Compliances of E-commerce operator

Compliances of E-commerce Operator

E-commerce operators who also act as sellers — whether as D2C brands on their own websites or as inventory-model players on third-party marketplaces — face a compliance stack that spans at least six distinct regulators. For FY 2026-27, that stack covers GST (including TCS reconciliation under Section 52), income-tax TDS under Section 194-O, MCA annual filings, Consumer Protection (E-Commerce) Rules 2020, the Digital Personal Data Protection (DPDP) Act 2023, and FEMA. This article maps every layer in the sequence a real operator should work through.

Step 1 — Map Your Operating Model Before Building the Compliance Stack

The single biggest mistake e-commerce founders make is treating compliance as a one-size-fits-all checklist. The rules that apply to you depend entirely on how your business operates. Identify your model first; the obligations follow automatically.

The four principal operating models:

1. Marketplace only — You provide a digital platform for third-party sellers. You facilitate transactions but own no inventory. Regulatory focus: TCS collection and GSTR-8 filing as an ECO under Section 52 of the CGST Act 2017, plus Consumer Protection (E-Commerce) Rules obligations.

1. Inventory model (direct seller) — You own the goods and sell them directly to consumers, either through your own website or through another marketplace. This is the dominant model for D2C brands. Full GST, income-tax, MCA, DPDP, and consumer protection obligations apply to you as the seller.

1. Hybrid model — You run a marketplace and simultaneously sell your own products through it or through another platform. This is structurally the most complex: you may be simultaneously an ECO required to collect TCS under Section 52 and an e-commerce participant whose proceeds are subject to TDS under Section 194-O. Separate legal entities for each role are common and often advisable.

1. Cross-border seller — You export to consumers abroad or import inventory to sell in India via an international platform. FEMA, IEC registration, AD bank reporting, and customs obligations layer on top of everything else.

Once the model is clear, build a compliance calendar. Every obligation below should map to a named owner, a software trigger, and a due date in your team's workflow.

Step 2 — GST Compliance for the E-commerce Seller

Registration and the State-Wise Trap

GST registration is mandatory for all e-commerce sellers regardless of turnover — the composition scheme exemption and the basic Rs. 40 lakh threshold exemption do not apply to persons supplying through an ECO. If you store goods in a third-party logistics (3PL) warehouse in Maharashtra and Karnataka, you need a GSTIN in both states. If your 3PL opens a new fulfilment centre in a state where you are not registered, you have an immediate registration obligation. Review warehouse locations against your GSTIN certificates at least once per quarter.

e-Invoicing: From 1 August 2023, e-invoicing is mandatory for taxpayers with aggregate annual turnover exceeding Rs. 5 crore in any preceding financial year. If your turnover crossed Rs. 5 crore in FY 2024-25, you must generate an IRN (Invoice Reference Number) on the Invoice Registration Portal for every B2B invoice raised in FY 2026-27 from the first day of the year. A tax invoice issued without a valid IRN is not a valid document for the recipient's ITC claim — which can poison your B2B relationships immediately.

TCS Under Section 52: Reconciling What Marketplaces Collect From You

When you sell through Amazon, Flipkart, Meesho, or any other ECO, the marketplace deducts TCS (Tax Collected at Source) at 1% of the net value of taxable supplies made through its platform (0.5% CGST + 0.5% SGST/UTGST, or 1% IGST for inter-state supplies). The ECO deposits this and files GSTR-8 by the 10th of the following month. The credit auto-populates into your electronic cash ledger on the GSTN portal and can be used to offset your output GST liability.

Your job: verify every month that the TCS credited to your cash ledger matches what each marketplace reports in GSTR-8. Discrepancies are extremely common — returns, cancellations, split deliveries and timing differences all create mismatches. Unreconciled credits pile up as a working capital drag and distort your net GST payable calculation.

GST Returns Calendar

Reverse-charge GST applies on import of services — cloud hosting from AWS/Azure (Ireland or US entities), fees to a foreign digital marketing agency, payments to overseas software providers. You pay IGST under reverse charge and claim it back as ITC in the same tax period, making it largely cash-neutral. However, the filing obligation exists regardless, and omitting it attracts interest at 18% per annum plus potential scrutiny.

Step 3 — Income-Tax and TDS Obligations

Section 194-O: TDS the Marketplace Deducts From Your Proceeds

Section 194-O of the Income-tax Act 1961 requires every ECO to deduct TDS at 1% on the gross amount of sales or services facilitated through its platform, at the time of credit to the seller's account or actual payment, whichever is earlier. If the e-commerce participant (you, as the seller) does not furnish a valid PAN, the rate escalates to 5%.

