Case Study · Data Protection & Privacy Advisory
DPDPA 2023 Compliance Programme: Consent Architecture, AI Data Governance, and Cross-Border Transfer Framework for a D2C E-Commerce Platform
Engagement Background
The Situation When We Were Engaged
A Bengaluru-based D2C e-commerce company serving 8.4 million registered users across India, the EU, and the US was operating a data architecture built for marketing performance rather than regulatory compliance. As the DPDPA 2023 notification deadline approached, the company faced simultaneous compliance obligations under three frameworks: DPDPA for Indian users, GDPR for approximately 340,000 EU customers, and CCPA for 180,000 California-based users.
The company’s AI personalisation engine processed purchase history, browsing patterns, and price sensitivity signals to generate personalised offers. A visual try-on tool processed facial imagery — biometric data under DPDPA. A customer chatbot had been fine-tuned on historical customer service transcripts. None of the AI systems had a compliant consent basis or AI governance policy.
SIRI Law LLP conducted a full data protection compliance programme: data flow mapping, DPDPA gap assessment, consent architecture redesign, AI governance policy implementation, cross-border transfer framework, and DPO designation and training. The programme covered all three regulatory frameworks simultaneously — producing a single integrated compliance architecture rather than three separate work streams.
Client Profile
Assessment Scope
Multi-Jurisdiction Privacy Compliance — DPDPA, GDPR, CCPA
DPDPA Gap Assessment & Consent Architecture
Full data flow mapping across 23 data categories. DPDPA gap assessment against all obligations. Consent architecture redesign — granular consent for each processing purpose, biometric consent as separate explicit consent. Privacy notice framework in plain language.
AI Data Governance
AI governance policies for all three AI systems: personalisation engine (purpose limitation), visual try-on (biometric data governance), and chatbot (training data consent and PII scrubbing). Machine unlearning procedure for data erasure requests involving AI training data.
Cross-Border Transfer Framework
Transfer mechanism analysis for data flows to EU and US cloud infrastructure, analytics vendors, and CDN providers. GDPR Standard Contractual Clauses for EU. CCPA data sale opt-out mechanism. DPDPA cross-border transfer whitelist monitoring.
Key Findings
What We Found
Each finding documented with evidence. Root cause and remediation guidance provided for every item.
The visual try-on tool processed users’ facial imagery to simulate clothing placement — constituting processing of biometric personal data under DPDPA. The existing consent was bundled within a general terms acceptance checkbox with no specific biometric consent. DPDPA requires explicit consent for biometric data processing. Under GDPR, facial imagery processing requires explicit consent under Article 9. Immediate consent architecture redesign required — processing suspended for EU users pending compliant consent implementation.
The chatbot had been fine-tuned on 14 months of customer service transcripts. Those transcripts contained personal data — names, addresses, order details, complaints — collected with consent for customer service purposes only. Use for AI training constituted a purpose limitation violation under DPDPA and GDPR. Machine unlearning assessment commissioned. Chatbot retraining on PII-scrubbed corpus required.
Data flow mapping identified 14 data categories being collected and retained without a documented processing purpose — including device fingerprint data retained for 3 years, precise geolocation history retained indefinitely, and social media profile scrapes for audience matching. All 14 categories required purpose documentation or deletion. Six categories were deleted on the basis of no legitimate processing purpose being identifiable.
The company was sharing personal data with 34 third-party vendors — analytics platforms, email service providers, retargeting networks, CDN providers — with no signed DPAs. Under DPDPA, a data fiduciary must enter into DPAs with all data processors. Under GDPR, Article 28 DPAs are mandatory. A vendor DPA programme was implemented — 34 DPAs executed within 60 days.
Engagement Timeline
Phase-by-Phase Execution
Data Flow Mapping and DPDPA Gap Assessment
Complete data inventory across all 23 data categories, 34 vendor relationships, and 3 AI systems. Data flow diagrams produced. DPDPA gap assessment: 41 gaps identified across consent, purpose limitation, data minimisation, retention, cross-border transfer, and AI governance. Priority ranking and remediation roadmap produced.
Consent Architecture Redesign
Layered consent architecture designed: general consent for core e-commerce functions, separate granular consent for personalisation AI, explicit separate consent for biometric (visual try-on), and marketing preferences. Cookie consent for web (GDPR) and privacy preference centre for all users (DPDPA + CCPA). Implementation guidance provided to engineering team.
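A purpose-gated consent ledger that enforces the layered design above, written here as an added example and not the client's implementation: consent is recorded per processing purpose, a biometric try-on consent arriving via the bundled terms checkbox (the finding on the visual try-on tool) is refused, consent for one purpose never carries over to another, and withdrawal is kept as an auditable record rather than deleted. The purpose names and the `collected_via` labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# purpose -> True if it needs its own explicit consent flow (never a bundled terms checkbox)
PURPOSES = {"core_ecommerce": False, "personalisation_ai": False,
            "biometric_tryon": True, "marketing": False}

@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    collected_via: str  # constructed labels: "terms_checkbox", "biometric_flow", "preference_centre"
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentLedger:
    records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def grant(self, user_id: str, purpose: str, collected_via: str) -> ConsentRecord:
        # Explicit-consent purposes may only be satisfied by their own dedicated flow.
        if PURPOSES[purpose] and collected_via == "terms_checkbox":
            raise ValueError(f"{purpose} requires a separate explicit consent flow")
        rec = ConsentRecord(purpose, datetime.now(timezone.utc), collected_via)
        self.records.setdefault(user_id, []).append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str) -> None:
        # Withdrawal is recorded, not deleted, so the ledger stays auditable.
        for rec in self.records.get(user_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)

    def can_process(self, user_id: str, purpose: str) -> bool:
        # Consent for one purpose never carries over to another purpose.
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self.records.get(user_id, []))

def demo() -> tuple:
    ledger = ConsentLedger()
    ledger.grant("u1", "core_ecommerce", "terms_checkbox")
    try:
        ledger.grant("u1", "biometric_tryon", "terms_checkbox")  # bundled: refused
        bundled_rejected = False
    except ValueError:
        bundled_rejected = True
    ledger.grant("u1", "biometric_tryon", "biometric_flow")
    granted = ledger.can_process("u1", "biometric_tryon")
    ledger.withdraw("u1", "biometric_tryon")
    return (bundled_rejected, ledger.can_process("u1", "personalisation_ai"),
            granted, ledger.can_process("u1", "biometric_tryon"))
```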
AI Governance Policies and Cross-Border Transfer Framework
AI governance policies drafted for all three AI systems — purpose, consent basis, data minimisation, retention, and erasure procedures. Machine unlearning procedure for chatbot training data. Cross-border transfer framework: SCCs for EU transfers, vendor DPAs for all 34 third parties, CCPA data sale disclosure and opt-out mechanism.
DPO Designation, Training, and Regulatory Readiness
Data Protection Officer designated and trained. Records of Processing Activities (RoPA) completed across all processing activities. Data Protection Impact Assessments (DPIAs) for high-risk processing: biometric data, AI personalisation, and cross-border transfers. Data subject rights handling procedures implemented and tested. Regulatory enquiry response protocols prepared.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
DPDPA — Data Protection Board Proceedings and Penalties
DPDPA penalties for significant data protection failures can be substantial — up to ₹250 crore for certain violations. Biometric data processing without compliant consent, purpose limitation violations in AI training, and absence of DPAs with 34 processors each constituted independent violations. The compliance programme was designed to address all identified violations before the Data Protection Board becomes fully operational.
GDPR — Supervisory Authority Action and GDPR Penalties
For the 340,000 EU customers, GDPR violations — particularly the biometric data processing without explicit consent under Article 9 — carry penalties up to 4% of global annual turnover or €20 million, whichever is higher. Processing was suspended for EU users pending compliant consent — avoiding ongoing GDPR violation accrual during the remediation period.
CCPA — Right to Opt-Out of Sale
For California users, the CCPA’s ‘do not sell’ right applies to data sharing with retargeting and advertising networks — a data practice the company was conducting without CCPA disclosure or opt-out. The retargeting data sharing constitutes a ‘sale’ under CCPA. CCPA opt-out mechanism and privacy policy update required and implemented.
IT Act Section 43A — Negligent Data Security for AI Systems
Operating AI systems that process large volumes of sensitive personal data — biometric data, purchase history, price sensitivity signals — without adequate governance constitutes negligent data security under IT Act Section 43A. The AI governance policies implemented create documented security safeguards, providing a defence against negligence claims in any future data breach scenario.
Outcomes & Remediation
What Changed After Our Assessment
DPDPA Compliant Consent Architecture — 8.4M Data Principals Covered
Granular consent architecture deployed across web and mobile apps. Biometric consent implemented as separate explicit consent flow. Personalisation AI consent separate from core e-commerce consent. All 8.4 million existing users re-consented through progressive consent collection.
34 Vendor DPAs Executed — Processor Chain Compliant
All 34 vendor data processing agreements executed within 60 days. Sub-processor chains documented. Data sharing agreements with advertising networks restructured to comply with CCPA and DPDPA.
AI Governance Policies — All Three AI Systems Covered
Purpose limitation, consent basis, data minimisation, retention, and erasure procedures documented for personalisation engine, visual try-on, and chatbot. Chatbot retrained on PII-scrubbed corpus. Machine unlearning procedure tested.
DPO Designated — Regulatory Enquiry Ready
DPO designated, trained, and registered. RoPA completed. DPIAs for high-risk processing documented. Data subject rights portal deployed — erasure, correction, and access requests handled within DPDPA timelines.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Multi-jurisdiction compliance — DPDPA, GDPR, and CCPA in one integrated programme
AI data governance expertise — not just traditional privacy law
Legal + technical team — policy drafting and engineering implementation guidance
DPIA and RoPA completed by qualified advocates — regulatory-grade documentation
Director GRC & Legal — Adv. Chetan Seripally
Navigating DPDPA, GDPR, or AI Data Governance?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.