Shoppers may soon not have to worry about providing their mobile numbers at checkout counters. India’s new data privacy law mandates companies to obtain the consent of customers before collecting their personal details, such as phone numbers.
The Ministry of Electronics and Information Technology recently kick-started a new framework to operationalise the Digital Personal Data Protection Act, 2023 (DPDP), a comprehensive data privacy law. The government has released the draft DPDP Rules, 2025, to facilitate the implementation of the law.
Let’s take a closer look.
What the DPDP Act entails
The DPDP Act states that an individual’s personal data can be collected with their consent and for “certain legitimate uses.”
The legislation states that the ‘Data Fiduciary’ should give prior notice to the ‘Data Principal’, informing them of the “personal data and the purpose for which the same is proposed to be processed”.
‘Data Principal’ is the individual whose personal data is being collected, as per the Act.
‘Data Fiduciary’ is any entity (individual, company, firm, state, etc) that decides the “purpose and means of processing of an individual’s personal data”.
The law mandates that the request for consent should be in “clear and plain language”, giving the option to the customer to opt for English or any language specified in the Eighth Schedule to the Constitution.
Customers can also withdraw their consent at any time or lodge a complaint with the Data Protection Board of India.
In case of a data breach, businesses must immediately inform the board and affected customers.
No consent, no sharing phone number
While shopping, we are often asked to provide our mobile phone numbers at billing counters. They are often used for loyalty schemes or to send digital receipts by retailers.
However, reciting our phone numbers in public can violate privacy.
The new rules under the DPDP Act will require businesses to explain to consumers the reason their personal data is being collected and how long it will be stored.
“Small process tweaks, such as replacing oral disclosure of mobile numbers with keypad entry, can significantly improve privacy safeguards. The law mandates that customers must be told why their data is collected, how long it will be stored, and when it will be deleted. Implied consent will no longer be valid - every consent must be explicit,” S Chandrasekhar, head of digital and cyber practice at K&S Partners, an intellectual property law firm, told Times of India (TOI).
Businesses cannot deny service to customers if they refuse to provide their mobile number, unless it is necessary for the service, such as for mobile top-ups.
Retailers will be required to offer alternatives like email receipts or physical copies to the customers.
At visitor entry systems, people will need to be informed about the reason for collecting phone numbers and assured that their data will not be reused or sold. Housing societies that routinely collect numbers of visitors will also come under the purview of the law.
“The broader intent is not to disrupt business but to enforce accountability, ensuring data is used only for the stated purpose and then deleted,” Chandrasekhar told the newspaper.
Under the Digital Personal Data Protection Act, 2023, collecting personal details like phone numbers without a clear purpose and consent could violate the data privacy law.
Personal data may only be stored by companies for the period needed to serve the original purpose, for up to three years from the last user interaction, or as stated in the rules.
Once the purpose is complete or the customer withdraws their consent, the data must be deleted. Organisations will also be obligated to maintain safeguards to prevent unauthorised collection, use, or leakage of the customer’s personal information.
What do experts say?
Legal experts say the new rules do not ban retailers from collecting personal details such as phone numbers of customers, but rather govern how businesses treat that data.
Advocate Ruby Singh Ahuja, Senior Partner at Karanjawala & Co, told India Today TV, “What we are seeing is not just a regulatory shift but a cultural transformation in how businesses must approach customer data.”
She said that asking for phone numbers of customers verbally at billing counters has long violated privacy laws through implicit coercion and taking away their choice.
Ahuja said, “The Draft Rules 2025 make these current practices completely untenable, Rule 3 mandates that consent notices must be presented in clear and plain language with itemised descriptions of personal data being collected. Further Rule 6 requires businesses to implement appropriate security safeguards to protect customer information, and Rule 8 establishes strict data retention and deletion obligations that force retailers to justify why they’re keeping customer phone numbers beyond the original purpose.”
She said the new rules will put the onus on the businesses for how they collect, keep, and use customer data. “With penalties reaching up to Rs 250 crores as per the DPDP Act, 2023, retailers can no longer treat customer phone numbers as routine checkout requirements, they must now justify necessity and obtain genuine, informed consent before collecting any personal information,” Ahuja said.
Speaking to Forbes India, Ashok Hariharan, CEO and co-founder, IDfy, said that consent experience across most Indian digital services is fragmented and compliance-led. “Users rarely have clarity on what they’ve consented to, across which services, and how to revoke it. What we need is not just consent capture, but consent governance—a structured, user-centric approach that makes consent granular, auditable, purpose-bound, and revocable.”
With inputs from agencies