What this means in practice: if you sell Rs. 1,20,00,000 worth of goods through a marketplace in FY 2026-27, that ECO must deduct Rs. 1,20,000 as TDS and deposit it under your PAN. You will see this reflected in your AIS (Annual Information Statement) and TIS (Tax Information Summary) on the income-tax portal (incometax.gov.in). Your obligations are:

1. Pull the AIS/TIS at least once per quarter and compare TDS credits to your own sales register.
2. Raise disputes with the marketplace's seller support for any discrepancies before the return filing window closes.
3. Claim the credit in your ITR — it directly reduces your final tax liability rupee for rupee.

Section 194-O has a threshold exemption: it does not apply if the seller is an individual or HUF with gross sales or services through a single ECO not exceeding Rs. 5 lakh in the financial year, and the seller furnishes their PAN or Aadhaar to the ECO. For any entity type other than individual/HUF, or where the threshold is crossed, the deduction applies without exception.

Your Own TDS Obligations as a Seller-Entity

As a company or LLP selling online, you are simultaneously a deductor for your own vendor payments:

• Section 194C: TDS @ 1% (individual/HUF payee) or 2% (others) on payments to contractors — logistics, packaging, warehousing.
• Section 194J: TDS @ 10% on professional or technical services fees — IT developers, CA/legal fees, consultants.
• Section 194H: TDS @ 5% on commissions paid to sales agents or referral partners.
• Section 194Q: TDS @ 0.1% on purchases from a resident supplier exceeding Rs. 50 lakh in a year — applicable only if your own turnover exceeds Rs. 10 crore.

TDS must be deposited by the 7th of the following month (30 April for deductions made in March). Quarterly TDS returns are filed in Form 26Q (non-salary) by the 31st of the month following the quarter-end — that is, 31 July, 31 October, 31 January, and 31 May for the January-March quarter.

Advance Tax, Tax Audit and ITR Filing

Advance tax is payable in four instalments: 15% by 15 June, 45% by 15 September, 75% by 15 December, and 100% by 15 March. Shortfalls attract interest at 1% per month under Sections 234B and 234C from the instalment date — not from the filing date.

Tax audit under Section 44AB is mandatory if business turnover exceeds Rs. 1 crore in FY 2026-27. For businesses where aggregate cash receipts and cash payments are each below 5% of total receipts/payments — a threshold most digital-first sellers will comfortably meet — the limit rises to Rs. 10 crore. The audit report in Forms 3CA/3CB and 3CD must be filed before the ITR due date.

If you transact with a related party outside India — an overseas parent providing technology or marketing services, a group entity in Singapore or Dubai — transfer pricing documentation applies. The Chartered Accountant's certificate in Form 3CEB covering all international transactions must accompany your ITR.

Step 4 — MCA and ROC Filings for E-commerce Companies

If your e-commerce business is incorporated as a private or public limited company under the Companies Act 2013, a parallel compliance calendar runs alongside your tax deadlines.

Annual filings:

• AOC-4 (financial statements filed with the Registrar): within 30 days of the AGM. For a 31 March year-end, the AGM must be held by 30 September; AOC-4 is due by 29 October on the MCA V3 portal.
• MGT-7 / MGT-7A (annual return): within 60 days of the AGM — by 28 November for the same company.
• ADT-1 (auditor appointment intimation): within 15 days of the AGM.

Related party transactions under Section 188 require board approval and disclosure in AOC-4 and the Directors' Report. For an e-commerce company that buys technology services from a promoter-owned entity, or pays rent to a promoter-owned property, every such transaction needs a board resolution and proper arm's-length pricing documentation.

CSR under Section 135 is triggered when your company, in the immediately preceding financial year, meets any one of: net worth ≥ Rs. 500 crore, turnover ≥ Rs. 1,000 crore, or net profit ≥ Rs. 5 crore. D2C brands that crossed Rs. 1,000 crore in FY 2025-26 must plan their CSR spend for FY 2026-27 from April onwards and constitute a CSR Committee.

LLP-specific: File Form 11 (annual return) by 30 May and Form 8 (statement of accounts and solvency) by 30 October each year. The additional fee for late LLP filings is Rs. 100 per day per form — with no upper cap. A one-year delay across both forms costs Rs. 73,000 in fees before any penalty.

Step 5 — Consumer Protection (E-Commerce) Rules 2020: Your Seller Obligations

The Consumer Protection (E-Commerce) Rules 2020, framed under the Consumer Protection Act 2019, impose mandatory obligations on every e-commerce entity operating in India, whether as a marketplace or a seller.

