Back to all posts
Compliance 20 min read 24 May 2026 Portcart Editorial

DPDP Act Compliance Checklist for Indian Mall Operators in 2026

DPDP Rules notified in November 2025. Phase 3 enforcement begins May 2027. A practical, mall-specific checklist for operators handling shopper data, loyalty enrollments, voucher redemptions, footfall sensors, and CCTV.

DPDP Act Compliance Checklist for Indian Mall Operators in 2026

# DPDP Act Compliance Checklist for Indian Mall Operators in 2026

DPDP Rules were notified in November 2025. The major compliance window moves toward mid-May 2027. This practical checklist helps Indian mall operators review consent, loyalty, vouchers, CCTV, footfall sensors, marketing, data requests, and vendor contracts.


The Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025 in November 2025. Several important obligations under the DPDP framework come into force in phases, with the major compliance window pointing toward mid-May 2027.

For Indian mall operators, this is no longer just a legal department issue.

A mall may become a Data Fiduciary when it determines the purpose and means of processing shopper personal data. That can happen through Wi-Fi sign-ins, loyalty enrolment, parking records, number plate capture, CCTV-linked systems, voucher campaigns, event registrations, marketing databases, lead forms, tenant campaigns, and third-party integrations.

The old model of a single tickbox covering loyalty, marketing, analytics, partner sharing, profiling, WhatsApp communication, and campaign participation is no longer a safe operating model.

This checklist covers 27 practical compliance items across seven areas:

  1. Consent capture
  2. Loyalty programmes
  3. Vouchers and gift cards
  4. CCTV and footfall sensors
  5. Marketing and communication
  6. Data principal requests and grievances
  7. Vendor and partner contracts

A four-week sprint may not make a mall fully compliant. But it can create a defensible starting posture: data map, consent map, vendor register, retention logic, request process, audit trail, and internal accountability.

> Important disclaimer: This article is for general operational awareness and does not constitute legal advice. Mall operators should consult qualified legal counsel for DPDP applicability, contract drafting, and compliance decisions.


What changed after the DPDP Rules were notified?

The DPDP Act was passed in 2023. The Rules notified in November 2025 made the operating roadmap clearer.

For mall operators, three changes matter most.


1. Consent notices need to become specific

Consent notices should be clear, standalone, and easy to understand.

A shopper should know:

  • What personal data is being collected
  • Why it is being collected
  • What purpose it will be used for
  • Whether it will be shared with partners
  • How consent can be withdrawn
  • How the shopper can raise a request or grievance

A vague paragraph hidden inside a long terms-and-conditions page is not enough.


2. Withdrawal must be practical

If a shopper gives consent through a simple screen, withdrawal should not require a complicated offline process.

If loyalty enrolment happens through a kiosk, app, WhatsApp, website, or customer service desk, the withdrawal route should be equally practical.

For example:

  • App consent settings
  • WhatsApp opt-out
  • Unsubscribe link
  • Customer service desk form
  • Website request page
  • Email request route

Withdrawal should update the central consent record, not just one campaign tool.


3. Shopper requests need an operating process

Mall operators need a process for data principal requests and grievances.

The Rules refer to grievance redressal within a reasonable period, not exceeding 90 days. A mall can choose a stricter internal benchmark, such as 30 days, but 30 days should be described as an internal operating target, not as the legal rule.

The key point is simple:

DPDP compliance is not a privacy-policy PDF. It is an operating programme across marketing, security, parking, loyalty, vouchers, IT, agencies, tenants, and mall management.


Why DPDP matters specifically to shopping malls

A shopping mall is no longer just a physical retail location.

A modern mall collects and processes data through many touchpoints:

  • Parking entry
  • Vehicle number plate capture
  • Wi-Fi login
  • Loyalty enrolment
  • Voucher redemption
  • Gift-card campaigns
  • Event registration
  • Complaint records
  • WhatsApp campaigns
  • SMS campaigns
  • Email campaigns
  • Push notifications
  • CCTV
  • Footfall sensors
  • Tenant campaigns
  • Brand promotions
  • Agency-managed databases

Each touchpoint may collect personal data or become personal data when linked with another identifier.

