Mumbai: Enterprise retailers may soon find themselves in breach of India's new data-protection regime. At present, many ask shoppers to recite mobile numbers at billing counters to enrol them in loyalty schemes or send digital receipts. Though customers may consent, the act of speaking such details aloud in a public setting exposes personal data, falling foul of the law's requirement that firms put reasonable safeguards in place for data collection.
Rules under the new Digital Personal Data Protection Act will require businesses to rethink how they collect and handle customer information such as mobile numbers, which they use as identifiers. This could disrupt conventional loyalty systems that rely on mobile numbers as identifiers.
"Small process tweaks, such as replacing oral disclosure of mobile numbers with keypad entry, can significantly improve privacy safeguards. The law mandates that customers must be told why their data is collected, how long it will be stored, and when it will be deleted. Implied consent will no longer be valid - every consent must be explicit," said S Chandrasekhar, head of digital and cyber practice at K&S Partners, an intellectual property law firm.
Businesses will also be barred from denying services if a customer refuses to share a mobile number, unless it is integral to the service, such as mobile top-ups or Digi Yatra. Retailers will have to offer alternatives like email receipts or physical copies. Even visitor entry systems will need clear disclosures on the purpose of collecting numbers and assurances that data will not be reused or sold.
"The broader intent is not to disrupt business but to enforce accountability, ensuring data is used only for the stated purpose and then deleted," said Chandrasekhar. He added that this brings India in line with global norms such as the GDPR, reflecting the growing importance of personal data as a resource around which many large businesses are built.
While enterprise retail are the ones that are working on dealing with the new law, the rules will also apply to visitor management systems, and housing societies that routinely collect numbers. This new laws will compel them to adopt system-driven methods.
The Digital Personal Data Protection (DPDP) Act, 2023 is the cornerstone legislation for data privacy while allowing responsible and lawful processing by organisations and the state. As of Aug 2025, the ministry of electronics and IT has released the draft DPDP Rules, 2025 to facilitate operationalisation of the Act.
Personal data such as phone numbers may be retained only for the duration necessary to serve the original purpose, for up to three years from the last user interaction, or as otherwise provided in the rules. Once the purpose is met or consent is withdrawn, the data must be deleted. Organisations are also obliged to implement safeguards to prevent unauthorised collection, use, or leakage of consumer numbers.
Rules under the new Digital Personal Data Protection Act will require businesses to rethink how they collect and handle customer information such as mobile numbers, which they use as identifiers. This could disrupt conventional loyalty systems that rely on mobile numbers as identifiers.
"Small process tweaks, such as replacing oral disclosure of mobile numbers with keypad entry, can significantly improve privacy safeguards. The law mandates that customers must be told why their data is collected, how long it will be stored, and when it will be deleted. Implied consent will no longer be valid - every consent must be explicit," said S Chandrasekhar, head of digital and cyber practice at K&S Partners, an intellectual property law firm.
Businesses will also be barred from denying services if a customer refuses to share a mobile number, unless it is integral to the service, such as mobile top-ups or Digi Yatra. Retailers will have to offer alternatives like email receipts or physical copies. Even visitor entry systems will need clear disclosures on the purpose of collecting numbers and assurances that data will not be reused or sold.
"The broader intent is not to disrupt business but to enforce accountability, ensuring data is used only for the stated purpose and then deleted," said Chandrasekhar. He added that this brings India in line with global norms such as the GDPR, reflecting the growing importance of personal data as a resource around which many large businesses are built.
While enterprise retail are the ones that are working on dealing with the new law, the rules will also apply to visitor management systems, and housing societies that routinely collect numbers. This new laws will compel them to adopt system-driven methods.
The Digital Personal Data Protection (DPDP) Act, 2023 is the cornerstone legislation for data privacy while allowing responsible and lawful processing by organisations and the state. As of Aug 2025, the ministry of electronics and IT has released the draft DPDP Rules, 2025 to facilitate operationalisation of the Act.
Personal data such as phone numbers may be retained only for the duration necessary to serve the original purpose, for up to three years from the last user interaction, or as otherwise provided in the rules. Once the purpose is met or consent is withdrawn, the data must be deleted. Organisations are also obliged to implement safeguards to prevent unauthorised collection, use, or leakage of consumer numbers.
You may also like
'Pursue scriptwriting in Mumbai, don't waste time in politics': Delhi BJP chief to Saurabh Bhardwaj
Screaming mum finds funeral director 'watching cartoons' with two dead babies
'Melt away' energy bills by switching off 1 common 'energy hog'
K'taka tribal welfare board scam: ED attaches immovable properties worth Rs 5 crore
Disaster for Rachel Reeves as borrowing costs near highest level since 1998
