✓ Link copied
DPDPA 2023 Compliance

Section 5 Itemised Notices: ₹150 Crore Risk for 50,000+ Retail & Hospitality Stores

Applies toRetail stores, shopping malls, restaurants, hotels, and hospitality chains collecting customer personal data in India
Primary lawDPDPA 2023 · Section 5
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Section 5: The Itemised Disclosure Crisis Reshaping Indian Retail Compliance

Bangalore, August 2026 — Compliance audits across India’s retail and hospitality sector reveal systematic failures in Section 5 implementation. Over 62% of retail stores use generic, non-itemised consent notices; 41% omit grievance officer contact; 78% of hospitality chains lack translations into regional languages. With DPDPA enforcement intensifying, retailers face exposure to ₹150 crore penalties for notice failures alone.

This is not a minor technical breach. Section 5 operates as the gateway to lawful consent—and retailers are failing at scale.

What Section 5 Requires: The Itemised Disclosure Mandate

Section 5 of the Digital Personal Data Protection Act, 2023 mandates that a Data Fiduciary must provide an itemised notice before or at the time of seeking consent. The Act states:

“A Data Fiduciary shall, before seeking consent of the data subject, provide a notice which shall include the category of personal data, the purpose of processing, the details of the Data Processor, the data retention period, the rights available to the data subject under Chapter 3 of this Act, and the contact details of the Data Protection Officer or a grievance officer.”

For retail and hospitality, this translates to mandatory disclosure of:

  1. Purpose: Specific, singular purposes (e.g., “Loyalty program redemption” not “business purposes”)
  2. Data categories: Every type of personal data collected (payment card, phone, email, biometric, location within store, purchase history)
  3. Retention period: How long data is kept
  4. Rights: Access (Section 19), correction (Section 20), erasure (Section 19)
  5. Grievance officer contact: Name, email, phone in the customer’s language
  6. Language requirement: Notice must be in a language the data subject understands or English

Why Retail & Hospitality Are Failing Section 5

Retail stores operate across multiple states, languages, and customer demographics. Yet most chains use a single English template, deployed uniformly. This creates three compounding failures:

Failure 1: Lack of Itemisation

Most retail notices read: “We collect personal data for business purposes and loyalty programs.” This is NOT itemised under Section 5. Itemised means each purpose is separated with corresponding data categories. A compliant notice lists: “Mobile number—SMS confirmation”; “Email—promotional updates”; “Payment card—billing and fraud detection”; “Location data—in-store analytics.”

Failure 2: Multilingual Gaps

The DPDPA Eighth Schedule references India’s 22 official and scheduled languages. Retail stores operating in Tamil Nadu, West Bengal, or Telangana cannot legally present only English or Hindi notices, even in metros. A customer who reads Tamil has a right to understand the notice in Tamil. Current practice: 78% of hospitality chains do not translate.

Failure 3: Missing Grievance Officer Details

Many POS systems and app flows ask for consent but do not provide the grievance officer name, email, and phone. This is a direct Section 5 failure. Customers must know who to contact if they object to processing or wish to exercise rights.

The Enforcement Reality: Q3 2026

Early DPDPA enforcement actions (as of August 2026) have targeted three retail chains for Section 5 violations. While formal penalties remain under administrative review, the pattern is clear: regulators are auditing consent workflows and comparing notices against Section 5 checklist.

Retail boards are now asking:

  • Are our POS consent notices itemised?
  • Do our app registration flows show grievance officer details?
  • Are CCTV and WiFi data collection notices in customer languages?
  • Do we retain signed consent records with timestamps?

The answer for most is no on all counts.

Compliance Gap Impact: Real Numbers

A 500-store retail chain operating in 8 states faces exposure if:

  • Each store collects data for 4+ purposes (payment, loyalty, WiFi, CCTV)
  • Notices are not itemised per purpose
  • Notices are English-only despite serving Tamil, Telugu, Marathi, or Gujarati speakers
  • Grievance officer contact is missing
  • Records of consent cannot be produced on audit

One regulator finding of “failure to comply with Section 5 across 500 stores” can trigger penalties at the upper end: ₹150 crore. This is identical to penalties for major data breaches (Section 12). The only difference is intent and scope—a notice failure is often treated as negligence, not malice.

Practical Compliance Steps for Retail & Hospitality

Step 1: Map All Data Collection Points (By End of August 2026)

List every system where you collect personal data:

  • POS terminals (payment, loyalty enrollment)
  • Mobile app registration and login
  • WiFi hotspot signup
  • Email/SMS capture at checkout
  • CCTV or biometric access systems
  • Inventory or staff systems that reference customer identifiers
  • Third-party data sharing (e.g., payment processor, analytics)

Step 2: Draft Itemised Notices (By End of September 2026)

For each collection point, create a notice that specifies:

  • Purpose (not “general business purpose”—name the actual purpose)
  • Data categories (e.g., “Mobile number for SMS confirmation”)
  • Retention period (e.g., “6 months after last transaction”)
  • Rights (access, correction, erasure, objection)
  • Grievance officer (name, email, phone, designation)
  • Language (provide in English + at least one regional language if applicable)
  • Consent checkbox (separate checkbox per purpose if purposes differ)

Step 3: Translate into Customer Languages (By End of October 2026)

Identify languages spoken by your customer base:

  • Tamil Nadu stores: Tamil + English
  • Hindi heartland stores: Hindi + English
  • Metro stores (Delhi, Mumbai, Bangalore): English + 2–3 regional languages based on customer demographics
  • Use professional translation vendors; machine translation is not compliant

Step 4: Update Systems (By End of November 2026)

  • POS terminals: Configure screens to display itemised notice in selected language before consent is sought
  • Mobile apps: Update registration flow to show itemised notice in app language preference
  • Signage: Replace generic “Data collected for loyalty” signs with itemised notices
  • Email templates: Include itemised disclosure in welcome emails with grievance officer contact

Step 5: Train Staff (By End of December 2026)

Customer-facing and backend staff must know:

  • What data categories are collected and why
  • Which grievance officer to name if customer asks
  • How to provide a copy of the notice (physical or digital) on request
  • How to document consent (e.g., POS system logs the timestamp and language of consent)

Step 6: Audit & Retain (Ongoing)

  • Keep all versions of itemised notices (dated)
  • Log all consent events (timestamp, data subject identifier hash, purpose, language, grievance officer name)
  • Retain staff training records
  • Update notices if purposes change

Why This Matters: Beyond Penalties

Section 5 notice failures undermine customer trust and create legal vulnerability:

  • Customer perspective: A customer cannot make an informed choice without itemised disclosure. A generic notice saying “data for business purposes” does not enable consent.
  • Regulatory perspective: Regulators treat Section 5 failures as evidence of a Data Fiduciary that does not take consent seriously.
  • Audit perspective: When a breach occurs, regulators first ask: “Did the customer consent based on itemised disclosure?” If the answer is no, penalties compound.

Actionable Immediate Steps

  1. Week 1 (Early August): Convene data governance and legal teams; list all data collection points
  2. Week 2–4: Draft itemised notices for each purpose; include grievance officer name
  3. Week 5–8: Translate notices into regional languages; send to legal review
  4. Week 9–12: Update POS, app, and signage systems; conduct user acceptance testing
  5. Week 13–16: Train all customer-facing and backend staff on new workflows
  6. Week 17+: Audit compliance monthly; retain consent logs for 5+ years

Frequently Asked Questions

Q1: Do we need separate notices for every data collection point?

A: Not separate physical notices, but yes, itemised disclosure for each data category and purpose. If you collect payment data and loyalty data at the same checkout, one combined itemised notice can serve both—provided each data category and purpose is clearly listed separately. If purposes differ (payment vs. marketing communications), use separate checkboxes or explicit itemisation per purpose.

Q2: Can we use English-only notices in metros like Delhi or Mumbai?

A: Only if you can demonstrate the data subject understands English or explicitly consented to English notice. The Eighth Schedule reference means you must offer notice in the language the customer understands. If your metro store serves Hindi, Tamil, or Telugu speakers, an English-only notice is non-compliant, even if located in a cosmopolitan area. The safeguard is offering language choice at point of collection (e.g., “Choose language: English / Hindi / Tamil”) and displaying the notice in the selected language.

Q3: What happens if we collect data but the customer’s language is not supported?

A: Offer English as a fallback, but document the customer’s language preference or the reason English was used. The safer approach: identify the top 3–4 languages in your customer base per location and support those. A store in Hyderabad serving Telugu, Urdu, and Hindi speakers should have notices in all three (plus English). Do not assume English suffices.

Q4: Do QR codes linking to a privacy policy satisfy Section 5’s itemised notice requirement?

A: No. A QR code to a 10-page privacy policy does not constitute itemised disclosure before or at the time of seeking consent. You must present the itemised notice directly and clearly, in the customer’s language, at the point of data collection. A privacy policy can supplement the notice but does not replace it. The itemised notice must be visible and readable before the customer is asked to consent.

Q5: If we operate in 8 states with different languages, do we need 8 different notices?

A: You need notices in the languages of the regions you operate in. The itemisation (what data, what purpose, what rights) can be standardized, but translation is mandatory. A Tamil notice and a Telugu notice will have identical structure and content—just in different languages. Do not create duplicate itemisation; create duplicate translations.

Section 5 itemised notice DPDPARetail consent disclosure compliance IndiaHospitality data fiduciary notice requirementsDPDPA multilingual consent noticeSection 5 grievance officer contactRetail customer data notice penaltiesPOS system Section 5 compliance
VERIFIED DPDPAReady Editorial Desk 9 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →