Retailers’ Phone Number Collection Practices Face Scrutiny Under New Data Privacy Laws
Mumbai, India – August 27, 2025 – A growing number of enterprise retailers in India may soon find themselves in violation of the country’s new Digital Personal Data Protection (DPDP) Act, 2023, due to their widespread practice of collecting shoppers’ phone numbers at billing counters. This practice, commonly used to enroll customers in loyalty programs or to send digital receipts, is raising significant privacy concerns as it often involves customers reciting personal information aloud in public settings, potentially exposing sensitive data. As India’s data protection regime tightens, retailers are being urged to overhaul their data collection methods to comply with the law and protect consumer privacy.
The Issue: Public Disclosure of Phone Numbers
For years, it has been standard practice for retailers across India to ask shoppers to provide their mobile numbers at checkout. This information is typically used to enroll customers in loyalty schemes, track purchase histories, or send digital receipts. However, the act of verbally sharing phone numbers in busy retail environments—often within earshot of other customers or staff—has come under scrutiny for violating the principles of data privacy. The DPDP Act, which came into effect in 2023 and is being operationalized through the draft DPDP Rules of 2025, mandates that businesses implement “reasonable safeguards” to protect personal data during collection and processing.
According to legal experts, the public disclosure of phone numbers at billing counters fails to meet these safeguards. “When customers are asked to recite their mobile numbers aloud, it exposes their personal data to anyone nearby, which directly contravenes the law’s requirement for secure data handling,” said S Chandrasekhar, head of digital and cyber practice at K&S Partners, an intellectual property law firm. He emphasized that the DPDP Act requires explicit consent for data collection, and implied consent—such as a customer providing their number without being fully informed of its use—is no longer valid.
The Digital Personal Data Protection Act: A New Era of Accountability
The DPDP Act, described as India’s cornerstone legislation for data privacy, sets strict guidelines for how businesses collect, store, and use personal data, including phone numbers. Under the Act, organizations must:
- Clearly inform customers about the purpose of data collection, the duration of storage, and when the data will be deleted.
- Obtain explicit consent for collecting personal information.
- Delete data once its purpose has been fulfilled or if consent is withdrawn, typically within three years of the last customer interaction.
- Implement safeguards to prevent unauthorized access, use, or leakage of personal data.
The draft DPDP Rules, released by the Ministry of Electronics and Information Technology in August 2025, further clarify these obligations, emphasizing that businesses must adopt system-driven methods to ensure compliance. For instance, replacing oral disclosure of phone numbers with secure keypad entry or digital forms could significantly enhance privacy protections. Failure to comply with these rules could result in penalties, including fines, and potential legal action from affected consumers.
Impact on Retailers: Disruption of Traditional Practices
The new regulations are poised to disrupt conventional retail practices, particularly loyalty programs that rely heavily on phone numbers as customer identifiers. Many retailers use these numbers to track purchasing patterns, offer personalized discounts, or send promotional messages. However, the DPDP Act prohibits denying services to customers who refuse to share their phone numbers unless the data is integral to the service provided, such as for mobile top-ups or digital ticketing systems like Digi Yatra.
Retailers are now exploring alternatives to comply with the law while maintaining customer engagement. Some are shifting to email-based receipts or physical copies, while others are investing in technologies like QR codes or mobile apps that allow customers to input their information privately. “The broader intent of the law is not to disrupt business but to enforce accountability,” Chandrasekhar noted. “Retailers must ensure that data is used only for the stated purpose and then deleted, fostering trust with consumers.”
Consumer Reactions: Mixed Feelings and Growing Awareness
Shoppers have expressed mixed reactions to the practice of phone number collection and the new legal framework. Some appreciate the convenience of digital receipts and loyalty programs, but others are wary of sharing personal information. “I don’t mind giving my number for discounts, but I’ve noticed how crowded stores can be, and it feels risky to say it out loud,” said Priya Sharma, a frequent shopper at a Mumbai department store. Others, like Anil Gupta, are more skeptical: “I’ve stopped giving my number because I don’t trust what they do with it. I’d rather get a paper receipt.”
Consumer awareness of data privacy is on the rise, fueled by high-profile data breaches and increased media coverage of privacy laws. A recent survey by Enzuzo found that 94% of consumers would not purchase from a business that fails to protect their data adequately, highlighting the importance of trust in retailer-customer relationships. The same survey noted that transparency in how data is used is a top priority for 39% of consumers, surpassing mere compliance with laws.
Global Context: A Broader Push for Data Privacy
India’s DPDP Act aligns with global trends toward stronger data protection regulations. In the United States, for example, states like California and Virginia have introduced laws to regulate how businesses handle personal data, including restrictions on collecting sensitive information like reproductive and sexual health data. A notable case in Virginia saw retailers like Walmart and Costco issuing pop-up warnings on their websites, informing shoppers that searching for or purchasing certain health-related products constitutes consent for data collection. These measures reflect a growing recognition of the need to protect consumer privacy in an era where data is often compared to oil—valuable, but vulnerable to exploitation.
Globally, data breaches have underscored the risks of lax data practices. In the U.S., a 2021 T-Mobile breach affected over 40 million people, including those who were not customers, while a 2019 Marriott breach exposed names, phone numbers, and passport details of millions. Such incidents have fueled calls for federal legislation to harmonize data breach notification laws and impose stricter penalties on non-compliant businesses.
Challenges for Retailers: Balancing Compliance and Customer Experience
Retailers face a delicate balancing act: complying with stringent privacy laws while maintaining seamless customer experiences. The shift away from oral phone number collection requires investments in new technologies and staff training, which could strain smaller businesses. Large retailers, however, are already adapting. Some have introduced self-service kiosks or mobile apps that allow customers to input their details privately, while others are exploring anonymized identifiers, such as platform IDs or cookies, to reduce reliance on personally identifiable information (PII).
The INFORM Consumers Act in the U.S., effective since June 2023, offers a parallel example of regulatory efforts to enhance transparency in online marketplaces. The Act requires marketplaces to collect and verify seller information, including working phone numbers and email addresses, to combat counterfeit goods and fraud. While this law focuses on seller accountability, it underscores the broader trend of governments cracking down on unchecked data practices.
Looking Ahead: A Call for Proactive Change
As the DPDP Act’s enforcement ramps up, Indian retailers are being urged to act swiftly to avoid penalties and maintain consumer trust. Experts recommend that businesses conduct data protection audits, update their privacy policies, and invest in secure data collection methods. “This is an opportunity for retailers to differentiate themselves by prioritizing privacy,” said Andrew Tobel, Privacy Counsel for Albertsons, speaking at a recent industry summit. “Consumers are more educated than ever about their data rights, and they reward businesses that respect their privacy.”
The Indian government is also working to support compliance. The Ministry of Electronics and Information Technology has engaged with industry stakeholders to clarify the DPDP Rules and provide guidance on implementation. Meanwhile, consumer advocacy groups are calling for stronger enforcement mechanisms to ensure businesses adhere to the law.
Conclusion: A New Standard for Retail Data Practices
The days of casually collecting phone numbers at checkout counters may soon be over as India’s DPDP Act reshapes how retailers handle personal data. By prioritizing explicit consent, secure collection methods, and transparency, the law aims to protect consumers in an increasingly data-driven world. While the transition may pose challenges for retailers, it also presents an opportunity to build stronger, trust-based relationships with customers. As one shopper put it, “I want to know my data is safe. If a store can’t guarantee that, I’ll take my business elsewhere.”
For more information on the DPDP Act and its implications, visit the Ministry of Electronics and Information Technology’s official website or consult a legal expert specializing in data privacy.
For More News Updates Follow Us On Www.tconews.in
