No More Phone Numbers at Checkout? Data Deletion Mandate May Reshape Customer Engagement in India

The420.in Staff

Enterprise retailers across India may soon be forced to overhaul how they collect and handle customer data as the Digital Personal Data Protection (DPDP) Act, 2023, comes into effect. A common practice of asking shoppers to verbally disclose their mobile numbers at billing counters for loyalty schemes or digital receipts is now under scrutiny, as experts warn it may breach the Act’s privacy safeguards.

The Ministry of Electronics and Information Technology (MeitY) has issued draft DPDP Rules, 2025, setting clear obligations for businesses. Under the law, organisations must ensure that personal data, such as phone numbers, is collected only with explicit consent and with safeguards that prevent exposure in public settings. The practice of “implied consent” will no longer be valid, and businesses will be required to inform customers of the purpose of data collection, retention timelines, and deletion policies.


Retail Systems Under Pressure

For India’s retail sector, the implications could be far-reaching. Loyalty programs that use phone numbers as identifiers may no longer operate in their current form. Experts suggest that small process changes, such as keypad entry of numbers instead of oral disclosure, can mitigate risks while ensuring compliance. Retailers will also need to offer alternatives, including email receipts or printed copies, to customers who do not wish to share their mobile numbers. Importantly, businesses cannot deny services unless the data requested is integral to the service itself, such as mobile recharges or airport travel verification systems like Digi Yatra.

Visitor management systems and even residential housing societies, which routinely collect phone numbers for entry logs, will also fall under the ambit of the new rules. These entities must provide clear disclosures about the purpose of data collection and guarantee that numbers will not be reused or sold.

Data Deletion and Accountability

The draft rules specify that personal data can be retained only for the duration necessary to fulfil the original purpose, capped at three years from the last user interaction unless otherwise required by law. Once the purpose is met or consent is withdrawn, businesses must delete the data. Organisations are also mandated to implement system-driven safeguards to prevent unauthorised collection, misuse, or leakage of consumer numbers.

Legal experts note that these provisions align India’s framework with global standards such as the GDPR, ensuring that businesses are held accountable for protecting consumer privacy. The broader intent, they argue, is not to disrupt commerce but to create an ecosystem where personal data is respected as a valuable and sensitive resource.
