Our resources provide the essential tools, guides, and insights to help your business stay ahead of data privacy regulations. From practical templates to expert articles, we ensure you have everything you need to navigate compliance with confidence.
Last Updated: 2025-08-27 ~ DPDP Consultants
That familiar moment at Indian billing counters, when cashiers ask “Mobile number, please?”, is now under scrutiny. There is NO VALID CONSENT mechanism as per Indian DPDP ACT and personal data collection like this poses lot of threat including lack of “reasonable safeguards” when shoppers recite phone numbers aloud in public, even with consent, could violate the Digital Personal Data Protection (DPDP) Act. In crowded stores, a customer’s number can be overheard, copied, or misused, which is precisely the kind of exposure India’s data law aims to curb.
This development is not entirely unexpected. The government has previously cautioned retailers against insisting on phone numbers for the purpose of generating invoices or processing sales, terming such insistence an unfair practice unless customers provide free consent. In 2023, the Consumer Affairs Ministry directed industry bodies to advise retailers not to capture numbers without explicit permission. The message was clear: a phone number should NOT be a mandatory condition for issuing a bill.
Courts and consumer panels have reinforced this principle. Earlier this year, the Chandigarh State Consumer Disputes Redressal Commission ruled that a retail store cannot compel customers to share their mobile numbers, affirming that basic purchases must not be contingent upon surrendering personal details.
Meanwhile, India’s long-awaited data protection regime is approaching enforcement. The DPDP Act received assent on August 11, 2023, and draft implementation rules were released in January 2025. Ministry of Electronics and Information Technology (MeitY) having concluded public consultations and moving toward finalization, businesses that treat compliance as a distant concern risk being caught off guard.
What this means at the checkout counter
Avoid verbal disclosures. Publicly announcing mobile numbers exposes sensitive data and undermines “reasonable safeguards,” a key principle of the DPDP Act. Retailers are expected to shift to Digital,secure and discreet collection methods such as customer-side entry on POS systems, privacy-protected screens, or QR code-based forms.
Ensure genuine and granular consent. Each purpose of data use—such as billing, e-receipts, or loyalty programs—must have a clear notice and a separate opt-in. The Act emphasizes purpose limitation and grants individuals the right to withdraw consent at any time.
Do not condition service on data. Customers who prefer printed bills without sharing a phone number must be allowed that option without any denial of service or pressure.
The risk: penalties that can sting
Once enforced, the DPDP Act empowers the Data Protection Board of India to impose severe penalties for violations. Non-compliance with reasonable security safeguards may attract fines of up to ₹250 crore. Other breaches, including failure to notify data leaks or mishandling children’s data, carry similarly steep caps. Even a single negligent practice could prove extremely costly.
What smart retailers are doing now
The bigger picture
Retail is only the beginning. Payments networks have already urged the government to relax stringent consent requirements, underscoring the transformative impact the DPDP Act will have on everyday business practices. The trajectory is clear: less indiscriminate data collection, more explicit choice, enhanced safeguards, and stronger accountability.
The signal is clear: The DPDP Law has been enacted and approaching full enforcement. Companies across sectors are moving toward compliance. Start your compliance journey today.
Stay with us for updates on: DPDP
Consultants Newsletter
Similar Read
