Why retail-tech and O2O brands must redesign data flows around consent and accountability
For India’s retail and multi-location businesses, 2026 will quietly mark a turning point. Not because of a sudden technology breakthrough or a dramatic shift in consumer behaviour, but because the rules governing how customer data is collected, stored, and used will finally begin to shape everyday operations. Retail-tech and online-to-offline brands will feel this change most acutely. The Digital Personal Data Protection Act (DPDPA) is moving data privacy out of legal fine print and into the very essence of how stores operate, how platforms are built, and how customer experiences are delivered at scale.
India’s retail sector is sitting on a mountain of customer data, much of it collected quietly over the last decade. This includes phone numbers taken at billing counters, email IDs captured for loyalty programmes, location data logged through mobile apps, purchase histories stored across systems and store interactions recorded in bits and pieces. For years, this data has flowed freely between teams, vendors, and platforms, often without customers fully understanding where it went or how long it stayed there.
The DPDPA has changed that equation. For retail and multi-location businesses, the Act forces a rethink of how data moves inside an organisation and how responsibly it is handled. Because under the DPDPA, the customer, or the Data Principal, holds iron-clad rights.
Retail is fundamentally an online-to-offline business. A customer might discover a product on a search engine, check availability on a brand’s website, walk into a store, make a purchase at a billing counter, and later raise a service request through a call centre or app. Each of these touchpoints generates data. The problem is that, in most organisations, this data lives in silos. Marketing owns one system, stores use another, loyalty runs on a third platform, and finance tracks transactions elsewhere.
Under the DPDPA, this approach becomes risky. The law requires businesses to clearly state why they are collecting personal data, how it will be used, how long it will be retained, and how customers can withdraw consent. If customer data is scattered across disconnected systems, answering these basic questions becomes difficult, sometimes impossible.
For example, when a customer walks into a retail store, they are asked for their phone number at checkout “for the bill” or “for offers”. That number then gets pushed into a loyalty system, shared with a marketing agency, and later used to send promotional messages. Under the DPDPA, this flow is no longer acceptable unless the purpose is clearly explained upfront and consent is taken explicitly for each use. If the customer later asks for their data to be deleted, the brand must ensure that the number is removed not just from one system, but from every place it has travelled.
This is where many retail businesses will feel the real impact of the law. Once a customer gives or withdraws consent, the organisation must be able to honour that decision across stores, apps, call centres, and backend systems.
Many brands worry that tighter rules will limit their ability to understand customers or run targeted campaigns. In reality, the opposite is true if privacy is built into the system by design. Privacy-by-design simply means that data protection is factored into how a platform or process is created, rather than added later as a compliance measure.
For instance, in a retail brand operating across several Indian cities, a customer who opted out of promotional messages at one store would still receive offers from another store or from the brand’s app. The issue here is not intent, but architecture. By restructuring their data flow around a central customer profile, the brand can track consent in real time. When a customer withdraws permission for marketing messages, that instruction should flow automatically across stores, the mobile app, and third-party campaign tools. At the same time, transactional data required for billing, returns and service should be retained lawfully.
Another example would be loyalty programs. Many retailers collect extensive data to offer reward points, birthday offers or early access to sales. Under the DPDPA, customers must be told exactly what data is needed to run the programme and what data is optional. If a customer wants points but does not want to be bombarded by marketing, the system should be able to support that choice. Retail platforms that cannot separate essential data from optional data will struggle to stay compliant.
Operational efficiency is often cited as a concern. In practice, the inefficiency comes from poor system design, not from privacy itself. When data and permissions are centrally managed, different teams do not need to ask for the same information repeatedly. A store associate can see what they are allowed to access and act accordingly. A call centre age /.//.nt does not need to guess whether a customer has opted in or out.
The DPDPA also forces retailers to look closely at their partners. Marketing agencies, analytics vendors, CRM providers and delivery platforms all handle customer data. But brands remain responsible for how this data is used, even when it sits outside their direct systems. A single mistake replicated across hundreds of stores can quickly turn into a regulatory and reputational issue.
Ultimately, the DPDPA is moving the industry away from casual data collection and towards the role of an accountable data fiduciary. For retail and O2O businesses, the question is not just how to comply, but how intelligently to do so. Those who integrate privacy into their platforms and processes will find that trust, personalisation, and efficiency can coexist.
Rakesh Raghuvanshi
Rakesh Raghuvanshi, Founder & CEO, Sekel Tech
Next Article