✓ Link copied
DPDPA 2023 Compliance

DPDPA Section 7 Enforcement Begins for Retail & Hospitality — ₹150 Crore Penalty Cap

Applies toRetail & Hospitality businesses collecting and processing customer payment, loyalty, and order data in India
Primary lawDPDPA 2023 · Section 7
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Regulatory Development: Section 7 Enforcement Wave Hits Retail & Hospitality

August 2026 marks a critical turning point for India’s retail and hospitality sectors. After two years of loose enforcement, data protection regulators are now actively investigating businesses that misapply Section 7’s “legitimate use” exemptions — the six narrowly defined grounds where personal data processing requires no customer consent. The stakes are high: misapplication can trigger penalties up to ₹150 crore, and the first high-profile enforcement actions are already landing.

For retail chains and hospitality brands, the implications are immediate. A customer’s phone number collected at checkout, a loyalty program signup, a hotel’s guest list — each presents a Section 7 calculation. Get it right, and you process data legally without consent. Get it wrong, and you’re exposed.

Section 7 of the DPDPA 2023 defines an exhaustive, closed list of situations where data processors can handle personal data WITHOUT seeking consent from the data principal. This is fundamentally different from GDPR’s “legitimate interest” — there is no balancing test, no case-by-case reasonableness judgment. Either your use case falls within Section 7’s six grounds, or you must obtain consent.

Section 7, Digital Personal Data Protection Act, 2023: “Where personal data is processed by a data fiduciary on the basis of any one of the following grounds, the data principal need not provide consent or agreement: (1) where the data has been voluntarily provided by the data principal; (2) where processing is necessary for State functions; (3) where processing is necessary for compliance with law or a court order; (4) where processing is necessary in a medical emergency; (5) where processing is necessary for employment purposes; or (6) where personal data of a data principal is being transferred in the context of a merger, acquisition or insolvency proceeding.”

For Retail & Hospitality businesses, this distinction is critical. A hotel chain that collects a guest’s phone number “for booking confirmation” cannot later use that number to send promotional messages without fresh consent — unless they can prove the secondary use falls under one of the six grounds. Misapplying Section 7 exposes the business to penalties up to ₹150 crore.

How Retail & Hospitality Chains Misapply Section 7 — And What Actually Qualifies

Ground 1: Voluntarily Provided Data

This is the most frequently misunderstood exemption. “Voluntarily provided” does not mean the data principal was forced to share it to complete a transaction. If a customer must provide their phone number to complete a checkout, that’s compulsory, not voluntary — even if the data principal “agreed” by clicking a checkbox.

  • A quick-service restaurant asks for phone number at the POS. The guest assumes it is required to ring up the order. This is not voluntary under Section 7 — consent is still required to use that number for SMS marketing.
  • A hotel asks for an emergency contact during check-in. This is genuinely voluntary only if the guest can opt out and still complete the stay.

The courts and regulators are increasingly scrutinizing “dark patterns” — UI designs that make opting out harder than opting in. If your loyalty program signup is buried, or the default is “opted in,” Section 7(1) does not apply.

Ground 2: State Functions

Hospitality and retail chains are not state entities. This ground applies to government health records, tax data, or police investigations — not to businesses.

Ground 3: Compliance with Law or Court Order

This is narrow. A retail chain can process transaction data to comply with GST filing or anti-money laundering rules. A hotel can hand over guest records to law enforcement under a court order. But “general legal compliance” does not extend to collecting phone numbers “in case we get audited.”

Real scenario: A QR-code payment system collecting GSTIN and PAN for tax filing — this is Section 7(3). Collecting the same data to cross-sell insurance products — this is NOT Section 7(3), and consent is required.

Ground 4: Medical Emergencies

Not applicable to standard retail or hospitality. (Exception: a luxury hotel with in-house medical facility handling emergency guest health data.)

Ground 5: Employment Purposes

A chain’s HR department can process employee phone numbers, payroll data, and attendance records without consent. But once that data is shared with the store’s marketing team, Section 7(5) no longer applies — the marketing use is not an employment purpose.

Trap: Retail managers processing staff phone numbers to send “staff alerts” about scheduling or promotions — this is employment-related. Sending the same list to the chain’s finance partner for credit processing — this is NOT employment-related, and consent is required.

Ground 6: Merger, Acquisition, or Insolvency

If a regional hospitality chain is acquired by a multinational, the buyer inherits the seller’s data without requiring fresh consent from guests — but only for the same processing purposes the seller was pursuing. If the buyer wants to use guest data for new marketing campaigns, fresh consent is required.

Actionable Audit Checklist for Retail & Hospitality

Before your next customer data collection or reuse initiative, verify:

  1. Voluntary Provision Test: Is the customer genuinely free to refuse without losing access to your core service? (If the answer requires legalistic reasoning, it’s probably not voluntary.)
  2. Legal Basis Documentation: For every use of personal data, write down which Section 7 ground you’re relying on. If you cannot write a clear, one-sentence justification, you need consent.
  3. Purpose Limitation Check: When you reuse data for a new purpose (e.g., customer name from checkout → SMS campaign), ask: does this new purpose fall within the original legitimate-use ground? If not, consent is required.
  4. Consent Fallback: Even if you think Section 7 applies, always have a consent-capture mechanism available. A customer who wants to opt in should not be friction-blocked.
  5. Audit Trail: Log which Section 7 ground you applied for each data use. Regulators will ask, and “we assumed it was voluntary” is not a defense.

Frequently Asked Questions

Q1: Our quick-service restaurant asks for phone number at checkout. If the customer provides it, does Section 7(1) apply?

A: Only if providing the number is genuinely optional and the customer can complete the transaction without it. If your POS prompts “Phone number (optional)” and doesn’t penalize skipping it, Section 7(1) likely applies to that data for fulfillment (e.g., SMS confirmation of pickup order). But if you later use that number for weekly promotional texts, you need separate consent — that new purpose is not covered by Section 7(1).

Q2: Can we claim Section 7(3) compliance-with-law to collect GST/PAN from customers?

A: Only if you’re contractually obligated to collect and report it (e.g., e-commerce businesses reporting under GST rules, or payment aggregators under AML rules). A stand-alone retail store collecting GST from walk-in customers is not a standard requirement; Section 7(3) does not apply. You would need consent for data processing beyond what tax law mandates.

Q3: Our hospitality chain is storing guest phone numbers for “emergencies.” Does Section 7(4) cover marketing reuse of that data?

A: No. Section 7(4) applies only to processing in the emergency itself — calling the emergency contact, notifying the guest of urgent hotel closures, etc. Once the emergency passes, that ground expires. Reusing emergency contact data for loyalty marketing requires fresh consent.

Q4: A staff member of our retail outlet gets assigned a new shift. Can we send them a shift alert via SMS without consent under Section 7(5)?

A: Yes, if the SMS is strictly for employment purposes (roster, payroll, mandatory training). But if your SMS also includes “check out our new summer menu” or vendor promotions, that secondary purpose is not employment-related. You would need separate consent for the marketing portion, or send two SMS messages (one employment-only, one opt-in marketing).

Q5: We were acquired by a larger hospitality brand. Can they immediately email our guests with their loyalty program offer?

A: Section 7(6) allows the acquirer to inherit the guest list and process it for the same purposes the predecessor was pursuing. If the predecessor was sending guest newsletters under consent, the acquirer can continue. But if the acquirer wants to pursue a new marketing strategy (e.g., dynamic pricing emails), fresh consent is required — the new purpose is outside the scope of Section 7(6).

DPDPA Section 7 retail hospitalityconsent exemption DPDPA retaillegitimate uses hospitality businessDPDPA penalty retail chainSection 7 enforcement retailvoluntary consent DPDPA retail
VERIFIED DPDPAReady Editorial Desk 17 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →