You have built the store, wired up Razorpay, and you are about to run your first ads. Then the payment aggregator asks for your privacy policy, your terms, your refund policy and a proper Contact Us page before it activates your account. Suddenly you are copy-pasting legal text at 1am from a random blog.
On top of that, India now has a real data privacy law. The Digital Personal Data Protection Act (DPDP Act) was passed in 2023, and the detailed DPDP Rules were notified on 13 November 2025. If you collect a customer's name, phone, address or email, and every D2C store does, this law applies to you. It is not just for the big tech companies.
This guide sorts out both problems in one place: which legal pages your store is required to show, what the DPDP Act actually asks of a small brand, and how to get compliant without hiring a law firm. Written by Ravikant Tyagi for founders, not lawyers.
Every Indian D2C store legally needs five pages live before it takes an order: Privacy Policy, Terms of Service, Return/Refund and Cancellation Policy, Shipping Policy, and a Contact Us page with a real address and grievance contact. These are required under the Consumer Protection (E-Commerce) Rules, 2020, and your payment gateway checks them before activating you. On top of that, the DPDP Act 2023 (rules notified Nov 2025, full compliance by 13 May 2027) says you must take clear consent before collecting customer data, tell people what you collect and why, use it only for that purpose, and let them withdraw consent or ask for deletion. Penalties for a serious security failure run up to ₹250 crore, but the practical fix is simple: publish the required pages and collect only the data you actually use.
Why this matters before you take a single order
Two separate rulebooks apply to an Indian online store, and founders confuse them.
The first is the Consumer Protection (E-Commerce) Rules, 2020. These came into force on 23 July 2020 under the Consumer Protection Act, 2019, and they cover what an e-commerce business must disclose to a buyer: who you are, how to reach you, your return and refund terms, and a grievance officer. Miss these and you are non-compliant from day one, plus your payment gateway will not activate you.
The second is the DPDP Act 2023, India's first proper data privacy law. It governs how you collect and handle personal data. The detailed rules were notified on 13 November 2025, with a phased rollout and full compliance expected by 13 May 2027 (EY India). So you have runway, but the direction is clear and the notice-and-consent parts are what a small store must get right first.
You do not need a lawyer to start. You need to understand what each page must say and set up honest data habits. Let's go rule by rule.
The five pages every Indian D2C store must have
Under the E-Commerce Rules, your store must clearly display your legal business name, headquarters address, contact details, and full terms on returns, refunds, exchange, delivery and grievance handling (Department of Consumer Affairs). In practice this maps to five pages, all linked in your footer.
| Page | What it must cover | Why it exists |
|---|---|---|
| Privacy Policy | What personal data you collect, why, how it is stored, who you share it with, and how a customer can access or delete it | DPDP Act notice duty + gateway requirement |
| Terms of Service | Rules of buying from you, pricing, order acceptance, liability limits, governing law | Sets the contract with the buyer |
| Return / Refund & Cancellation Policy | Return window, conditions, refund method, and clear timelines like 5 to 7 working days | Mandatory disclosure under E-Commerce Rules |
| Shipping Policy | Dispatch time, delivery estimate, courier partners, serviceable areas, charges | Mandatory disclosure + sets expectations |
| Contact Us | Real business address, phone, email, and a named grievance officer with contact details | Required; gateway reads this page manually |
One point founders miss: the E-Commerce Rules require a grievance officer. You must display a name and contact, acknowledge any complaint within 48 hours, and resolve it within one month (Consumer Affairs Rules). For a solo founder, that officer is you. Just put your name, email and phone on the Contact Us page.
If you are on Shopify, these live under Settings, then Policies, and you can edit the templates. Do edit them. A refund policy that still says "30 days" when you actually give 7 will burn you in a dispute.
A common mistake: copy-pasting a US store's privacy policy that mentions California rights and a Delaware address, then leaving it live for a year. It reads fake, it does not match Indian law, and it names the wrong data rights. When Razorpay's compliance team opens the page (they genuinely read it before activating your merchant ID), a mismatched or missing policy is a common reason for rejection. The cost is not a fine at your stage. It is a week of delay and a blocked launch while you scramble to rewrite pages you should have set up in an afternoon.
What the DPDP Act actually asks of a small D2C brand
Strip away the jargon and the DPDP Act has a simple spine. If you handle someone's personal data, you are a data fiduciary (the one who decides how data is used). Your customer is the data principal (the person the data belongs to). Personal data is anything that can identify a person: name, phone, email, address, order history.
Here is what the law expects, in founder language.
1. Give a clear notice and take consent
Before you collect data, you must show a plain-language notice that itemises what you collect and exactly why. This notice has to be separate from your long terms of service, not buried inside them (Fisher Phillips). A pre-ticked box does not count as consent. The customer must actively agree.
2. Use data only for the stated purpose (purpose limitation)
Purpose limitation means you use the data only for what you said. You took an email to send an order update, you cannot later sell that list or blast unrelated promotions without fresh consent. If you want to add someone to a marketing newsletter, ask for that specifically.
3. Honour data-principal rights
Customers can ask for a summary of the data you hold, ask you to correct it, and ask you to delete it. They can withdraw consent, and withdrawing must be as easy as giving it. Under the rules, requests like erasure or access must be handled within about 90 days (CookieYes DPDP guide). Practically: give an email like privacy@yourbrand.com and actually answer it.
4. Report serious breaches
If customer data leaks, you must notify affected people and the Data Protection Board. This is where the big numbers live, and it is worth being accurate about them rather than scaring yourself.
Deciding what data to collect at checkout? If you use the field to fulfil, ship, or legally invoice the order (name, address, phone, email) → collect it. If it is "nice to have" for some future idea (date of birth, gender, second phone number) → do not collect it yet. Every extra field is data you must now protect, justify and be able to delete. The safest privacy posture is the smallest honest dataset.
The penalties, stated honestly
You will see "₹250 crore" thrown around online. Here is the real picture so you neither ignore it nor panic.
The DPDP Act sets maximum penalties for specific failures, decided by the Data Protection Board case by case (EY India):
- Up to ₹250 crore for failing to take reasonable security safeguards that lead to a breach.
- Up to ₹200 crore for failing to notify the Board and affected people about a breach, or for failing children-related obligations.
- Up to ₹50 crore for other breaches of duty.
These are ceilings for serious, negligent failures, not automatic fines on a small store with a slightly imperfect page. The rollout is phased, and full enforcement lands by 13 May 2027. So the sane response is not fear. It is basic hygiene: collect little, protect it, publish honest pages, and be reachable. Do that and you are in a strong position well before the deadline.
Launch Readiness Score™ · legal layer: before you spend the first rupee on ads, score yes or no on eight items. Business name and address shown · Contact Us with grievance officer · Privacy Policy that matches what you actually collect · Terms of Service · Refund and Cancellation Policy with real timelines · Shipping Policy · consent taken at signup and checkout, not pre-ticked · a working privacy email. Eight yes means you are launch-ready on the legal layer. Any no is a blocker, not a "later".
Cookies and consent, kept simple
If your store loads Meta Pixel, Google Analytics or any tracker, those drop cookies that collect behaviour data. Under DPDP thinking, that is personal data you need consent for. You do not need a heavy enterprise setup at your stage. A simple cookie banner that lets a visitor accept or reject non-essential cookies, plus a short cookie section in your privacy policy explaining what you run and why, covers the basics for a small D2C store.
Keep the banner honest. Do not make "Reject" a tiny grey link while "Accept" is a giant green button. Regulators worldwide are cracking down on that pattern, and it damages trust with the exact customers you want to keep.
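As an added illustration (not code from this article or from any consent vendor), here is a minimal per-purpose consent record in plain JavaScript that applies the rules above: nothing is granted by default, withdrawal is one call, and a tracker is loaded only when the purpose it serves has been granted. The purpose names, the tracker-to-purpose mapping and the stored-record shape are assumptions for the example.

```javascript
// Added example, not from the article: a per-purpose consent record for a small store.
// Purpose names and the stored-record shape are assumptions for illustration.
const PURPOSES = ['analytics', 'marketing']; // non-essential; shipping an order needs no opt-in here

// Trackers named in the article, each tied to the purpose it serves (mapping is an assumption).
const TRACKERS = [
  { name: 'Meta Pixel', purpose: 'marketing' },
  { name: 'Google Analytics', purpose: 'analytics' },
];

// A fresh visitor has granted nothing: the "never pre-ticked" rule in code form.
function defaultConsent() {
  const granted = {};
  for (const p of PURPOSES) granted[p] = false;
  return { version: 1, updatedAt: null, granted };
}

// Record one explicit choice; unknown purposes are rejected rather than silently stored.
function setConsent(state, purpose, value, now = new Date()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const granted = { ...state.granted, [purpose]: value === true };
  return { ...state, updatedAt: now.toISOString(), granted };
}

// Withdrawing must be as easy as giving: one call clears every non-essential purpose.
function withdrawAll(state, now = new Date()) {
  let next = state;
  for (const p of PURPOSES) next = setConsent(next, p, false, now);
  return next;
}

// Only trackers whose purpose is granted may be loaded; call this before injecting any script tag.
function trackersToLoad(state) {
  return TRACKERS.filter(t => state.granted[t.purpose] === true).map(t => t.name);
}

// Rebuild state from a stored cookie/localStorage string. Anything missing, malformed or
// tampered falls back to "no consent", so a broken record can never unlock a tracker.
function parseStored(raw) {
  const base = defaultConsent();
  try {
    const s = JSON.parse(raw);
    if (!s || typeof s.granted !== 'object' || s.granted === null) return base;
    for (const p of PURPOSES) base.granted[p] = s.granted[p] === true;
    if (typeof s.updatedAt === 'string') base.updatedAt = s.updatedAt;
  } catch (e) { /* fall through to the no-consent default */ }
  return base;
}
```

Wire the banner's Accept and Reject buttons to `setConsent` with equal prominence, persist the result with `JSON.stringify`, and gate every pixel or analytics snippet behind `trackersToLoad` on page load.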
I have watched founders treat legal pages as decoration and treat customer data as free inventory to be mined later. Both backfire. The store that collects a phone number and address, uses them only to ship and update the order, and answers a deletion request within a day builds the kind of trust that lowers RTO and lifts repeat rate. Good privacy is not a cost. It is quietly a retention lever.
What it costs and how long it takes
The legal layer is one of the cheapest things you will set up. Here is the honest range.
| Approach | Cost | Time | Good for |
|---|---|---|---|
| Shopify policy templates, edited yourself | Free (in your plan) | An afternoon | Most early-stage stores |
| Free policy generator + your edits | Free to ₹2,000 | Half a day | Custom builds, WooCommerce |
| A lawyer-reviewed set of pages | ₹8,000 to ₹25,000 | 1 to 2 weeks | Higher-ticket or funded brands |
| Cookie consent tool | Free tier to ₹1,000/mo | An hour | Stores running ad pixels |
Most founders should start with edited templates and upgrade to a lawyer review once revenue justifies it, typically once you are past a few lakh a month or raising money. The mistake is not "cheap pages". The mistake is no pages, or pages that lie about what you do.
- Register your business name and note the exact legal name and address you will display.
- Publish Privacy Policy, Terms, Refund/Cancellation, Shipping, and Contact Us in your footer.
- Put a named grievance officer, email and phone on Contact Us.
- Edit templates so refund windows and shipping timelines match what you actually do.
- Add an active checkbox for consent at signup and checkout (never pre-ticked).
- Add a cookie banner if you run any pixel or analytics tracker.
- Set up a privacy@yourbrand.com and commit to answering data requests within days.
- Audit your checkout: delete every field you do not actually use.
- Run the payment gateway activation only after all pages are live and honest.
Next action
Today, open your store's policy section and check whether all five pages exist and match reality. If any are missing or copied from a US template, fix that first, before you touch your ad account. It is a one-afternoon job that unblocks your entire launch and keeps you clean under both the E-Commerce Rules and the DPDP Act.
Once your legal layer is set, the next money decisions are your tax setup and your returns process, both tied to compliance. Read GST for e-commerce sellers in India and returns, refunds and reverse logistics next. If you are still setting up the store itself, the Shopify store setup guide shows where these pages plug in, and how to start a D2C brand in India covers the full launch order. When you are ready to spend on acquisition, your unit economics decide whether that spend is safe.
If you'd like the complete execution system, calculators, SOPs, templates and operating frameworks behind this process, continue inside D2C Acquisition.Lab.