Mandatory disclosures on the product listing and checkout page:

• Legal name, registered address, customer care number, and business email of the seller
• Country of origin of every product
• Expiry date for perishable goods
• Total price inclusive of all taxes, fees, and charges — broken out clearly, no hidden costs revealed only at checkout
• Return, refund, and cancellation policy in plain, unambiguous language
• Estimated delivery window before the consumer confirms the order

Grievance redressal: Every e-commerce entity must appoint a Grievance Officer and display their name and contact details prominently on the platform. Consumer complaints must be acknowledged within 48 hours and resolved within one month of receipt. Maintain a log of every grievance and its resolution — this is your first line of defence in a Consumer Commission proceeding.

Dark patterns: The Department of Consumer Affairs issued guidelines on dark patterns in November 2023 (available on consumeraffairs.nic.in). Prohibited practices include: basket sneaking (adding items to the cart without user action), forced continuity (auto-renewing subscriptions without explicit consent), hidden subscription opt-ins, bait-and-switch pricing, and disguised advertisements. Audit your checkout flow, email sequences, and notification triggers against this list — these are active enforcement areas.

Step 6 — DPDP Act 2023: Data Protection for E-commerce Operators

The Digital Personal Data Protection (DPDP) Act 2023 received Presidential assent in August 2023. As of May 2026, the implementing Rules have not been fully notified, but the Act itself is in force. E-commerce operators are among the most data-intensive businesses — processing names, addresses, payment credentials, device identifiers, browsing histories, and purchase records at scale.

Core obligations the Act imposes on you as a Data Fiduciary:

• Consent: Obtain consent that is free, specific, informed, unconditional, and unambiguous before processing any personal data. Pre-ticked boxes, bundled consents, and consent embedded in terms-of-service are non-compliant.
• Purpose limitation: Use data only for the purpose stated at collection. Repurposing purchase data for targeted advertising or selling it to third parties requires fresh, explicit consent.
• Data principal rights: Honour requests for access, correction, erasure, and the right to nominate. Build a request-handling workflow before the Rules prescribe mandatory response timelines.
• Breach notification: Report personal data breaches to the Data Protection Board of India (once constituted) and to affected data principals within the period the Rules will specify. Prepare a breach response runbook — detection, containment, assessment, notification — before a breach occurs.
• Significant Data Fiduciary (SDF) designation: Large platforms that the Central Government designates as SDFs will face additional obligations: mandatory appointment of a Data Protection Officer (DPO) resident in India, periodic Data Protection Impact Assessments (DPIAs), and data audits. Watch the gazette for the criteria, and assume you are in scope if you process data for millions of users.

Build your data processing register, document consent records with timestamps, and implement a data retention and deletion policy now. These are not just future obligations — they are audit-ready practices that reduce litigation risk under existing consumer protection and IT Act frameworks.

Step 7 — FEMA and Cross-Border Compliance

If you have received foreign investment, make overseas payments, or sell across borders, the Foreign Exchange Management Act 1999 (FEMA) and RBI Master Directions govern your flows.

FDI in e-commerce: Under the consolidated FDI Policy, 100% FDI under the automatic route is permitted for marketplace model e-commerce entities. The inventory model — where an entity owns inventory and sells directly — does not permit FDI. This is a hard regulatory line. A D2C brand that holds stock and has foreign investors must structure carefully so that the FDI-receiving entity is not the inventory-holding entity. Take legal advice before the first foreign remittance arrives, not after.

Key RBI reporting obligations:

• FC-GPR: Report every FDI receipt to the RBI through your AD (Authorised Dealer) bank within 30 days of allotment of shares.
• FC-TRS: Report transfer of shares between a resident and a non-resident within 60 days of the transfer.
• Form 15CA / CB: Required for remittances to non-residents (royalties, technical fees, marketing fees, SaaS subscriptions to overseas entities) — certify the payment under the applicable DTAA provision before the remittance is made.

Import and export compliance: Register for an Importer Exporter Code (IEC) from DGFT (dgft.gov.in) before making any cross-border movement of goods. For exports, the AD bank must realise export proceeds within the period prescribed by the RBI (verify the current timeline in the applicable Master Direction on Export of Goods and Services, as it is subject to revision by notification). For imports, pay through approved banking channels and ensure the transaction is correctly declared in customs documentation.

