✓ Link copied
DPDPA 2023 Compliance

Retail & Hospitality: Section 4 Notice Requirements & ₹150 Crore Penalty Risk

Applies toRetail stores, supermarkets, QSRs, e-commerce retailers, hotels, restaurants, and hospitality chains collecting personal data directly from customers.
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

The Real Cost of Skipping Section 4 Notice

A Delhi-based hotel chain collects guest passport numbers and payment card details during check-in—but provides no written notice of processing purposes, data rights, or complaint procedures. When a data principal discovers their information was shared with a loyalty analytics platform without disclosure at collection, they file a formal complaint. The hotel faces ₹150 crore in notices under Section 4 of DPDPA 2023.

This scenario repeats across retail and hospitality daily. A grocery chain captures 8,000 customer phone numbers per day via loyalty sign-ups without mentioning secondary use for behavioral analytics. A restaurant collects email addresses for order confirmations but processes them for targeted advertising without notice. A boutique hotel installs CCTV in corridors without signage disclosing surveillance. Each silence is a Section 4 violation.

Section 4 is the most-breached provision in retail and hospitality because notice—by law—must occur at collection time, not buried in a privacy policy customers read months later.

What Section 4 Actually Requires: The Statutory Language

Section 4 of DPDPA 2023 mandates that any data fiduciary (your business) must provide specified information whenever collecting personal data directly from the individual. The Act states:

“The data fiduciary shall provide the data principal with the following information at the time of collection of personal data: (a) its name and contact details, (b) the purposes for which personal data is being collected and the intended period for processing, (c) whether processing is based on consent or any other ground under this Act, (d) the categories of personal data to be collected, (e) information about the rights of the data principal, and (f) details of the mechanism for raising grievances.”

For retail and hospitality, this is binding. It is not a “best practice”—it is law. Let’s unpack each element:

Element (a): Business name and contact details. State who you are. “We” is insufficient. Example: “Stellar Hotels Private Limited, contact: dpo@stellarhotels.com, +91-11-XXXX-1234.”

Element (b): Purposes and retention period. Specify why you collect data and how long you keep it. Generic language like “for business purposes” does not satisfy this. Be explicit: “Guest name and email: for reservation confirmation and check-in (collected at booking, retained for 5 years for billing and tax compliance).” “Loyalty card phone number: for promotional offers and purchase history analysis (retained until customer deletes account, minimum 6 months).”

Element (c): Legal ground for processing. Section 4(c) requires you to state whether you are collecting under (i) consent, (ii) legal obligation, (iii) contract, (iv) vital interest, or (v) legitimate use. Most retail and hospitality businesses conflate consent with collection—they are not the same. If you are collecting email “for marketing,” the ground is consent. If you collect passport “for hotel registration compliance,” the ground is legal obligation. Name it explicitly in your notice.

Element (d): Categories of personal data. Specify what you collect. Do not say “all necessary information.” Instead: “name, email, phone, payment card last 4 digits, and loyalty ID.” The more precise, the better your defense in a complaint.

Element (e): Information about data rights. Data principals have rights to access, correct, and erase their personal data under Section 10. Your notice must inform them of these rights and how to exercise them. Example: “You have the right to request access to your data, correct inaccuracies, and request deletion. Submit requests to dpo@stellarhotels.com.”

Element (f): Grievance mechanism. Provide a clear, accessible way for customers to lodge complaints. Not just an email buried on a website—make it visible. Example: “If you have concerns about your data, contact our Data Protection Officer: dpo@stellarhotels.com, +91-11-XXXX-1234, response within 10 days guaranteed.”

How Retail & Hospitality Must Operationalize Section 4 Compliance

Step 1: Audit Every Data Touchpoint

Map where your business collects personal data. For retail:

  • POS systems (payment cards, loyalty IDs, phone numbers)
  • Website (name, email, shipping address for online orders)
  • Mobile app (device ID, location data, purchase history)
  • Email newsletters and surveys
  • In-store kiosks and raffle draws
  • Phone calls to customers

For hospitality:

  • Online booking systems (name, email, phone, payment method)
  • Check-in desk (passport, visa, payment card, address)
  • Mobile app (room preferences, contact info)
  • Phone reservations
  • In-property services (spa, restaurant, concierge)
  • Guest Wi-Fi registration
  • CCTV systems (capturing footage containing personal data)

Document the purpose for each collection point. Example: POS phone number = “promotional offers and order updates”; Hotel passport = “regulatory guest verification and booking confirmation.”

Step 2: Craft a Specific Section 4 Notice for Each Touchpoint

Do not write one generic privacy policy and call it compliance. Section 4 requires notice at the time of collection—that means at the point-of-sale, on the booking form, in the app sign-up screen, or at hotel check-in desk.

