Under the new rule, companies will need to rethink how they collect and manage customer information, including mobile numbers, which are often used as unique identifiers.
New Delhi: Shoppers may no longer have to give their mobile numbers aloud at store billing counters, as the new Digital Personal Data Protection Act introduces strict safeguards for personal data collection.
Currently, many retailers ask customers to share their mobile numbers verbally to issue digital receipts or enroll them in loyalty programs. While shoppers may consent, disclosing personal information in a public space risks exposure and may violate the law’s requirement for companies to implement reasonable safeguards during data collection, as reported by The Times of India.
According to the report, the rules under the new Digital Personal Data Protection Act will require companies to rethink how they collect and handle customer information such as mobile numbers, which they use as identifiers.
“Small process changes, such as replacing verbal disclosure with keypad entry, can greatly enhance privacy. The law mandates that customers must be informed why their data is collected, how long it will be stored, and when it will be deleted. Implied consent will no longer be valid—every consent must be explicit,” said S Chandrasekhar, head of digital and cyber practice at K&S Partners.
Businesses also cannot deny services if a customer refuses to share a mobile number unless it is essential for the service, such as mobile top-ups or Digi Yatra bookings. Retailers must provide alternatives, including email receipts or physical copies. These rules will also extend to visitor management systems and housing societies.
The Act specifies that personal data, like phone numbers, can only be stored as long as needed to fulfill the original purpose—up to three years from the last user interaction or as otherwise specified. Once the purpose is complete or consent is withdrawn, the data must be deleted. Companies are also required to implement safeguards to prevent unauthorized access, misuse, or leakage of customer information.