For example:

  • A footfall counter that only counts anonymous visitors may be low risk.
  • A footfall sensor joined with Wi-Fi login, mobile number, loyalty ID, or app ID becomes a shopper-linked dataset.
  • A voucher code by itself may be operational data.
  • A voucher code linked to mobile number, redemption store, purchase value, and campaign behaviour becomes personal data.
  • CCTV used only for security has one purpose.
  • Face recognition linked to loyalty, VIP identification, blacklist management, or personalised targeting creates a higher-risk use case.

This is why mall operators need a practical checklist, not just legal theory.


# The 27-Item DPDP Checklist for Indian Mall Operators


1. Consent Capture

1.1 Rewrite every consent notice in plain language

Every major data collection point should have a clear notice.

This includes:

  • Wi-Fi login
  • Loyalty enrolment
  • Parking registration
  • Voucher registration
  • Event registration
  • Contest forms
  • App sign-up
  • Website lead forms
  • WhatsApp opt-ins
  • Tenant or partner campaigns run through the mall

The notice should explain:

  • What data is collected
  • Why it is collected
  • How it will be used
  • Whether it will be shared
  • How long it may be retained
  • How consent can be withdrawn
  • How the shopper can raise a request or grievance

Avoid one large privacy paragraph that nobody reads.

A better approach is to create purpose-wise notices:

  • Loyalty participation
  • Marketing communication
  • Voucher fulfilment
  • Parking operation
  • Security and CCTV
  • Event participation
  • Partner sharing

1.2 Split bundled consent into separate choices

Many older loyalty programmes used one tickbox for everything.

That model is risky.

A shopper joining a loyalty programme should not automatically be forced into every future marketing, analytics, profiling, and partner-sharing activity.

Separate the choices.

For example:

  • “I agree to join the mall loyalty programme.”
  • “I agree to receive offers and marketing communication.”
  • “I agree to receive partner brand offers.”
  • “I agree to receive personalised offers based on my visits or transactions.”

The first may be needed for loyalty participation. The others should usually be optional, purpose-specific, and recorded separately.


1.3 Make withdrawal as easy as enrolment

If a shopper gives consent through WhatsApp, app, website, kiosk, or customer service desk, withdrawal should be available through a comparable route.

Do not make withdrawal harder than sign-up.

Good mall-level withdrawal options include:

  • Unsubscribe link
  • WhatsApp opt-out keyword
  • App consent settings
  • Customer service desk form
  • Website data request page
  • Email request route

Every withdrawal should update the central consent record.


1.4 Maintain a consent ledger

Every consent event should leave an evidence trail.

At minimum, store:

  • Shopper identifier
  • Consent purpose
  • Consent status
  • Date and time
  • Channel
  • Notice version
  • Source campaign
  • Withdrawal date, if applicable
  • Staff ID or system ID, where relevant

This is important because in a dispute, the mall should be able to prove what the shopper agreed to and when.


1.5 Send updated notices to legacy loyalty users

Do not assume old consent is valid forever.

For shoppers enrolled before DPDP-ready flows, send an updated notice explaining current data uses.

Run a re-consent campaign where the old consent is:

  • Too broad
  • Unclear
  • Bundled
  • Missing partner-sharing permission
  • Missing WhatsApp or SMS marketing permission
  • Missing profiling or personalised-offer permission
  • Not linked to the current purpose

This is safer than continuing with old forms created before the new compliance expectations became clear.


1.6 Create a children’s data policy

The DPDP Act has specific obligations around children’s personal data, including verifiable parental consent in applicable cases.

For malls, the safer default is:

  • Do not enrol under-18 shoppers into marketing flows without legal review.
  • Do not run child-targeted profiling campaigns casually.
  • For kids’ events, collect minimum required data.
  • Use parent or guardian contact details where appropriate.
  • Set stricter retention rules for children’s event data.

2. Loyalty Programmes

2.1 Separate loyalty participation from marketing consent

Loyalty participation and marketing consent are not the same thing.

A shopper may want points, parking benefits, or voucher benefits without receiving promotional messages every week.

Keep loyalty consent separate from:

  • SMS marketing
  • WhatsApp marketing
  • Email marketing
  • Push notifications
  • Partner offers
  • Personalised profiling

This protects both the shopper and the mall.


2.2 Create a loyalty data retention schedule

Most loyalty systems keep shopper data indefinitely.

