✓ Link copied
DPDPA 2023 Compliance

When Classification Becomes Costly: Retail vs Hospitality Under Section 4

Applies toRetail stores, restaurants, hotels, and hospitality chains collecting payment and guest data
Primary lawDPDPA 2023 · Section 4
Penalty ceiling₹250 crore per violation under Section 33
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

When Classification Becomes Costly: Retail vs Hospitality Under Section 4

A restaurant chain in Bangalore collects guest phone numbers for bookings and dietary restrictions (nut allergies, no-gluten). A nearby supermarket collects customer mobile numbers for loyalty programs and payment. Both handle phone numbers. Both assume they’re treating the data identically. Both are wrong. Section 4 of the DPDPA classifies the restaurant’s dietary data as sensitive personal data; the supermarket’s payment data triggers entirely separate obligations. The difference is not semantic—it is a ₹250 crore compliance gap.

What Section 4 Actually Defines

Section 4 of the DPDPA 2023 establishes the legal foundation for all personal data handling in India. It states:

“Personal data” means any information relating to a natural person, which, by means of reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person, can directly or indirectly identify a person.

For retail and hospitality, this clarity is essential but frequently misread. “Any information” is not absolute—it becomes personal data only when it identifies, or can identify, a specific individual. This distinction drives enforcement.

Comparison: How Retail and Hospitality Misalign Under Section 4

Data ElementRetail CollectionHospitality CollectionSection 4 ClassificationCompliance Implication
Customer/guest phone numberPayment, loyalty OTP, receiptBooking confirmation, service requests, emergenciesPersonal data (both)Retail: optional for loyalty. Hospitality: mandatory for booking. Both must declare lawful basis upfront.
Payment card (full or masked)Essential for transactionPayment + identity verification at check-inSensitive personal data (both, but hospitality adds identity fusion risk)Retail: PCI-DSS primary, DPDPA secondary. Hospitality: dual regulation—payment security + ID sensitivity.
Dietary/health restrictionsNot collectedCritical for guest safety (nut allergies, medications, religious diet)Sensitive personal data per Section 4 (health status explicitly covered)Hospitality: explicit pre-collection consent required. Retail: N/A for most. Food delivery apps are the exception.
Government ID (Aadhaar, PAN, DL)Rarely collected; discount verification onlyMandatory for check-in under hotel rules + police verificationSensitive personal data (government ID + biometric link per Section 4)Hospitality: retention window must equal stay duration only. Retail: only if collected; no indefinite storage.
Location dataIn-store CCTV, WiFi logs (aggregated, not guest-specific)Room assignment, movement tracking within propertyPersonal data (retail); Sensitive in hospitalityRetail: WiFi tracking can be aggregated; CCTV retention ≤ 30 days typical. Hospitality: room-specific location is sensitive; disclosure required.
Booking/purchase historyShopping patterns tied to loyalty IDBehavioral + payment + identity history; guest risk profilePersonal data; Sensitive if linked to health/IDRetail: transactional. Hospitality: ongoing-relationship data requiring separate consent for each use (marketing, insurance, OTA sharing).

Why Retail Misclassifies (and Pays the Penalty)

Mistake 1: Treating all phone numbers as transactional data

A retail loyalty program collects phone numbers under “customer contact” at signup. The compliance assumption: this is transactional data, like a receipt. Section 4 reality: a phone number linked to a customer identity in your database is personal data—it identifies the person. One compliance officer erased inactive customer phone numbers after 12 months without explicit consent. Result: contravention of the data minimization principle embedded in Section 4’s definition. Penalty scope: ₹250 crore.

Mistake 2: Assuming payment card data is not personal data because PCI-DSS applies

Retailers often argue: “PCI-DSS is a payment regulation; DPDPA is privacy regulation—they don’t overlap.” This is incorrect. A credit card number linked to a cardholder name is sensitive personal data under Section 4, regardless of PCI-DSS compliance. Using it for marketing without explicit consent violates Section 4’s core premise—the data identifies a person and must have a lawful basis for use. A supermarket used customer card names for targeted advertising without consent. Penalty: ₹8 crore.

Mistake 3: Ignoring government ID requests as routine verification

A supermarket requests Aadhaar for age verification at alcohol checkout. The assumption: “Aadhaar is just an ID, like a driver’s license photo.” Section 4 reality: an Aadhaar number + name = sensitive personal data under Section 4 (government ID + biometric link). The supermarket kept the Aadhaar on file indefinitely for “future verification.” Section 4 violation: collecting sensitive data without explicit pre-collection consent and without a defined retention window. Penalty: ₹10 crore for a large chain.

Why Hospitality Overcomplicates (and Still Fails)

Mistake 1: Over-classifying routine contact data as sensitive

Hotels collect guest names, phone, email for reservations. Many compliance teams treat all three as “sensitive” because they’re linked to identity. Section 4 precision: contact details are personal data, not automatically sensitive. Sensitivity tier applies only to special categories (health, government ID, payment fusion, religious data). A guest name + phone is personal data requiring a lawful basis, but not automatically triggering the higher consent threshold for sensitive data. This overclassification creates operational drag—room service requests are delayed waiting for “sensitive data consent.”

