E-commerce regulation in India: what you need to know if you want to sell online

E-commerce regulation in India for foreign companies

Since 2015, 100% Foreign Direct Investment has been allowed in the Indian e-commerce market, but that does not mean that every foreign company can open its own webshop and start selling to the Indian consumer. The Indian government uses two different models within the e-commerce market with specific rules and restrictions for foreign investors:

The inventory model

In the inventory model, which we know from companies such as Amazon, goods and services become the property of the e-commerce company and are then sold directly to the customer. The e-commerce company is therefore the owner of the inventory and the platform on which the goods are sold.

Current Indian regulations do not allow Foreign Direct Investment in the inventory model. This means that a foreign company in India is not allowed to run a webshop on which it sells goods and services from its own inventory, because the regulations do not allow a foreign company to be 100% owner of the sales platform and of this inventory.

There are exceptions to this rule. A foreign entity can hold up to 49% of the shares of an Indian e-commerce platform with an inventory model if:

• Made in India products are sold on the platform;
• The founder is an Indian citizen;
• The company is headed by Indian management;
• The company raises funds domestically, which results in large Indian companies reinvesting in new start-ups in the sector.

The Marketplace Model

In the marketplace model, the e-commerce entity only owns the online platform and is therefore the facilitator between sellers and buyers. In addition, the e-commerce company is allowed to provide support services to its sellers such as logistics, warehousing, call center and payment collection.

In the marketplace model, 100% Foreign Direct Investment is allowed and foreign companies can therefore fully own an e-commerce platform, as long as they do not own the inventory. However, there are more rules for foreign-owned e-commerce platforms:

• E-commerce platforms are not allowed to sell products from companies in which they have shares; The e-commerce entity must not have any influence or ownership over the goods/services sold on the platform. For example, an e-commerce platform cannot take the initiative to offer products with deep discounts, the company will then automatically be considered an e-commerce entity with the inventory model, with all the consequences that entails.
• A company selling through an Indian e-commerce platform must not contribute more than 25% to the total turnover of the platform.
• Online exclusive brands are not allowed. It is prohibited for an e-commerce entity to make exclusive agreements with a seller to sell its products exclusively on one platform.
• The name & contact details of the seller must be on the website.
• After sales activities are the sole responsibility of the seller. The entity that manages the e-commerce platform must not offer this service.

Consumer Protection Act 2019

At the end of July 2020, the Indian government introduced a new law with obligations for e-commerce retailers. The Consumer Protection Act 2019 aims to provide consumers with more transparency into the business and products, so that they can make informed decisions. From 2020, e-retailers will therefore be required to provide details of returns, refunds, exchanges, warranty, delivery and shipping, payment methods and complaint procedures, and the ‘country of origin’ on their platforms. The country of origin must also be mentioned on the products themselves.

International companies that offer their goods and services on the marketplace of an Indian e-commerce entity will be required to provide the above details to that entity. From 2020, e-commerce platforms will be required to provide as much information as possible about the sellers on their platforms to consumers. This includes the name of the company, address, customer service number, and any reviews or other feedback about the seller or the products.

Finally, the product must state the ‘total price’, along with any hidden extra charges such as shipping costs, and platforms are not allowed to ‘manipulate’ the price of the goods and services offered to make unreasonable profits.

Digital Personal Data Protection (DPDP) Act

The Digital Personal Data Protection Act, 2023 is a law that provides a comprehensive framework for the protection of personal data of Indian citizens. The law affects how e-commerce companies collect, process and protect personal data.

Key aspects for companies to consider:

1. Data localization: One of the most impactful aspects of the law is the requirement to store certain categories of data (particularly “critical personal data”) within India’s borders. For e-commerce companies, this may mean setting up local data centers or using Indian cloud providers.
2. Categorization of data: The law distinguishes between “personal data”, “sensitive personal data” and “critical personal data”, each with different levels of protection and compliance requirements.
3. Consent: Explicit and informed consent is a central pillar, comparable to the European General Data Protection Regulation (GDPR). Companies must draw up clear, comprehensible privacy policies in local languages and always ask for consent before storing data.
4. Right to erasure: Consumers will have rights such as the right to withdraw consent, and the right to correct and erasure of data, similar to the GDPR.
5. Data Protection Authority: The law provides for the establishment of a Data Protection Authority (DPA) that will oversee compliance and can impose sanctions for violations.
6. Mandatory data breach reporting: Companies will have to report data breaches to the authorities within a certain period of time.
7. Fines and sanctions: Significant fines are proposed for non-compliance, which can amount to a percentage of a company’s global turnover.

This is how foreign companies ensure they are complaint with e-commerce regulation in India

Companies that are already GDPR-compliant are in a good starting position, but must take specific Indian requirements such as data localization into account. Hiring local legal experts who specialize in data protection is no superfluous luxury to ensure that you fully comply with Indian legislation in this area.

In addition, it is important that you evaluate where your data is stored and processed, and whether you need local servers or cloud solutions in India. You must also ensure that you have a clear, multilingual privacy policy that complies with Indian requirements and that you report data breaches and can implement requests regarding stored data quickly and securely.

The e-commerce rules are enforced by the Central Consumer Protection Authority (CCPA) in India, and violations of these new acts carry hefty fines. Therefore, make sure that your entity in India is always compliant with the latest regulations.