization of debit freeze” by fraudsters?
I have been an ex-Banker and am aware that once the power to freeze bank accounts were only through “Garnishee Orders” from a Court. Today such powers are being exercised by all law enforcement agencies including a Police inspector and is therefore amenable for abuse. I refer to an article in manupatra which speaks of the Section 102 of CrPC or 106 of Bharatiya Nagarika Suraksha Samhita which states as under
(1)Any police officer may seize any property which may be alleged or suspected to have been stolen, or which may be found under circumstances which create suspicion of the commission of any offence.(2)Such police officer, if subordinate to the officer in charge of a police station, shall forthwith report the seizure to that officer.(3)Every police officer acting under sub-section (1) shall forthwith report the seizure to the Magistrate having jurisdiction and where the property seized is such that it cannot be conveniently transported to the Court, or where there is difficulty in securing proper accommodation for the custody of such property, or where the continued retention of the property in police custody may not be considered necessary for the purpose of investigation, he may give custody thereof to any person on his executing a bond undertaking to produce the property before the Court as and when required and to give effect to the further orders of the Court as to the disposal of the same:Provided that where the property seized under sub-section (1) is subject to speedy and natural decay and if the person entitled to the possession of such property is unknown or absent and the value of such property is less than five hundred rupees, it may forthwith be sold by auction under the orders of the Superintendent of Police and the provisions of sections 503 and 504 shall, as nearly as may be practicable, apply to the net proceeds of such sale.
It is clear that this section will hold only if we accept that Bank Balance in digital form is “Property”. I think this is not feasible unless the Courts forget the nature of Banker Customer relationship and treat it not as Debtor-Creditor relationship but as Bailor-Bailee relationship.
Concluding Remarks
It is a pain to attack several Government agencies in this one blog and watch the deterioration of RBI and Banks to a state that customers are the last of their priorities. I have in the past appreciated RBI for some of their bold stand against Bitcoin as well as the Zero liability circular. But it seems that the management has now changed and the new crop of Governors and Deputy Governors are not committed to the principles under which RBI was functioning so far. It is necessary for them to be reminded of the reports of the SR Mittal working group, Gopala Krishna working group and Damodaran Committee which appear to be a past golden era in Indian Banking.
The current generation of the society need to think Banking as “E Commerce” and either spread their risks or disable internet Banking in most of their accounts. In today’s regulatory scenario in Banking I am afraid that we are not ready for he “UPI Revolution”.
If there are any genuine souls in RBI who still respect the Banking customer, I want them to respond to the concerns expressed here. Minimum restrictions suggested to be mandated by RBI are:
Naavi
By Advocate Sri M G Kodandaram , IRS
India’s e-commerce sector has experienced significant growth in recent years, establishing itself as a crucial contributor to economic development. However, despite this remarkable progress, the sector has long struggled with a lack of a comprehensive regulatory framework due to its fragmented and unorganized structure. This has led to various issues, including consumer deception and fraud resulting from inadequate compliance with consumer protection laws. Added to this, the frequent personal data breaches have created risks to consumers, as no dedicated regulation or Authority currently exists to safeguard personal data.
To establish order and accountability, the Ministry of Consumer Affairs, Food, and Public Distribution enacted the ‘ Consumer Protection (E-Commerce) Rules, 2020’ . While these regulations laid the groundwork for consumer rights and business accountability, they did not offer an all-inclusive governance model, leaving critical areas such as fair-trade practices, data security , which include personal data security , and ethical business conduct insufficiently addressed. Recognising this gap, the Bureau of Indian Standards (BIS) has circulated a ‘ Draft Indian Standard ‘E-Commerce – Principles and Guidelines for Self-Governance’ (herein after ‘ Guidelines ’ for brevity), which provide a structured approach to addressing the sector’s evolving challenges, for feedback from the stake holders. These Guidelines aim to enhance consumer confidence by ensuring transparency, preventing unfair business practices, and aligning e-commerce operations with existing data protection laws. Moreover, they emphasize self-regulation, thereby allowing businesses to implement responsible practices while reducing the need for stringent government oversight.
In today’s digitally interconnected and rapidly evolving cyber society, safeguarding personal data has become a critical legal, ethical, and operational challenge for businesses, governments, and societies. Inadequate management of personal information often leads to unauthorized access, data breaches, identity theft, and misuse of sensitive data, which can be exploited for fraudulent activities or even sold on the dark web. Recognizing the significance of data security, governments across the globe are implementing comprehensive data protection laws to regulate the collection, processing, storage, and usage of personal information.
An important development in this regard is India’s Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent on August 11, 2023. The Draft DPDP rules 2025 are being circulated for necessary Public Consultations. The primary objective of this legislation is to establish a structured compliance and regulatory framework that governs the handling of digital personal data while ensuring transparency and accountability. Organizations handling Indian consumers’ data must reassess their internal policies, operational structures, and data governance frameworks to align with the new regulatory landscape.
The DPDP Act reflects the growing public consciousness regarding privacy rights and the ethical management of personal data. Compliance with this law is no longer a mere legal formality but a strategic necessity for businesses operating in India, particularly those in the e-commerce sector and other digital marketplaces.
This article critically examines whether the ‘ Draft Indian Standard Guidelines for Self-Governance ’ effectively integrate the important provisions of the DPDP Act and evaluates their strategic implications for shaping a robust e-commerce ecosystem. By doing so, it aims to provide insights into how companies can proactively adapt to the evolving data protection regime and establish trust-based digital ecosystems.
As the e-commerce sector expands rapidly, it brings immense opportunities but also challenges related to consumer trust and protection. Establishing clear governance guidelines are essential for promoting fairness, transparency, and ethical business practices while preventing fraudulent activities. Recognizing this need, the BIS has circulated the drafts guideline standards to regulate online transactions effectively. These Guidelines define core principles applicable to various stages of an e-commerce transaction – pre-transaction, contract formation, and post-transaction responsibilities. Their primary aim is to nurture consumer confidence, ensure seller accountability, and maintain fair competition. By addressing critical areas such as seller verification, transaction security, product listings, grievance redressal, and anti-counterfeiting, these Guidelines provide a structured framework for ethical and transparent e-commerce operations in India.
The pre-transaction phase emphasizes rigorous seller verification, requiring platforms to authenticate business credentials through Know Your Customer (KYC) procedures. Additionally, platforms must disclose their contact details and clearly define policies on cancellations, exchanges, and refunds, ensuring informed purchasing decisions.
During the contract formation phase, explicit consumer consent is mandatory, with pre-selected checkboxes prohibited. Secure payment mechanisms are crucial, ensuring compliance with financial regulations and transparency in service fees.
The post-transaction phase focuses on consumer protection, requiring compliance with the Consumer Protection Act, 2019. Platforms must establish a grievance redressal system accessible through multiple communication channels. Real-time order tracking via SMS and email is essential, along with strict return and refund policies, particularly for counterfeit goods.
Beyond transactions, the Guidelines enforce ethical e-commerce practices. Fair competition, counterfeit prevention, and transparent sponsored content are prioritized.
The rapid expansion of e-commerce and the digital transformation necessitates a robust framework to ensure consumer protection, data security, and transaction integrity. The BIS draft guidelines are aimed at safeguarding digital personal data security. These guidelines outline a structured approach to consumer consent, transaction records, payment security, subscription transparency, data protection, and commercial communication.
For above specific guidelines refer Appendix to this article.
Under the DPDP Act 2023, all e-commerce entities who process digital personal data qualify as data fiduciaries and are required to comply with its provisions. A review of the guidelines clearly indicates that they emphasize integrating the fundamental principles of the DPDP Act into business operations in India. Some of these key provisions are summarised below for reference.
To ensure the seamless implementation of the BIS draft guidelines and strengthen digital personal data protection, some of the following strategic measures can be adopted:
These measures, aligned with the DPDP Act, 2023, will contribute to a more secure and privacy-centric e-commerce ecosystem in India.
The BIS draft Guidelines for e-commerce align closely with the DPDP Act, 2023, reinforcing digital personal data security, transparency, and consumer rights. By addressing key aspects such as data collection, storage, third-party sharing, and breach response, these guidelines lay the foundation for a more secure and ethical digital marketplace. While challenges in implementation remain, proactive collaboration between regulators, businesses, and consumers will be crucial in ensuring compliance and cultivating trust. As India continues to refine its digital data protection framework, these guidelines serve as a critical step toward responsible and sustainable e-commerce growth.
Mr. M. G. Kodandaram,
Every e-commerce entity shall only record the consent of a consumer for the purchase of any good or service offered on its platform where such consent is expressed through an explicit and no such entity shall record such consent automatically, including in the form of pre-ticked checkboxes.
E-commerce entities shall maintain a complete, accurate and durable record of every transaction carried out on its platform and shall enable the consumers to access and retain a copy of their particular record for such time as required under applicable law.
E- commerce platforms shall strive to offer a variety of payment methods that are accessible to all users irrespective of the type of product or seller chosen by the user, including credit/debit cards, mobile payments, e-wallets, and bank transfers. While choosing the mode of payment all the associated costs including processing charges, shall be disclosed to the consumer.
E-commerce platforms shall ensure that payment transactions are secure and protected from fraud and other security breaches through the use of encryption, two-factor authentication, and other security measures. E-commerce platforms shall comply with all relevant laws and regulations related to payment processing, including data protection and privacy laws, anti- money laundering regulations, and other financial laws.
Any payment option or transaction involving a specified recurring charge, automated repeat purchases, transaction renewals or a subscription contract ‘Recurring Obligations’, shall carry a full disclosure on the specific duration, intervals, and exact amount in relation to the Recurring Obligations, as well as information, and a clear, accessible process to opt-out from or cancel such Recurring Obligations at any time before or during the tenure/currency of such subscription.
If a customer has subscribed for a stated period, any changes in the terms and conditions including any changes in price, quantity, service conditions shall be pre-informed to the consumers and shall be continued after the express consent of the consumer. In case the consumer seeks to discontinue the subscription due to a change in the terms and conditions, he shall be permitted to do so. Any subscription services provided by the E-commerce platform shall be the responsibility of such platform.
E-commerce entities shall ensure that it complies with all applicable laws in relation to data protection. Specifically, they shall ensure the following:
E-commerce entities shall ensure compliance with all applicable law pertaining to commercial communications, including the following:
