Flipkart's Privacy Policy vs the DPDP Act: 500 Million Users, Zero Mentions
Flipkart serves 500 million users. Its privacy policy never names the DPDP Act. We read it against the Digital Personal Data Protection Act: blanket consent, prescription data, and no retention schedule.
Flipkart serves 500 million users. Its privacy policy, last updated April 2026, never names the Digital Personal Data Protection Act. The closest it gets is a generic line:
“governed by the laws of India including but not limited to the laws applicable to data protection and privacy”
That is boilerplate. It names no statute and commits to nothing specific. The Information Technology Act, meanwhile, is cited by name for the Grievance Officer requirement. The one law that actually governs consent, retention, and breach response from November is not cited anywhere, by name or by section.
Gap 1: Prescription data with no health-specific safeguard (§8, Rule 6)
Flipkart requires "confirmation that a valid prescription has been uploaded" before processing certain orders, and connects users to teleconsultants for prescription issuance. The policy treats this the same way it treats a phone case purchase.
Under §8 and Rule 6, security safeguards must scale with sensitivity and with the harm exposure could cause. A prescription record carries a very different harm profile than an electronics order, and the policy does not distinguish between them.
Gap 2: KYC and financial data under blanket consent (§6)
PAN, credit information reports, GST numbers, and government ID are collected to assess eligibility for lending and insurance products, then shared with "Credit Bureaus and business partners (such as UPI platform)." Each of those is a distinct processing purpose under §6.
“by providing your personal data, you consent to the collection, use, storage, disclosure and otherwise processing”
One blanket sentence covering all of it. That is not itemised consent. That is a waiver, and §6 was written specifically to end it.
Gap 3: Retention with no schedule (Rule 8)
“We retain your personal data... for a period no longer than is required for the purpose for which it was collected.”
Rule 8 does not accept a self-defined purpose window. It expects a category-by-category schedule: a number, a trigger, a deletion date.
Worth noting alongside this: Flipkart's own Plus membership clause shares your name, email, and number with Netflix and other partners, with no retention period attached to that sharing at all. The data leaves, and nothing in the policy says when it is supposed to be deleted at the other end.
What Flipkart gets right
A named Grievance Officer, Karthik R, Associate Director, with a direct email and a full physical address. That is the floor requirement under Rule 9 and Rule 14, and unlike many platforms in this series, they have actually met it.
Flipkart also says it does not operate outside India and stores data primarily in-country. That is a reasonable data-residency posture, and it will help under Rule 15.
The core problem: an IT Act policy for a DPDP world
Good data residency does not substitute for a DPDP-mapped consent and retention framework. Right now this policy runs entirely on Information Technology Act 2000 logic, for a law that changes the rules from November 2026.
If your own policy still cites the IT Act and treats consent as a single blanket sentence, that is the same gap at a smaller scale. Our DPDP compliance checklist covers what to fix first, and the free Compliance Score below will tell you in 60 seconds whether your policy has the same three problems.
Frequently asked questions
Is Flipkart DPDP compliant?
Flipkart's published privacy policy, as of April 2026, does not name the DPDP Act and relies on blanket consent language and an undefined retention window, which do not meet §6 and Rule 8 as written. Whether that amounts to non-compliance is for the Data Protection Board to determine once substantive obligations become enforceable in May 2027.
Does the DPDP Act allow one blanket consent clause?
No. §6 requires consent to be free, specific, informed, unconditional, and unambiguous, with separate consent for each distinct purpose. A single sentence covering collection, use, storage, disclosure, and sharing with credit bureaus does not satisfy that standard.
What does the DPDP Act require for e-commerce retention?
Rule 8 requires a defined retention period per data category. Additionally, the Third Schedule specifies that e-commerce entities with at least two crore registered users must erase personal data three years after a Data Principal last approached them, subject to certain exceptions for account access.