India's Digital Personal Data Protection Act was enacted in August 2023, and the implementing rules began rolling out through 2025. If your business collects customer phone numbers, names, or feedback in any form, the law applies to you. Including when you ask for a Google review.
This post is a practical summary written for a business owner who needs to know what changed and what to do about it. It is not legal advice. For anything contested or material, talk to a lawyer who works in Indian data-protection law.
The short version
DPDP treats almost any information that can identify a person as "personal data." A customer's name, phone number, email, and the contents of a review they wrote are all in scope. As the business collecting that data, you are a "data fiduciary" and have four core obligations:
- Consent at the point of capture, in plain language
- Purpose limitation: use the data only for what you said you would
- Retention discipline: don't keep it longer than you need it
- Grievance + erasure: a way for customers to complain, to correct their data, and to have it erased
Penalties for serious breaches run up to ₹250 crore. The point of the law is not to trap small businesses, but the obligations apply regardless of size. The good news is that for review collection specifically, getting it right is fairly mechanical.
Where review collection touches personal data
The moment you put a QR code on a table or counter, you have created a data-collection path. Three things typically get captured:
- The customer's name (often, to personalise the review)
- A way to reach them (phone or WhatsApp, especially for follow-up)
- The content of their feedback or rating
Each of those is personal data under DPDP. None of it is sensitive in the way medical or financial records are, but all of it falls inside the perimeter the law draws.
What good consent looks like
Consent under DPDP must be free, specific, informed, unconditional, and unambiguous. In practice, that means the lead form a customer sees on their phone should:
- Tell them in plain English (and ideally the local language) what you'll do with their name and phone
- Link to a privacy notice they can actually read on a phone, not a 40-page PDF
- Not bury the consent in a pre-ticked checkbox
- Make it easy to opt out of follow-up messages later
The TapReview lead form does this: name and phone are optional, the privacy notice is one tap away, and customers can ask to be removed via the same channel they came in on.
Three things to set up before going live
Retention rule
Decide how long you keep customer data after a review is collected. Common defaults: 12-24 months. Write it down.
Erasure path
If a customer asks for their data to be deleted, you need to be able to do it. Inside TapReview, the owner dashboard supports this from the leads list.
Grievance contact
Publish an email address customers can reach for complaints. It can be the same one you use for support.
What TapReview does on your behalf
A review-collection product can't make a business compliant on its own — your in-store signage, staff training, and any follow-up marketing you do all sit outside our perimeter. But the parts inside our perimeter we take seriously:
- Consent disclosure on every lead-capture form, with a link to the privacy notice
- Customer data is isolated per business at the database level (row-level security), not just at the application layer
- Authentication cookies are set without a Domain attribute (host-only), so the browser sends them only to the dashboard host and never to the customer-facing scan domain
- Every administrative action on a customer record is audited
- Erasure is a one-click action for the business owner from inside the dashboard
None of this is theatre. The way we built the database from day one assumes a future where a customer or regulator asks "what did you know about this person and when did you forget it?" and we can answer cleanly.
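As an added illustration, not TapReview's own schema or code, here is what the two database-side claims above, per-business isolation with row-level security and an audit trail on every change to a customer record, look like in PostgreSQL. The table names, the app_user role and the app.business_id session setting are assumptions made for the example.

```sql
-- Added example, not TapReview's schema. Assumes the application connects
-- with a non-owner role (app_user) and scopes each transaction to one tenant
-- with SET LOCAL app.business_id = '<uuid>' before touching customer rows.

CREATE TABLE leads (
    id           bigserial PRIMARY KEY,
    business_id  uuid NOT NULL,
    name         text,
    phone        text,
    feedback     text,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Audit rows deliberately carry no personal data: who did what to which
-- record and when. Storing the old row here would re-create the data an
-- erasure was meant to remove.
CREATE TABLE lead_audit (
    id           bigserial PRIMARY KEY,
    lead_id      bigint NOT NULL,
    business_id  uuid NOT NULL,
    action       text NOT NULL,          -- INSERT / UPDATE / DELETE
    actor        text NOT NULL,          -- database role that made the change
    at           timestamptz NOT NULL DEFAULT now()
);

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;
GRANT USAGE ON SEQUENCE leads_id_seq TO app_user;
-- app_user gets no grants on lead_audit at all; the trigger writes it.

ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;   -- enforce for the owner too

-- A row is visible, and may be written, only when its business_id matches
-- the tenant on the current transaction. current_setting(..., true) returns
-- NULL when the setting is absent, so an unscoped session matches nothing.
CREATE POLICY leads_tenant_isolation ON leads
    USING      (business_id = current_setting('app.business_id', true)::uuid)
    WITH CHECK (business_id = current_setting('app.business_id', true)::uuid);

-- Record every write to a customer record, including erasure.
-- SECURITY DEFINER lets the trigger insert into lead_audit even though
-- app_user cannot read, change or delete the audit table itself.
CREATE OR REPLACE FUNCTION audit_lead_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO lead_audit (lead_id, business_id, action, actor)
        VALUES (OLD.id, OLD.business_id, TG_OP, current_user);
        RETURN OLD;
    ELSE
        INSERT INTO lead_audit (lead_id, business_id, action, actor)
        VALUES (NEW.id, NEW.business_id, TG_OP, current_user);
        RETURN NEW;
    END IF;
END
$$;

CREATE TRIGGER leads_audit
    AFTER INSERT OR UPDATE OR DELETE ON leads
    FOR EACH ROW EXECUTE FUNCTION audit_lead_change();

-- One erasure request, scoped to a single business. The DELETE can only
-- match rows the policy lets this tenant see, whatever the WHERE clause says.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.business_id = '11111111-1111-1111-1111-111111111111';
DELETE FROM leads WHERE phone = '+919876543210';
COMMIT;
```

Two details matter in practice. SET LOCAL rather than SET keeps the tenant id bound to the transaction, so it cannot leak to the next request on a pooled connection. And the audit table records the erasure without retaining what was erased, which is what lets you answer "when did you forget this person?" without contradicting the answer.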
The 10-minute owner checklist
- Update your in-store signage near the QR to mention what data you collect
- Confirm your privacy page actually loads on a phone, in plain language
- Write down your retention policy (12 months is a reasonable default)
- Pick a grievance email and put it on the privacy page
- Brief your front-line staff that customers can ask to be removed
Not legal advice. DPDP rules continue to evolve. For anything material to your business, get a lawyer.
The Act asks you to be deliberate about a thing every business already does informally — collect customer information and use it to grow. Done right, that's good practice anyway. The compliance is a side-effect of caring about how you treat the people who walk into your shop.