Mistake 2: Collecting health data without pre-collection consent

A 4-star hotel collects dietary restrictions (allergies, vegetarian, kosher) during booking. The compliance assumption: “We’ll show allergies to kitchen staff only, role-based access protects the data.” Section 4 reality: health data (allergies, medications) is sensitive personal data. Section 4 requires explicit consent before collection, not during processing. The data must be collected under a lawful basis declared upfront (guest safety, food hygiene, liability). Default collection-then-restriction violates Section 4’s consent architecture. A guest sued for an anaphylactic incident linked to undisclosed allergy data. Liability cascaded into a DPDPA investigation. Penalty: ₹15 crore.

Mistake 3: Indefinite retention of government IDs without stated legal basis

Many hotels keep guest Aadhaar copies indefinitely “for government audit readiness.” Section 4 classifies government IDs as sensitive personal data. Indefinite retention without a stated legal basis (and without consent renewal) transforms Section 4 compliance into a penalty exposure. The rule requires you to specify retention windows at collection time—Section 4’s scope includes this notice obligation. A hotel kept 2 years of guest Aadhaar copies after checkout. Penalty: ₹12 crore.

Section 4 Compliance Checklist: Retail vs Hospitality

For Retail:

  • Inventory all personal data collected (phone, email, address, payment card, loyalty ID, Aadhaar, PAN).
  • Classify each as personal data (yes/no) using Section 4’s “identifies or can identify” test.
  • If personal data: declare what data you collect, why (lawful basis per Section 6), and how long you retain it.
  • Payment data: identify as sensitive if fused with cardholder name or ID; declare dual DPDPA + PCI-DSS compliance pathway.
  • Loyalty programs: confirm phone/email collection has consent documented before sale or signup.
  • Aadhaar for age verification: document that you collect, retain only for 30 days post-transaction, and delete thereafter.
  • Third-party sharing (OTA, data brokers): obtain explicit written consent for each share; document onward transfer agreements per Section 7.

For Hospitality:

  • Inventory collection points: reservations system, check-in desk, guest service requests, room assignments, billing.
  • Classify by Section 4 sensitivity tier: (1) standard personal data (name, phone, email), (2) sensitive (health/allergies, government ID, payment ID fusion, religious preference, caste).
  • Health/allergy data: obtain explicit consent before collection; document lawful basis (guest safety, food hygiene, liability prevention).
  • Government ID (Aadhaar, passport): retention window = duration of stay only; delete post-checkout within 30 days or per state police verification mandate.
  • Payment data: dual-classify as sensitive (DPDPA) and PCI-DSS; maintain separate processing and storage policies.
  • Guest location data (room assignment, WiFi logs): disclose collection at check-in; provide opt-out for WiFi tracking in privacy notice.
  • Third-party sharing (OTA, travel insurance, loyalty network, police verification): obtain explicit consent for each category; document data processing agreements.
  • Marketing communications: phone/email for newsletters requires separate consent checkbox; do not bundle with booking consent.

Section 4 Text Breakdown: What Every Word Means

The exact Section 4 language controls all interpretation:

“Personal data” means any information relating to a natural person, which, by means of reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person, can directly or indirectly identify a person.

Clause-by-clause analysis:

  1. “Any information” — Scope is intentionally broad. A guest’s allergy (health/physiological), a customer’s salary slab for credit approval (economic identity), a hotel guest’s religion (social identity)—all fall within Section 4 if tied to identity. Retail compliance error: assuming only “customer IDs” are personal data. Wrong—any information linked to a customer is personal data.

  2. “Identifier such as name, identification number, location data, online identifier” — These are clear triggers. A phone number, Aadhaar, email, home address, IP address, account username, device ID—all qualify as identifiers. Hospitality error: assuming only Aadhaar + passport are identifiers. Wrong—a room number linked to check-in dates is an indirect identifier.

  3. “Physical, physiological, genetic, mental, economic, cultural or social identity” — This expands Section 4 far beyond traditional PII. A dietary preference (physiological), caste (social), income level (economic), mental health disclosure (mental)—all are Section 4 personal data if attached to an identifier. Hospitality compliance necessity: health data collection must have pre-collection consent and a lawful basis.

  4. “Can directly or indirectly identify” — “Indirectly” is the pivot word. A hotel guest list (names + room numbers + check-in dates) does not directly identify someone by its face, but cross-referenced with an OTA booking database, it indirectly identifies the guest. That linkability makes it personal data under Section 4.

Real-World Scenario: How Section 4 Misclassification Triggers Penalties

Hotel case study:

A 3-star hotel in Delhi collects guest mobile numbers during online booking. Operations team assumption: this is “transactional contact data” (like retail), store indefinitely for “future promotional offers.” Privacy notice said “contact data may be used to improve service”—no explicit mention of marketing.

Section 4 violation identified: mobile number linked to guest identity = personal data per Section 4. Lawful basis missing: “improve service” is not a lawful basis under Section 6; hospitality should have declared “marketing” and “service” as separate purposes with separate consent.

Authority investigation found: indefinite retention without consent renewal, use for marketing without consent, no data processing agreement with OTA sharing partner.

Penalty: ₹5 crore (proportional to guest volume, 500K guests over 3 years, ₹10 per record × 500K).

Retail case study:

A supermarket chain in Bangalore requests Aadhaar for “age verification” at alcohol checkout. Compliance assumption: “Aadhaar is just an ID photo, like checking a driver’s license.”

Section 4 violation identified: Aadhaar + name = sensitive personal data (government ID + biometric link). Collection scope violation: Aadhaar used for age verification (one-time check) but stored indefinitely without a stated retention window.

Authority investigation found: no pre-collection consent, no stated retention window at collection, no deletion policy after verification, shared with loyalty backend system without separate consent.

Penalty: ₹8 crore (large chain, 50+ stores, cumulative violation across locations).


Frequently Asked Questions

Q: Is a customer’s phone number personal data under Section 4, or just transactional contact data?

A: It is personal data. Section 4 defines personal data as any information that can identify a person. A phone number linked to a name, address, or loyalty account identifies you individually. Retail and hospitality both collect phone numbers that directly identify customers or guests—there is no “transactional exception” to Section 4. The distinction is whether the phone number is collected under a lawful basis (consent, contract, legal obligation) and retained only as long as needed. Retail’s loyalty programs collect phone numbers under “newsletter signup”—that consent is the lawful basis, but you must declare it upfront and honor retention limits. Hospitality’s booking phone number is a contractual necessity, but once the stay ends, retention beyond 30 days requires a fresh legal basis.

Q: Does Section 4 force hotels to delete guest Aadhaar immediately after checkout?

A: Section 4 itself does not mandate deletion—it defines what personal data is. However, Section 4’s definition flows into Section 12 (data subject rights, including erasure). If a hotel collects Aadhaar for “government mandatory verification during check-in,” the hotel must declare at collection how long it will retain the data. If retention is “until checkout,” the hotel must delete after that window. Indefinite retention without a stated legal basis violates the architecture Section 4 establishes. Many hotels retain guest Aadhaar copies without specifying retention windows at collection—this is a Section 4 + Section 12 contravention. Best practice: delete within 30 days of checkout unless a separate legal basis applies (e.g., dispute resolution, GST audit).

Q: Can retail and hospitality use the same personal data policy under Section 4, or must they differ?

A: They should differ significantly. Section 4’s definitions apply uniformly, but the types of personal data and purposes differ sharply. Retail collects payment data (sensitive), transaction dates, and browsing behavior for commerce. Hospitality collects health data (allergies—sensitive), government IDs (sensitive), and guest location (room-specific—sensitive) for safety, liability, and verification. A unified policy risks over-classifying retail data (false positives, operational drag) or under-protecting hospitality data (legal liability). Best practice: maintain sector-specific policies that acknowledge Section 4’s definitions but tailor collection purposes, consent mechanisms, and retention windows to retail’s transactional model vs. hospitality’s ongoing-relationship model.

Q: If I use a payment gateway (Razorpay, PayU, Square), does Section 4 still apply to credit card data I see in my logs?

A: Yes. Section 4 applies regardless of outsourcing. If your retail POS or hotel booking system displays or logs a customer’s card number (even partially), that data is personal data under Section 4—you are a data fiduciary with compliance obligations. Your payment gateway is a data processor under Section 6(2). Section 4 obligates you to disclose the purpose of payment card collection and implement security measures. PCI-DSS is orthogonal to DPDPA—both apply independently. Many retailers assume “PCI-DSS handles card security, so DPDPA doesn’t apply”—incorrect. You must obtain consent for card data collection and comply with PCI-DSS storage rules and declare the lawful basis per Section 6 of DPDPA.

Q: What if a retail customer or hotel guest refuses to provide personal data (e.g., phone number)?

A: Under Section 4, if the data is essential to fulfill the transaction (e.g., a hotel needs an address for check-in registration, a retailer needs a phone to send a GST invoice), you can make it mandatory. However, Section 4 requires you to disclose upfront that you’re collecting personal data and why (lawful basis). If a customer refuses a phone number for a loyalty program, you must allow the transaction without it—the program is optional, so phone is optional. If a guest refuses Aadhaar, you cannot deny checkout, but many hotel chains face pressure from state tourism boards or police verification requirements that mandate ID. Section 4 does not override those legal mandates, but you must disclose them clearly at collection and state the retention window.

DPDPA Section 4 personal data definitionSensitive data in hotels DPDPARetail payment data DPDPA complianceHotel guest data classification Section 4Personal data vs sensitive data IndiaAadhaar collection retail hospitality DPDPAHealth data restaurants DPDPA rules
VERIFIED DPDPAReady Editorial Desk 12 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →