India’s retail landscape is on the cusp of a significant shift as new data protection laws prepare to redefine how businesses interact with customer data. Soon, the common practice of requesting mobile numbers at billing counters may become a thing of the past, potentially placing retailers in violation of the Digital Personal Data Protection Act (DPDP). This legislation aims to fortify consumer data rights, compelling businesses to overhaul their data collection and handling procedures.
Currently, retailers frequently ask shoppers for their mobile numbers to enroll them in loyalty programs or to provide digital receipts. However, this practice exposes personal information in public settings, contravening the law’s mandate for robust data protection measures. The DPDP Act necessitates that companies rethink their approach to collecting and managing customer data, especially mobile numbers used as unique identifiers. S Chandrasekhar of K&S Partners emphasizes that minor adjustments, such as substituting verbal disclosure with keypad entry, can greatly improve privacy. The law requires explicit consent for data collection, specifying the purpose, storage duration, and deletion timeline. Implicit consent will no longer suffice.
Moreover, businesses are barred from denying services to customers who decline to share their mobile numbers, unless it is essential for the service, like mobile top-ups or Digi Yatra. Retailers must offer alternative options, such as email receipts or printed copies. Even visitor entry systems must transparently disclose the reason for collecting numbers, assuring users that the data will not be resold or misused. Chandrasekhar clarifies that the intent is not to disrupt business but to enforce accountability, ensuring data is used solely for its stated purpose and then deleted. This move aligns India with global standards like GDPR, recognizing personal data as a critical asset for businesses. While large retail chains are proactively adapting to the new law, it will also impact visitor management systems and housing societies that routinely collect phone numbers, compelling them to adopt more structured, system-driven methods.
The DPDP Act of 2023 serves as a cornerstone for data privacy, promoting lawful data processing by organizations and the state. As of August 2025, the Ministry of Electronics and IT has issued draft DPDP Rules to facilitate the Act’s operationalization. Personal data, like phone numbers, can be retained only as long as necessary, up to three years from the last user interaction, or as provided in the rules. Once the purpose is fulfilled or consent withdrawn, the data must be deleted. Organizations must also implement safeguards against unauthorized collection, use, or leakage of consumer data. Alternative systems, like keypad entry, are expected to become more prevalent to ensure privacy and security. Retailers must inform customers about the purpose of data collection, its duration, and deletion procedures. The upcoming data protection law will prohibit retailers from refusing service to customers who do not provide their mobile numbers and will ban the resale of collected data.
These changes are poised to significantly impact retail practices, enhancing consumer data protection and promoting responsible data handling across industries.
Also Read: What Makes CleverTap a Global SaaS Success? The Journey from India to the World
