**Title:** New Data Protection Law Changes Retailers’ Approach to Customer Information
**Meta Description:** India’s new data protection law reshapes how retailers collect customer information, emphasizing consent and purpose.
**URL Slug:** data-protection-law-retailers-india
—
**New Data Protection Law Changes Retailers’ Approach to Customer Information**
In a significant shift for retailers across India, the recently enacted Digital Personal Data Protection Act, 2023 (DPDPA) is prompting a reevaluation of how customer information, particularly mobile numbers, is collected at checkout. This change comes in the wake of growing concerns about data privacy and the need for explicit consent from consumers.
Traditionally, it was common for cashiers to request mobile numbers for billing purposes without much thought. However, with the DPDPA now in effect, such requests must be grounded in clear purpose and consent, fundamentally altering the retail landscape. The law stipulates that personal data can only be collected for specific reasons, and customers must be informed about what data is being collected and why.
The Ministry of Consumer Affairs previously advised retailers against mandating the sharing of contact details for services like billing or product purchases. This advisory aligns with the DPDPA’s requirements, which emphasize that consent must be “free, specific, informed, unconditional, and unambiguous.” Retailers are now required to provide clear notices that explain the data collection process and offer customers the option to withdraw consent or lodge complaints.
For instance, if a customer provides their phone number at a pharmacy to receive a payment receipt via SMS, that number can only be used for that specific transaction and cannot be repurposed for marketing without further consent. The draft rules accompanying the DPDPA also introduce stringent security measures, including encryption and access controls, to protect customer data.
Legal experts highlight that while the new framework does not prohibit retailers from requesting personal information, it necessitates a cultural shift in how businesses handle customer data. Advocate Ruby Singh Ahuja emphasizes that this transformation is not merely regulatory but represents a broader change in business practices regarding data privacy.
In the event of a data breach, retailers are obligated to promptly notify both the Data Protection Board and affected customers, reinforcing the importance of accountability in data management.
As retailers adapt to these new regulations, the focus on customer consent and data protection is likely to reshape the shopping experience in India, fostering a more secure environment for consumer information.
**FAQ**
**Q: What does the Digital Personal Data Protection Act require from retailers?**
A: The DPDPA mandates that retailers collect personal data only for specific purposes with clear consent from customers, ensuring transparency and security in data handling.
