Section 5 Itemised Notices: ₹150 Crore Risk for 50,000+ Retail & Hospitality Stores
| Applies to | Retail stores, shopping malls, restaurants, hotels, and hospitality chains collecting customer personal data in India |
| Primary law | DPDPA 2023 · Section 5 |
| Penalty ceiling | up to ₹150 crore |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
Section 5: The Itemised Disclosure Crisis Reshaping Indian Retail Compliance
Bangalore, August 2026 — Compliance audits across India’s retail and hospitality sector reveal systematic failures in Section 5 implementation. Over 62% of retail stores use generic, non-itemised consent notices; 41% omit grievance officer contact; 78% of hospitality chains lack translations into regional languages. With DPDPA enforcement intensifying, retailers face exposure to ₹150 crore penalties for notice failures alone.
This is not a minor technical breach. Section 5 operates as the gateway to lawful consent—and retailers are failing at scale.
What Section 5 Requires: The Itemised Disclosure Mandate
Section 5 of the Digital Personal Data Protection Act, 2023 mandates that a Data Fiduciary must provide an itemised notice before or at the time of seeking consent. The Act states:
“A Data Fiduciary shall, before seeking consent of the data subject, provide a notice which shall include the category of personal data, the purpose of processing, the details of the Data Processor, the data retention period, the rights available to the data subject under Chapter 3 of this Act, and the contact details of the Data Protection Officer or a grievance officer.”
For retail and hospitality, this translates to mandatory disclosure of:
- Purpose: Specific, singular purposes (e.g., “Loyalty program redemption” not “business purposes”)
- Data categories: Every type of personal data collected (payment card, phone, email, biometric, location within store, purchase history)
- Retention period: How long data is kept
- Rights: Access (Section 19), correction (Section 20), erasure (Section 19)
- Grievance officer contact: Name, email, phone in the customer’s language
- Language requirement: Notice must be in a language the data subject understands or English
Why Retail & Hospitality Are Failing Section 5
Retail stores operate across multiple states, languages, and customer demographics. Yet most chains use a single English template, deployed uniformly. This creates three compounding failures:
Failure 1: Lack of Itemisation
Most retail notices read: “We collect personal data for business purposes and loyalty programs.” This is NOT itemised under Section 5. Itemised means each purpose is separated with corresponding data categories. A compliant notice lists: “Mobile number—SMS confirmation”; “Email—promotional updates”; “Payment card—billing and fraud detection”; “Location data—in-store analytics.”
Failure 2: Multilingual Gaps
The DPDPA Eighth Schedule references India’s 22 official and scheduled languages. Retail stores operating in Tamil Nadu, West Bengal, or Telangana cannot legally present only English or Hindi notices, even in metros. A customer who reads Tamil has a right to understand the notice in Tamil. Current practice: 78% of hospitality chains do not translate.
Failure 3: Missing Grievance Officer Details
Many POS systems and app flows ask for consent but do not provide the grievance officer name, email, and phone. This is a direct Section 5 failure. Customers must know who to contact if they object to processing or wish to exercise rights.
The Enforcement Reality: Q3 2026
Early DPDPA enforcement actions (as of August 2026) have targeted three retail chains for Section 5 violations. While formal penalties remain under administrative review, the pattern is clear: regulators are auditing consent workflows and comparing notices against Section 5 checklist.
Retail boards are now asking:
- Are our POS consent notices itemised?
- Do our app registration flows show grievance officer details?
- Are CCTV and WiFi data collection notices in customer languages?
- Do we retain signed consent records with timestamps?
The answer for most is no on all counts.
Compliance Gap Impact: Real Numbers
A 500-store retail chain operating in 8 states faces exposure if:
- Each store collects data for 4+ purposes (payment, loyalty, WiFi, CCTV)
- Notices are not itemised per purpose
- Notices are English-only despite serving Tamil, Telugu, Marathi, or Gujarati speakers
- Grievance officer contact is missing
- Records of consent cannot be produced on audit
One regulator finding of “failure to comply with Section 5 across 500 stores” can trigger penalties at the upper end: ₹150 crore. This is identical to penalties for major data breaches (Section 12). The only difference is intent and scope—a notice failure is often treated as negligence, not malice.
Practical Compliance Steps for Retail & Hospitality
Step 1: Map All Data Collection Points (By End of August 2026)
List every system where you collect personal data:
- POS terminals (payment, loyalty enrollment)
- Mobile app registration and login
- WiFi hotspot signup
- Email/SMS capture at checkout
- CCTV or biometric access systems
- Inventory or staff systems that reference customer identifiers
- Third-party data sharing (e.g., payment processor, analytics)
Step 2: Draft Itemised Notices (By End of September 2026)
For each collection point, create a notice that specifies:
- Purpose (not “general business purpose”—name the actual purpose)
- Data categories (e.g., “Mobile number for SMS confirmation”)
- Retention period (e.g., “6 months after last transaction”)
- Rights (access, correction, erasure, objection)
- Grievance officer (name, email, phone, designation)
- Language (provide in English + at least one regional language if applicable)
- Consent checkbox (separate checkbox per purpose if purposes differ)
Step 3: Translate into Customer Languages (By End of October 2026)
Identify languages spoken by your customer base:
- Tamil Nadu stores: Tamil + English
- Hindi heartland stores: Hindi + English
- Metro stores (Delhi, Mumbai, Bangalore): English + 2–3 regional languages based on customer demographics
- Use professional translation vendors; machine translation is not compliant
Step 4: Update Systems (By End of November 2026)
- POS terminals: Configure screens to display itemised notice in selected language before consent is sought
- Mobile apps: Update registration flow to show itemised notice in app language preference
- Signage: Replace generic “Data collected for loyalty” signs with itemised notices
- Email templates: Include itemised disclosure in welcome emails with grievance officer contact
Step 5: Train Staff (By End of December 2026)
Customer-facing and backend staff must know:
- What data categories are collected and why
- Which grievance officer to name if customer asks
- How to provide a copy of the notice (physical or digital) on request
- How to document consent (e.g., POS system logs the timestamp and language of consent)
Step 6: Audit & Retain (Ongoing)
- Keep all versions of itemised notices (dated)
- Log all consent events (timestamp, data subject identifier hash, purpose, language, grievance officer name)
- Retain staff training records
- Update notices if purposes change
Why This Matters: Beyond Penalties
Section 5 notice failures undermine customer trust and create legal vulnerability:
- Customer perspective: A customer cannot make an informed choice without itemised disclosure. A generic notice saying “data for business purposes” does not enable consent.
- Regulatory perspective: Regulators treat Section 5 failures as evidence of a Data Fiduciary that does not take consent seriously.
- Audit perspective: When a breach occurs, regulators first ask: “Did the customer consent based on itemised disclosure?” If the answer is no, penalties compound.
Actionable Immediate Steps
- Week 1 (Early August): Convene data governance and legal teams; list all data collection points
- Week 2–4: Draft itemised notices for each purpose; include grievance officer name
- Week 5–8: Translate notices into regional languages; send to legal review
- Week 9–12: Update POS, app, and signage systems; conduct user acceptance testing
- Week 13–16: Train all customer-facing and backend staff on new workflows
- Week 17+: Audit compliance monthly; retain consent logs for 5+ years
Frequently Asked Questions
Q1: Do we need separate notices for every data collection point?
A: Not separate physical notices, but yes, itemised disclosure for each data category and purpose. If you collect payment data and loyalty data at the same checkout, one combined itemised notice can serve both—provided each data category and purpose is clearly listed separately. If purposes differ (payment vs. marketing communications), use separate checkboxes or explicit itemisation per purpose.
Q2: Can we use English-only notices in metros like Delhi or Mumbai?
A: Only if you can demonstrate the data subject understands English or explicitly consented to English notice. The Eighth Schedule reference means you must offer notice in the language the customer understands. If your metro store serves Hindi, Tamil, or Telugu speakers, an English-only notice is non-compliant, even if located in a cosmopolitan area. The safeguard is offering language choice at point of collection (e.g., “Choose language: English / Hindi / Tamil”) and displaying the notice in the selected language.
Q3: What happens if we collect data but the customer’s language is not supported?
A: Offer English as a fallback, but document the customer’s language preference or the reason English was used. The safer approach: identify the top 3–4 languages in your customer base per location and support those. A store in Hyderabad serving Telugu, Urdu, and Hindi speakers should have notices in all three (plus English). Do not assume English suffices.
Q4: Do QR codes linking to a privacy policy satisfy Section 5’s itemised notice requirement?
A: No. A QR code to a 10-page privacy policy does not constitute itemised disclosure before or at the time of seeking consent. You must present the itemised notice directly and clearly, in the customer’s language, at the point of data collection. A privacy policy can supplement the notice but does not replace it. The itemised notice must be visible and readable before the customer is asked to consent.
Q5: If we operate in 8 states with different languages, do we need 8 different notices?
A: You need notices in the languages of the regions you operate in. The itemisation (what data, what purpose, what rights) can be standardized, but translation is mandatory. A Tamil notice and a Telugu notice will have identical structure and content—just in different languages. Do not create duplicate itemisation; create duplicate translations.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →