Everything Shopify store owners need to know about India's Digital Personal Data Protection Act 2023.
₹250 Cr: Max penalty for data breach
72 hrs: Breach notification window
May 2027: Compliance deadline
Yes — if your Shopify store collects personal data from Indian customers (names, addresses, phone numbers, email addresses, payment details), you are a Data Fiduciary under Section 2(i) of the DPDP Act 2023. This applies regardless of your store size.
Checkout data: Name, email, phone, shipping address
Payment data: Razorpay / Stripe transaction references
Account data: Customer login, order history, wishlist
Analytics: IP addresses, device IDs, browsing behaviour
Third-party apps: Review apps, loyalty programs, chat widgets
Shipping processors: Shiprocket, Delhivery — processor liability
Add a DPDP-compliant consent notice at checkout
Must state what data is collected, why, and for how long. Cannot be pre-ticked. Must be in the customer's preferred language.
Handle Data Subject Requests within 72 hours
Customers can request access to their data, correction, or complete erasure. You must respond within the statutory window.
Sign Data Processing Agreements with your processors
Razorpay, Shiprocket, Delhivery, and every third-party app are your Data Processors. You are responsible for their compliance.
Notify DPB within 72 hours of any breach
Any unauthorised access, disclosure, or loss of personal data must be reported to the Data Protection Board of India.
Maintain an audit log
Keep records of every consent event, DSR request, and data processing activity. Minimum retention: 5 years.
EasyDP's Shopify app installs in 10 minutes. Join the beta free.