DPDPA Section 4 Notices for Retail & Hospitality: 6 Mandatory Compliance Steps
| Applies to | Retail stores, supermarkets, restaurants, hotels, and hospitality businesses collecting customer data through POS systems, loyalty programs, and guest registration. |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | Up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
Why Your Retail Checkout Just Became a Data Compliance Flashpoint
A customer taps their card at your hotel front desk or retail checkout. In those few seconds, you’ve collected their name, card details, stay dates or purchase history. Under DPDPA Section 4, you must have informed them before collecting any of that—and your notice must meet specific legal thresholds. Failure to document and deliver that notice correctly exposes you to penalties up to ₹150 crore.
Section 4 of the DPDPA mandates that a data processor must provide notice to individuals before or at the point of collecting their personal data. This is not optional. It applies to every loyalty program signup, CCTV recording, POS transaction capture, and guest registration form. For retail and hospitality businesses, this creates a non-negotiable compliance obligation at every single customer touchpoint.
Understanding What DPDPA Section 4 Requires
Section 4 of the Digital Personal Data Protection Act, 2023, states that notice must be provided containing:
The name and contact details of the data processor, the purposes for which personal data is being processed, the categories of personal data being collected, the retention period, the rights of the data subject including access, correction, and erasure, and the process for exercising those rights.
This is the core legal requirement. Notice must be:
- Provided before or at the point of collection (not after checkout, not via email the next day)
- Written in clear, simple language (not legalese or buried in 20-page terms)
- In the language the individual understands (Hindi, English, or the regional language of your customer base)
- Specific to each collection scenario (not a blanket website privacy policy)
The most common compliance failure occurs when businesses assume a generic privacy policy posted on their website satisfies Section 4. It does not. Section 4 requires notice at the moment of collection—visible and accessible before the customer’s data enters your system.
The 6-Step Process to Implement Section 4 Notices
Step 1: Audit All Data Collection Points
Map every place your business collects personal data from customers:
- POS terminals and card readers (capture cardholder name, amount, transaction timestamp)
- Loyalty card enrollment (name, email, phone, address, purchase history)
- Hotel guest registration forms (name, ID, payment card, stay dates, room preferences)
- Email and SMS marketing signups (email, phone, purchase interests)
- CCTV systems in store/lobby/corridors (video recording of individuals)
- Online checkout forms (billing address, email, phone if applicable)
- Payment gateways (transaction data, billing information)
- Staff verification requests (ID documents, contact details)
Document this list. You’ll use it in Step 2 to determine legal grounds for each collection.
Step 2: Define and Document the Legal Ground for Each Collection Point
For each data point you identified, write down why you’re collecting it and what legal ground justifies collection:
- POS transaction data: Legal ground = contract performance (you’re fulfilling the customer’s purchase)
- Loyalty card enrollment: Legal ground = consent (customer chooses to enroll) + legitimate business interest (analyzing purchase patterns to improve inventory and marketing)
- Hotel guest registration: Legal ground = contract performance (fulfilling the booking) + legal obligation (KYC/AML compliance required by RBI)
- CCTV footage: Legal ground = legitimate business interest (theft prevention and store security)
- Marketing emails/SMS: Legal ground = consent (customer explicitly opts in)
Write this down internally. The customer-facing Section 4 notice does not need to cite complex legal grounds—it simply needs to state the purpose (e.g., “to process payment” or “to send you promotional offers”). But internally, you must document the legal ground to defend your compliance position if audited.
Step 3: Draft Section 4 Notices for Each Collection Scenario
Create a distinct, brief notice for each data collection point. Use this template as your baseline:
[RETAIL/HOTEL NAME] – Data Collection Notice (Section 4, DPDPA 2023)
Who is collecting your data: [Your business name and registered address]
What personal data we collect: [Be specific: “Your name, phone number, email address, payment card name, or ID proof”]
Why we collect it: [State the purpose clearly: “To process your purchase,” “To manage your loyalty rewards account,” “For store security monitoring,” or “To send you promotional offers”]
How we will use your data: [Describe specific uses: “To complete your transaction,” “To prevent fraud,” “To understand your shopping preferences and improve our inventory”]
How long we keep your data: [State a specific retention period: “For 1 year after purchase,” “Until you delete your loyalty account,” “For 5 years as required by tax law”]
Your rights under DPDPA: You have the right to access your data, correct it if inaccurate, and request erasure (except where we are legally required to keep it). To exercise these rights, please contact [email address] or call [phone number].