Sectoral licences that stack on top for specific product categories:

• FSSAI licence (Central or State, depending on turnover) for food and beverage products
• BIS certification / BIS hallmark for electronics, LED lights, and certain consumer goods
• Central Drug Standard Control Organisation (CDSCO) licence for pharmaceutical and health-care products
• Legal Metrology Act 2009 compliance — every packaged commodity must declare net quantity, MRP, manufacturer name and address, and country of origin, in the prescribed format

Worked Example: The True Cost of a Non-Compliant Year

Consider a D2C electronics brand incorporated as a private limited company with FY 2026-27 revenues of Rs. 12 crore — Rs. 8 crore through Amazon India and Rs. 4 crore through its own website. During the year, three compliance failures occurred.

Failure 1 — GSTR-3B filed 90 days late for three consecutive months: Late fee = Rs. 50 per day × 90 days × 3 returns = Rs. 13,500 Interest on Rs. 60 lakh GST liability paid 90 days late at 18% p.a. = Rs. 60,00,000 × 18% × 90 ÷ 365 = Rs. 2,66,301

Failure 2 — TDS not deducted on logistics vendor payments of Rs. 80 lakh: TDS in default under Section 194C @ 2% = Rs. 1,60,000 Section 40(a)(ia) disallowance = 30% of Rs. 80 lakh = Rs. 24,00,000 added back to taxable income Additional tax at 25.17% (Section 115BAA rate: 22% base + 10% surcharge + 4% cess) = Rs. 6,04,080 Potential penalty under Section 271C (up to the amount of TDS not deducted) = Rs. 1,60,000

Failure 3 — AOC-4 and MGT-7 filed 120 days late: Additional MCA fee = Rs. 100 per day × 120 days × 2 forms = Rs. 24,000

Total identifiable exposure: approximately Rs. 11.3 lakh — entirely avoidable with a compliance calendar, automated reminders, and a named owner for each filing deadline.

Common Mistakes That Lead to Notices

• Not claiming Section 52 TCS credits. The credit from each marketplace's GSTR-8 auto-populates in your cash ledger, but you must actively verify it. Unreconciled credits leave cash on the table and create mismatches that trigger GSTN audit flags.
• Assuming one GST registration covers all states. A warehouse or fulfilment centre in a new state creates an immediate registration obligation. GSTIN mismatch in an e-way bill is one of the most common triggers for a department visit.
• Treating Section 194-O TDS as the marketplace's problem alone. The ECO has the obligation to deduct — but the AIS credit is yours to verify, dispute, and claim in your ITR. Errors in the ECO's GSTR-8 and Form 26AS are your problem to pursue.
• Ignoring DPDP compliance because Rules are not fully notified. The Act is law. Consent mechanisms, data retention policies, and breach response plans built today are dramatically cheaper than retrofitting after a Board complaint.
• FDI into an inventory-model entity. This violates the FDI Policy even if done inadvertently. The consequences — compounding under FEMA, mandatory remittance at a loss — are severe. Restructure before the wire transfer lands.
• Letting LLP late fees compound silently. Unlike companies (where MCA eventually caps additional fees in practice), LLP penalties under Forms 8 and 11 are uncapped at Rs. 100/day per form. A two-year filing backlog on two forms costs Rs. 1,46,000 in fees before any order of regularisation.
• Missing e-invoicing on a single invoice. Failure to generate an IRN does not block the supply, but it disqualifies the buyer's ITC — which can damage a key trade relationship and invite a suo motu SCN from the department.

Key Takeaways

• GST registration is mandatory for all e-commerce sellers regardless of turnover — the composition threshold and the basic exemption do not apply to anyone selling through an ECO. Verify state-wise coverage against every warehouse location.
• Reconcile Section 52 TCS credits every month, not at year-end — mismatches with marketplace GSTR-8 filings must be resolved before you file GSTR-3B to avoid interest on erroneously computed tax liabilities.
• Section 194-O TDS is deducted by the marketplace, not by you — but you bear the obligation to verify the credit in AIS/TIS and claim it in your ITR. Unclaimed credits increase your net tax outflow with no regulatory benefit.
• MCA annual filings have hard deadlines with daily escalating fees — AOC-4 by 29 October, MGT-7 by 28 November (March year-end companies); LLP Form 8 by 30 October, Form 11 by 30 May. LLP penalties are uncapped — treat them as highest priority.
• DPDP Act compliance should begin immediately — build consent capture flows, a data processing register, and a breach response runbook now, before the Rules are notified and the Data Protection Board becomes operational.
• FDI into an inventory-model entity violates FDI Policy — if your company holds stock and has received foreign capital, take legal advice on entity restructuring before any further fund raise or regulatory scrutiny.
• Build a cross-functional compliance calendar at the start of FY 2026-27 — assign a named owner to every recurring obligation across GST, income-tax, MCA, consumer protection, DPDP, and FEMA; automate reminders; and run a quarterly gap analysis whenever your operating model or product range evolves.