That is risky.

Define how long different data categories are retained.

For example:

  • Basic loyalty account data
  • Points ledger
  • Redemption history
  • Campaign participation
  • Inactive account records
  • Complaint and dispute records
  • Accounting or tax-linked records

Some records may need longer retention for tax, audit, fraud prevention, or dispute purposes.

But indefinite retention without reason should be avoided.


2.3 Make tier rules transparent

If a loyalty programme has Silver, Gold, Platinum, VIP, or other tiers, the rules should be clearly disclosed.

The shopper should know:

  • How points are earned
  • How points expire
  • How tiers are upgraded
  • How tiers are downgraded
  • What happens after inactivity
  • What happens when a transaction is reversed
  • What benefits are conditional

Hidden loyalty logic creates both customer anger and compliance risk.


2.4 Allow shoppers to access their loyalty ledger

A shopper should be able to see their points history, redemptions, and major loyalty activity.

At minimum, the mall should be able to provide this in response to a data request.

A clean export should include:

  • Date
  • Activity type
  • Points earned
  • Points redeemed
  • Store or campaign reference
  • Expiry, if applicable
  • Adjustment reason

This does not need to be overcomplicated. A simple downloadable ledger is enough to start.


2.5 Define partner-brand data sharing clearly

If the mall shares loyalty or shopper data with brands, restaurants, parking partners, voucher partners, or campaign agencies, the role of each party must be clear.

Some partners may act only as Data Processors.

Some may act as independent Data Fiduciaries.

Some arrangements may involve both roles depending on the use case.

The contract should define:

  • Who collects the data
  • Who decides the purpose
  • Who can use the data
  • Whether the partner can reuse it
  • How long the partner can keep it
  • What happens after campaign closure
  • Who handles breach notification
  • Who handles shopper requests

Do not treat partner sharing as a casual Excel export.


3. Voucher and Gift-Card Programmes

3.1 Separate issuance metadata from redemption metadata

Voucher programmes generate two different kinds of data.

Issuance data may include:

  • Recipient name
  • Mobile number
  • Email
  • Campaign source
  • Voucher value
  • Issue date
  • Expiry date

Redemption data may include:

  • Store
  • Transaction time
  • Invoice value
  • Redemption status
  • Partial redemption
  • Failure reason
  • Cashier or system reference

Both are useful, but they do not always need to be stored together forever.

Keep the data model clean.


3.2 Maintain maker-checker audit logs

Voucher misuse is a real operational risk.

Every voucher issue, approval, cancellation, extension, reversal, or manual adjustment should leave an audit row.

The audit trail should record:

  • Who created it
  • Who approved it
  • When it was approved
  • What changed
  • Why it changed
  • Which campaign it belonged to
  • Whether the customer was notified

This is useful for fraud control, finance reconciliation, and DPDP evidence management.


3.3 Review voucher partner agreements

Gift-card and voucher partners may be Data Processors or independent Data Fiduciaries depending on how the arrangement is structured.

Do not assume the role automatically.

The agreement should cover:

  • Purpose of processing
  • Categories of personal data
  • Security obligations
  • Sub-processor use
  • Breach reporting
  • Data deletion or return
  • Retention period
  • Audit support
  • Customer request handling
  • Restrictions on reuse

This is especially important when the mall uses external voucher platforms, gift-card providers, campaign tools, or redemption engines.


3.4 Time-box voucher records

Voucher campaigns should not create permanent personal-data archives.

Define a retention rule.

For example:

  • Active campaign period
  • Redemption and refund window
  • Dispute window
  • Accounting or tax retention period
  • Pseudonymisation or deletion stage

After the business purpose is complete and legal retention is no longer needed, personal identifiers should be deleted or pseudonymised where practical.


4. CCTV and Footfall Sensors

4.1 Publish a CCTV retention policy

Malls usually need CCTV for security, safety, incident review, and law-enforcement support.

But the retention period should be documented.

The policy should explain:

  • Why CCTV is used
  • Which areas are monitored
  • How long footage is retained
  • Who can access footage
  • When footage may be shared
  • How incident footage is preserved
  • Whom to contact for privacy questions

Do not leave CCTV retention as an informal security-team habit.


