ABSTRACT
In India today, visiting a mall and making a purchase usually ends in being asked to provide your mobile number so that an invoice can be issued at the checkout counter. Initially used as part of a loyalty programme, this tactic for collecting data about customers has now become a coercive means of data collection. This article examines the legal authority for retail establishments to require or demand the provision of a consumer’s personal contact information with every transaction in India. This article will achieve this by examining the guidelines of the Ministry of Consumer Affairs regarding the Consumer Protection Act of 2019, as well as the data privacy framework established by India’s Digital Personal Data Protection Act of 2023. The intersectionality of consumer rights and data privacy will be evaluated as a result of this analysis. The conclusion drawn from this analysis is that any method of collecting data through force is considered an unfair trade practice and is an actionable violation of one’s privacy.
KEYWORDS: Digital Personal Data Protection Act 2023, Consumer Protection Act 2019, Mandatory Data Collection, Unfair Trade Practice, Retail Privacy, Data Fiduciary, Consumer Rights.
INTRODUCTION
India’s current retail experience is morphing into a hybrid of digitisation. As the line between online and offline shopping continues to deteriorate, the majority of urban consumers will recognise the scenario described above. After making selections from a retail store, the customer proceeds to the checkout terminal only to be asked (persuasively) for their cell number. When the customer appears to hesitate in providing this private information, the cashier will almost always inform them that they cannot complete the transaction (print the receipt) without acquiring this information first.
As a result of this process, consumers have been put in an uncomfortable dilemma: either forgo their digital privacy rights or give up their intended purchase. For many years, data collection was sold to consumers as a voluntary option to sign up for loyalty programs or receive electronic receipts. However, as data became increasingly valuable and secondary currencies, data requests changed from being a consumer option to a mandate.
Personal data is now linked to virtually all banking, Aadhaar cards, and social media activity. Uncontrolled sharing has created a serious threat to the security of citizens. Does the store have a legal right to deny a citizen the right to purchase because the citizen is exercising their right to remain anonymous with regard to their cell number? The answer lies in the robust interplay between India’s consumer protection laws and its recently enacted, comprehensive data protection regime.
THE CURRENT RETAIL LANDSCAPE: DATA AS THE NEW CURRENCY
Retailers are keen to obtain customer mobile numbers because they provide vital information for understanding how shoppers behave and their demographic identities. The retail industry is highly competitive, and mobile numbers provide the most comprehensive access to this information once they are collected at the cash register. Therefore, these numbers are often more than simply used to send e-receipts after the transaction is completed.
Typically, mobile numbers are incorporated into a retailer’s database for use in customer relationship management (CRM) databases, where the retailer can track the frequency of shopping and average transacted amount per visit, and are also used for targeted SMS marketing and cross-selling efforts. It is not unusual for a retailer to collect a mobile number and combine it with similar data for sale, or to compile these mobile numbers and sell them to data brokers.
The aggressive collection of mobile phone numbers has created a serious imbalance of power between consumers and retailers. Consumers are unable to make an informed decision regarding whether or not to provide their mobile number when making a purchase, nor do they understand the manner in which their data will be collected, compiled or used by the businesses they patronise. Retailers have adopted a business model that treats consumer data as a highly sought-after asset, and this has created an opportunity for consumer data to become the most vulnerable asset in the digital age (Saurabh, 2024). This vulnerability has prompted Indian regulatory agencies to respond to the aggressive development of systems for obtaining customer contact information through legal means.
THE CONSUMER PROTECTION ACT, 2019: ADDRESSING UNFAIR TRADE PRACTICES
The CPA, 2019 (Consumer Protection Act, 2019) is the main law protecting consumers against the mandatory collection of their data from the consumer’s perspective. This act was written to protect the consumer’s interests, to create authorities to deal with the expeditious administration of consumer disputes, and to protect the consumer from unfair trade practices by merchants or other parties engaged in commerce.
Section 2 (c) of the CPA 2019 defines an “unfair trade practice” as including, but not limited to, any of the following methods of promoting the sale or supply of goods: (1) deceitful methods such as false advertising; (2) coercive methods of marketing or using threats; or (3) unreasonable methods of marketing, such as charging excessive fees or asking for unnecessary information.
