BIS Draft Guidelines for E-Commerce: Safeguarding Personal Data

By Advocate Sri M G Kodandaram, IRS

Introduction

India’s e-commerce sector has grown rapidly in recent years and is now a significant contributor to economic development. Despite this progress, the sector has long lacked a comprehensive regulatory framework, owing to its fragmented and unorganised structure. The result has been recurring consumer deception and fraud arising from inadequate compliance with consumer protection law. Frequent personal data breaches have compounded the risk to consumers, since the Digital Personal Data Protection Act, 2023 has not yet been brought into force and no dedicated authority is presently operating to safeguard personal data.

To establish order and accountability, the Ministry of Consumer Affairs, Food and Public Distribution notified the Consumer Protection (E-Commerce) Rules, 2020. While these Rules laid the groundwork for consumer rights and business accountability, they did not offer an all-inclusive governance model, leaving critical areas such as fair trade practices, data security (including the security of personal data) and ethical business conduct insufficiently addressed. Recognising this gap, the Bureau of Indian Standards (BIS) has circulated, for feedback from stakeholders, a Draft Indian Standard ‘E-Commerce – Principles and Guidelines for Self-Governance’ (hereinafter ‘Guidelines’ for brevity), which provides a structured approach to the sector’s evolving challenges. The Guidelines aim to enhance consumer confidence by ensuring transparency, preventing unfair business practices, and aligning e-commerce operations with existing data protection law. They also emphasise self-regulation, allowing businesses to adopt responsible practices while reducing the need for stringent government oversight.

Significance of DPDP Act

In today’s digitally interconnected and rapidly evolving cyber society, safeguarding personal data has become a critical legal, ethical, and operational challenge for businesses, governments, and societies. Inadequate management of personal information often leads to unauthorized access, data breaches, identity theft, and misuse of sensitive data, which can be exploited for fraudulent activities or even sold on the dark web. Recognizing the significance of data security, governments across the globe are implementing comprehensive data protection laws to regulate the collection, processing, storage, and usage of personal information.

An important development in this regard is India’s Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent on August 11, 2023. The draft Digital Personal Data Protection Rules, 2025 have since been circulated for public consultation, and the Act will take effect only when its provisions are notified. The primary objective of the legislation is to establish a structured compliance and regulatory framework governing the handling of digital personal data while ensuring transparency and accountability. Organisations handling the personal data of Indian consumers must reassess their internal policies, operational structures and data governance frameworks to align with the new regulatory landscape.

The DPDP Act reflects the growing public consciousness regarding privacy rights and the ethical management of personal data. Compliance with this law is no longer a mere legal formality but a strategic necessity for businesses operating in India, particularly those in the e-commerce sector and other digital marketplaces.

This article critically examines whether the Draft Indian Standard ‘E-Commerce – Principles and Guidelines for Self-Governance’ effectively integrates the important provisions of the DPDP Act, and evaluates its strategic implications for a robust e-commerce ecosystem. In doing so, it aims to show how companies can proactively adapt to the evolving data protection regime and build trust-based digital ecosystems.

Draft Indian Standard -E-Commerce – Guidelines

As the e-commerce sector expands rapidly, it brings immense opportunities but also challenges to consumer trust and protection. Clear governance guidelines are essential for promoting fairness, transparency and ethical business practices while preventing fraud. Recognising this need, the BIS has circulated the draft standard to govern online transactions more effectively. The Guidelines define core principles applicable to each stage of an e-commerce transaction: pre-transaction, contract formation, and post-transaction responsibilities. Their primary aim is to nurture consumer confidence, ensure seller accountability and maintain fair competition. By addressing critical areas such as seller verification, transaction security, product listings, grievance redressal and anti-counterfeiting, the Guidelines provide a structured framework for ethical and transparent e-commerce operations in India.

Basic Regulations in the Guidelines

The pre-transaction phase emphasizes rigorous seller verification, requiring platforms to authenticate business credentials through Know Your Customer (KYC) procedures. Additionally, platforms must disclose their contact details and clearly define policies on cancellations, exchanges, and refunds, ensuring informed purchasing decisions.

During the contract formation phase, explicit consumer consent is mandatory, with pre-selected checkboxes prohibited. Secure payment mechanisms are crucial, ensuring compliance with financial regulations and transparency in service fees.

The post-transaction phase focuses on consumer protection, requiring compliance with the Consumer Protection Act, 2019. Platforms must establish a grievance redressal system accessible through multiple communication channels. Real-time order tracking via SMS and email is essential, along with strict return and refund policies, particularly for counterfeit goods.

Beyond transactions, the Guidelines enforce ethical e-commerce practices. Fair competition, counterfeit prevention, and transparent sponsored content are prioritized.

Addressing Digital Personal Data Security

The rapid expansion of e-commerce and the wider digital transformation necessitate a robust framework to ensure consumer protection, data security and transaction integrity. Several provisions of the BIS draft are directed at safeguarding digital personal data. They set out a structured approach to consumer consent, transaction records, payment security, subscription transparency, data protection and commercial communication.

  • Express Informed Consent (Para 4.3.1): A fundamental principle of digital commerce is ensuring that consumers have control over their purchasing decisions. The BIS draft mandates that e-commerce entities must obtain explicit, informed consent from consumers before recording their agreement to purchase goods or services. Automatic consent mechanisms, including pre-ticked checkboxes, are strictly prohibited. This provision enhances consumer autonomy and prevents inadvertent purchases, thereby fostering a fair and transparent online marketplace.
  • Transaction Record Maintenance (Para 4.3.4): Accountability in e-commerce transactions is critical for both consumers and businesses. The BIS draft requires e-commerce platforms to maintain complete, accurate, and durable records of all transactions. Consumers should have access to these records and be able to retain copies for the duration specified under applicable law. This measure ensures traceability, dispute resolution, and compliance with regulatory requirements, thereby strengthening consumer confidence in digital transactions.
  • Payment Principles (Para 4.3.5): Secure and transparent payment processing is vital to the integrity of online commerce. The BIS draft mandates that e-commerce platforms must offer diverse payment methods, including credit/debit cards, mobile payments, e-wallets, and bank transfers, ensuring inclusivity for all users. Additionally, platforms must disclose all associated costs, such as processing fees, before the consumer finalizes the transaction. Security remains a top priority, with platforms required to implement encryption, two-factor authentication, and other fraud prevention measures.
  • Recurring Charges and Subscription Transparency (Para 4.3.7): The BIS draft stipulates that e-commerce platforms must provide comprehensive disclosure on the duration, intervals, and exact amounts related to recurring payments. Consumers must also have a straightforward process to opt-out or cancel subscriptions at any time. In cases where terms and conditions, including pricing, are altered during the subscription period, consumers must be pre-informed, and continued service must require their express consent.
  • Data Protection Measures (Para 4.5.2): The BIS draft establishes stringent data protection norms to ensure that consumer data is used exclusively for facilitating transactions or for other purposes explicitly disclosed to the consumer at the pre-transaction stage and consented to. E-commerce platforms, as custodians of the data (the ‘data fiduciary’ in DPDP Act terminology), are prohibited from putting that data to any other commercial or alternative use. This reinforces consumer privacy and mitigates the risk of unauthorised data exploitation.
  • Unsolicited Commercial Communication (Para 4.5.3): The prevalence of unsolicited commercial communication has raised concerns about consumer privacy and digital harassment. The BIS draft mandates that all communication from e-commerce entities to consumers must be based on explicit consent or directly related to a transaction. Non-transactional communication must require an express opt-in from the consumer and include an option to cease such messages at any time. These provisions aim to curtail spam and intrusive marketing practices, ensuring that consumers retain control over their digital interactions.

The text of these provisions is reproduced in the Appendix to this article.
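Paras 4.3.1, 4.5.2 and 4.5.3 together describe a consent gate that an e-commerce platform has to enforce in code: consent counts only if the consumer actually acted, personal data may be used only for a purpose that was disclosed and consented to, and non-transactional messages need an opt-in that the consumer can withdraw at any time. The following is an added illustration of how such a gate can be implemented; it is not code from the BIS draft or from any platform, and the ledger class, the list of disclosed purposes and the sample user and order identifiers are assumptions constructed for the example.

```python
"""Consent and purpose-limitation gate (illustrative, constructed example).

Encodes three requirements of the BIS draft as runtime checks:
  Para 4.3.1  consent is recorded only on an affirmative user action
  Para 4.5.2  personal data is used only for disclosed, consented purposes
  Para 4.5.3  non-transactional messages need opt-in and honour opt-out
The class and field names, the disclosed purposes and the identifiers used
below are assumptions for the example, not part of the draft standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(Exception):
    """Raised when an operation has no valid consent behind it."""


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: set = field(default_factory=set)       # purposes disclosed and agreed to
    marketing_opt_in: bool = False                   # Para 4.5.3 express opt-in
    transactions: set = field(default_factory=set)   # order ids belonging to this consumer
    history: list = field(default_factory=list)      # (timestamp, event, detail) audit trail

    def log(self, event, detail):
        self.history.append((datetime.now(timezone.utc).isoformat(), event, detail))


class ConsentLedger:
    # Purposes the platform discloses at the pre-transaction stage (constructed list).
    DISCLOSED_PURPOSES = {"order_fulfilment", "payment", "delivery_updates", "marketing"}

    def __init__(self):
        self._records = {}

    def _get(self, principal_id):
        return self._records.setdefault(principal_id, ConsentRecord(principal_id))

    def record_consent(self, principal_id, purposes, *, user_action):
        """Para 4.3.1 / 4.5.2: reject defaulted consent and undisclosed purposes."""
        if not user_action:
            raise ConsentError("consent captured without an affirmative user action")
        undisclosed = set(purposes) - self.DISCLOSED_PURPOSES
        if undisclosed:
            raise ConsentError(f"purpose(s) never disclosed to the consumer: {sorted(undisclosed)}")
        rec = self._get(principal_id)
        rec.purposes |= set(purposes)
        if "marketing" in purposes:
            rec.marketing_opt_in = True
        rec.log("consent", ",".join(sorted(purposes)))
        return rec

    def withdraw_marketing(self, principal_id):
        """Para 4.5.3: the option to cease non-transactional messages always works."""
        rec = self._get(principal_id)
        rec.marketing_opt_in = False
        rec.purposes.discard("marketing")
        rec.log("withdraw", "marketing")

    def register_transaction(self, principal_id, order_id):
        """Tie an order to the consumer so transactional messages can be justified."""
        self._get(principal_id).transactions.add(order_id)

    def may_process(self, principal_id, purpose):
        """Para 4.5.2: data may be used only for a purpose this consumer consented to."""
        return purpose in self._get(principal_id).purposes

    def may_send(self, principal_id, kind, order_id=None):
        """Para 4.5.3: transactional messages need a real order of this consumer;
        anything else requires a current marketing opt-in."""
        rec = self._get(principal_id)
        if kind == "transactional":
            return order_id is not None and order_id in rec.transactions
        return rec.marketing_opt_in


if __name__ == "__main__":
    ledger = ConsentLedger()
    try:
        ledger.record_consent("cust-1", {"order_fulfilment"}, user_action=False)
    except ConsentError as e:
        print("rejected:", e)                       # pre-ticked checkbox is not consent
    ledger.record_consent("cust-1", {"order_fulfilment", "payment"}, user_action=True)
    ledger.register_transaction("cust-1", "ORD-1001")
    print(ledger.may_process("cust-1", "payment"))                       # True
    print(ledger.may_process("cust-1", "marketing"))                     # False
    print(ledger.may_send("cust-1", "transactional", order_id="ORD-1001"))  # True
    print(ledger.may_send("cust-1", "promotion"))                        # False until opt-in
```

The design point is that every data use and every outbound message passes through `may_process` or `may_send`, so a marketing job or an analytics export cannot quietly reuse data collected for order fulfilment; the per-consumer history also gives the durable record that Para 4.3.4 expects when a consent decision is later disputed.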

Fusion of DPDP Act Provisions in the Guidelines

Under the DPDP Act, 2023, every e-commerce entity that determines the purpose and means of processing digital personal data is a data fiduciary and must comply with its provisions. A review of the Guidelines indicates that they integrate the fundamental principles of the DPDP Act into business operations in India. The key points of correspondence are summarised below.

  • Data Collection and Consent Mechanisms: The BIS draft Guidelines emphasise the necessity of obtaining explicit user consent before collecting personal data, aligning with Section 6 of the DPDP Act, 2023, which mandates that consent must be free, specific, informed, unconditional, and unambiguous. E-commerce platforms must ensure that consumers are fully aware of how their data will be used, stored, and shared. The guidelines advocate for opt-in mechanisms where users must actively provide consent rather than relying on pre-checked consent boxes, mirroring the affirmative consent requirement under the DPDP Act.
  • Data Storage and Protection Measures: The BIS Guidelines require e-commerce platforms to adopt robust data security measures, corresponding to Section 8 of the DPDP Act, which obliges data fiduciaries to implement reasonable security safeguards to prevent unauthorised access, data breaches or misuse. Platforms should incorporate encryption, secure storage and stringent access controls. Where personal data is stored or processed outside India, Section 16 applies: it permits cross-border transfer except to countries that the Central Government restricts by notification, so platforms must track such notifications when choosing hosting locations.
  • Consumer Rights and Data Access: The BIS draft guidelines support consumers’ rights to access, correct and erase their personal data, in line with Sections 11 and 12 of the DPDP Act, which grant data principals the right to access information about their personal data and the right to its correction, completion, updating and erasure. E-commerce platforms must provide user-friendly mechanisms through which consumers can review their data and exercise these rights easily. This enhances transparency and gives users greater control over their information, reinforcing the data principal’s control that the DPDP Act is built around.
  • Third-Party (Processor) Data Sharing: Given the frequent data exchanges between e-commerce platforms and third parties such as advertisers, service providers and analytics firms, the BIS Guidelines restrict data sharing to disclosed, consented purposes. This aligns with Section 6 of the DPDP Act, under which consent is limited to the specified purpose, so sharing for an undisclosed purpose is outside the consent. Under Section 8, a data fiduciary may engage a data processor only under a valid contract and remains responsible for compliance regardless of the processor’s conduct, so third-party recipients must be held to the same data protection obligations as the platform itself. This prevents unauthorised processing and ensures a uniform standard of protection.
  • Data Breach Notification and Response Mechanisms: To minimise the impact of data breaches, the BIS draft guidelines require e-commerce platforms to follow stringent notification protocols. This corresponds to Section 8(6) of the DPDP Act, which obliges a data fiduciary, on a personal data breach, to intimate the Data Protection Board of India and each affected data principal in the prescribed form and manner. Businesses must also establish incident response mechanisms, including risk assessments and remedial measures, to prevent recurrence and ensure accountability.
  • Grievance Redressal Mechanisms: To enhance consumer trust, the BIS Guidelines mandate that e-commerce platforms establish effective grievance redressal mechanisms, reflecting Section 13 of the DPDP Act, which gives every data principal the right to readily available means of grievance redressal from the data fiduciary, to be responded to within the prescribed period. Companies must set up dedicated customer support channels such as helplines and online portals and resolve complaints within a time-bound framework, ensuring swift action on data security and service-related grievances.

Enhancing Data Security Under Guidelines and DPDP Act

To support implementation of the BIS draft guidelines and strengthen digital personal data protection, the following strategic measures can be adopted:

  • Stakeholder Engagement and Industry Collaboration: Actively involving industry leaders, consumer advocacy groups, and policymakers can help refine the guidelines and address practical challenges in implementation.
  • Leveraging Advanced Technologies for Data Security: Promoting the integration of artificial intelligence, blockchain, and other emerging technologies can enhance data protection frameworks and minimize security risks.
  • Regular Audits and Compliance Monitoring: Conducting periodic audits, risk assessments, and compliance checks will ensure continued adherence to regulatory norms under Guidelines and DPDP Act and boost consumer trust.
  • Consumer Awareness and Digital Literacy Programs: Both the government and private sector should undertake initiatives to educate consumers about their data rights, security practices, and responsible digital behaviour, promoting a culture of data protection.

These measures, aligned with the DPDP Act, 2023, will contribute to a more secure and privacy-centric e-commerce ecosystem in India.

Conclusion

The BIS draft Guidelines for e-commerce align closely with the DPDP Act, 2023, reinforcing digital personal data security, transparency, and consumer rights. By addressing key aspects such as data collection, storage, third-party sharing, and breach response, these guidelines lay the foundation for a more secure and ethical digital marketplace. While challenges in implementation remain, proactive collaboration between regulators, businesses, and consumers will be crucial in ensuring compliance and cultivating trust. As India continues to refine its digital data protection framework, these guidelines serve as a critical step toward responsible and sustainable e-commerce growth.


Appendix: Extracts from Draft Indian Standard (WC Draft) (For comments only) E-COMMERCE- PRINCIPLES AND GUIDELINES FOR SELF-GOVERNANCE

Para 4.3.1 Express Informed Consent

Every e-commerce entity shall only record the consent of a consumer for the purchase of any good or service offered on its platform where such consent is expressed through an explicit and no such entity shall record such consent automatically, including in the form of pre-ticked checkboxes.

Para 4.3.4 Transaction Record

E-commerce entities shall maintain a complete, accurate and durable record of every transaction carried out on its platform and shall enable the consumers to access and retain a copy of their particular record for such time as required under applicable law.

Para 4.3.5 Payment Principles

E-commerce platforms shall strive to offer a variety of payment methods that are accessible to all users irrespective of the type of product or seller chosen by the user, including credit/debit cards, mobile payments, e-wallets, and bank transfers. While choosing the mode of payment all the associated costs including processing charges, shall be disclosed to the consumer.

E-commerce platforms shall ensure that payment transactions are secure and protected from fraud and other security breaches through the use of encryption, two-factor authentication, and other security measures. E-commerce platforms shall comply with all relevant laws and regulations related to payment processing, including data protection and privacy laws, anti-money laundering regulations, and other financial laws.

Para 4.3.7 Recurring Charges and Subscriptions

Any payment option or transaction involving a specified recurring charge, automated repeat purchases, transaction renewals or a subscription contract ‘Recurring Obligations’, shall carry a full disclosure on the specific duration, intervals, and exact amount in relation to the Recurring Obligations, as well as information, and a clear, accessible process to opt-out from or cancel such Recurring Obligations at any time before or during the tenure/currency of such subscription.

If a customer has subscribed for a stated period, any changes in the terms and conditions including any changes in price, quantity, service conditions shall be pre-informed to the consumers and shall be continued after the express consent of the consumer. In case the consumer seeks to discontinue the subscription due to a change in the terms and conditions, he shall be permitted to do so. Any subscription services provided by the E-commerce platform shall be the responsibility of such platform.

Para 4.5.2 Data Protection

E-commerce entities shall ensure that they comply with all applicable laws in relation to data protection. Specifically, they shall ensure the following:

  1. All personal data collected from a consumer, at any time, shall be used solely for the purpose of facilitating transactions on the platform, and for such other purposes that are disclosed to the consumer at the pre-transaction stage and for which he has given express consent; and
  2. As a custodian of the data, every marketplace platform shall ensure that there is no misuse of data for any other commercial or alternative use.

Para 4.5.3 Unsolicited Commercial Communication

E-commerce entities shall ensure compliance with all applicable law pertaining to commercial communications, including the following:

  1. All communication originating from the e-commerce entity to the consumer shall be made only with the express consent of the consumer, or in relation to a transaction made by the consumer on the platform.
  2. All non-transactional communication originating from the e-commerce entity to the consumer shall be on the basis of an express opt-in by the consumer and shall be accompanied with an option to silence or cease such communications.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and presently works from Bangalore as an Information Assurance Consultant. He pioneered concepts such as ITA 2008 compliance and is the founder of Cyber Law College, a virtual Cyber Law education institution. He now focuses on projects such as Secure Digital India and Cyber Insurance.