From the 2022 amendments to 2026 β consumer protection, DPDP Act, GST TCS, Section 194-O and FDI rules shaping every Indian e-commerce business today.
No Coupler.io data-pipeline skills apply to a content-writing task. Proceeding directly with the blog post.
AMENDMENTS OF E-COMMERCE
India's e-commerce regulatory stack is not one law β it is at least five, running in parallel, each with its own filing calendar and penalty regime. By FY 2026-27, a marketplace or seller operating in India must simultaneously comply with the Consumer Protection (E-Commerce) Rules, the Digital Personal Data Protection (DPDP) Act and its Rules, the GST framework under the Central Goods and Services Tax (CGST) Act 2017, Section 194-O of the Income-tax Act 1961, and the Foreign Exchange Management Act (FEMA) / FDI Policy. Miss any single layer and you face penalties that range from GST late fees to Data Protection Board levies of up to Rs. 250 crore.
Why the Regulatory Stack Matters More Than Any Single Law
Most compliance guides treat each law in isolation. That is a mistake, because the obligations interact. A platform that correctly deducts TCS at 1% under Section 52 but fails to give sellers a clear TCS credit through their GST portal account β because it filed GSTR-8 late β has created a reconciliation crisis downstream. A marketplace that runs a compliant flash sale under the Consumer Protection Rules but collects customer location data without granular DPDP consent has solved one problem and created a bigger one.
Think of the five layers as concentric rings: consumer protection sits at the outermost ring (visible to every buyer), data protection governs the infrastructure behind the experience, GST and income-tax obligations govern money flows, and FEMA governs the ownership structure that makes everything else possible. You must pass all five rings simultaneously.
Consumer Protection (E-Commerce) Rules: The Seller Transparency Regime
The Consumer Protection (E-Commerce) Rules, 2020, notified under the Consumer Protection Act, 2019, have been progressively tightened. The current framework β as amended and clarified through successive notifications β imposes distinct obligations on marketplace model operators and inventory model operators.
Mandatory Product Information Display
Every product page must show:
- Country of origin β not a generic "imported" label, but the actual country
- Expiry / best-before dates for consumables and pharmaceuticals
- Name and contact details of the importer for imported goods
- Net quantity, MRP, and all-inclusive price before checkout
- Return, refund, and exchange policy, specific to that product category
A marketplace that aggregates third-party sellers is jointly responsible for ensuring this information is present on the listing. If a seller fails to upload it, the marketplace's "fall-back liability" is triggered under Rule 6(9) β making the platform liable for the deficiency as if it were the seller.
Grievance Redressal: Timelines That Have Teeth
You must appoint a Grievance Officer whose name, email, and escalation mechanism are displayed prominently β not buried in a footer. Prescribed turnaround times: acknowledge a complaint within 48 hours; resolve it within 30 days of receipt. The Consumer Protection Act allows a consumer to approach the District Commission for redress if a platform fails to respond, and the CCPA (Central Consumer Protection Authority) can impose a penalty of up to Rs. 10 lakh for misleading advertisements and up to Rs. 50 lakh for a subsequent violation.
Flash Sales, Dark Patterns, and Related-Party Sellers
The Rules do not ban flash sales outright. What they prohibit is a specific type of flash sale where a related-party seller (a seller in which the marketplace or its group entity has an equity interest, or which sells predominantly on one platform under an exclusive arrangement) uses the flash sale mechanism to offer goods at prices made artificially possible by back-end funding from the marketplace. Separately, dark patterns β countdown timers that reset, pre-checked add-ons, drip pricing β are explicitly prohibited under CCPA guidelines issued in November 2023 and are an audit risk for every UI/UX team.
The DPDP Act: Your Consent Architecture Needs a Rebuild
The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023. The Digital Personal Data Protection Rules, 2025 were subsequently notified, and by FY 2026-27 the full framework is operational. For e-commerce platforms β which collect name, phone number, email, address, browsing history, purchase behaviour, payment tokens, and device data as a matter of course β this Act is arguably the most operationally disruptive of all the 2022-2026 amendments.
The Consent Mechanism Must Be Rebuilt
Under the DPDP Act, consent must be:
- Free β not a condition for using the service unless strictly necessary
- Specific β granular, per-purpose, not a single "I accept all" checkbox
- Informed β accompanied by a notice in plain language (the Act mandates that notices be available in scheduled languages of the Constitution)
- Unambiguous β an affirmative action, not pre-ticked boxes
- Withdrawable β as easily as it was given
For a typical e-commerce checkout flow, this means separate consent toggles for: (a) processing data to fulfil the order, (b) processing data for personalised recommendations, (c) sharing data with logistics partners, and (d) sending marketing communications. Lumping all four into one "agree to terms" checkbox is non-compliant.
Data Protection Officer and Significant Data Fiduciaries
If the Central Government notifies your platform as a Significant Data Fiduciary (SDF) β based on volume of personal data processed, sensitivity of data, national security implications, or scale of operations β you must appoint a Data Protection Officer (DPO) resident in India, conduct Data Protection Impact Assessments (DPIAs), and comply with additional audit requirements. Large marketplaces with tens of millions of active users should assume SDF status is coming and prepare accordingly.