4.2 Be very careful with face recognition

General CCTV for security and face recognition for identifying or profiling shoppers are not the same risk category.

If a mall uses face recognition, VIP recognition, blacklist recognition, repeat-visitor recognition, or face-linked analytics, it needs strong legal review and clear purpose justification.

Before deploying face recognition, ask:

  • Is it necessary?
  • Is there a less intrusive option?
  • Is explicit consent required for this use case?
  • Is the use limited to security?
  • Is it linked to loyalty or marketing?
  • How long is the face template retained?
  • Who has access?
  • Can the shopper object or withdraw?

Face recognition should not be treated as a casual analytics feature.


4.3 Keep footfall data anonymous by default

Footfall sensors can be useful without identifying individuals.

The safer operating model is:

  • Count people
  • Analyse zones
  • Measure peak hours
  • Track entrance loads
  • Study broad movement patterns

Avoid joining sensor IDs with Wi-Fi login, mobile number, loyalty profile, or campaign behaviour unless there is a specific, consent-backed, documented purpose.

Anonymous analytics is one thing.

Shopper-linked analytics is another.


4.4 Treat vehicle plate data as high-risk identifiable operational data

Do not call number plate data “biometric data”. That is not the right term.

But vehicle plate data can still be sensitive because it can identify or help identify a person when linked with parking records, payment records, CCTV, loyalty accounts, or security incidents.

For ANPR and parking systems, document:

  • Purpose
  • Retention period
  • Access controls
  • Sharing with police or agencies
  • Vendor role
  • Security controls
  • Deletion schedule

Parking data should not silently become marketing data.


5. Marketing and Communication

5.1 Use channel-wise marketing consent

A shopper may agree to SMS but not WhatsApp.

They may agree to loyalty updates but not promotional blasts.

They may agree to mall-level updates but not partner-brand messages.

Capture consent by channel and purpose.

Recommended fields:

  • SMS transactional
  • SMS promotional
  • WhatsApp transactional
  • WhatsApp promotional
  • Email
  • Push notifications
  • Partner brand offers
  • Personalised offers

Double opt-in is a strong internal control, especially for WhatsApp, SMS, and email, but describe it as a best practice rather than a legal requirement.


5.2 Tag campaigns with consent references

Every outgoing campaign should be traceable to the consent that allowed it.

This does not mean every customer-facing message must show a consent ID.

It means the internal campaign engine should be able to answer:

  • Why was this shopper included?
  • Which consent allowed this message?
  • When was that consent given?
  • Was the consent still active when the message was sent?
  • Was the shopper suppressed from any channel?

This creates campaign accountability.


5.3 Maintain one global suppression list

Do not manage opt-outs separately in five tools.

A shopper who opts out from marketing should not keep receiving campaigns because one vendor list was not updated.

Build a global suppression mechanism across:

  • SMS
  • Email
  • WhatsApp
  • Push
  • Agency exports
  • Partner campaigns
  • Manual campaign uploads

Set an internal target such as 24 hours or one business day for suppression updates.


5.4 Define message frequency caps

Even if consent exists, excessive messaging creates complaints.

Define frequency caps.

For example:

  • Not more than two promotional messages per week
  • Urgent operational messages excluded
  • Festival campaign exceptions documented
  • Partner campaigns included in total frequency

The cap should sit in policy and in the campaign tool.

A mall that over-messages shoppers creates both brand damage and regulatory risk.


6. Data Principal Requests and Grievances

6.1 Publish a simple data request page

Every mall should have a public page that explains how shoppers can raise requests related to their personal data.

The page should cover:

  • Access request
  • Correction request
  • Completion request
  • Erasure request
  • Consent withdrawal
  • Grievance filing
  • Contact person
  • Expected response timeline
  • Verification requirements

Keep it simple.

A shopper should not need to understand legal language to use it.


6.2 Build a request queue with SLA tracking

Every incoming request or grievance should become a ticket.

The ticket should capture:

  • Requester identity
  • Request type
  • Date received
  • Verification status
  • Assigned owner
  • Systems to be checked
  • Response deadline
  • Action taken
  • Closure evidence

The Rules refer to grievance redressal within a reasonable period not exceeding 90 days.

A mall can adopt a stricter internal target, such as 30 days, but that should be described as an internal operating benchmark.