Questions or concerns: Email [compliance email] or visit [website]
Do not combine multiple purposes into one generic notice. If you collect data for payment processing and loyalty rewards, create two separate notices. Transparency requires clarity.
Step 4: Implement Notice Delivery at the Point of Collection
For each collection point, decide how to deliver the notice and implement it:
-
POS checkout (card payments): Print the notice on the receipt, or display a QR code on the checkout screen linking to the notice. Alternatively, place a laminated card at the payment terminal stating: “Your payment data is protected under DPDPA. [QR code linking to privacy notice]”
-
Loyalty card signup (in-store or online): Include the notice on the enrollment form itself, not hidden in terms & conditions. If signup is via app or website, display the notice prominently on the signup page—the customer must read and acknowledge it before confirming enrollment.
-
Hotel check-in: Include the notice on the registration form, or provide a separate printed card at check-in that states what data you collect and why. Do not assume guests will read a privacy policy linked from your website; they need to see it at the desk.
-
CCTV areas: Place visible signage at entry points stating: “CCTV in operation – [Hotel/Store Name]. Security monitoring for theft prevention. Your DPDPA Section 4 rights: [website link or QR code]”
-
Email/SMS marketing: When a customer signs up for marketing communications, include the notice in the signup confirmation email. Repeat it once more in the first promotional email, e.g., “We are sending this because you subscribed on [date]. You can unsubscribe anytime by replying ‘STOP’ or clicking the unsubscribe link. [Link to data policy]”
Keep records of when and how you delivered each notice. Photographs of CCTV signage, printed receipts, email confirmations, and signed forms are all proof of delivery. These records are your defense in a regulatory audit.
Step 5: Train Your Team on Section 4 Compliance
Your staff are the frontline of data protection. Brief them on what Section 4 means for their role:
-
Front-desk staff (hotels): Explain that guest registration forms collect data under DPDPA Section 4. Direct guests to the notice on the form. Be ready to answer: “Why do you need my ID?” (Answer: “To comply with law and security verification”)
-
Retail checkout staff: Inform them that card readers collect data and that Section 4 notices are printed on receipts or displayed at the terminal.
-
Loyalty program staff: Brief them on the loyalty enrollment notice and ensure they have printed copies available.
-
Marketing team: Confirm that email/SMS signup flows display the notice before collection and that unsubscribe links work.
-
Store/hotel managers: Review notices quarterly for accuracy and completeness. Ensure they are prominently displayed.
Create a simple one-page compliance checklist and post it at each data collection point:
Section 4 Notice Checklist:
☐ Does this notice state what data we collect?
☐ Does it explain why we collect it?
☐ Does it state how long we keep the data?
☐ Does it explain how customers can access or delete their data?
☐ Is it in simple language, not legal jargon?
☐ Is it visible and accessible at the point of collection?
Step 6: Document, Monitor, and Review Quarterly
Create a compliance register for your business. Record:
- Date the notice was created
- Collection point it applies to (e.g., “POS checkout,” “Hotel registration”)
- Legal ground for collection
- Method of delivery (printed, digital, QR code, etc.)
- Any customer requests to access, correct, or delete their data
- Date any notice was updated
Review this register every three months. Ask:
- Has our data collection practice changed? (New payment gateway, new app, new loyalty tier?)
- If yes, has the notice been updated and re-deployed?
- Are notices still prominently displayed at collection points?
- Have we received any customer complaints about missing or unclear notices?
- Are staff still following the checklist?
If you add a new collection point or change a purpose, update the relevant notice within 30 days and document the change.
Common Pitfalls in Retail and Hospitality Compliance
Pitfall 1: Relying on a Generic Website Privacy Policy
Many retail and hospitality businesses post a lengthy privacy policy on their website and assume it covers Section 4. It does not. Section 4 requires notice at the point of collection—visible to the customer before they provide their data. A link to a website buried in terms & conditions does not satisfy this requirement. The regulator will ask: “Show me proof that the customer saw this notice before providing their data at checkout/check-in.” A website privacy policy cannot be proven to have been read at that moment.
Pitfall 2: Notice Hidden in Fine Print or Terms & Conditions
Burying data-collection language in a 20-page document or placing it in tiny font on the back of a form is legally risky. Section 4 requires the notice to be in a “clear and intelligible form.” If a regulator audits your compliance, they will look for evidence that the notice was prominent and understandable. A 2-4 paragraph standalone notice in plain language is far safer than a paragraph in page 15 of your terms.
