Compliance · 5 min read · 9 June 2026 · Portcart Editorial

Shopper Consent Management for Indian Malls Under DPDP

DPDP requires specific, granular, withdrawable consent. Most Indian malls run consent as a single tickbox at loyalty enrollment. The proper consent management pattern explained.

The DPDP Act requires consent that is free, specific, informed, unconditional and unambiguous, and the DPDP Rules notified in November 2025 turned that from a best practice into an enforceable operational requirement with a timetable. A single tickbox at loyalty enrollment that covers "marketing, analytics, partner sharing, personalisation, and CCTV linkage" does not meet the bar. Each of those purposes is a separate consent that has to be captured, recorded, and individually withdrawable.

This piece is the practical pattern for shopper consent management at Indian malls, written for the people who actually configure the enrollment kiosks and loyalty WhatsApp flows.

Why the old pattern fails

Most malls today capture consent like this:

> "I agree to receive marketing communications and allow Mall X to process my data for loyalty, promotional, and analytical purposes. [Yes / No]"

This fails DPDP on multiple grounds:

  • Not specific. The shopper can't say yes to loyalty but no to marketing.
  • Not granular. No way to consent to in-mall analytics but withhold partner sharing.
  • Not easily withdrawable. The shopper has no equivalent withdrawal path matching the ease of enrollment.
  • Not documented. No timestamped record tied to the exact notice version the shopper saw.

When DPDP enforcement kicks in (Phase 3, May 2027), bundled-consent loyalty programmes become legal liabilities, not assets.

The five-consent pattern

A DPDP-compliant mall loyalty enrollment captures five distinct consents:

1. Loyalty operation consent

The minimum required to operate loyalty. Without this, the shopper isn't enrolled. Covers: storing identity (name, phone, email), recording transactions for points calculation, sending transactional messages (points earned, points expiring soon).

2. Marketing communication consent

Separate optional consent. Covers: promotional offers, brand campaign messages, festival-season campaigns.

3. Personalisation consent

Separate optional consent. Covers: using the shopper's transaction history to personalise offers (e.g. "shoppers who bought from Westside often shop at Vero Moda").

4. Partner brand sharing consent

Separate optional consent. Covers: sharing visit / spend data with specific tenant brands so the brands can provide better service or run brand-specific offers.

5. Footfall analytics linkage consent

Separate optional consent. Covers: linking the shopper's loyalty profile to anonymous footfall sensor data so the mall can compute true conversion (visits → loyalty members → purchasers).

Each is a separate tickbox. Each has its own short notice (under 30 words, plain language). Each can be turned on or off independently after enrollment.

The consent ledger

DPDP doesn't use the phrase "consent ledger" but in spirit it requires one. A consent ledger is an immutable, append-only record of:

  • Every consent grant (shopper id, purpose, notice version, timestamp)
  • Every consent withdrawal (same fields)
  • Every data-use event that relied on a specific consent

When a shopper exercises their data principal request rights ("show me everything you have about me, and how you've used it"), the consent ledger is the answer.

For mall scale (50,000 to 500,000 enrolled shoppers per mall), the ledger is a meaningful data engineering task: append-only writes, indexed reads by shopper id, retention policy aligned to legal requirements (typically 7+ years).

The withdrawal mechanism

DPDP requires that withdrawing consent be as easy as giving it (the Act's wording is that the ease of withdrawal must be comparable to the ease with which consent was given). Translation: if you enroll via WhatsApp in three taps, you must be able to withdraw via WhatsApp in three taps.

The right mechanism: a dedicated WhatsApp command (e.g. "STOP MARKETING") plus an equally accessible web page (e.g. mall website /privacy/manage-consents) plus a customer service desk path. All three lead to the same consent ledger update.

What doesn't meet the bar: requiring the shopper to send an email to a generic address and wait for human processing. That's not equivalent to a one-tap opt-in.

Cross-channel suppression

Once a shopper withdraws marketing consent, the suppression has to be global across channels. WhatsApp, SMS, email, push, in-app banner, and any in-store kiosk personalisation. A unified suppression list, not per-channel toggles.

This sounds obvious until you realise most mall marketing stacks have separate WhatsApp, SMS, and email vendors with separate suppression lists that have to be kept in sync. Without a unified suppression list, the shopper unsubscribes from WhatsApp and continues to receive emails, which violates the spirit of DPDP and generates immediate complaints.

Re-consent for legacy enrollments

Most malls have shoppers who enrolled before 2025 under broad consent that doesn't meet DPDP. These need re-consent.

Practical approach: within the first 12 months of DPDP enforcement, run a re-consent campaign. WhatsApp message to all enrolled shoppers: "We're updating our privacy practices. Please tap to review and confirm your preferences." Link goes to a simple consent management page. Track conversion. Shoppers who don't re-consent within 90 days move to a "marketing-suspended" state where loyalty operations continue (transaction recording, points calculation) but marketing communications stop.
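To make the consent ledger, the three withdrawal paths, the unified suppression check and the re-consent timeout concrete, here is an added example in Python. It is illustration written for this post, not Portcart code: the purpose names, notice version strings, the WhatsApp keyword map and the 90-day grace rule are assumptions, and the shopper records in `demo()` are constructed. Every grant, withdrawal, suspension and message send is an appended entry, and the current state of a shopper's consents is only ever derived by replaying those entries.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Purpose and channel names are assumptions chosen for this example.
PURPOSES = ("loyalty", "marketing", "personalisation", "partner_sharing", "footfall_linkage")
OPTIONAL = PURPOSES[1:]   # everything except loyalty operation
CHANNELS = ("whatsapp", "sms", "email", "push", "kiosk")


@dataclass(frozen=True)
class Entry:
    shopper_id: str
    purpose: str
    action: str          # "grant", "withdraw", "suspend" or "use"
    notice_version: str  # exact notice text the shopper saw ("" for withdraw/suspend)
    ts: datetime
    detail: str = ""     # withdrawal source, suspension reason, or "channel:campaign" for use


class ConsentLedger:
    """Append-only: entries are added, never edited or deleted."""

    def __init__(self):
        self._entries = []      # full ledger in write order
        self._by_shopper = {}   # read index: shopper id -> that shopper's entries

    def _append(self, e):
        if e.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {e.purpose!r}")
        self._entries.append(e)
        self._by_shopper.setdefault(e.shopper_id, []).append(e)

    def grant(self, shopper_id, purpose, notice_version, ts):
        self._append(Entry(shopper_id, purpose, "grant", notice_version, ts))

    def withdraw(self, shopper_id, purpose, ts, source):
        # WhatsApp command, web page and service desk all end in this one call.
        self._append(Entry(shopper_id, purpose, "withdraw", "", ts, source))

    def state(self, shopper_id):
        """Replay entries: purpose -> notice version if active, else None."""
        active = {p: None for p in PURPOSES}
        for e in self._by_shopper.get(shopper_id, []):
            if e.action == "grant":
                active[e.purpose] = e.notice_version
            elif e.action in ("withdraw", "suspend"):
                active[e.purpose] = None
        return active

    def may_send(self, shopper_id, purpose, channel, campaign, ts):
        """The single check every channel calls, so one withdrawal suppresses all of them.
        A permitted send is itself recorded against the consent it relied on."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        st = self.state(shopper_id)
        if st["loyalty"] is None or st[purpose] is None:
            return False   # not enrolled, or this purpose never granted / withdrawn
        self._append(Entry(shopper_id, purpose, "use", st[purpose], ts, f"{channel}:{campaign}"))
        return True

    def export(self, shopper_id):
        """Data principal request: every entry for the shopper, in order."""
        return [asdict(e) for e in self._by_shopper.get(shopper_id, [])]

    def suspend_legacy(self, current_version, deadline, now):
        """Re-consent timeout: after the deadline, optional purposes still resting on an
        older notice version are suspended; loyalty operation is left untouched."""
        if now < deadline:
            return 0
        count = 0
        for sid in list(self._by_shopper):
            for p, version in self.state(sid).items():
                if p in OPTIONAL and version is not None and version != current_version:
                    self._append(Entry(sid, p, "suspend", "", now, "reconsent_timeout"))
                    count += 1
        return count


# Assumed WhatsApp keyword map; anything else is ignored rather than guessed at.
KEYWORDS = {"MARKETING": "marketing", "PERSONALISATION": "personalisation",
            "PARTNERS": "partner_sharing", "FOOTFALL": "footfall_linkage"}


def handle_whatsapp(ledger, shopper_id, text, ts):
    """'STOP MARKETING' in one message withdraws that one purpose."""
    parts = text.strip().upper().split()
    if len(parts) == 2 and parts[0] == "STOP" and parts[1] in KEYWORDS:
        ledger.withdraw(shopper_id, KEYWORDS[parts[1]], ts, "whatsapp")
        return KEYWORDS[parts[1]]
    return None


def demo():
    # Constructed scenario: s1 is a legacy bundled-consent shopper, s2 enrolled on the new notice.
    t0, day = datetime(2026, 1, 10, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger()
    ledger.grant("s1", "loyalty", "notice-2024", t0)
    ledger.grant("s1", "marketing", "notice-2024", t0)
    ledger.grant("s2", "loyalty", "notice-2026.1", t0)
    ledger.grant("s2", "marketing", "notice-2026.1", t0)
    before = ledger.may_send("s2", "marketing", "email", "festive-offer", t0 + day)
    handle_whatsapp(ledger, "s2", "stop marketing", t0 + 2 * day)
    after = ledger.may_send("s2", "marketing", "email", "festive-offer", t0 + 3 * day)
    suspended = ledger.suspend_legacy("notice-2026.1", t0 + 100 * day, t0 + 120 * day)
    return before, after, suspended, ledger.state("s1"), ledger.export("s2")
```

In `demo()` the shopper who withdraws marketing over WhatsApp is then refused on email, because email asks the same ledger rather than its own suppression list, and the legacy shopper keeps loyalty operation while marketing is suspended after the re-consent deadline. The in-memory lists stand in for an append-only table; at mall scale the same shape maps onto an append-only store with an index on shopper id and a retention policy set by counsel.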

What this enables operationally

Beyond compliance, granular consent unlocks better marketing:

  • Marketing campaigns can target only shoppers with the right consent for the campaign type, reducing wastage
  • Partner brand sharing can be done with confidence in audit defence
  • Personalisation features can be enabled only for the shoppers who opted in, improving relevance
  • Customer service can quickly answer "why am I getting these messages" with a precise audit trail

Frequently asked questions

Does this make the enrollment flow too long?

Done right, no. Present the five consents on a single screen with clear labels, all unchecked except "Loyalty operation", which is required. The shopper ticks what they want and taps once to proceed. That adds three to five seconds compared with the old bundled consent.

What about implicit consent from in-mall actions?

DPDP recognises no such thing as implicit consent: processing rests either on explicit consent or on one of the Act's enumerated legitimate uses. Security CCTV in common areas falls under the latter, but walking past a camera does not amount to consent to linking face recognition with a loyalty profile. That linkage is a separate, optional consent, and it must be captured as one.

How does this affect international visitors?

International visitors enrolled in Indian mall loyalty are covered by DPDP for data processed in India. Same five consents apply. NRI passenger flows at airports particularly need clear DPDP-aligned consent capture.

What if a shopper grants partner sharing consent, then a partner brand later violates trust?

DPDP holds both you and the partner accountable as independent data fiduciaries. Document the partner sharing arrangement in writing. When a partner violates trust, you should be able to revoke the data sharing immediately and notify affected shoppers.

How Portcart handles this

The five-consent pattern and consent ledger are first-class in Portcart's shopper wallet and communication engine.

  • [Shopper Wallet (Consent Ledger)](/platform/shopper-wallet) — granular per-purpose consent capture, immutable consent ledger with timestamped grants and withdrawals, one-click data principal request export.
  • [Communication Engine](/platform/communication) — unified suppression list across WhatsApp, SMS, email, push. Every outgoing message tagged with the source consent that authorised it.
  • [Loyalty Layer](/platform/loyalty) — loyalty operation consent treated as required-to-operate; other consents independently toggleable per shopper.

If your mall's loyalty programme still runs on a single-tickbox consent model, request a demo and we'll walk through migration to the DPDP-compliant pattern.

Tags: dpdp, consent, compliance, mall-operations, india