
Shopify + DPDP Act 2023: the 2026 compliance guide for Indian merchants

India's DPDP Act takes effect 14 May 2027. What it actually requires from Shopify stores — consent, notice, grievance officer, and the audit trail — plus how to be compliant before the deadline without a legal team.

Tags: dpdp, india, shopify, compliance

If you run a Shopify store that ships into India — or just runs Meta Pixel and Google Ads on Indian visitors — you've probably heard about the Digital Personal Data Protection Act 2023 by now. Here's the straight version: the Act passed in August 2023, the DPDP Rules 2025 were notified on 14 November 2025, and substantive obligations on Data Fiduciaries take effect on 14 May 2027. That's roughly eleven months from the date of this post.

This guide covers what DPDP actually requires from a typical Shopify merchant, what Shopify's defaults give you, and the shortest path from "I have no idea what to do" to "I'm covered before May 2027".

Who is in scope?

DPDP applies to anyone — Indian or otherwise — who processes personal data of a Data Principal in India. There is no minimum store size, no revenue threshold, no carve-out for SMBs. If you have one Indian customer, or even one Indian visitor whose IP your analytics pipeline records, you're in scope.

The only meaningful out: if your store has zero Indian visitors and you can demonstrate it (typically by geo-blocking IN traffic at the CDN), DPDP doesn't apply. For ~99% of Shopify stores, it does.

What DPDP actually requires (in plain English)

Strip away the legalese and DPDP boils down to five things:

  1. Issue a notice before or at the moment you collect personal data. The notice must describe what data you're collecting, the purposes, and how the Data Principal can exercise rights. It must be in clear, plain language — English or any of the 22 Eighth-Schedule languages (the most common being Hindi, Bengali, Tamil, Telugu, Marathi).
  2. Obtain consent that is free, specific, informed, unconditional, and unambiguous — language closely modelled on GDPR Article 4(11). A "by using this site you agree" banner is not consent. Pre-ticked checkboxes are not consent. A dismiss-with-X is not consent.
  3. Make withdrawal as easy as giving consent. If clicking Accept All takes one click, withdrawing should also take one click. This kills off most "preferences modal hidden three menus deep" patterns.
  4. Publish a grievance officer contact (DPDP §13). An email or a URL where any Data Principal can raise a concern. The Data Fiduciary must respond within a reasonable time.
  5. Maintain demonstrable evidence of consent. You need to be able to show, after the fact, what notice the visitor saw and what they agreed to. A simple yes/no flag in your database is not enough — that doesn't prove the consent was specific to a particular notice.

If this list feels familiar, that's because four of the five items are also GDPR requirements. The big new one is the grievance officer.

What Shopify gives you out of the box (and what it doesn't)

Shopify ships:

  • A Customer Privacy API for storefront-side consent state. Originally built for GDPR; works just as well for DPDP because the underlying mechanic is the same (consent → toggle scripts).
  • A Privacy Policy generator under Settings → Policies that you can customise.
  • Data subject request handlers for customers/data_request, customers/redact, and related webhooks.

Shopify does not ship:

  • A consent banner.
  • A DPDP-shaped notice (the GDPR templates don't mention rights specific to DPDP, withdrawal, or grievance officer).
  • A grievance officer contact line item in Settings (you have to bolt this on yourself).
  • An audit trail that ties each consent decision to the specific banner text the visitor saw. Shopify records "consent given: yes/no", which is not enough under DPDP §6.

That last point is the most overlooked. If a Data Protection Board investigation asks "what notice did this user agree to on 12 February 2027?", Shopify can't answer. You need a separate consent-management layer.

The minimum viable DPDP setup for a Shopify store

For a typical store, the practical to-do list is:

  1. Install a consent banner that defaults to deny (no analytics or marketing fires until consent), shows distinct Accept All / Reject All / Customise actions, and writes a per-visitor consent record. We obviously recommend Consentico here — it's the lowest-friction option for Shopify and has a one-click India / DPDP mode that handles the next three items for you.
  2. Add a grievance officer contact to the banner notice and to your privacy policy. An email like grievance@yourstore.com is fine; a URL pointing to a contact form is also fine. The DPDP Rules don't require a registered postal address.
  3. Translate the notice to Hindi at minimum. Other Eighth-Schedule languages are nice-to-have but Hindi covers the largest visitor pool. With Consentico, this is automatic for hi/hi-IN browsers.
  4. Update your privacy policy to mention DPDP. The standard addition: name DPDP alongside GDPR/CCPA in the legal-basis section, name your grievance officer, and describe the rights Data Principals have (access, correction, erasure, withdrawal, grievance).
  5. Retain a consent audit trail that captures, for each consent decision: timestamp, visitor pseudonym, IP-derived country, the banner text shown, the categories offered, and the privacy policy URL at decision time. Consentico's policySnapshot field is built for exactly this — it captures the live banner state on every consent click.

That's it. There's no DPB registration step yet (the Data Protection Board commences operations on a date the central government will notify; this hasn't happened as of June 2026). There's no consent-manager registration step for Data Fiduciaries — that's a different licensing regime for a separate category of entity.

Is Consentico a registered Consent Manager?

No, and this matters. The DPDP Rules 2025 introduce a licensed entity called a Consent Manager that brokers consent across multiple Data Fiduciaries — somewhat like an open-banking aggregator but for personal data. Consent Managers must register with the Data Protection Board.

Consentico is not a registered Consent Manager and does not aspire to be one. We're a Data-Fiduciary-side tool — we help your Shopify store collect, log, and honour consent on your storefront. The Consent Manager licensing regime is targeted at standalone aggregator services, not at app-installed banner tools.

If a vendor markets itself to you as "DPDP-registered" or "RBI-approved", ask which category. If they say Consent Manager, verify with the actual public registry; if they say "registered Data Fiduciary", that registration step doesn't yet exist for the category they're claiming.

Penalties

DPDP §33 caps penalties at ₹250 crore (approximately $30M USD) for the most serious violations — failure of significant Data Fiduciaries to take reasonable security safeguards. The smaller-scale penalties are still material:

  • Up to ₹50 crore (~$6M) for failure to notify a personal data breach.
  • Up to ₹50 crore for failure to fulfil obligations relating to children's data.
  • Up to ₹10,000 for a Data Principal furnishing false particulars (this one cuts the other way).

For typical SMB Shopify merchants, first-instance penalties are widely expected by Indian privacy practitioners to land in the lakhs-of-rupees range — material but not catastrophic. The point is that the regime is real: the Data Protection Board has explicit penalty authority, and unlike the pre-DPDP IT Rules, complaints can be filed by any Data Principal, not just the central government.

Timeline

  • Now → 14 November 2026 (12 months from Rules notification): voluntary good-practice posture. No penalty for opting in early. Use this period to roll out the banner, capture audit trails, and update your privacy policy without time pressure.
  • From 14 May 2027 (18 months from Rules notification): mandatory. Substantive obligations on Data Fiduciaries are enforceable. The Data Protection Board's complaint mechanism activates.

The single biggest mistake to make right now is to do nothing because the deadline feels far away. Eleven months pass quickly when you're also running a store. Get the banner in, get the audit trail flowing, and you'll be done before the holiday season.

How Consentico handles DPDP

Consentico ships with an opt-in India / DPDP mode under Settings → Geo. Enabling it:

  • Adds India to the regulated-region gate, so the banner shows for IN visitors (in addition to the EU/UK/CH default).
  • Switches the banner copy to a DPDP-shaped notice that names rights, withdrawal, and your grievance contact.
  • Auto-translates to Hindi for hi/hi-IN browsers; falls through to English for other languages.
  • Captures a policySnapshot on every consent decision — the banner title, description, locale, categories offered, privacy URL, and grievance contact at decision time. That's your audit trail under DPDP §6.

You fill in a single field (your grievance contact) and the rest is automatic. Plan availability: Pro plan and above. Setup takes about 90 seconds.

Get started with Consentico → — free for up to 1,000 banner views per month, no credit card.