Example: Retail POS Notice (on receipt or terminal display)

Stellar Supermarket collects your phone number for promotional offers, order confirmations, and loyalty rewards. Your data is processed based on your consent. We retain this number for 2 years or until you opt out. You may request access or deletion by emailing dpo@stellargroup.com. Complaints: dpo@stellargroup.com, +91-XX-XXXX-XXXX.

Example: Hotel Check-in Notice (on registration form and email)

Stellar Hotels collects your name, passport number, and payment card details for: (1) Guest verification and compliance with local regulations (legal obligation, retained 5 years for tax records), (2) Booking confirmation and room service (contract, retained 7 days post-checkout), (3) Guest feedback and service improvement (consent, retained 90 days). We process your data based on contract and legal obligation. You have the right to access, correct, or delete your data. Contact our Data Protection Officer: dpo@stellarhotels.com.

Example: Mobile App Notice (displayed before data entry)

Stellar Stores app collects your email, location, and purchase history to personalize product recommendations, send targeted offers, and improve our service. Basis: Your consent. Retention: Until you delete your account or opt out (minimum 6 months). Rights: Access, correct, or delete your data at any time in Settings. Grievance: [email].

The notice must be in a language the customer understands and must be accessible—not hidden in fine print or a collapsible menu.

This is where most retail and hospitality businesses fail. They assume all collection is consent-based. It is not. Under Section 4(c), you must disclose the actual legal ground:

  • Consent: Customer voluntarily agrees (loyalty rewards sign-up, marketing email list, behavioral analytics)
  • Legal obligation: Law requires you to collect (guest passport for hotel regulatory compliance, PAN for tax invoicing, payment card verification for fraud prevention)
  • Contract: Essential to fulfill a service agreement (name and email for e-commerce order, hotel booking confirmation)
  • Legitimate use: Business interest that does not override data principal’s rights (analyzing retail foot-traffic patterns to optimize store layout, using guest feedback to improve amenities)

Each ground has different compliance and consent implications. If your ground is consent, and the customer does not consent, you cannot collect (with rare exceptions for contract or legal obligation). If the ground is legal obligation, you collect regardless of consent—but you must still provide notice.

Map your data:

  • Hotel guest passport → Legal obligation (government guest record rules)
  • Retail email for offers → Consent (non-essential, purely for marketing)
  • POS payment card → Contract (required to complete purchase) + Fraud prevention (legitimate use)
  • Loyalty card phone → Consent (optional, for rewards)

Disclose each ground in your notice. Example: “We collect your phone number with your consent for promotional offers, and your payment card by contract to complete your purchase.”

Step 4: Document and Log Notice Provision

The DPDPA Adjudicating Officer will ask: “Did you provide Section 4 notice to this data principal?” Your evidence determines your defense. Log:

For physical retail/hospitality:

  • Date, time, and location of collection
  • Copy of notice displayed (receipt, form, signage)
  • Customer signature or acknowledgment (if available)
  • Staff member who handled the collection

For digital (app/website):

  • Screenshot of notice displayed
  • Timestamp of user interaction (when they saw/accepted the notice)
  • Log of consent/checkbox status
  • Email sent to customer confirming notice

For call centers:

  • Recording of call with verbal notice (if applicable)
  • Follow-up email sent confirming notice within hours
  • Proof of email delivery

Without these records, you cannot defend a complaint, even if notice was technically provided.

Step 5: Translate Notices Into Regional Languages

The DPDPA does not mandate multilingual notices, but enforceability assumes notice is “clear and intelligible.” In India’s regional markets, display notices in the local language:

  • Hindi regions: English + Hindi
  • Tamil Nadu: English + Tamil
  • Karnataka/Telangana: English + Kannada/Telugu
  • Maharashtra: English + Marathi

For digital systems, auto-detect device language or offer a language selector. For physical stores, print notices in both languages.

Section 4(f) requires you to provide details of your complaint channel. Do not skip this:

  • Email: dpo@[company].com (should exist; do not list a generic “info@” inbox)
  • Phone: Dedicated grievance line with trained staff (or voicemail system)
  • In-person: For hospitality, front desk; for retail, customer service counter
  • Response timeframe: Commit to a specific SLA (e.g., “We respond to all complaints within 10 business days”)
  • Escalation: Provide escalation path (e.g., “If unresolved, complaints may be escalated to [Data Protection Officer Name] or the authorities”)

Include this mechanism in your Section 4 notice itself. A notice without a grievance channel is incomplete.

Step 7: Audit Quarterly and Update When Purposes Change

Section 4 compliance is not one-time. As your business evolves, update notices:

  • New data category? New notice.
  • New processing ground? New notice.
  • New third-party processor? New notice.
  • Extended retention period? New notice.

Example: You initially collected retail email “for order confirmations.” One year later, you partner with a behavioral analytics firm to segment customers. Send a fresh notice to all email subscribers explaining this new ground and processor. Retain proof of sending.

Five Critical Section 4 Violations in Retail & Hospitality (And How to Fix Them)

Violation 1: Silent POS Upgrades Without Notice

The scenario: A supermarket chain upgrades its POS system to capture customer geolocation (via phone geofencing) to analyze foot-traffic patterns. The feature activates by default—no new customer notice, no opt-in screen. A data principal discovers her location is being tracked and files a complaint.

Why it violates Section 4: New data categories and processing grounds require new, specific notice at collection time. Relying on a two-year-old privacy policy does not suffice.

The fix: Before deploying geolocation tracking, generate a fresh notice displayed at every checkout terminal: “We now capture your location to optimize store layout and inventory. You may opt out by [method]. Contact [grievance email] for more information.” Display this for 30 days before making it permanent. Log that customers were informed.


Violation 2: “Business Purposes” Without Specificity

The scenario: A hotel’s online booking form states: “We collect your information for business purposes.” No breakdown of what “business purposes” means. Later, the hotel shares guest data with a third-party loyalty partner, a travel analytics firm, and an email marketing company—all falling under the umbrella of “business purposes.”

Why it violates Section 4: Section 4(b) requires you to specify the purposes (not just “business”) and the intended period for processing (not left open-ended). Vague language fails both prongs.

The fix: Revise your booking notice:

“We collect your name, email, phone, and passport number for:

  1. Reservation and check-in: Processed until 30 days post-checkout (contract basis).
  2. Tax and billing: Retained for 5 years per regulations (legal obligation).
  3. Guest feedback surveys: Retained for 90 days post-stay (consent basis).
  4. Loyalty program emails: Retained until you unsubscribe (consent basis). We share your data with [Loyalty Partner Name] and [Email Platform Name] only for the purposes listed above. Contact [grievance email] if you have questions.”

The scenario: A retail loyalty program collected customer email addresses three years ago with notice: “We collect your email for promotional offers and order status updates.” In 2026, the retailer partners with a data broker to sell anonymized customer profiles to third-party advertisers. No new notice is sent to existing members; the original notice makes no mention of this secondary use.

Why it violates Section 4: The original notice did not disclose third-party sales or new processing grounds (data brokerage). Unilaterally adding new uses without updating the notice is a violation.

The fix: Email all existing loyalty members: “We have partnered with [Data Broker] to analyze purchasing trends and insights. Your anonymized profile (not linked to your name or email) will be shared for this purpose. This is optional—click [link] to opt out. Our full notice is [link].” Retain email delivery logs and bounces.


Violation 4: CCTV Without Signage or Notice

The scenario: A boutique hotel installs CCTV cameras in all corridors, elevators, and common areas—including the entrance (which captures guest faces and arrival times). No signage informs guests of monitoring. A data principal requests information about camera coverage and retention and receives no response.

Why it violates Section 4: CCTV footage is personal data (under DPDPA). Indirect collection via video requires notice about the presence, purposes, retention period, and access mechanisms.

The fix: Install prominent signage in every monitored area, worded in local languages:

This area is monitored by CCTV for security and guest safety. Footage is retained for 30 days and then deleted. If you wish to review footage or have concerns, contact [grievance email].

Include this notice in your check-in email and on hotel stationery. Train staff to mention it verbally during check-in.


Violation 5: Loyalty Sign-Up Without Explicit Grounds Disclosure

The scenario: A QSR asks customers at checkout: “May we have your email for updates?” No mention that the email will be used for behavioral profiling, location-based targeting, and dynamic pricing. A customer later realizes they received different promotional offers based on their purchase history and location—a form of processing the original notice never disclosed.

Why it violates Section 4: The grounds (profiling, location-based targeting) and secondary purposes (dynamic pricing, behavioral segmentation) must be disclosed before collection, not discovered later.

The fix: Revise the in-store prompt (on terminal or receipt):

Sign up for [QSR Name] offers? We send you personalized promotions based on your purchase history and location. We analyze your data to improve our service and tailor deals. You consent to this profiling? [Yes/No]. Unsubscribe anytime at [link]. Questions? [email].

