Checkout counters and privacy: What the data law means for shoppers

Arjun walked into an electronics store, picked up a pair of headphones, and headed to the billing counter. The cashier immediately asked, “Can I have your mobile number? Needed for the invoice.”

A few months ago, Arjun would have shared it without a second thought. But now, with whispers of a transformative shift in data protection lingered in his mind, that routine request felt different.

And this is the new reality for retailers.

Across India, retailers may soon have to rethink the common practice of asking for mobile numbers at checkout. Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the draft rules released this year, collecting personal details like phone numbers without a clear purpose and consent could amount to a violation of the law.

This follows an earlier advisory by the Ministry of Consumer Affairs in 2023, which warned retailers not to force customers to share contact details for services such as billing or product purchases.

WHAT NEW LAW SAYS ABOUT DATA COLLECTION

The DPDPA and draft rules lay down strict conditions:

• Personal data can only be collected for a specific purpose, after informing the individual, and only with their consent.
• Requests for consent must be accompanied—or preceded—by a clear notice that specifies what data is being collected and why.
• The notice must be in plain, understandable language, and must also provide a link or mechanism for customers to withdraw consent, exercise their rights, or lodge a complaint with the Data Protection Board of India.

The Act further clarifies that consent must be “free, specific, informed, unconditional and unambiguous”, and must involve a clear affirmative action. Importantly, service cannot be denied if consent is withheld—consent must be voluntary.

For example, if someone shares their phone number at a pharmacy to receive a payment receipt via SMS, that number can only be used for that specific purpose. It cannot be reused for marketing or stored without justification.

The draft rules strengthen these principles by requiring security safeguards such as encryption, access controls, and proper record-keeping. They also make it clear that spoken phone numbers at billing counters may violate the law by exposing data publicly.

In case of a data breach, retailers must immediately inform both the Data Protection Board and affected customers.

WHAT EXPERTS SAY

India Today TV also spoke to legal experts in the field to understand the impact of the act and the rules once enforced.

Legal experts point out that the new framework doesn’t ban retailers from asking for details like phone numbers, but it fundamentally changes the how and why behind the practice.

According to Advocate Lagna Panda, Partner at AP & Partners, the Act enforces two key principles—data minimisation and purpose limitation. In simple terms, this means shops can only ask for the bare minimum information they need, and only for a clearly defined reason.

“Once implemented, the DPDPA and the rules will ensure that retail outlets ask for information necessary for making a sale, Panda explained. “That said, where customers opt for any loyalty or rewards program, want e-invoices or sign up for future offers, their phone numbers will be collected and stored.”

Advocate Prashant Phillips, Executive Partner at Lakshmikumaran & Sridharan Attorneys, said the law does not outright ban retailers from seeking phone numbers, but how they collect and process them matters.

Phillips said, “Where a retailer requests such details, consent-based processing applies. Processing of personal data would only be permitted if the data principal has provided consent... Shoppers must also be allowed to withdraw consent easily, and the data fiduciary must delete such data once consent is withdrawn.”

He added, “The DPDP Act also recognises situations where individuals voluntarily submit their personal data... the act of voluntary submission itself may legitimise processing. However, the absence of consent requirements in such cases does not waive other obligations—the notice requirement, purpose limitation, security safeguards, erasure obligations, and rights of data principals remain fully applicable.”

According to Phillips, while compliance may initially seem “complex and burdensome,” the framework aims to build “discipline and transparency in data handling, which will ultimately enhance consumer trust and reduce long-term risks for businesses.”

Advocate Ruby Singh Ahuja, Senior Partner at Karanjawala & Co, called the shift more than just regulatory. “What we are seeing is not just a regulatory shift but a cultural transformation in how businesses must approach customer data,” Ahuja said.

She argued that the practice of asking for phone numbers verbally at checkout has long violated basic privacy principles by relying on implicit coercion and denying customers a real choice.

Ahuja said, “The Draft Rules 2025 make these current practices completely untenable, Rule 3 mandates that consent notices must be presented in clear and plain language with itemized descriptions of personal data being collected. Further Rule 6 requires businesses to implement appropriate security safeguards to protect customer information, and Rule 8 establishes strict data retention and deletion obligations that force retailers to justify why they're keeping customer phone numbers beyond the original purpose.”

She warned that the new regime will hold businesses directly accountable for how they collect, store, and use customer data. “With penalties reaching up to 250 crores as per the DPDP Act, 2023, retailers can no longer treat customer phone numbers as routine checkout requirements, they must now justify necessity and obtain genuine, informed consent before collecting any personal information,” Ahuja said.

- Ends