Soon, Shops and Retailers Cannot Ask for Your Mobile Number Under New Data Protection Law
Soon, Shops and Retailers Cannot Ask for Your Mobile Number Under New Data Protection Law
Draft DPDP Rules, 2025 set to redefine how businesses collect, store and use customer data, with penalties for misuse.
Starting soon, it may become illegal for shops and retailers to demand your mobile number at billing counters or for loyalty schemes. The government, under the Digital Personal Data Protection (DPDP) Act, 2023, has released the draft DPDP Rules, 2025, which strictly regulate how personal data like mobile numbers can be collected, stored, and used.
What the Rules Say
Under the new framework, retailers can only store phone numbers till they are needed, or for a maximum of three years from the last interaction, unless specific rules allow otherwise. If a customer withdraws consent, the data must be deleted immediately.
Importantly, businesses will no longer be allowed to deny services if a customer refuses to share their number, unless the number is essential to the service (such as for mobile recharges or Digi Yatra). Retailers will instead have to offer alternatives like physical receipts or email copies.
Impact on Retailers and Housing Societies
This regulation is expected to disrupt conventional loyalty programs, which rely heavily on mobile numbers as identifiers. Housing societies and visitor entry systems that routinely collect phone numbers will also need to shift to transparent, system-driven processes, with clear disclosures about how the numbers are used and strict assurances that data will not be resold or misused.
Why This Matters
The government has stressed that the intent is not to disrupt business but to enforce accountability in data usage. Retailers must now explicitly state why data is being collected, how long it will be retained, and when it will be deleted. Consent must be clear and informed, eliminating indirect or blanket approvals.
Bringing India in Line with Global Standards
With these rules, India joins global data privacy frameworks such as the EU’s GDPR, signalling the growing importance of protecting personal data in a digital economy. The law also seeks to curb the widespread practice of retailers collecting and allegedly selling millions of mobile numbers for profit.
Large retailers are already preparing for compliance, while smaller businesses, housing societies, and visitor management systems will need to adopt structured data management practices. Any violation including unauthorised collection, misuse, or leakage of numbers, could attract significant penalties.