For the mobile app, display a detailed consent screen:

”**[QSR Name] uses your purchase history, location, and browsing behavior to:

  • Send personalized offers (consent)
  • Analyze trends to improve our menu (legitimate use)
  • Test dynamic pricing based on demand (consent)

Do you agree? [Accept/Decline]**“


Your Section 4 Compliance Checklist

  • Audit phase: List all data collection touchpoints (POS, website, app, phone, physical location).
  • Documentation: For each touchpoint, document the data type, collection purpose, retention period, and legal ground.
  • Notice drafting: Create a specific Section 4 notice for each touchpoint (not one generic privacy policy).
  • Notice content: Each notice includes (a) business name and contact, (b) specific purposes and retention periods, (c) legal ground for processing, (d) data categories, (e) data subject rights summary, (f) grievance mechanism with email and phone.
  • Language: Translate notices into the regional language(s) of your primary customer base.
  • Display: Ensure notices are displayed at collection time, not hidden. POS: on receipt or terminal. Website: pop-up or prominent text. App: mandatory consent screen. Physical location: signage and forms. Call center: verbal notice and follow-up email.
  • Logging: For digital channels, capture timestamps and user acknowledgment. For physical channels, print receipt copies and retention proof.
  • Staff training: Ensure front-line staff (checkout, hotel desk, call center) can verbally confirm notice when collecting data.
  • Grievance setup: Establish a dedicated grievance email and phone. Monitor and respond to complaints within 10 business days. Retain all complaint records.
  • Record retention: Keep copies of all notices displayed and proof of customer acknowledgment for at least 3-5 years.
  • Quarterly review: Every three months, audit new data initiatives for Section 4 compliance before rollout. Update notices if purposes or processors change.
  • Data processor disclosure: If you use a third-party processor (CRM, analytics platform, email service), disclose this in your notice and ensure a data processing agreement is in place.

Frequently Asked Questions

Q: I have a general privacy policy on my website. Isn’t that enough for Section 4 compliance?

A: No. Section 4 requires notice “at the time of collection of personal data.” A privacy policy, by definition, is consulted after the customer has provided data—typically buried on a website footer. While a privacy policy is valuable for reference, it does not satisfy Section 4’s immediacy and accessibility requirements. You must display a specific, clear notice at every collection point—via receipt, signage, app pop-up, or form—before or simultaneously with requesting the data. A privacy policy alone is not Section 4 notice.

Q: Do I need to offer Section 4 notices in English and regional languages?

A: The DPDPA 2023 does not explicitly mandate multilingual notices, but the statute requires notice be “clear and intelligible.” For retail and hospitality operating in India’s regional markets, providing notices in the local language significantly strengthens compliance. At minimum, if your primary customer base speaks Hindi, Tamil, Marathi, or Telugu, offer notices in those languages alongside English. For digital systems (app, website), implement language detection or a language selector. For physical locations, print signage in both English and the regional language.

Q: A customer provided their phone number verbally over a phone call. Must I send them a written Section 4 notice afterward?

A: Yes. Section 4 requires that you provide the specified information “at the time of collection.” If you collect data verbally (e.g., phone call, in-person at checkout), you must provide notice at that moment. Ideally, record the call (with consent) and include a notice disclaimer in the recording. Alternatively, send a written notice (email, SMS, or postal mail) immediately after collection—within the same business day, if possible. Retain proof of sending (email delivery receipt, SMS log, postal tracking). A call center recording with a disclaimer is strong evidence; an email confirmation sent within two hours is acceptable. Complete silence after verbal collection is indefensible.

Q: A customer refused to accept our Section 4 notice but agreed to provide their data anyway. Can we proceed?

A: It depends on the legal ground for processing. If your sole ground is consent and the customer refuses the notice (and thus cannot provide informed consent), you cannot process the data under that ground. However, if another legal ground applies—such as legal obligation (e.g., hotel must collect passport for regulatory compliance) or contract (payment card required to complete purchase)—you may process even if the customer dislikes the notice. You must still provide notice in these cases, though, even if the customer objects. If your data collection relies only on consent (e.g., optional loyalty sign-up), refusing notice means you cannot legally collect the data. Advise the customer of this clearly and offer alternatives (e.g., non-personalized promotions without email).

Q: We use Shopify/Freshdesk/another platform to manage customer data. Who must provide Section 4 notice—us or the vendor?

A: You (the data fiduciary) must provide the notice. Your vendor is the data processor—they process data on your behalf, but you are legally responsible for compliance. In your Section 4 notice, you must disclose that customer data is processed by [Vendor Name] for [specific purposes]. Example: “We use Shopify to manage your order, Freshdesk to respond to your support requests, and Mailchimp to send promotional emails. These vendors process your data on our behalf.” Include a link to each vendor’s privacy policy (if available) or a brief statement of their role. If your vendor uses data for their own purposes (beyond serving you), you must separately disclose that. Retain a data processing agreement (DPA) with your vendor documenting the scope and terms of processing. Proof of the DPA is key evidence in a Section 4 complaint.

DPDPA section 4 notice requirements retail IndiaHospitality customer data collection compliancePersonal data notice at collection pointHotel guest data DPDPA section 4Retail loyalty program notice requirementsSection 4 grounds for processing dataCustomer information disclosure retail India
VERIFIED DPDPAReady Editorial Desk 4 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →