An e-commerce business in India does not answer to one regulator. It answers to at least six — the Central Consumer Protection Authority (CCPA), the Data Protection Board, the Reserve Bank of India (RBI), the Bureau of Indian Standards (BIS), the Food Safety and Standards Authority of India (FSSAI) and the GST administration — each enforcing a different statute with its own disclosure duties, timelines and penalty scales. The obligations sort into five pillars: consumer protection, data privacy, product liability and advertising, payments and tax, and platform governance. None is optional, none can be deferred to a later funding round, and the cost of getting one wrong now runs from lakh-level compounding to penalties of Rs 250 crore, delisting orders and criminal exposure for management.
Pillar One: Consumer Protection and the E-Commerce Rules
The Consumer Protection (E-Commerce) Rules, 2020, notified on 23 July 2020 under the Consumer Protection Act 2019 and amended on 17 May 2021 to reach entities incorporated abroad that offer goods or services to Indian consumers, are the sector's baseline rulebook. Violations are treated as contraventions of the parent Act, exposing entities to penalties that can extend to Rs 10 lakh and suspension of business.
Classification comes first
The Rules distinguish marketplace e-commerce entities — platforms on which third-party sellers transact, in the manner of Amazon or Flipkart — from inventory e-commerce entities, which own their stock, sell directly and are treated as ordinary sellers for all compliance purposes. The classification is not a labelling exercise: it drives FDI ceilings, GST treatment and liability exposure across the rest of the framework.
Disclosures and grievance redressal
Marketplace operators must prominently publish seller particulars: business name and address, customer care contacts, and seller ratings and feedback. They must obtain undertakings from sellers that product descriptions and images correspond to the actual appearance, nature, quality and features of the goods, that advertisements match real characteristics and usage conditions, and that price, warranty, delivery and return-and-refund information is transparently displayed. Country of origin must be clearly marked, and the government has proposed making country-of-origin filters mandatory on platforms.
Every e-commerce entity must also maintain a grievance redressal mechanism with a named grievance officer whose designation and contact details are displayed on the platform. Complaints must be acknowledged within 48 hours and resolved within one month of receipt, and the mechanism must be easily accessible and integrated with the National Consumer Helpline. For marketplaces the responsibility is joint: the platform cannot shift grievance handling onto the seller.
Thirteen dark patterns and a self-audit mandate
The CCPA's Guidelines for Prevention and Regulation of Dark Patterns, issued on 30 November 2023, prohibit thirteen manipulative design practices on e-commerce platforms: false urgency, basket sneaking, confirm shaming, forced action, subscription traps, interface interference, bait and switch, drip pricing, disguised advertisements, nagging, trick questions, unauthorised recurring "SaaS billing" charges and rogue malware. Deploying any of them is an unfair trade practice under the Consumer Protection Act 2019. By an advisory of 5 June 2025, the CCPA required every platform to self-audit for dark patterns within three months and issue a self-declaration that its interfaces are free of them.
Enforcement is no longer theoretical
The CCPA, established on 24 July 2020, had by March 2026 issued 477 class-action notices, imposed penalties aggregating Rs 3,00,40,500 and closed 177 cases with Rs 1,56,10,500 in penalties realised. Recent actions include notices over misleading discount and product-quality advertising; orders and consumer advisories on goods failing mandatory safety standards, from helmets and pressure cookers to gas cylinders and household electrical appliances; compounding of Rs 1.03 crore for non-declaration of country of origin, MRP and net quantity under the Legal Metrology (Packaged Commodities) Rules 2011; the delisting of 13,118 car seat-belt alarm stopper clips from major platforms; and mandatory removal of pre-ticked consent boxes that implemented forced-consent dark patterns.
The BIS has been similarly active, conducting 79 search-and-seizure operations during 2024–25 at e-commerce warehouses and seller premises connected with Amazon, Flipkart, Meesho, Myntra, BigBasket and Blinkit. Categories under mandatory BIS certification — electronic appliances such as power banks, chargers and laptops, toys and children's products, pressure cookers, cooking gas cylinders, safety helmets and electrical installation materials — cannot lawfully be listed without valid certification. Non-certified listings face removal, and sellers face compounding of penalties under the BIS Act 2016.
