New data protection act to bar shops from refusing service without mobile number

New Delhi: The government is rolling out a new data protection law that will make it illegal for shops and retail outlets to demand customers’ mobile numbers at billing counters.
For years, retailers have collected millions of phone numbers under the guise of loyalty programmes, digital receipts, or marketing promotions. In some cases, these details were resold for significant profits. The new Digital Personal Data Protection (DPDP) Act, 2023 — set to be operational by August 2025 through the DPDP Rules, 2025 — aims to put an end to this practice, enhancing data security and ensuring consumer privacy.
Under the law, retailers cannot deny service if a customer refuses to provide their mobile number. Instead, alternatives like printed receipts or email invoices must be offered. The resale or unauthorised retention of customer data will also be banned.
The rules require explicit consent for data collection, with businesses obligated to explain why the data is needed, how long it will be stored (up to three years from the last interaction), and when it will be deleted. Implied consent will no longer be valid.
Industry experts suggest that simple measures, such as keypad entry systems to prevent verbal disclosure of phone numbers, could help retailers comply with the law while safeguarding privacy.
The law will apply not just to retailers but also to visitor entry systems at offices, malls, and housing societies, which will now have to clearly state their purpose and data retention policies.
Officials say the framework aligns India’s privacy standards with global norms such as the GDPR, reinforcing accountability and preventing misuse of personal data.