India’s e-commerce sector has been built, in large part, on the intelligence that comes from data. The ability to show you a product you didn’t know you wanted, remind you of something you left in a cart, or offer a discount at precisely the right moment — all of it is powered by the collection and analysis of behavioural data at scale. The DPDPA 2023 does not make personalisation illegal. But it does require that the data powering it be collected honestly, with clear consent, for a purpose the customer actually understood when they agreed.
The challenge is that most consent today is bundled. When you create an account on a retail platform, a single terms acceptance covers data collection for order processing, personalisation, marketing, analytics, third-party sharing, and more — often in a single paragraph buried in a privacy policy. Under the DPDPA, this approach is inadequate. Consent must be specific to purpose. If a customer consents to their purchase history being used for order fulfilment, that data cannot then be used to build a recommendation engine or shared with a brand partner without a separate, clear ask. The practical implication is that consent must become granular, and customers must be genuinely given the choice to say yes to some uses and no to others.
This will feel disruptive to growth teams and product managers who have operated with broad data access as a given. But it is also an opportunity. Platforms that build transparent, granular consent mechanisms will learn something valuable — which customers actually want personalisation, and which are tolerating it. That is more useful signal than a forced agreement ever provided. The brands that treat DPDPA compliance as a prompt to build genuine customer trust, rather than a compliance obstacle to route around, will find themselves on stronger ground as Indian consumers become more aware of their rights.
