Sector-wise readiness
E-commerce: the 2 crore user line that changes everything
One misconception I keep seeing when e-commerce startups read DPDP checklists: they assume every box applies from day one. It does not.
A D2C store on its first 5,000 customers is not expected to operate like Amazon or Flipkart. A small marketplace does not need every compliance product a national platform buys. A sector map is a superset, not a launch checklist.
What applies from the start, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards (encryption, access control, logging)
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
- ✅ Tokenise or mask card and UPI data end to end. This one is not size-gated; it applies from your first transaction.
What may not apply to you yet
- ❌ The 3-year inactivity erasure regime. This is the Third Schedule regime. It switches on automatically at 2 crore registered users, not before. Below that line you are not obliged to auto-erase accounts that have been inactive for 3 years.
- ❌ The 48-hour pre-erasure notice, which follows from the same 2 crore threshold.
- ❌ SDF obligations. Separate again. These switch on only if the Central Government notifies you as a Significant Data Fiduciary. Crossing 2 crore users triggers the retention regime, but it does not by itself make you an SDF.
- ❌ Annual DPIAs (an SDF obligation)
- ❌ Independent audits (an SDF obligation)
- ❌ Dedicated DPO (an SDF obligation)
Keep the three triggers straight
There are three different lines, and people blur them. The 2 crore mark triggers the Third Schedule retention rules automatically. SDF status is separate and needs Government notification. And the 1-year transaction log duty applies to everyone from day one, including logs for accounts that have since been deleted. Three triggers, three mechanisms. Confusing them is how teams either over-build or miss a basic.
A warning auditors look for
Do not game the threshold. Splitting into multiple branded entities, or narrowing how you count "registered users" to stay under 2 crore, is the first thing an auditor probes. Group structure and your definition of "registered user" both get scrutinised under Section 8.
The better question
The better question is not "does e-commerce have this requirement?"
It is "have I actually triggered this requirement?"
Law creates obligations. Scale and risk shape how you implement them. Confusing the two is how e-commerce startups spend on tools they do not need while missing the basics.
Which obligation do you see e-commerce startups over implementing most? Drop it in the comments.