Shoppers Asked to Speak Numbers Aloud
Mumbai: Enterprise retailers may soon face trouble under India’s new data protection law. Many stores currently ask shoppers to share their Phone Numbers at billing counters for loyalty schemes or digital receipts. But saying Phone Numbers aloud in public exposes personal details. This practice goes against the rule that businesses must safeguard customer data.
Impact of the Digital Personal Data Protection Act
The new Digital Personal Data Protection Act will make businesses change how they handle customer information such as mobile numbers, which they often use as identifiers. This may affect loyalty programmes that rely on phone numbers as the main link with customers.
Simple Changes Can Improve Privacy
“Small process tweaks, such as replacing oral disclosure of mobile numbers with keypad entry, can significantly improve privacy safeguards. The law mandates that customers must be told why their data is collected, how long it will be stored, and when it will be deleted. Implied consent will no longer be valid every consent must be explicit,” said S Chandrasekhar, head of digital and cyber practice at K and S Partners, an intellectual property law firm.
Alternatives to Mobile Numbers
The law will stop businesses from denying services if customers refuse to share a phone number, unless the service absolutely requires it such as mobile recharges or Digi Yatra. Stores must give other options like email receipts or printed bills. Visitor entry systems must clearly state why they collect phone numbers and assure users that they will not reuse or sell the data.
Bringing India Closer to Global Standards
“The broader intent is not to disrupt business but to enforce accountability, ensuring data is used only for the stated purpose and then deleted,” said Chandrasekhar. He explained that these rules bring India closer to global data protection standards like the GDPR, showing the growing value of personal data in today’s businesses.
Wider Scope Beyond Retail
The rules will not just affect large retailers. They will also cover visitor management systems and housing societies that routinely collect mobile numbers. These groups will need to adopt secure, system based methods for collecting and storing data.
Rules for Storage and Deletion
Under the DPDP Act 2023, organisations can keep personal data like phone numbers only as long as they need it for the original purpose. They may store it for up to three years after the last user interaction or as specified in the rules. Once the purpose ends or the customer withdraws consent, the business must delete the data. Organisations also need to set up safeguards to stop any misuse, unauthorised use, or leakage of customer numbers.
Also read: Canada Updates Rules on Biometric Technology Usage