Pitfall 3: No Proof of Delivery
Compliance is only defensible if you can prove the notice was delivered. If a regulator comes calling and asks, “Did this customer see your Section 4 notice before providing their data?”—what is your answer?
- Printed receipts showing the notice
- Photographs of signage or terminal displays
- Email confirmation records showing the notice in the signup email
- Signed registration forms with the notice printed on them
- Website cookies or analytics showing when the notice page was loaded
Without proof, you cannot defend a non-compliance claim. Your business could face penalties and be ordered to delete data that was collected without demonstrated notice.
Pitfall 4: Vague or Missing Retention Periods
Many notices state, “We keep your data to provide our services” without specifying how long. Section 4 explicitly requires stating the retention period. Vague language like “as long as necessary” is not sufficient. Use specific terms:
- “For 1 year after purchase” (for transaction records)
- “For 5 years as required by tax law” (for financial records)
- “Until you delete your account” (for loyalty card members)
- “For 2 years after your last visit” (for hotel guests)
If you store data for multiple purposes with different retention periods, state each separately.
Pitfall 5: No Information About How to Exercise Rights
Section 4 requires explaining how customers can access, correct, or delete their data. Simply writing “You have rights under DPDPA” is insufficient. The notice must include:
- A specific email address: “Email complaints@yourbusiness.com to request access to your data”
- A phone number: “Call [number] to request data deletion”
- A process: “Reply ‘STOP’ to any marketing SMS to unsubscribe and remove your number from our list”
Without a clear, working contact mechanism, customers cannot exercise their rights, and you are in violation of Section 4.
Pitfall 6: One-Size-Fits-All Notice for Multiple Collection Purposes
If your retail store collects data for payment processing, loyalty rewards, and targeted advertising—do not create a single notice covering all three. Create three separate, clear notices:
- A notice for payment data collection
- A notice for loyalty program enrollment
- A notice for marketing email/SMS signup
This separation makes it clear to the customer what data is being collected and for what purpose. Combining them into one generic notice muddles the message and increases regulatory risk.
Retail & Hospitality Example: Compliance in Action
Scenario: A mid-range hotel with 80 rooms and a restaurant
The hotel collects guest data via registration, processes payments via card readers, runs a loyalty program, operates CCTV in common areas, and sends promotional emails.
Guest Check-in (Registration): A printed Section 4 notice is provided with the registration form, stating:
“We collect your name, ID proof, phone, email, and payment details to process your booking, comply with Know Your Customer rules, and provide services. We retain guest data for 5 years as required by law, after which it is securely deleted. You may request access to your data at any time by emailing compliance@hotel.com.”
Payment at Front Desk and Restaurant: A QR code at the checkout counter links to a brief notice:
“Your card details are processed by [payment provider]. We do not store full card numbers. We keep transaction records for 2 years for accounting and fraud prevention.”
Loyalty Program Signup: The hotel operates a “Rewards Club” loyalty program. The signup form includes this notice:
“We collect your email and phone number to enroll you in our Rewards Club, which earns you points on each stay and offers exclusive discounts. We use this data to send you promotional offers and analyze booking patterns. You can unsubscribe anytime by replying ‘STOP’ to any email or calling 1800-HOTEL-1.”
CCTV Signage: Signs near the lobby entrance state:
“CCTV in operation for security and theft prevention. [Hotel Name] Data Protection Officer. Privacy inquiries: compliance@hotel.com”
Promotional Emails: When a guest opts into the Rewards Club via email, the confirmation email includes:
“Welcome! You have been enrolled in our Rewards Club. We will send you promotional emails and room offers based on your previous stays. Your email, phone, and stay history are protected under DPDPA. You can unsubscribe anytime by clicking ‘Unsubscribe’ at the bottom of any email, or by replying to this email with ‘STOP’.”