Children's Data: The Age-Gate Obligation
Processing personal data of children under 18 requires verifiable parental or guardian consent. You cannot collect a child's data and verify age through a self-declaration checkbox. Platforms must implement age-verification mechanisms β the Rules prescribe approaches that are technically verifiable, not merely declaratory. This directly affects gaming platforms, ed-tech, and any marketplace with a teenage-user demographic.
Breach Notification
A personal data breach must be reported to the Data Protection Board of India as soon as practicable β the Rules specify the timeline and format. The notice must include the nature of the breach, the categories and approximate number of data principals affected, the likely consequences, and the remedial measures taken or proposed. Penalties for failure to notify: up to Rs. 200 crore under the Act's First Schedule.
GST for E-Commerce Operators: TCS, Section 9(5), and GSTR-8
Tax Collection at Source (TCS) Under Section 52
Every E-Commerce Operator (ECO) β a platform that owns, operates, or manages a digital or electronic facility through which sellers supply goods or services β must collect TCS at 1% (0.5% CGST + 0.5% SGST/UTGST for intra-state supplies, or 1% IGST for inter-state supplies) on the net taxable value of supplies made through it.
"Net taxable value" = gross value of taxable supplies made through the ECO during the month, less returns in that month. TCS is not collected on exempt supplies, and not collected on supplies made by the ECO on its own account (only on supplies facilitated for third-party sellers).
The TCS collected must be remitted and GSTR-8 filed by the 10th of the following month. A penalty of Rs. 100 per day (maximum Rs. 5,000) applies for late filing. More critically, the TCS credit flows into the seller's Electronic Cash Ledger only when GSTR-8 is filed. A late GSTR-8 blocks a seller's credit β creating a cash-flow problem for your sellers and a compliance dispute for you.
Section 9(5): Where the ECO Becomes the Taxpayer
Under Section 9(5) of the CGST Act, for certain notified services, the GST liability shifts entirely to the ECO β the actual service provider need not register or pay GST at all. As of FY 2026-27, notified categories include:
- Passenger transport via app-based aggregators (Ola, Uber, rapido-type platforms)
- Restaurant services through food delivery apps (Swiggy, Zomato-type platforms)
- Housekeeping services (plumbers, electricians, carpenters, salon services booked via apps)
- Accommodation services through short-stay rental platforms
For these categories, the ECO files GST as if it is the supplier. The platform cannot offset this liability by collecting GST from service providers who are not registered β the obligation sits squarely on the ECO.
Section 194-O TDS: The Income-Tax Pinch Every Marketplace Feels
Section 194-O of the Income-tax Act 1961 requires an ECO to deduct TDS at 1% on the gross amount of sale of goods or provision of services facilitated by it in respect of a resident seller, when the aggregate amount exceeds Rs. 5 lakh in a financial year for that seller.
Key mechanics for FY 2026-27:
| Scenario | Rate | Form |
|---|---|---|
| Resident seller, PAN furnished | 1% | Form 26Q (quarterly) |
| Resident seller, PAN not furnished | 5% (Section 206AA) | Form 26Q |
| Non-resident seller | Section 195 applies (DTAA-dependent) | Form 27Q |
| Virtual Digital Asset transfer involving ECO | 1% under Section 194S | Form 26Q |
TDS must be deposited by the 7th of the following month (except March: 30th April). The quarterly TDS return is due on the 31st of the month following the quarter end β so Form 26Q for Q4 (JanuaryβMarch 2027) is due by 31 May 2027.
The Equalisation Levy Update
The 2% equalisation levy on non-resident e-commerce operators (under Section 165A of the Finance Act 2016) was abolished with effect from August 1, 2024 by the Finance Act 2024. For FY 2026-27, non-resident ECOs supplying goods or services to Indian customers are no longer subject to this levy. The 6% equalisation levy on online advertising (under Section 165 of the Finance Act 2016) continues to apply to non-resident digital advertising service providers.
FDI and FEMA: The Marketplace vs. Inventory Fault Line
India's FDI Policy draws a hard line between two e-commerce business models:
| Parameter | Marketplace Model | Inventory Model |
|---|---|---|
| FDI permitted | 100% automatic route | Generally prohibited for entities with FDI |
| Who owns inventory | Third-party sellers | The entity itself |
| GST registration | ECO obligations under Section 52 | Regular supplier obligations |
| Key restriction | Cannot influence price; cannot have >25% sales from one seller group | Not permitted with FDI |
The 25% cap means: if a marketplace with FDI has a seller (or group of related sellers) who together account for more than 25% of total sales on the platform in a financial year, the arrangement is non-compliant with the FDI Policy. Enforcement risk is real β DPIIT and the Enforcement Directorate have both scrutinised large marketplace structures.
Annual FEMA Compliance
Entities receiving FDI must file:
- Form FC-GPR (Foreign Currency-Gross Provisional Return) within 30 days of allotment of shares to a foreign investor
- Form FC-TRS for secondary transfers of shares
- Annual Performance Report (APR) by 31 December each year for all foreign investments received
Failure to file FC-GPR or APR attracts compounding under FEMA β late filing fees can accumulate quickly on large inward remittances.
Worked Example: A Marketplace Platform's Compliance Arithmetic for April 2026
Imagine QuickMart, a Delhi-based marketplace with 500 active sellers. In April 2026, net taxable supplies facilitated = Rs. 8,00,00,000 (Rs. 8 crore).
GST TCS Calculation (Section 52):
- TCS = 1% Γ Rs. 8,00,00,000 = Rs. 8,00,000
- CGST TCS = Rs. 4,00,000 | IGST TCS (for inter-state) = Rs. 4,00,000 (illustrative split)
- GSTR-8 due date: 10 May 2026
- If filed on 25 May 2026 β that's 15 days late: late fee = Rs. 100/day = Rs. 1,500 (capped at Rs. 5,000)
- More damaging: 500 sellers' cash ledger credits are blocked for 15 days each
Section 194-O TDS Calculation:
- Assume 20 sellers cross the Rs. 5 lakh threshold in April; aggregate gross sales to them = Rs. 1,20,00,000
- TDS = 1% Γ Rs. 1,20,00,000 = Rs. 1,20,000
- Payment due: 7 May 2026 β interest at 1.5% per month for late payment
DPDP Audit Trigger: QuickMart sends promotional emails to all 5 lakh registered users without a separate marketing consent (relying on the order-fulfilment consent). If a user complaint reaches the Data Protection Board and a penalty is assessed even at the minimum slab, the reputational and financial cost far exceeds the marketing revenue. One compliant consent flow, built once, protects all 5 lakh relationships.
Total one-month compliance workload if managed proactively: four filings, two TDS deposit challans, one consent audit. If managed reactively: interest, late fees, blocked seller credits, and potential show-cause notices.
Common Mistakes and Pitfalls to Avoid
1. Filing GSTR-8 late because "TCS is small." The penalty is not just the late fee β it is the cascading effect on seller cash flow and trust. Automate GSTR-8 filing as a non-negotiable 10th-of-month task.
2. Applying TCS and TDS both to the same transaction incorrectly. TCS under Section 52 is a GST-layer obligation. TDS under Section 194-O is an income-tax layer obligation. Both apply independently to the same supply β one does not offset the other. Many platforms confuse the two.
3. Treating all flash sales as permitted. The rules do not ban flash sales β they ban specific structures involving related-party sellers and marketplace-subsidised pricing. Platforms that permit any related entity (in which they hold equity or which sells exclusively on the platform) to run flash sales at a loss funded by the platform are directly in violation.
4. Single omnibus consent for all data uses. A single "I agree to the Terms & Privacy Policy" is not DPDP-compliant. Every processing purpose needs a separate basis β consent, legitimate use, or legal obligation as defined in the Act.
5. Missing the 25% seller concentration limit for FDI-funded marketplaces. This is the most underestimated FDI risk. Platforms that rely on a few high-volume sellers should track concentration on a rolling 12-month basis, not just at year-end.
6. Ignoring Section 9(5) if you are a food or mobility aggregator. If your platform facilitates restaurant orders or cab bookings, you are the taxpayer for those services β not the restaurant or the driver. Many platforms discovered this liability only at audit.
7. Not reconciling TCS credit for sellers. A seller on your platform will see TCS credit in their AIS/TIS (Annual Information Statement / Tax Information Summary) only if your GSTR-8 is filed correctly and on time. Disputes over missing TCS credit damage seller relationships and lead to income-tax notices for sellers who claim credit the department cannot verify.
Key Takeaways
- Consumer protection compliance is joint and several. A marketplace is liable for seller-listing deficiencies under fall-back liability β audit your sellers' product pages, not just your own policies.
- DPDP compliance requires purpose-specific consent flows β rebuild your privacy architecture before the Data Protection Board becomes operational in your sector.
- GSTR-8 is a 10th-of-month hard deadline. Late filing blocks 500 or 5,000 sellers' GST cash ledger credits β treat it like a payroll run, not an afterthought.
- Section 194-O TDS and Section 52 TCS are parallel obligations on the same transaction β one under income-tax, one under GST. Deduct and deposit both correctly.
- The 2% equalisation levy on non-resident ECOs is abolished from August 1, 2024. Do not apply it for FY 2026-27; do not issue demand notices to non-resident technology vendors under this head.
- FDI-funded marketplaces must track seller concentration β if any seller or seller group crosses 25% of total platform sales, the FDI Policy compliance is at risk.
- Section 9(5) shifts GST taxpayer status to the ECO for notified services β food delivery, cab aggregation, housekeeping, and short-stay accommodation. If you operate in any of these categories, you are the taxpayer, not the service provider on your platform.
