Shopify is the platform of choice for thousands of Indian D2C brands. If your store has Indian customers — whether you're based in India or abroad — you're covered by the DPDP Act 2023. This is your complete compliance checklist.
Why Shopify Stores Are Covered
Your Shopify checkout collects name, email, phone, and delivery address for every order. That's personal data under Section 2(t) of the DPDP Act. Your store is a Data Fiduciary and every customer is a Data Principal whose rights must be respected.
Additionally, your Shopify store almost certainly uses third-party apps and services that handle customer data: Razorpay or PayU for payments, Shiprocket or Delhivery for fulfillment, Klaviyo or WhatsApp for marketing, Google Analytics or Meta Pixel for advertising. Each of these is a Data Processor acting on your behalf, and under Section 8(1) you remain responsible for compliance in respect of any processing they carry out for you, whatever their own terms say.
The Compliance Checklist
✅ 1. Consent at Checkout
Add a DPDP-compliant consent checkbox to your Shopify checkout. This checkbox must:
- Not be pre-checked (Section 6 requires a clear affirmative action; a pre-ticked box, or consent bundled into another acceptance, is not valid consent)
- Link to your Privacy Notice
- State what data is collected and why
- Be separate from your Terms & Conditions acceptance
In Shopify, you can add this via the checkout customization settings (Shopify Plus) or via a consent app. EasyDP's Shopify app adds this automatically.
✅ 2. Publish a DPDP-Compliant Privacy Notice
Your existing privacy policy likely doesn't meet DPDP requirements. Under Section 5, your notice must state:
- What personal data is collected (enumerate: name, email, phone, address, payment data, browsing behaviour via pixel)
- The specific purpose for each type of data
- Which Data Processors you share data with (list them: Razorpay, Shiprocket, Klaviyo etc.)
- How long you retain data and the deletion policy
- How customers can exercise their rights (access, correction, erasure, withdrawal of consent)
- Contact method for data requests
✅ 3. Data Processor Agreements
As the Data Fiduciary, you are responsible for ensuring your Data Processors (apps and services that handle customer data) comply with DPDP obligations, and Section 8(2) only permits you to engage a processor under a valid contract. Review each app's terms and check whether it offers a Data Processing Agreement (DPA) or equivalent contractual terms that cover Indian customer data. Prioritise:
- Payment gateways (Razorpay, PayU, Cashfree)
- Fulfillment and shipping (Shiprocket, Delhivery, EcomExpress)
- Email and SMS marketing tools
- Analytics and advertising pixels (Meta, Google)
✅ 4. Set Up a DSR (Data Subject Request) Process
Customers can ask to see their data, correct it, or delete it. You need a documented process to handle these requests. At minimum:
- A contact email or form specifically for data requests
- A process to retrieve and export a customer's data from Shopify and all connected apps
- A process to delete data across Shopify, your email tool, and your fulfillment system
- A target response time (the Act sets no fixed deadline, so publish the period you commit to in your privacy notice and hold yourself to it; aim for 7 days, 30 at most)
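The retrieve-and-delete steps above are easier to reason about once you see how Shopify itself propagates them. When a merchant uses the admin's data request or erasure actions, Shopify sends the `customers/data_request` and `customers/redact` webhooks to every installed app (and `shop/redact` 48 hours after an app is uninstalled). The following is an added example, not code from the original page or from EasyDP: a handler for those topics that first verifies Shopify's signature (base64 of HMAC-SHA256 over the raw body, compared against the `X-Shopify-Hmac-Sha256` header), then exports or deletes the customer's records from an in-memory stand-in for an email tool and a fulfilment system. The secret, the store contents and the sample payloads are all constructed for the example. Skipping the signature check would let anyone who knows your endpoint trigger exports or deletions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the app's client secret from the Shopify Partner dashboard (constructed value).
WEBHOOK_SECRET = b"shpss_example_secret_do_not_use"

# Constructed sample payloads in the shape Shopify sends for these topics
# (customers/data_request additionally carries "orders_requested" and "data_request").
SAMPLE_CUSTOMER_PAYLOAD = json.dumps({
    "shop_id": 954889,
    "shop_domain": "example-store.myshopify.com",
    "customer": {"id": 1001, "email": "asha@example.com", "phone": "+919800000000"},
    "orders_to_redact": [299938, 280263],
}).encode()
SAMPLE_SHOP_PAYLOAD = json.dumps({
    "shop_id": 954889,
    "shop_domain": "example-store.myshopify.com",
}).encode()


def make_stores():
    """Constructed stand-in for the merchant's connected systems, keyed by system
    name, then by Shopify customer id (as a string). Each record notes which shop
    it belongs to so a multi-tenant app can scope deletions correctly."""
    return {
        "email_tool": {
            "1001": {"shop": "example-store.myshopify.com", "email": "asha@example.com", "lists": ["newsletter"]},
        },
        "fulfilment": {
            "1001": {"shop": "example-store.myshopify.com", "address": "12 MG Road, Bengaluru"},
            "2002": {"shop": "example-store.myshopify.com", "address": "5 Park Street, Kolkata"},
        },
    }


def sign_body(raw_body: bytes, secret: bytes) -> str:
    """What Shopify does server-side: base64(HMAC-SHA256(secret, raw body))."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode("ascii")


def verify_shopify_hmac(raw_body: bytes, header_value, secret: bytes) -> bool:
    """Check X-Shopify-Hmac-Sha256 over the *raw* bytes, before any JSON parsing,
    using a constant-time comparison."""
    expected = sign_body(raw_body, secret)
    try:
        return hmac.compare_digest(expected, header_value or "")
    except TypeError:  # a non-ASCII header value can never be a valid base64 digest
        return False


def handle_compliance_webhook(topic, raw_body, hmac_header, stores, secret=WEBHOOK_SECRET):
    """Dispatch Shopify's mandatory compliance topics. Returns the HTTP status to
    send back and a description of what was done."""
    if not verify_shopify_hmac(raw_body, hmac_header, secret):
        # Reject before touching the payload: an unsigned request must not be able
        # to export or delete anything.
        return {"status": 401, "action": "rejected"}

    payload = json.loads(raw_body)
    shop = payload["shop_domain"]

    if topic == "customers/data_request":
        customer_id = str(payload["customer"]["id"])
        export = {
            name: records[customer_id]
            for name, records in stores.items()
            if customer_id in records and records[customer_id]["shop"] == shop
        }
        return {"status": 200, "action": "export", "customer_id": customer_id, "data": export}

    if topic == "customers/redact":
        customer_id = str(payload["customer"]["id"])
        deleted_from = []
        for name, records in stores.items():
            rec = records.get(customer_id)
            if rec is not None and rec["shop"] == shop:
                del records[customer_id]
                deleted_from.append(name)
        return {"status": 200, "action": "redact", "customer_id": customer_id, "deleted_from": deleted_from}

    if topic == "shop/redact":
        # Sent 48 hours after uninstall: drop everything held for that shop.
        removed = 0
        for records in stores.values():
            for cid in [cid for cid, rec in records.items() if rec["shop"] == shop]:
                del records[cid]
                removed += 1
        return {"status": 200, "action": "shop_redact", "records_removed": removed}

    return {"status": 400, "action": "unknown_topic"}


if __name__ == "__main__":
    stores = make_stores()
    header = sign_body(SAMPLE_CUSTOMER_PAYLOAD, WEBHOOK_SECRET)
    print(handle_compliance_webhook("customers/data_request", SAMPLE_CUSTOMER_PAYLOAD, header, stores))
    print(handle_compliance_webhook("customers/redact", SAMPLE_CUSTOMER_PAYLOAD, "forged", stores))
    print(handle_compliance_webhook("customers/redact", SAMPLE_CUSTOMER_PAYLOAD, header, stores))
```

Two points carry over to a real deployment: verify against the raw request bytes your framework received, not a re-serialised JSON object (re-serialisation changes whitespace and key order and the digest no longer matches), and log each export and deletion with a timestamp so you can show the Board what was done and when.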
✅ 5. Implement Data Retention and Deletion Policies
You cannot keep customer data indefinitely. Define:
- How long you keep order data (commonly 7 years for tax purposes)
- How long you keep marketing data (the DPDP Rules impose a three-year inactivity limit on very large e-commerce platforms, after which the data must be erased, with the customer warned at least 48 hours beforehand; treating three years of inactivity as the outer bound for any customer is the safe default even if that rule does not yet apply to you)
- An auto-deletion process for inactive customer accounts
✅ 6. Prepare a Breach Response Plan
If customer data is ever compromised (a hack, a misconfigured database, an employee error), Section 8(6) requires you to notify both the Data Protection Board and every affected customer, and there is no materiality threshold: every breach counts. The DPDP Rules set the clock, requiring affected customers to be told without delay and the Board to receive full details within 72 hours of you becoming aware of the breach. Prepare now:
- Know who in your team handles breach response
- Have the DPB notification process ready (via the DPB portal)
- Have a draft customer notification email/WhatsApp ready
✅ 7. Review Your Marketing Consent
The opt-in checkbox at checkout must explicitly cover marketing communications. A customer who consents to "order processing" has NOT consented to promotional WhatsApp messages. You need separate consent for marketing — either at checkout or at sign-up.
✅ 8. Handle Shopify's Built-In Customer Data
Shopify stores customer data in its admin panel indefinitely by default. You need to:
- Use Shopify's per-customer "Request customer data" and "Erase personal data" actions for access and erasure requests; Shopify relays these to installed apps through its customers/data_request and customers/redact webhooks, but services you integrated outside the Shopify app framework (a CSV export to an agency, a self-hosted CRM) still need to be handled manually
- Use Shopify's customer privacy settings to restrict data sharing
- Configure a cookie consent banner (Shopify's own Customer privacy settings provide a basic one; use a consent app if you need per-category choices or a consent log)
Get Compliant in 10 Minutes with EasyDP
EasyDP's Shopify app handles items 1, 3, 4, and 7 automatically after a one-click install. The app adds a DPDP consent checkbox to checkout, creates a DSR handling portal for your customers, generates your privacy notice, and logs all consents with timestamps. Shopify merchants are typically live and compliant in under 10 minutes.