Pillar Two: Data Protection under the DPDP Act
The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) received Presidential assent on 11 August 2023 and was brought into force on 13 November 2025 alongside the Digital Personal Data Protection Rules, 2025. It applies to digital personal data processed within India and to processing outside India connected with offering goods or services to individuals in India — which places cross-border e-commerce squarely within scope. In the Act's scheme, the platform is a data fiduciary, the customer a data principal, and the cloud, analytics and logistics vendors processing data on the platform's behalf are data processors.
Consent that actually means consent
Consent under Section 6 must be free, specific, informed, unconditional and unambiguous, signified by clear affirmative action — an opt-in. Pre-ticked boxes are invalid, and consent cannot be bundled with acceptance of unrelated terms. Section 5 requires a notice, preceding or accompanying every consent request, stating the personal data to be processed, the purpose, the rights available to the user and the route for complaining to the Data Protection Board.
The Act enforces data minimisation through an unusual mechanism: consent extending beyond what is necessary for the stated purpose is void to the extent of the excess. The statute's own illustration is a telemedicine app that seeks access to a user's contact list; even if the user agrees, that portion of the consent fails because contact-list access is unnecessary to the service. The e-commerce analogue is a platform seeking consent to process payment card data for marketing beyond the transaction — the excess is simply invalid.
Retention, erasure and processor contracts
Section 8 requires erasure when the user withdraws consent or when the specified purpose is no longer served, whichever comes first, unless retention is required by law — tax and GST obligations can require retention for six years in certain cases. The DPDP Rules 2025 add a hard ceiling for the largest platforms: e-commerce entities and social media intermediaries above the prescribed registered-user threshold must not retain personal data for more than three years after the user's last interaction, absent a legal mandate.
Data processors may be engaged only under valid written contracts that hold the processor accountable to the platform for compliance with the Act, restrict processing to the platform's instructions and require appropriate security measures. The fiduciary remains answerable for its processors; the contract can allocate cost, but it cannot shift statutory responsibility.
Rights, significant data fiduciaries and breach duties
Data principals hold a right of access to a summary of their data and the identities of every entity with which it has been shared; rights of correction, completion and erasure; a right to grievance redressal through readily available mechanisms; and a right to nominate a person to exercise these rights after death or incapacity (Sections 11 to 14).
Platforms designated significant data fiduciaries — a status the Central Government confers by reference to the volume and sensitivity of data processed, risk to data principals' rights, and implications for sovereignty, electoral democracy and security — carry an additional layer: an India-based Data Protection Officer answerable to the board of directors, an annual data protection impact assessment, an annual independent audit and demonstrable security safeguards.
On discovering a personal data breach — a term covering unauthorised processing, accidental disclosure, acquisition, sharing, alteration, destruction or loss of access — the platform must notify the Data Protection Board without undue delay, file an updated report within 72 hours setting out remedial action and findings, and promptly inform affected users through registered communication channels.
The penalty schedule
| Breach | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards, resulting in a data breach | Rs 250 crore |
| Failure to notify the Board or affected data principals of a breach | Rs 200 crore |
| Breach of obligations relating to children's data (Section 9) | Rs 200 crore |
| Breach of significant data fiduciary obligations (Section 10) | Rs 150 crore |
| Breach of any other provision of the Act or the Rules | Rs 50 crore |
In fixing penalties the Board weighs the nature, gravity and duration of the breach, the type and sensitivity of the data affected, repetition, gains realised or losses avoided, mitigation efforts and deterrence. The Act also retires the old regime: Section 43A of the IT Act 2000, the earlier remedy of damages up to Rs 5 lakh for negligent handling of sensitive personal data, stands omitted, though the 2011 sensitive-personal-data rules retain residual relevance for legacy assessments and where sectoral regulators still reference their standards.
There is no general data localisation mandate. Section 16 permits the Central Government to restrict transfers of personal data to notified countries; as of June 2026 no such restriction had been notified, though sectoral regulators such as the RBI and SEBI impose their own localisation requirements within their domains.
Pillar Three: Product Liability and Advertising Standards
Liability runs down the supply chain
Chapter VI of the Consumer Protection Act 2019 creates a statutory product liability regime with distinct heads of liability for product manufacturers, product sellers and product service providers, and imposes joint and several liability across the chain — manufacturer, importer, distributor, seller and e-commerce platform alike.
