AFAIK, there’s no law to mandate that an ecommerce company must keep a proper record of customer’s information or what customer information it can maintain, etc. The law only stipulates what the company can and cannot do with the information that it does record.
I say this on the basis of my firsthand experience with vastly different data storage practices followed by two companies that sell online.
I’ve shopped at Amazon for +20 years in Germany, UK, USA and, finally, India, during which period I must’ve bought at least 100 items from it. Amazon remembers all my addresses across the four countries since circa 2000.
I give positive marks on CX to Amazon for this practice and it’s one of the reasons why it’s on my rather short list of cult loyalty brands. (That said, there could be privacy brigades who might diss Amazon for the same practice.)
All this must be needing a lot of investment in technology and commitment to customer-centricity on the part of Amazon. I realized how much only when I interacted with a leading IT company that manufactures computers, printers, storage systems and software. I’ve been this company’s customer for over a decade and registered on its website ages ago. However, every time I call its customer care telephone number, I’m asked to repeat my contact info. Its CSR told me that the company purges customer information once in three months apparently because it won’t allocate more storage space to store customer information for longer periods!
Ironically, the same company supplies the humungous storage space that Amazon uses to store its customer information for decades!