DPDPA for Indian restaurants — what guest data triggers in 2026
DPDPA for restaurants in India 2026: what triggers it for WhatsApp, loyalty, CCTV, aggregator data. Consent, notice, breach response, and the operator's working compliance plan.
Last updated 12 May 2026

About this piece. The Digital Personal Data Protection Act, 2023 (DPDPA) came into force in stages and applies to every Indian restaurant that collects guest data for any purpose. Most operators encountered it for the first time in 2025 when WhatsApp marketing campaigns started getting flagged. The Act is not aimed at restaurants specifically — but restaurants do collect a surprising amount of personal data: phone numbers for reservations, email for digital receipts, loyalty IDs, CCTV footage, aggregator hand-offs. This piece is the operator's working interpretation.
What DPDPA actually says, in two paragraphs
The Digital Personal Data Protection Act, 2023 is India's first standalone comprehensive data-protection statute. It applies to the processing of digital personal data (data that identifies or can identify a natural person) by any person in India, and to processing outside India if it relates to offering goods or services to people in India.
The Act establishes a framework where any person processing personal data is a Data Fiduciary, the person whose data is being processed is a Data Principal, and processing must be supported by either consent (specific, informed, free, unambiguous, capable of being withdrawn) or one of a small set of legitimate uses (employment, medical emergency, government function, etc.). It also establishes the Data Protection Board of India to handle complaints and impose penalties up to ₹250 crore for serious breaches.
If you collect any guest data digitally, you are a Data Fiduciary under DPDPA. There is no small-business exemption.
The 6 places restaurants collect personal data
Most operators underestimate how much personal data their daily ops actually collect. The audit list:
| # | Where | What's collected | Who collects |
|---|---|---|---|
| 1 | Reservation system | Name, phone, email, party size, special requests, dietary | Restaurant directly |
| 2 | WhatsApp / SMS marketing | Phone, name, prior order history | Restaurant + WATI/AiSensy |
| 3 | Loyalty programme | Name, phone, email, DOB, anniversary, order history | Restaurant + loyalty vendor |
| 4 | Digital receipts | Name, email, GSTIN (if B2B) | Restaurant + POS |
| 5 | CCTV footage | Visual identification | Restaurant directly |
| 6 | Aggregator orders (Swiggy/Zomato) | Order data only — phone is masked | Aggregator (you receive de-identified) |
Item 6 is the easy one — aggregator-routed orders deliver masked customer phone numbers, so the aggregator carries most of the DPDPA burden for that channel. Items 1–5 are the operator's responsibility.

What DPDPA requires you to do, mapped to restaurant ops
The Act's obligations translate to restaurant practice as follows:
1. Notice at collection (Section 5)
Every time you collect personal data, the Data Principal (the guest) must receive a notice covering: what data you're collecting, the purpose, how to withdraw consent, how to file a grievance.
For a restaurant, the practical implementations:
- Reservation form — a one-line notice + link to a privacy policy.
- Loyalty enrollment — a checkbox + privacy policy on the joining form.
- WhatsApp opt-in — a clear opt-in message, not "we added you to our list".
- CCTV — display board at entry "CCTV monitoring in operation. Footage retained X days. Privacy policy: [URL or QR code]".
2. Consent (Section 6)
Consent must be free, specific, informed, unconditional, and unambiguous. It must be possible to withdraw at any time, and withdrawing must be as easy as giving.
The operational test: if your loyalty programme requires marketing consent as a condition of joining, that's not free consent under DPDPA. Marketing consent has to be optional, with the loyalty benefit available either way.
3. Purpose limitation (Section 7)
Data collected for purpose X cannot be used for purpose Y without fresh consent. If you collected a phone number for reservation confirmation, using it later for promotional WhatsApp without separate marketing consent is a breach.
This is the single biggest gap in current restaurant practice. Reservation phone numbers feed marketing lists routinely; under DPDPA that's a Section 7 violation unless marketing consent was captured separately at collection.
4. Data minimisation (Section 8)
Collect only what you need for the purpose. A reservation needs a phone and a name. It does not need date of birth, anniversary, or address. Loyalty programmes can ask for DOB but only if the operational purpose (birthday offer) actually exists and was disclosed.
5. Storage limitation (Section 8(7))
Personal data must be erased once the purpose is fulfilled and no other legitimate retention reason applies. For restaurants:
| Data type | Retention guideline |
|---|---|
| Reservation data | 30–90 days post-event (reasonable for service follow-up) |
| Loyalty data | Duration of membership + 1 year for tax records |
| WhatsApp marketing list | Until consent withdrawn |
| CCTV footage | 30–90 days (state may have specifics) |
| Digital receipt data | As per Income Tax retention (8 years for invoices) |
A POS that retains every customer's phone number indefinitely with no purge cycle is non-compliant under Section 8(7), regardless of how convenient the historical data is.
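The retention table above only does work if something actually runs it against stored records. The following is an added example, not code from this piece or from any POS or CRM vendor: a small purge check in Python that encodes the table as rules, decides per record when erasure falls due, and lists what is overdue on a given day. The record shape, the sample records and the `legal_hold` flag (a stand-in for "another legitimate retention reason applies", such as an open complaint) are assumptions made for the example.

```python
"""Retention-driven purge check for restaurant guest data.

Added example, not from the article or any POS/CRM product. Assumptions:
each stored record carries its data type, the date its purpose was fulfilled
(event date, membership end, invoice date) and any consent withdrawal; the
legal_hold flag is a constructed stand-in for "another legitimate retention
reason applies".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_years(d, n):
    """Calendar-accurate year offset (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


# Retention rules mirroring the table above. Each maps the date the purpose
# was fulfilled to the date on which the record falls due for erasure.
RETENTION = {
    "reservation": lambda d: d + timedelta(days=90),  # conservative end of the 30–90 day range
    "cctv": lambda d: d + timedelta(days=90),
    "loyalty": lambda d: add_years(d, 1),             # membership end + 1 year
    "receipt": lambda d: add_years(d, 8),             # Income Tax invoice retention
}


@dataclass
class Record:
    record_id: str
    data_type: str
    purpose_fulfilled_on: Optional[date] = None   # None while the purpose is still live
    consent_withdrawn_on: Optional[date] = None   # used by the WhatsApp marketing list
    legal_hold: bool = False                      # assumed flag: other retention reason applies


def erase_due_on(rec):
    """Date from which the record must be erased, or None if it must be kept for now."""
    if rec.legal_hold:
        return None
    if rec.data_type == "whatsapp_marketing":
        return rec.consent_withdrawn_on           # retained only until consent is withdrawn
    if rec.purpose_fulfilled_on is None:
        return None
    return RETENTION[rec.data_type](rec.purpose_fulfilled_on)


def purge_candidates(records, today):
    """IDs of records whose erasure date has arrived as of `today`."""
    due = []
    for rec in records:
        d = erase_due_on(rec)
        if d is not None and d <= today:
            due.append(rec.record_id)
    return due


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("R1", "reservation", purpose_fulfilled_on=date(2026, 1, 15)),
    Record("R2", "reservation", purpose_fulfilled_on=date(2026, 4, 1)),
    Record("R3", "loyalty", purpose_fulfilled_on=date(2025, 3, 1)),
    Record("R4", "loyalty"),                                    # still a member
    Record("R5", "whatsapp_marketing", consent_withdrawn_on=date(2026, 1, 20)),
    Record("R6", "whatsapp_marketing"),                         # consent still live
    Record("R7", "receipt", purpose_fulfilled_on=date(2017, 4, 30)),
    Record("R8", "cctv", purpose_fulfilled_on=date(2026, 3, 1)),
    Record("R9", "reservation", purpose_fulfilled_on=date(2025, 12, 1), legal_hold=True),
]

if __name__ == "__main__":
    # On 12 May 2026 this lists R1, R3, R5 and R7; R9 stays because of the hold.
    print(purge_candidates(SAMPLE_RECORDS, date(2026, 5, 12)))
```

The point of the `legal_hold` and `purpose_fulfilled_on=None` cases is that a purge job must default to keeping a record when it cannot prove the purpose is over, while still erasing everything it can prove is. Run it as a scheduled job against the real POS or CRM export and the output is the erase list for that day.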
6. Breach notification (Section 8(6))
If a breach occurs (unauthorised access, leak, theft of data), the Data Fiduciary must notify both the Data Protection Board of India and the affected Data Principals "without delay". The Act doesn't define a specific deadline but global precedent (GDPR's 72-hour rule) is the working benchmark.
For restaurants, the most common breach scenarios are: a leaked WhatsApp marketing list shared by an ex-staffer, a stolen tablet with the loyalty database, or a hacked POS. Have a written response plan before this happens, not after.
The DPDPA framing for restaurants is not "comply or face ₹250 cr penalty". The Board is realistically going to start with the largest data fiduciaries and work down. The framing is "build the discipline now while the cost is low so that when enforcement scales up, your house is already in order". Two days of work in 2026 is cheaper than a remediation programme in 2028.
The 7-item DPDPA compliance plan for an Indian restaurant
Most single-outlet and small-chain restaurants can be DPDPA-current with this seven-item plan:
- Publish a privacy policy on your website + a printed/QR-code version in the outlet. Cover what you collect, why, retention, withdrawal, grievance officer contact.
- Add a one-line notice to your reservation form, loyalty form, and email receipts pointing to the policy.
- Restructure WhatsApp opt-in to a separate, free, withdrawable consent — not bundled with reservation or loyalty.
- Display CCTV signage at entry with policy reference.
- Set retention periods on every personal-data field in your POS / loyalty / CRM. Implement automated purge.
- Designate a grievance officer — usually the owner or manager. Publish the contact (email + phone) on the policy and notice board.
- Write a breach response plan — one page, who calls whom in what order, who notifies the Board, who notifies guests.
Total effort: 12–20 person-hours, plus a privacy policy review by a lawyer (₹15,000–₹40,000 one-time). Tooling cost: typically zero — most CRMs and POS systems already have retention configs; you just need to switch them on.

What the WhatsApp marketing flag actually meant
Through 2025 several restaurant chains saw WhatsApp Business templates rejected with consent-related reasons. The platform's interpretation of DPDPA + WhatsApp's own policy:
- Bulk template messages to a list require explicit opt-in evidence.
- The opt-in evidence must be retainable (date, source, language).
- Promotional templates require stricter opt-in than transactional (order confirmation, reservation reminder).
For restaurants, the practical change since 2025 is that WhatsApp providers (WATI, AiSensy, others) now ask for opt-in proof during template approval. Bulk messages without opt-in evidence are rejected. The consent record must be auditable.
If you currently run WhatsApp marketing, audit your subscriber list:
- For every number, can you show the opt-in event (date, source, language of consent)?
- If yes for less than 80 percent of the list — re-confirm with a single broadcast asking for opt-in renewal, then prune the non-responders.
- Going forward, every new entry to the list must have a captured opt-in event.
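The audit above, and the purpose-limitation point from the Section 7 discussion earlier (a reservation phone number is not a marketing opt-in), come down to one question per number: is there a live consent event for the marketing purpose, with date, source and language recorded? The following is an added example in Python, not code from this piece or from WATI, AiSensy or any other provider. It assumes the restaurant keeps its own consent ledger as a list of events; the record shape, the sample numbers and the reason codes are constructed for the example.

```python
"""Opt-in evidence audit for a WhatsApp marketing list.

Added example (not from the article or any vendor's product). Assumptions:
the subscriber list is a plain list of phone numbers, and the consent ledger
is a list of ConsentEvent records kept by the restaurant.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ConsentEvent:
    phone: str
    purpose: str                  # "marketing" or "reservation": separate purposes (Section 7)
    given_on: date
    source: str                   # where the opt-in was captured
    language: str                 # language the consent text was shown in
    withdrawn_on: Optional[date] = None


# Constructed sample data: five numbers on the list, four with any record at all.
SUBSCRIBERS = ["+919800000001", "+919800000002", "+919800000003",
               "+919800000004", "+919800000005"]
LEDGER = [
    ConsentEvent("+919800000001", "marketing", date(2025, 9, 3), "loyalty_form", "hi"),
    ConsentEvent("+919800000002", "reservation", date(2025, 11, 14), "reservation_form", "en"),
    ConsentEvent("+919800000003", "marketing", date(2025, 6, 1), "whatsapp_reply", "en",
                 withdrawn_on=date(2026, 1, 20)),
    ConsentEvent("+919800000004", "marketing", date(2026, 2, 2), "whatsapp_reply", "en"),
]


def marketing_consent_status(phone, ledger):
    """Return ("ok", event) if a live marketing opt-in exists, else (reason, None)."""
    events = [e for e in ledger if e.phone == phone]
    if not events:
        return "no_record", None
    marketing = [e for e in events if e.purpose == "marketing"]
    if not marketing:
        return "purpose_mismatch", None   # consent exists, but for another purpose only
    live = [e for e in marketing if e.withdrawn_on is None]
    if not live:
        return "withdrawn", None
    return "ok", max(live, key=lambda e: e.given_on)


def audit(subscribers, ledger, threshold=0.8):
    """Coverage of the list by evidenced marketing opt-ins, plus the gaps by reason."""
    evidenced, gaps = [], {}
    for phone in subscribers:
        status, _ = marketing_consent_status(phone, ledger)
        if status == "ok":
            evidenced.append(phone)
        else:
            gaps[phone] = status
    coverage = len(evidenced) / len(subscribers) if subscribers else 0.0
    return {
        "coverage": coverage,
        "evidenced": evidenced,
        "gaps": gaps,
        "reconfirm_list": coverage < threshold,   # below the 80 percent line: run a renewal broadcast
    }


def apply_reconfirmation(subscribers, ledger, gaps, replies, reply_date):
    """After the renewal broadcast: record a fresh opt-in for every number that
    replied (replies maps phone -> language of the reply) and prune the rest of
    the gap list. Returns (new_subscriber_list, new_ledger)."""
    new_ledger = list(ledger)
    keep = []
    for phone in subscribers:
        if phone not in gaps:
            keep.append(phone)
        elif phone in replies:
            new_ledger.append(ConsentEvent(phone, "marketing", reply_date,
                                           "reconfirm_broadcast", replies[phone]))
            keep.append(phone)
        # anything else is a non-responder and drops off the list
    return keep, new_ledger


if __name__ == "__main__":
    result = audit(SUBSCRIBERS, LEDGER)
    print(result)   # coverage 0.4, so the list needs a re-confirmation broadcast
    kept, ledger2 = apply_reconfirmation(SUBSCRIBERS, LEDGER, result["gaps"],
                                         {"+919800000002": "en"}, date(2026, 5, 12))
    print(kept)
```

The reason codes are the useful output: `purpose_mismatch` is exactly the Section 7 gap (reservation number reused for marketing), `withdrawn` is a number that should never have stayed on the list, and `no_record` is a number you cannot evidence to a provider at template approval. Each re-confirmation reply becomes a new ledger event with its own date, source and language, which is what makes the list auditable going forward.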
Cross-border data — Swiggy, Zomato, Google, AWS
DPDPA Section 16 allows the Central Government to restrict transfer of personal data to specified countries. As of mid-2026 no such restrictions are notified, but the framework exists.
For restaurants this matters because most cloud-based POS, CRM, and reservation systems store data outside India (AWS Mumbai is in India; AWS Singapore is not; many SaaS tools default to US/EU regions). The DPDPA default is permissive — cross-border transfer is allowed unless restricted — but a future notification could change this. Operationally:
- Maintain a list of every vendor that processes your guest data.
- For each vendor, know which country/region the data is stored in.
- Ensure your vendor contracts have a DPDPA addendum (Section 8(5) requires Data Fiduciaries to ensure their Data Processors comply).
The vendor list takes an afternoon to assemble and is a one-time exercise (with annual review). It's the artefact that proves to a future auditor that you took the obligation seriously.

Penalties — what's actually at stake
The Act prescribes financial penalties up to:
| Violation | Max penalty |
|---|---|
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify breach | ₹200 crore |
| Failure to fulfil obligations re. children | ₹200 crore |
| Failure to fulfil Significant Data Fiduciary obligations | ₹150 crore |
| Other obligations | ₹50 crore |
The maximums are ceilings, not defaults. Realistic penalties for a small-restaurant breach are in the lakhs, not crores — but the reputational damage from being publicly named in a Board order can dwarf the financial penalty. The Board will consider proportionality and steps taken.
The point is not to be terrified by ₹250 crore. The point is that data-protection compliance is no longer an aspirational programme; it's an enforcement-backed obligation. Build the seven-item plan above and move on.
Where this fits in the compliance stack
DPDPA is the newest layer in the restaurant compliance stack. It joins:
- FSSAI — food safety (the daily compliance load)
- GST + IT — financial compliance
- Labour registers — employee compliance
- DPDPA — guest-data compliance (this piece)
Each layer is independent. None can be skipped. The DPDPA layer is the cheapest to set up if you do it now — it gets more expensive every year as your data grows.