Do not say every mall must appoint a Data Protection Officer.

A Data Protection Officer is specifically required for Significant Data Fiduciaries. Other Data Fiduciaries should still publish the business contact details of a person who can answer questions about personal data processing and should define internal accountability clearly.

Use this wording:

“Publish the business contact details of the DPO, where applicable, or a designated person who can answer questions about personal data processing.”


7. Vendor and Partner Contracts

7.1 Create a single external data-flow register

Every external data flow should be listed in one register.

Start with a spreadsheet if needed.

Track:

  • Vendor name
  • Service provided
  • Data shared
  • Purpose
  • System used
  • Retention period
  • Contract reference
  • Processor or fiduciary role
  • Sub-processors
  • Breach reporting obligation
  • Deletion or return obligation
  • Business owner

This register should include:

  • Wi-Fi vendor
  • Parking vendor
  • CCTV vendor
  • ANPR vendor
  • Loyalty platform
  • Voucher platform
  • CRM
  • WhatsApp provider
  • SMS provider
  • Email provider
  • Analytics tools
  • Agencies
  • Event vendors
  • Tenant campaign partners

If the mall cannot list where shopper data goes, it cannot govern it.


7.2 Update contracts with DPDP-ready clauses

Before the final compliance rush, update vendor agreements.

Each relevant agreement should include clauses for:

  • Purpose limitation
  • Data security
  • Confidentiality
  • Sub-processing
  • Breach notification
  • Assistance with data principal requests
  • Deletion and return
  • Retention limits
  • Audit support
  • Data localisation or transfer position, where relevant
  • Restriction on independent reuse

Do not wait until May 2027 to start vendor contract clean-up.

March 2027 is a more realistic internal deadline because legal review, negotiation, and renewals take time.


# Where Portcart Fits Into This Checklist

This checklist is not a claim that software alone can make a mall compliant.

DPDP readiness needs:

  • Legal review
  • Process design
  • Staff training
  • Vendor contracts
  • Data security
  • Audit trails
  • Management ownership

That said, Portcart is being designed to support several DPDP-aligned operating controls for Indian malls and airports.

These include:

  • Shopper Wallet with consent history
  • Purpose-wise consent capture
  • Voucher maker-checker logs
  • Campaign consent references
  • Global suppression logic
  • Loyalty ledger visibility
  • Operator-side audit trails
  • Vendor and partner workflow mapping
  • Data request support flows

These controls can reduce manual dependency and make evidence easier to produce.

But the correct position is this:

Portcart can support a DPDP-aligned mall operating stack. It does not replace legal advice or the mall operator’s own compliance responsibility.


# Four-Week DPDP Readiness Sprint for Mall Operators

Week 1: Map the data

In the first week, the mall should create a one-page map of major data flows.

Map:

  • Wi-Fi
  • Parking
  • CCTV
  • ANPR
  • Loyalty
  • Vouchers
  • Events
  • Website forms
  • App flows
  • Marketing databases
  • Agency exports
  • Tenant campaigns
  • Vendor systems

Also identify who owns each flow internally.

By the end of week one, the mall should know where shopper data is collected, why it is collected, who uses it, and where it goes.


Week 2: Fix consent and notices

In the second week, update the most visible consent points.

Focus on:

  • Wi-Fi notice
  • Loyalty enrolment notice
  • Marketing consent
  • Voucher campaign forms
  • Parking notice
  • CCTV notice
  • Website privacy page
  • App sign-up flow
  • Customer service desk scripts

The goal is not perfection.

The goal is to stop collecting data through vague, bundled, and outdated language.


Week 3: Review legacy data and vendors

In the third week, review old users and external partners.

Actions:

  • Send updated notices to legacy loyalty users
  • Identify where re-consent is needed
  • Build the vendor data-flow register
  • Review voucher and CRM partners
  • Check WhatsApp, SMS, and email opt-out flows
  • Create a global suppression list
  • Mark high-risk vendors for contract updates

This week usually exposes the real problem: data is scattered across teams, agencies, and tools.


Week 4: Build the operating process

In the fourth week, create the request and governance process.

Actions:

  • Publish the data request page
  • Create request ticketing workflow
  • Assign internal owner
  • Define escalation matrix
  • Train customer service desk
  • Run one mock data request
  • Run one mock withdrawal request
  • Run one mock breach escalation
  • Document unresolved gaps

At the end of week four, the mall will not be “fully compliant”.

But it will have a defensible starting posture.

That matters.


# Frequently Asked Questions

Are footfall sensors covered under DPDP?

If the sensor only produces anonymous, non-identifiable counts, DPDP risk is lower.

But if the sensor data is joined with Wi-Fi login, mobile number, loyalty ID, app ID, or any other identifier, the combined data can become personal data.

The safest default is to keep footfall analytics anonymous unless there is a documented and consent-backed purpose for identity-level analytics.


Does DPDP apply to a mall without a loyalty programme?

It can.

A mall may still process personal data through:

  • CCTV
  • Parking systems
  • Wi-Fi login
  • Website forms
  • Event registrations
  • Campaign forms
  • Complaint records
  • Vendor systems
  • Security logs

Loyalty increases the risk, but it is not the only trigger.


Does every mall need a Data Protection Officer?

Not necessarily.

The DPDP Act specifically requires a Data Protection Officer for Significant Data Fiduciaries.

Other mall operators should still publish the contact details of a person who can respond to data-processing questions and should assign internal accountability.

So the safer wording is:

DPO where applicable, otherwise a designated contact person.


Is 30 days the legal deadline for shopper data requests?

Do not state it that way.

The Rules refer to grievance redressal within a reasonable period not exceeding 90 days.

A 30-day response target is a good internal benchmark, but it should not be presented as the legal rule.


Can one mall group use one privacy policy for all properties?

Yes, but it should include property-specific details where needed.

A national mall operator can use one umbrella privacy policy with annexures or sections for each mall, especially where CCTV, parking, Wi-Fi, loyalty, local events, or partner campaigns differ by property.


Are voucher partners automatically Data Processors?

No.

It depends on who decides the purpose and means of processing.

A voucher partner may be a Data Processor, an independent Data Fiduciary, or both in different contexts.

The contract must clearly define the role.


Is face recognition allowed?

Do not treat it casually.

Face recognition needs strong purpose justification, strict access control, retention limits, and legal review.

If it is linked to loyalty, marketing, VIP identification, or behavioural analytics, the risk is much higher than ordinary CCTV.


What should malls finish before May 2027?

At minimum:

  • Data map
  • Consent map
  • Updated notices
  • Withdrawal flow
  • Legacy notice or re-consent plan
  • Vendor register
  • DPDP-ready vendor clauses
  • Retention schedule
  • Request and grievance process
  • Suppression list
  • Security safeguards
  • Audit trail for loyalty, vouchers, and campaigns
  • Internal training

The malls that begin this work in 2026 will be calmer in 2027.

The malls that wait until the last quarter will end up doing rushed legal patchwork.


# Final Word

DPDP compliance is not a checkbox.

For shopping malls, it cuts across:

  • Loyalty
  • Marketing
  • Parking
  • CCTV
  • Wi-Fi
  • Vouchers
  • Events
  • Agencies
  • Tenants
  • Technology partners

The operators who treat DPDP as a mall operations programme will be better prepared than those who treat it as a privacy-policy update.

A practical target for 2026 is simple:

  • Know what data you collect.
  • Know why you collect it.
  • Know who receives it.
  • Know how long you keep it.
  • Know how a shopper can withdraw consent.
  • Know how you will respond when a shopper asks questions.
  • Know what evidence you can show if something goes wrong.

That is the beginning of a defensible DPDP posture.


Suggested SEO Details

Meta title: DPDP Act Compliance Checklist for Indian Mall Operators in 2026

Meta description: A practical DPDP compliance checklist for Indian mall operators covering consent, loyalty, vouchers, CCTV, footfall sensors, marketing, data requests, and vendor contracts.

Hero image alt text: DPDP Act Compliance Checklist for Indian Mall Operators in 2026

Suggested disclaimer: This article is for general operational awareness and does not constitute legal advice. Mall operators should consult qualified legal counsel for DPDP applicability, contract drafting, and compliance decisions.

Tagsdpdpcompliancemall-operationsloyaltyconsentindia

Found this useful? Share it with your team.

Share
DPDP Compliance Checklist for Mall Operators in India (2026) | Portcart