A manufacturer answers for manufacturing defects, design defects, deviation from manufacturing specifications, failure to meet an express or implied warranty and inadequate safety instructions or warnings. An e-commerce entity answers as a seller where it exercises significant control over the design, testing, manufacturing, packing or labelling of goods — a quality-guarantee badge or "platform verified" stamp can suffice; where it modified the product and the modification caused the injury; where it issued its own express guarantee that the product failed to meet; where the manufacturer cannot be located, served or made to satisfy a judgment, in which case the seller steps into the manufacturer's shoes; or where it failed to exercise reasonable care in inspection or maintenance, or failed to pass on the manufacturer's warnings at sale.
Counterfeits: the platform cannot look away
Recent precedent requires marketplaces to verify seller authenticity and product compliance at onboarding and continuously during listing, and forbids passivity once the platform is aware of counterfeit or non-compliant goods. In Hamdard National Foundation (India) v. Amazon India, the court required Amazon to delist Rooh Afza products originating from Pakistan and not manufactured by the Indian trademark owner once it was put on notice, applying the E-Commerce Rules' requirements of accurate product information and seller verification. After notice, removal, stay-down measures and enhanced monitoring of repeat infringers become obligatory rather than discretionary.
The sectoral gates: FSSAI, BIS, Legal Metrology, Drugs and Cosmetics
Food commerce runs through the Food Safety and Standards Act 2006 and the FSSAI's 2011 regulations. Sellers must be registered food business operators, and every packaged food listing must declare manufacturer and packer details, ingredients and allergens, nutritional information per 100g, net quantity in metric units, dates of manufacture and expiry, the manufacturer's licence number, colourants and additives, storage instructions and import details where applicable. FSSAI advisories hold platforms jointly liable for sales by unlicensed operators, listings without mandatory declarations, and expired or contaminated food.
The Legal Metrology (Packaged Commodities) Rules 2011 require every packaged commodity sold online to display accurate net quantity in metric units, MRP, the manufacturer's or packer's name and address, country of origin, date of manufacture or packing, instructions for use and a consumer grievance address — the head under which the CCPA has already compounded offences worth Rs 1.03 crore against platforms.
Health and beauty products attract the Drugs and Cosmetics Act 1940: sourcing only from licensed manufacturers, valid pharmacy licences for medicine sellers, sale only of approved drugs, compliant packaging and labelling, and display of the drug licence number, batch number and manufacture and expiry dates on listings.
Misleading advertising and ASCI's caseload
An advertisement is misleading under the 2019 Act if it falsely represents a product's characteristics, quality, durability, performance or safety, makes false claims about the manufacturer, origin or approvals, deploys deceptive comparative claims, or omits material facts — selling secondhand goods as new being the classic example. The Advertising Standards Council of India (ASCI), the self-regulatory body with a statutory backstop in the Cable TV Networks (Regulation) Act 1994, reported for 2024–25 that 94% of violative advertisements appeared on digital media (Meta platforms 79%, websites 12%, Google 2%, e-commerce 1%), that misleading product descriptions and unsafe products were the most common e-commerce violations, and that offshore betting and gambling advertisements reported to government surged to 3,081 from 1,311 the previous year. Voluntary compliance with ASCI orders runs at 83%; roughly 14% of violations are escalated to the CCPA and other regulators.
Pillar Four: Payments, GST and the Cross-Border Rules
Registration and tax collected at source
GST registration is mandatory for e-commerce operators regardless of turnover: Section 24(x) of the CGST Act 2017 removes the threshold exemption, so registration must precede the first transaction. Where the operator collects payment from buyers and remits it to sellers, Section 52 requires tax collection at source (TCS) at 0.5% of the net value of taxable supplies — 0.25% CGST plus 0.25% SGST on intra-state supplies, 0.5% IGST on inter-state supplies — the rate having been halved from 1% by Notification No. 15/2024-Central Tax with effect from 10 July 2024. Net value is the aggregate of taxable supplies made through the operator in the month, less supplies returned in that month. Collections must be deposited within ten days of month-end, and the operator must file the monthly GSTR-8 return by the 10th of the following month, itemising supplies facilitated and TCS collected per supplier; the supplier's credit then flows through GSTR-2B into its electronic cash ledger.
Where more than one operator sits in a single transaction — the ONDC pattern — Circular No. 194/06/2023-GST fixes the obligation on the seller-side operator that ultimately releases payment to the supplier. If a buyer-side operator collects Rs 1,000, deducts its commission and remits Rs 900 to a seller-side operator, which pays the supplier Rs 850 after its own fees, the seller-side operator collects the TCS. Composition-scheme taxpayers are barred by Section 10(2)(d) of the CGST Act from selling through TCS-collecting operators and must take regular registration.
When the platform is the supplier
For services notified under Section 9(5) of the CGST Act, the operator is deemed the supplier and pays the full GST itself — no TCS, no GSTR-8, reporting through the regular GSTR-1, with input tax credit available on related inputs:
| Notified service | GST borne by the operator | Examples |
|---|---|---|
| Restaurant food delivery | 5% (2.5% CGST + 2.5% SGST) | Swiggy, Zomato, cloud kitchens |
| Cab and auto rides | 5% (2.5% CGST + 2.5% SGST) | Uber, Ola |
| Accommodation up to Rs 7,500 per night | 12% | OYO, MakeMyTrip |
Hybrid operations must apply both mechanisms: a platform facilitating notified food-delivery services pays full GST on that leg, while collecting TCS on supplies falling outside Section 9(5).
Payment aggregators under the RBI rulebook
Payments compliance flows from the RBI's circular of 18 March 2020 and its Master Direction on Payment Aggregators and Payment Gateways of December 2021, updated in March 2025. A payment aggregator acquires merchants and processes payments on their behalf without holding merchant funds as its own; a payment gateway supplies the technology that encrypts and transmits payment data and never handles funds. Non-bank aggregators must be registered with the RBI and maintain the prescribed minimum capital. All aggregators and gateways must adopt PCI-DSS 3.2 or higher for card data, implement API security standards, undergo annual third-party security audits, carry cyber liability insurance and resolve customer grievances within 30 days. Merchant monies must sit in a nodal (escrow) account with an authorised bank — never the aggregator's own account — with settlement to merchants within T+2 days and monthly reconciliation statements.
The platform carries its own duties: due diligence before integrating a payment provider, verification of the aggregator's registration on the RBI website, maintenance of transaction audit trails, fraud detection and monitoring for suspicious patterns, and reporting of cybersecurity incidents to CERT-In within six hours. Through 2023–24 the RBI issued warnings and directions to non-compliant aggregators for inadequate security, delayed settlement and poor grievance redressal, with particular attention to smaller entities lacking capital and security infrastructure.
FEMA and the FDI perimeter
Cross-border trade brings the Foreign Exchange Management Act into play. Goods imported by Indian customers must clear customs and duty, with remittances routed through authorised dealer banks. Indian sellers exporting through platforms must realise export proceeds in foreign exchange within the prescribed window — six to nine months of shipment under the commodity export provisions — and file export declarations with customs. Service exporters must likewise receive payment in foreign exchange.
On the investment side, Press Note 2 of 2018 keeps the two business models on separate tracks. The marketplace model is open to 100% FDI on conditions: the platform cannot own inventory, cannot give preferential treatment to sellers in which it holds an interest, cannot mandate exclusive supply arrangements, cannot control sellers' pricing and must deal at arm's length. FDI in inventory-based e-commerce is restricted. Foreign-funded platforms must maintain the supporting record — incorporation certificates showing promoter and director nationality, shareholding patterns with beneficial ownership disclosure, and company secretary certifications of adherence to the FDI norms. Non-compliance can trigger divestment orders, suspension of operations, cancellation of GST registration and suspension of foreign inward remittance certificates.
Pillar Five: Safe Harbour, Intellectual Property and the Seller Agreement
Section 79's conditional shield
Section 79 of the Information Technology Act 2000 exempts intermediaries, e-commerce platforms included, from liability for third-party content — but conditionally. The platform must lack actual knowledge of the illegality; must act without recklessness or gross negligence once it receives actual knowledge or notice; must observe the due diligence prescribed by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021; and must not derive a financial incentive directly attributable to the specific unlawful content.
Within its conditions, the shield covers seller-listed counterfeits, third-party copyright and trademark infringement, defamatory user content, sellers' consumer-law violations and breaches of third-party data. It does not cover the platform's own conduct: its own use of customer data (discriminatory pricing, for instance), active conduct approximating a seller's — authenticity guarantees, order fulfilment, inventory control — failure to honour government or judicial removal orders, or fraud perpetrated by the platform itself.
Due diligence under the IT Rules 2021
To keep the shield, the IT Rules 2021 — amended repeatedly since notification, with a comprehensive 2026 update addressing synthetic content — demand published, transparent terms of use defining prohibited content, user conduct expectations and enforcement consequences; a privacy policy aligned with the DPDP Act; and a grievance apparatus stricter than the consumer-law one. A designated grievance officer with published contact details must acknowledge complaints within 24 hours and resolve them within 15 days (30 for complex matters, with reasons recorded), with an appellate route and multiple access channels. A nodal officer must be available around the clock for law enforcement coordination — non-compliance with lawful requests itself forfeits safe harbour. Complaint handling must be documented and time-stamped, records maintained for 180 days, and complaint volumes reported in monthly transparency reports. For high-risk content categories, platforms must run detection and filtering, escalate criminal content to law enforcement and apply progressive enforcement — warning, temporary suspension, permanent ban — to repeat offenders.
From notice-and-takedown to tiered liability
On trademark and copyright, the case law of 2023–24 has moved from a purely reactive notice-and-takedown model to a tiered assessment of the platform's involvement. A pure intermediary — no knowledge of infringement, no preferential treatment of counterfeit sellers, prompt removal on notice — keeps its immunity. A platform that participates actively — authenticity guarantees and quality badges that influence consumers, fulfilment and warehousing services, ranking algorithms that favour counterfeit products — loses it, steps into the seller's shoes and becomes directly liable for infringement and damages. Specific notice creates duties even for the passive: heightened verification, stay-down measures preventing relisting by the same seller, and enhanced monitoring of repeat offenders, with removal mandatory rather than discretionary for high-risk categories such as luxury goods, health products and goods regulated under the Drugs and Cosmetics Act.
In Amazon Seller Services Pvt Ltd v. Jaspreet Kaur (High Court, 20 February 2024), the court reiterated that Section 79 confers conditional immunity only: an intermediary cannot claim blanket protection from seller misconduct once put on notice. Losing the shield means joint and several liability for the seller's infringement, damages awards to trademark owners that have exceeded Rs 50 lakh in individual cases, criminal liability where counterfeit goods offend penal statutes, and interim orders reaching the platform's own operations, from website blocking to suspension of payment processing.
The seller agreement as compliance infrastructure
Much of this pillar is drafted rather than litigated. Seller agreements should carry representations and warranties of product authenticity, clear title and statutory compliance across the applicable regimes — consumer protection, BIS standards, FSSAI requirements, the Drugs and Cosmetics Act, weights-and-measures rules and packaging norms; a robust indemnity covering claims by trademark owners, consumers, regulators and other third parties, with the seller bearing legal costs and damages; compliance obligations including GST registration disclosure, licence and certification disclosure and six-year record-keeping; a data processing agreement aligned with the DPDP Act wherever the seller handles customer personal data, including breach notification to the platform; an intellectual property warranty over listings, descriptions and images, together with a licence for the platform's marketing use; and a graduated termination architecture — immediate suspension for counterfeits and safety hazards, thirty days' notice to cure remediable breaches. Caps on the platform's own liability (commonly pegged to twelve months of fees earned from the seller) and exclusions of consequential loss are usual, to the extent enforceable under the Indian Contract Act 1872.
The Sale of Goods Act 1930 adds implied conditions of merchantable quality, fitness for a known purpose and good title. Breach of these conditions by sellers flows through to consumer-facing liability for the platform — which is precisely why the contract must push compliance upstream.
Scale Raises the Stakes
The framework tightens as a platform grows. Designation as a significant data fiduciary brings the Data Protection Officer, impact assessment and audit obligations. CCPA enforcement intensity tracks platform prominence and consumer complaint volume. Non-compliance can cascade into penalties, suspension, delisting and criminal exposure for senior management. The Competition Commission of India's inquiries into major platforms — over exclusive fulfilment arrangements, seller preferencing and category pricing — remain pending, with final orders expected in late 2026.
Where the Framework Is Still Settling
Several edges remain provisional. Procedural detail under the DPDP Rules 2025, including impact assessment formats and consent manager registration, awaits further government guidance. The 2026 update to the IT Rules, addressing synthetic content and algorithmic amplification, was published in April 2026 with implementation timelines still unclear. The RBI's March 2025 update to the payment aggregator regime is still bedding in among smaller providers. The CCPA has published no methodology for penalty quantum, which keeps risk assessment approximate. And the meaning of "preferential treatment" and "related sellers" under Press Note 2 continues to vary case by case.
Practical Takeaways
- Classify before launch. Business model (marketplace or inventory), user geography, product categories and funding source determine which of the five pillars bind hardest — FDI ceilings, GST mechanism, sectoral certification and data obligations all follow from this classification.
- Build grievance machinery to the strictest applicable timeline. The consumer rules demand 48-hour acknowledgment and 30-day resolution; the IT Rules demand 24-hour acknowledgment and 15-day resolution. Appoint the grievance and nodal officers and publish their details.
- Rebuild consent flows for the DPDP Act. Granular opt-in consent per purpose, plain-language notices, erasure workflows keyed to withdrawal and retention limits, processor contracts, and a breach notification SOP covering the Board, the 72-hour report and user communication.
- Gate regulated categories at onboarding. Verify FSSAI licences for food, BIS certification for regulated goods and drug licences for health products before listing; maintain proof; and operate a notice-to-delisting escalation with stay-down for repeat offenders.
- Get the GST classification right. Determine whether each service leg falls under Section 52 (TCS) or Section 9(5) (deemed supplier); deposit TCS within ten days; file GSTR-8 monthly; and integrate only RBI-registered payment aggregators with current PCI-DSS certification and escrow arrangements.
- Paper the seller relationship. Warranties, indemnities, GST and licence disclosure, DPDP-aligned data processing terms and graduated termination rights are the platform's first line of defence — and documented seller verification is its best answer to counterfeit liability.
- Calendar the compliance cadence. Track CCPA enforcement and advisory deadlines monthly, audit consent and breach readiness quarterly, audit seller contracts and licence renewals semi-annually, and certify shareholding and FDI compliance (and run the data protection impact assessment, where applicable) annually.
Key Authorities
- Consumer Protection (E-Commerce) Rules, 2020 (notified 23 July 2020, amended 17 May 2021) — disclosure, grievance redressal and marketplace obligations. Source
- Digital Personal Data Protection Act, 2023 (No. 22 of 2023) — consent, data fiduciary obligations and the penalty schedule. Source
- Consumer Protection Act, 2019, Chapter VI — statutory product liability of manufacturers, sellers and service providers, with joint and several liability along the supply chain.
- Information Technology Act, 2000, Section 79, read with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — conditional safe harbour and due diligence obligations.
- Central Goods and Services Tax Act, 2017, Section 52; Notification No. 15/2024-Central Tax (10 July 2024); Circular No. 194/06/2023-GST — TCS mechanics for e-commerce operators. Source
- Amazon Seller Services Pvt Ltd v. Jaspreet Kaur, High Court, 20 February 2024 — Section 79 immunity is conditional; no blanket protection once the intermediary is put on notice. Source
- Hamdard National Foundation (India) v. Amazon India — platform required to delist unauthorised-origin products on notice, applying the E-Commerce Rules' seller verification requirements.
- CCPA, Guidelines for Prevention and Regulation of Dark Patterns, 2023 (30 November 2023) and Advisory of 5 June 2025 mandating platform self-audits. Source
- RBI, Master Direction on Payment Aggregators and Payment Gateways (December 2021, updated March 2025), with the circular of 18 March 2020 — registration, security, escrow and settlement norms.
- ASCI, Annual Complaints Report 2024–25 (14 May 2025) — digital advertising violation data. Source
- Government of India, Ministry of Consumer Affairs, Lok Sabha Unstarred Question No. 5415 (25 March 2026) — CCPA and BIS enforcement statistics. Source
This analysis reflects the law as at June 2026. It is published for general information and does not constitute legal advice.