Laws dictate the regulation of unfair trade practices in India pertaining to the collection of personal information from consumers before the finalisation of a transaction, as well as providing clarity to retail establishments on this issue. Many consumers have contacted or registered a complaint on the National Consumer Helpline regarding their inability to receive a tax invoice because they are not willing to give their mobile number, which is a requirement to produce a tax invoice. The Ministry of Consumer Affairs has therefore clarified the above issue, citing the Consumer Protection Act of 2019 (CPA 2019), specifically stating that every consumer has the absolute right to receive a tax invoice for the purchase of goods, and that by tying the production of the tax invoice with the requirement that the consumer provides the retailer with their mobile number, the retailer is engaging in coercive behavior that creates both a “deficiency of service” and is an “unfair trade practice.”
Whenever a consumer is denied a tax invoice from a retailer when they refuse to provide their mobile number to the retailer, they have the right to file a complaint with the retailer via the National Consumer Helpline or file a complaint against the retailer with the District Consumer Dispute Redressal Commission.
THE DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT, 2023
The Consumer Protection Act is focused on protecting consumers from the unfair transactional aspects associated with this issue, whereas the “Digital Personal Data Protection” (DPDP) Act aims to protect fundamental rights regarding privacy. The enactment of the DPDP Act in August 2023 will be an important piece of legislation for the protection of individual rights related to privacy and provides a national framework for the lawful processing of digital personal data in India (Saurabh, 2024).
The DPDP Act adopts two new terms: Data Principal- the owner of the data (in consumer transactions cases) and Data Fiduciary – the company/entity that decides how and why to use or process the digital personal data it collects on the Data Principal, or consumer.
The DPDP Act establishes that individuals have a right to privacy with respect to their data and that Data Fiduciaries can only use the individual’s data if the data is processed for an appropriate and lawful purpose (Saurabh, 2024).
In the framework of retail billing, the DPDP Act imposes several critical constraints:
- Explicit and Informed Consent– Data processing can only take place if the Data Principal has provided explicit consent for the data collection. A retailer cannot hide their consent to use a mobile phone number within the billing process.
- Purpose Limitation and Data Minimisation– A Data Fiduciary may only collect personal data that is necessary for its listed purpose. In a retail environment, the purpose is to complete an exchange of goods for payment. Customer mobile phone numbers are not necessary to complete the retail purchase transaction, and therefore, to require a customer to provide their mobile phone number violates data minimisation principles.
- No Denial of Service– The DPDP Act has set forth that providing goods and services cannot be conditional on a consumer’s consent to process non-essential personal data for the service being provided to them.
By mandating a grievance redressal mechanism by statutorily establishing it to empower consumers, the Act requires Data Fiduciaries to appoint a Data Protection Officer to assist consumers with complaints of misuse of their personal data (Saurabh, 2024).
COERCION AND THE ILLUSION OF CHOICE
The implementation of regulatory frameworks poses difficulties even with clearly defined requirements. For example, many retail point of sale systems are misconfigured to “lock up” unless a ten-digit number is entered into the system (the telephone number field). Store employees who have Key Performance Indicators (KPIs) that focus on the percentage of data entered into the point of sale system (data capture rates) have been known to mislead customers by telling them that they are unable to bypass the phone number field because the systems do not have that capability.
This type of physical and architectural coercion places the burden of legally proving the validity of the Consumer Protection Act and the Data Protection Act at a busy point of sale counter on the customer themselves. To be in compliance with the law, as well as provide customers with an opportunity to opt out, corporations should redesign their point of sale and billing software to allow for an opt-out mechanism on both the Customer Protection and Data Protection Acts.
CONCLUSION
The intersection of the Consumer Protection Act, 2019, and the Digital Personal Data Protection Act, 2023, has developed strong legal protections for consumers against predatory data collection from retailers. For example, the practice of requiring mobile numbers from customers for grocery purchases is both an unfair trade practice and violates laws about privacy rights.
As India transitions towards a digital-first approach to customer service, retail businesses need to revisit their internal processes and point-of-sale technology to support this new way of serving customers. Retailers cannot use coercion to establish trust and brand loyalty at the cash register; rather, they must do so by building customer relationships based on transparent, consent-driven interactions with their customers. For consumers shopping daily, privacy law provides clear direction on this issue: any personal data you share is still controlled by you, meaning that retailers cannot withhold any receipts due to your not providing them with a phone number.
“PRIME LEGAL is a National Award-winning law firm with over two decades of experience across diverse legal sectors. We are dedicated to setting the standard for legal excellence in civil, criminal, and family law.”
WRITTEN BY: VINEET SEERVI