Compliance Documentation: The hotel maintains a register:
| Collection Point | Data | Purpose | Retention | Notice Method | Proof of Delivery |
|---|---|---|---|---|---|
| Guest registration | Name, ID, phone, card | Booking + KYC | 5 years | Printed form | Signed forms (scanned) |
| Payment (card) | Cardholder name, amount, time | Transaction processing | 2 years | QR code at terminal | Terminal receipts, screenshots |
| Loyalty signup | Email, phone | Rewards + marketing | Until unsubscribe | Email confirmation | Email logs |
| CCTV | Video footage | Security | 30 days | Physical signage | Signage photos dated |
| Promotional email | Marketing offers | Until unsubscribe | Email header + footer | Email templates, send logs |
This documentation satisfies Section 4 and provides a defensible compliance posture. If audited, the hotel can show:
- What data is being collected
- When and where it is collected
- Why (legal ground)
- How long it’s retained
- Proof that customers were notified before or at collection
- How customers can exercise their rights
Monitoring and Quarterly Review Checklist
After you implement Section 4 notices, establish a review cycle. Every 90 days, review:
- Have we added new data collection points? If yes, draft and deploy a new notice within 30 days.
- Have we changed retention periods? If yes, update the notice immediately.
- Are notices still prominently displayed? Walk through your store/hotel and check. Replace faded signage. Verify QR codes still work.
- Have we received customer complaints about missing notices or unclear language? If yes, address the concern and update the notice.
- Has our team received any data access or deletion requests? Log them. Respond within 30 days.
- Do we have proof of notice delivery for all collection points? Review your documentation. Tighten gaps.
Update your Section 4 notice immediately if:
- You change a payment provider or loyalty platform
- Your data retention periods change (e.g., tax law changes, you decide to retain data longer)
- You begin using data for a new purpose (e.g., you add targeted advertising to emails)
- Your contact information for handling rights requests changes
Frequently Asked Questions
Q: Does Section 4 apply to my small retail store with only card payments?
A: Yes. Even a small retail store that accepts card payments is collecting personal data (cardholder name, transaction amount, timestamp). Section 4 requires you to provide notice before or at collection. At minimum, print a notice on the receipt or display a QR code at the payment terminal stating: “Your payment details are protected under DPDPA Section 4. For privacy inquiries, email [your email].” This notice must be visible to the customer before they tap or swipe their card.
Q: Can I use a single privacy policy for all my data collection points?
A: A website privacy policy is helpful for overall transparency, but Section 4 specifically requires notice at the point of collection. A single policy posted on your website is not sufficient. You need distinct, brief notices at each collection point—one for POS, one for loyalty signup, one for guest registration, one for CCTV. The policy can support these notices by providing deeper detail, but cannot replace them. Think of it this way: the policy is the “learn more” reference; the Section 4 notices are the “here’s what’s happening right now” disclosure.
Q: What happens if I fail to provide a Section 4 notice or provide an incomplete one?
A: Non-compliance with Section 4 can result in penalties up to ₹150 crore per violation. The Data Protection Authority may issue orders to (1) cease the non-compliant processing immediately, (2) provide the notice to all affected customers retroactively, (3) delete data that was collected without proper notice, and (4) pay compensation to affected individuals. Customers can also file complaints with the Data Protection Board, triggering regulatory investigations. A single audit that finds widespread notice non-compliance (e.g., no notices at your checkout terminals, loyalty signup form, or CCTV areas) could result in multiple violation notices, each carrying its own penalty.
Q: Do I need to translate Section 4 notices into every language my customers might speak?
A: Section 4 requires notice “in a clear and intelligible form,” which means the language should be understandable to the individual providing the data. For a retail store or hotel in India, providing notices in English and one regional language (Hindi, Marathi, Tamil, Telugu, Kannada, etc., depending on your location) typically covers most customers. There is no regulatory mandate to provide notices in every possible language, but the notice must be accessible to the person providing data. If a significant portion of your customer base speaks a language other than English and Hindi, translate the notice into that language as well.
Q: How long must I keep proof that I delivered a Section 4 notice?
A: Keep proof of notice delivery for as long as you retain the associated personal data, plus 1 year. For example, if you retain a customer’s loyalty card data for 2 years after their last purchase, keep evidence of the Section 4 notice delivery for 3 years (2 years + 1 year buffer). This ensures you can demonstrate compliance if audited by the regulator. Proof includes printed forms with the notice, email confirmation records, receipts, photographs of signage, and dated QR code access logs.
Q: Can I collect personal data first and then provide the Section 4 notice?
A: No. Section 4 explicitly requires notice before or at the point of collection. Providing notice after you have already collected data does not satisfy the requirement and is a violation. If a customer provides their email at checkout and you send them a privacy notice email after the transaction, that does not excuse the lack of notice at the checkout itself. Always ensure the notice is visible and accessible before the individual provides their data.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →