DPDPA and Quick Commerce: Data Protection Compliance for Zepto, Blinkit & Swiggy Instamart

Abhi Anand
31 March 2026

Introduction

India's quick commerce sector has exploded into a $6 billion-plus market, with platforms like Zepto, Blinkit (owned by Zomato), and Swiggy Instamart promising deliveries in 10 to 30 minutes. But the speed that delights consumers depends on a vast, continuous stream of personal data — real-time GPS coordinates, granular purchase histories, saved delivery addresses, payment credentials, and behavioural profiles that predict what you will order before you even open the app. Under the Digital Personal Data Protection Act (DPDPA), 2023, every byte of this data carries compliance obligations. With the DPDP Rules 2025 now published and the phased compliance timeline already in motion, quick commerce platforms face a reckoning: the same hyper-personalisation that drives 10-minute delivery could trigger penalties of up to ₹250 crore if data protection obligations are not met. This article examines the specific DPDPA compliance challenges facing India's quick commerce giants and provides a practical roadmap for addressing them.

The Personal Data Footprint of Quick Commerce

Quick commerce platforms are among the most data-intensive consumer applications in India. Every order generates a cascade of personal data points that, when aggregated, create an extraordinarily detailed profile of the consumer. According to EY India's 2026 DPDP readiness survey, retail and e-commerce platforms process an average of 47 distinct personal data attributes per customer — and quick commerce platforms likely exceed this figure given the frequency and granularity of interactions. Under the DPDPA's framework, all of this data qualifies as digital personal data and triggers the full spectrum of data classification and protection obligations.

  • Location data — real-time GPS coordinates tracked continuously during order placement, delivery partner routing, and even passive app usage. This data reveals home addresses, workplace locations, and daily movement patterns
  • Purchase history — itemised order records that, over time, reveal dietary preferences, health conditions (e.g., diabetic-friendly purchases), religious practices (e.g., halal or vegetarian preferences), and household composition
  • Delivery addresses — saved addresses including home, office, and frequently visited locations, often with specific instructions ('gate code 4521', 'leave with security guard Ramesh') that constitute personal data
  • Payment data — saved UPI IDs, card tokens, wallet balances, and transaction histories processed in conjunction with payment partners
  • Behavioural data — search queries, browsing patterns, time-of-day ordering habits, price sensitivity signals, and A/B test group assignments used for personalisation algorithms
  • Device and network data — device identifiers, IP addresses, app version, OS details, and network information collected through SDKs and analytics tools

Real-Time GPS Tracking and the Consent Challenge

The most distinctive data protection challenge for quick commerce is continuous location tracking. Unlike traditional e-commerce where a delivery address is provided once, quick commerce apps often request 'always-on' or 'while using the app' location permissions to enable features like live delivery tracking, dark store proximity calculations, and location-based promotions. Under the DPDPA, location data is unambiguously personal data, and its collection requires free, specific, informed, and unambiguous consent. The consent must clearly specify each purpose for which location data is collected — and bundling location consent for delivery with location consent for marketing is not compliant. A 2025 study by Mozilla Foundation's *Privacy Not Included* project found that 78% of food delivery apps globally collect location data beyond what is necessary for core service delivery. Indian quick commerce platforms are no exception. The DPDPA's principle of purpose limitation means platforms must justify every location data collection point and provide granular consent options — not a single 'accept all' toggle.

  • Delivery-specific consent — location access limited to the duration of an active order, with automatic permission revocation after delivery confirmation
  • Marketing consent (separate) — explicit, separately obtained consent for using location data to serve proximity-based promotions or recommend nearby dark stores
  • Background tracking disclosure — clear notice if the app collects location data when not actively in use, with an easy mechanism to disable this without losing core functionality
  • Delivery partner GPS — separate consent and data protection obligations for delivery partners whose real-time locations are tracked and shared with consumers during order fulfilment

Dark Patterns in Quick Commerce Consent Flows

Quick commerce platforms are particularly susceptible to deploying dark patterns in their consent flows — deceptive design choices that nudge users toward sharing more data than they intend. The DPDPA explicitly requires that consent be 'free' and 'unambiguous', which means consent obtained through manipulative design is legally invalid. The Central Consumer Protection Authority (CCPA) has already issued guidelines against dark patterns in e-commerce, and the DPDPA adds data-specific enforcement teeth. According to a LiveLaw analysis, platforms that use dark patterns to obtain consent risk not only DPDPA penalties but also consumer protection enforcement actions — a dual liability exposure.

  • Pre-selected data sharing — toggles for sharing order data with third-party advertisers enabled by default, requiring users to actively opt out rather than opt in
  • Confirm-shaming — language like 'No thanks, I don't want faster deliveries' when a user declines to share location data, creating psychological pressure to consent
  • Hidden privacy settings — burying data sharing controls deep within settings menus (five or more taps from the home screen) while making data collection prompts prominent and unavoidable
  • Forced bundling — requiring acceptance of personalisation data processing as a condition for using the delivery service, violating the DPDPA's prohibition on making services conditional on unnecessary consent
  • Difficult withdrawal — making it easy to grant consent (single tap) but requiring multiple steps, waiting periods, or customer support interaction to withdraw consent, violating Section 6(6) of the DPDPA

Children Ordering on Parent Accounts: Section 9 Implications

A uniquely challenging compliance issue for quick commerce is the widespread practice of children placing orders using their parents' accounts. When a 14-year-old opens a parent's Zepto app and orders snacks, the platform is processing a child's behavioural data — their product preferences, search queries, and interaction patterns — even though the account belongs to an adult. Section 9 of the DPDPA imposes strict obligations regarding children's data, including a requirement for verifiable parental consent before processing any personal data of a person under 18. The DPDPA also prohibits behavioural monitoring and targeted advertising directed at children. For quick commerce platforms, this creates a significant technical and operational challenge. According to IAPP's operational analysis, platforms must implement age-gating mechanisms that can reasonably identify when a child may be using an adult's account — through behavioural signals, device usage patterns, or explicit age verification prompts — and adjust data processing accordingly.

  • Age verification at account level — platforms must implement mechanisms to verify the age of the actual user, not just the account holder, particularly for shared family devices
  • No behavioural tracking for minors — if a child is identified as using the platform, all personalisation algorithms, recommendation engines, and behavioural analytics must be disabled for that session
  • No targeted advertising — the DPDPA prohibits targeted advertising directed at children, meaning platforms cannot serve personalised promotions during sessions identified as child-initiated
  • Parental consent workflows — platforms must build consent flows that allow parents to explicitly authorise data processing for minor family members, with granular controls over what data is collected

Third-Party Delivery Partner Data Sharing

Quick commerce operates through a complex data-sharing ecosystem involving the platform, delivery partners (gig workers), payment processors, dark store operators, and analytics providers. Under the DPDPA, the platform — as the Data Fiduciary that determines the purpose and means of processing — bears full liability for data protection compliance across this entire chain. When a consumer's name, phone number, and delivery address are shared with a delivery partner via the app, the platform remains responsible for ensuring that data is protected, used only for the delivery purpose, and deleted after the order is completed. A NITI Aayog report on India's gig economy estimates that over 7.5 million gig workers will be active in India by 2026 — each one a potential point of data leakage. The DPDPA requires platforms to establish contractual obligations with all data processors (including delivery partners) that ensure compliance with the Act's security and purpose limitation requirements.

  • Data minimisation for delivery partners — share only the minimum data required for delivery (masked phone numbers, approximate address until proximity) rather than full customer profiles
  • Automatic data deletion — delivery partner access to customer data must be automatically revoked upon delivery confirmation, with no local storage permitted on partner devices
  • Contractual safeguards — binding agreements with delivery partners that specify data handling obligations, prohibited uses, and liability for breaches
  • Payment processor compliance — ensure that payment data shared with processors like Razorpay, Paytm, or PhonePe is governed by data processing agreements that meet DPDPA standards
  • Analytics and SDK providers — third-party SDKs embedded in the app (analytics, crash reporting, attribution) must be audited for data collection practices and governed by DPDPA-compliant agreements

Cross-Border Data Flows in Quick Commerce Tech Stacks

Many quick commerce platforms use global technology infrastructure — cloud services hosted outside India, analytics tools operated by US-based companies, and AI/ML models trained on servers in Singapore or Ireland. Under Section 16 of the DPDPA, personal data can be transferred to any country not on the government's restricted list. However, platforms must maintain clear documentation of all cross-border data transfers, including the categories of data transferred, the receiving entities, and the purposes. As highlighted by PwC's regulatory analysis, the restricted country list could be updated at any time, potentially disrupting existing data flows overnight. Quick commerce platforms should conduct a thorough data flow mapping exercise to identify all cross-border transfers in their technology stack and establish contingency plans for data localisation if required. For platforms processing data at the scale of Blinkit or Swiggy Instamart — millions of orders daily — this mapping exercise is a substantial undertaking that should be initiated immediately.

DPDPA Penalty Exposure for Quick Commerce Platforms

The financial exposure for quick commerce platforms under the DPDPA is substantial. Given the volume and sensitivity of personal data processed, a single compliance failure could trigger multiple penalty categories simultaneously. The DPDPA penalty framework provides for fines of up to ₹250 crore for failure to implement reasonable security safeguards, up to ₹200 crore for children's data violations, and up to ₹150 crore for breach notification failures. For a platform like Zepto, which reportedly processes over 1 million orders daily, a data breach affecting customer location data could trigger penalties under multiple heads — security safeguards (₹250 crore), breach notification delays (₹150 crore), and children's data if minor users are affected (₹200 crore). The cumulative exposure could exceed ₹500 crore for a single incident. Beyond DPDPA penalties, quick commerce platforms face enforcement risk from the CERT-In six-hour reporting requirement, RBI guidelines for payment data, and CCPA consumer protection actions — creating a multi-regulator enforcement environment that demands comprehensive compliance.

  • ₹250 crore — for failure to implement reasonable security safeguards leading to a breach of customer location, payment, or profile data
  • ₹200 crore — for non-compliance with children's data obligations under Section 9, including behavioural tracking of minors on parent accounts
  • ₹150 crore — for failure to notify the Data Protection Board and affected customers of a data breach within the prescribed timeline
  • ₹50 crore — for other DPDPA violations including consent deficiencies, purpose limitation breaches, and failure to honour data erasure requests

How Kraver.ai Helps Quick Commerce Platforms Achieve Compliance

Kraver.ai's AI-native compliance platform is purpose-built for data-intensive industries like quick commerce. Our automated data discovery engine maps every personal data touchpoint across the platform — from app-level SDKs and API integrations to dark store management systems and delivery partner applications. Our consent management module enables granular, purpose-specific consent flows that meet DPDPA requirements without degrading the user experience — because in quick commerce, every additional friction point costs conversions. Our data classification engine automatically identifies and tags sensitive data categories including children's data signals, health-indicating purchase patterns, and religious preference indicators. For breach notification, Kraver.ai provides automated detection, impact assessment, and regulatory reporting workflows that meet both DPDPA and CERT-In timeline requirements. And our penalty risk assessment module provides real-time visibility into compliance gaps and their financial exposure — enabling quick commerce leadership to prioritise remediation where it matters most.

Conclusion

India's quick commerce revolution has been built on data — but the DPDPA demands that this data be collected, processed, and protected in ways that respect the rights of every Data Principal. Platforms that treat DPDPA compliance as an afterthought risk not only penalties of up to ₹250 crore but also the consumer trust that drives repeat orders and growth. The compliance challenges are real — continuous location tracking, dark patterns in consent flows, children using parent accounts, complex third-party data sharing, and cross-border tech stacks each require dedicated attention. But the platforms that solve these challenges will emerge stronger, with a data governance foundation that supports sustainable growth in an increasingly privacy-conscious market. With the Phase 2 compliance deadline of November 2026 approaching and full compliance required by May 2027, the time for quick commerce platforms to act is now. Kraver.ai is ready to help India's fastest-growing industry move just as fast on compliance.
