When the welcome desk becomes a data desk: DPDPA knocks on hospitality’s door

Hospitality has always traded on anticipation, that is, on knowing what its guests want, when they want it, sometimes before they ask. India’s Digital Personal Data Protection Act, 2023 (DPDPA), finally given working teeth through the DPDP Rules notified on November 13, 2025, will not change that instinct. But it will change, often radically, how hotels, restaurants, resorts and the platforms that feed them collect, store, share and monetise the personal information that makes such anticipation possible. With the core operational provisions scheduled to take effect from May 2027, the time hospitality businesses have to retool their data plumbing is shrinking fast.

The data they hold 

Most general managers, if asked, would list reservations, payments and a CCTV feed as the personal information their property handles. The reality is considerably bigger. A guest who walks through the lobby of even a mid-sized hotel leaves behind a digital trail that includes name, address, phone number, email, passport and national identity numbers, date of birth, vehicle registration, payment card details, frequent flyer affiliations, loyalty programme history, room preferences, dietary requirements (which shade into health information when they concern allergies or diabetes, and into religious affiliation when they reflect faith-based restrictions) and special requests linked to accessibility or medical conditions. Restaurants gather not just reservation details and table preferences but also customer photographs through tagged social-media posts, dietary disclosures and, increasingly, biometric or facial-recognition data through smart entry and payment systems.

Layered on top of this are the operational data streams: CCTV footage from corridors, parking lots and dining areas; Wi-Fi logs that capture device identifiers and browsing behaviour during a stay; cookie and pixel data from booking websites; call recordings from reservation desks; staff records covering everything from ID proofs to performance reviews; and behavioural data harvested from loyalty apps. Larger chains feed all of this into customer-data platforms and AI-powered personalisation engines that build composite profiles linking a guest’s lunch order in Delhi with her massage preferences in Goa six months later.

The processing behind the smile 

The processing activities are equally varied. Reservation systems share data across the property management system, the channel manager, online travel agents such as MakeMyTrip or Booking.com, payment gateways and global distribution systems. Loyalty programmes profile guests for tier benefits and targeted offers. Marketing teams run email and WhatsApp campaigns, revenue managers run dynamic pricing experiments off behavioural signals, and security teams run CCTV footage through analytics. International chains routinely transfer guest data to overseas servers for centralised processing, sometimes through subsidiaries and sometimes through cloud vendors. Restaurants share customer numbers and dining preferences with online review platforms, marketing automation tools and delivery aggregators.

Almost every one of these activities will need re-examination under the DPDPA. 

Practices that will have to change 

The first casualty is the silent collection model. A great deal of hospitality data is currently gathered through pre-ticked boxes, opaque privacy policies, or by reading out a long script at the time of booking. The DPDPA requires consent that is free, specific, informed, unconditional and unambiguous, accompanied by a clear notice available in English or any of the languages listed in the Eighth Schedule of the Constitution. A box ticked by default for marketing emails will not pass muster; nor will a single bundled consent that lumps reservation processing with promotional emails, third-party sharing and analytics. Each purpose will need its own seat at the table, and the withdrawal of consent must be as easy as the giving of it. 
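The consent requirements above translate directly into how a booking system should store consent. The following is an added illustration, not code from the article or from any hotel system: a per-purpose consent ledger that refuses pre-ticked or default capture, refuses a bundled purpose string, keeps the notice language alongside each record, and lets a guest withdraw in one call. The purpose names, capture methods and ledger API are assumptions made for the example.

```python
"""Per-purpose consent ledger for a guest profile.

Added illustration for the DPDPA consent points in the text; this is not
code from the article or from any hotel system. The purpose names, the
capture methods and the ledger API are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed purposes a property would ask about. Each needs its own consent.
PURPOSES = {"reservation", "marketing_email", "third_party_sharing", "analytics"}

# Capture methods that do NOT amount to a free, specific, unambiguous act.
INVALID_METHODS = {"pre_ticked", "default", "silence"}


@dataclass
class ConsentRecord:
    purpose: str
    method: str            # how consent was captured, e.g. "checkbox_clicked"
    notice_language: str   # language of the notice shown, e.g. "en", "hi"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only consent history; the full trail is kept for audit."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def give(self, purpose: str, method: str, notice_language: str) -> ConsentRecord:
        # One call covers exactly one purpose: a bundled string such as
        # "marketing_email,analytics" is not a known purpose and is rejected.
        if purpose not in PURPOSES:
            raise ValueError(f"consent must name a single known purpose, got {purpose!r}")
        if method in INVALID_METHODS:
            raise ValueError(f"{method!r} is not an affirmative act; consent not recorded")
        if not notice_language:
            raise ValueError("a notice must have been shown before consent is taken")
        rec = ConsentRecord(purpose, method, notice_language, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, purpose: str) -> bool:
        """Withdraw with a single call; returns False if nothing was active."""
        withdrawn = False
        for rec in self._records:
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = datetime.now(timezone.utc)
                withdrawn = True
        return withdrawn

    def has_consent(self, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active for r in self._records)

    def audit_trail(self) -> list[tuple[str, str, str, bool]]:
        """(purpose, method, notice_language, active) per record, oldest first."""
        return [(r.purpose, r.method, r.notice_language, r.active) for r in self._records]


def demo() -> dict[str, bool]:
    """Walk a constructed booking flow and return the resulting consent state."""
    ledger = ConsentLedger()
    ledger.give("reservation", "checkbox_clicked", "en")
    # A pre-ticked marketing box is refused rather than silently stored.
    try:
        ledger.give("marketing_email", "pre_ticked", "en")
    except ValueError:
        pass
    ledger.give("marketing_email", "checkbox_clicked", "hi")
    ledger.give("analytics", "checkbox_clicked", "hi")
    ledger.withdraw("marketing_email")   # one step, no retention call
    return {p: ledger.has_consent(p) for p in sorted(PURPOSES)}


if __name__ == "__main__":
    print(demo())
```

The ledger never deletes a record on withdrawal; it timestamps it, so the property can later show both when consent was given and when it ended, which is the evidence an access request or an inquiry will ask for.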

Retention is the second pressure point. Properties often keep guest records indefinitely, partly out of habit and partly because customer-relationship platforms make storage cheap. The DPDPA requires that personal data be erased once the purpose is met, unless there is a legal mandate to retain it. Reservation records, passport scans, payment instruments and CCTV footage will all need defined retention windows, automated deletion workflows and audit trails to demonstrate compliance.
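A minimal shape for such a workflow, as an added example rather than anything from the article or from a property-management product: each record category carries a retention window counted from the moment its purpose was served, a legal-hold flag models the statutory exception, and a sweep deletes what has expired while logging every decision, including the decisions not to delete. The categories, the windows and the hold flag are assumptions chosen for the example; real windows come from the applicable legal mandates.

```python
"""Retention-window sweep with an audit trail.

Added illustration for the retention point in the text; not code from the
article or any property-management system. The record categories, the
retention windows and the legal-hold flag are assumptions for the example;
real windows must come from the applicable legal mandates.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed windows, in days, counted from the moment the purpose was served
# (checkout for a reservation, settlement for a payment token, capture for CCTV).
RETENTION_DAYS = {
    "reservation": 365,
    "passport_scan": 30,
    "payment_token": 90,
    "cctv": 30,
}


@dataclass
class GuestRecord:
    record_id: str
    category: str
    purpose_served_at: datetime
    legal_hold: bool = False   # a statutory duty or live dispute that mandates keeping it
    deleted: bool = False


@dataclass
class AuditEntry:
    at: datetime
    record_id: str
    action: str   # "deleted" or "retained"
    reason: str


def retention_deadline(rec: GuestRecord) -> datetime:
    if rec.category not in RETENTION_DAYS:
        # Unknown category: fail closed on the operator, not open on the data.
        raise ValueError(f"no retention window defined for {rec.category!r}")
    return rec.purpose_served_at + timedelta(days=RETENTION_DAYS[rec.category])


def sweep(records: list[GuestRecord], now: datetime) -> list[AuditEntry]:
    """Delete expired records and log every decision, including the non-deletions."""
    trail: list[AuditEntry] = []
    for rec in records:
        if rec.deleted:
            continue
        deadline = retention_deadline(rec)
        if rec.legal_hold:
            trail.append(AuditEntry(now, rec.record_id, "retained", "legal hold"))
        elif now < deadline:
            trail.append(AuditEntry(now, rec.record_id, "retained",
                                    f"within window until {deadline.date()}"))
        else:
            rec.deleted = True   # real code: call the PMS/storage delete API here
            trail.append(AuditEntry(now, rec.record_id, "deleted",
                                    f"window of {RETENTION_DAYS[rec.category]} days expired"))
    return trail


# Constructed sample, dated shortly after the May 2027 effective date in the text.
NOW = datetime(2027, 6, 1, tzinfo=timezone.utc)


def sample_records() -> list[GuestRecord]:
    def days_ago(n: int) -> datetime:
        return NOW - timedelta(days=n)

    return [
        GuestRecord("res-001", "reservation", days_ago(400)),                    # expired
        GuestRecord("res-002", "reservation", days_ago(10)),                     # in window
        GuestRecord("pp-001", "passport_scan", days_ago(45)),                    # expired
        GuestRecord("pp-002", "passport_scan", days_ago(45), legal_hold=True),   # kept
        GuestRecord("cctv-001", "cctv", days_ago(31)),                           # expired
    ]


def run() -> dict[str, int]:
    """Sweep the constructed sample once and summarise the audit trail."""
    trail = sweep(sample_records(), NOW)
    return {
        "deleted": sum(e.action == "deleted" for e in trail),
        "retained": sum(e.action == "retained" for e in trail),
    }


if __name__ == "__main__":
    for e in sweep(sample_records(), NOW):
        print(e.at.date(), e.record_id, e.action, e.reason)
```

Two design points matter more than the numbers: the sweep raises on a category with no defined window instead of guessing, so a new data type cannot quietly become permanent; and the trail records retentions as well as deletions, because "we kept it on legal hold" is a decision a regulator will want to see justified.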

Vendor relationships are the third pressure point and will need a hard rewrite. A hotel that hands guest data to a channel manager, a payment gateway, a Wi-Fi provider or a marketing agency is the “Data Fiduciary” and the vendor is (mostly) its “Data Processor”. The Data Fiduciary remains liable for the Data Processor’s lapses. Existing service contracts rarely contain data-processing terms such as confidentiality, security obligations, breach notification, deletion on termination and audit rights, all of which the DPDPA effectively makes mandatory. Every such contract will need to be reopened.

Security and breach response are the fourth pressure point. The DPDP Rules require Data Fiduciaries to implement reasonable security safeguards and to notify the Data Protection Board, and affected individuals, of any personal data breach without undue delay. Hospitality has been a favourite target of attackers because of the volume of payment and identity data it holds; properties using outdated property-management systems, shared staff logins and unencrypted email attachments will be exposed both to attackers and to enforcement action.

Children’s data adds yet another wrinkle. Family hotels, theme parks, kids’ clubs, summer camps and school-trip caterers routinely collect data on minors: photographs in clubs, medical disclosures from parents, identity details for travel. The DPDPA requires verifiable parental consent for processing children’s data and prohibits behavioural tracking or targeted advertising directed at children. Existing kids’-club enrolment forms and loyalty programmes that allow guests under 18 to join will need redesigning, as will the social-media handles that cheerfully repost children’s photographs from birthday parties at the property.

Finally, the customer-facing experience itself will change. Guests will have the right to access, correct and erase their data, and to nominate someone to exercise these rights on their behalf. A grievance officer’s contact information, a published response timeline and a documented escalation pathway to the Data Protection Board will all have to be in place.

Lessons from Europe 

Hospitality companies that operate in the EU have already paid an instructive price for getting things wrong. Marriott International was fined £18.4 million by the UK Information Commissioner’s Office in 2020 over a four-year-long breach inherited from its acquisition of Starwood Hotels, which had exposed records of around 339 million guests, including roughly 5 million unencrypted passport numbers and payment-card information. The same underlying lapses cost the chain a further $52 million in 2024 in a settlement with US state attorneys general and the Federal Trade Commission. Accor SA, the parent of Sofitel, Novotel and Ibis, was fined €600,000 by France’s CNIL in 2022 for, among other things, automatically signing customers up to its newsletter through pre-ticked consent boxes and failing to honour access requests promptly. Booking.com was fined €475,000 by the Dutch Data Protection Authority for reporting a breach involving guests of about forty hotels in the UAE 22 days later than the 72-hour deadline. Smaller restaurants and hotels across Spain, Italy and Germany have collected tens of thousands of euros in fines for poorly justified CCTV, missing privacy notices and unauthorised marketing.

The Indian regulator is unlikely to be more indulgent. With penalties of up to ₹250 crore per instance, a phased timeline that nonetheless leaves less than 12 months for serious preparation, and an enforcement body designed to function digitally and quickly, hospitality businesses in India have a narrow window to translate the spirit of the DPDPA into the everyday rhythms of the front desk, the call centre, the reservations team and the marketing department. 

The welcome, in short, may still be warm. But it will need to be a great deal more transparent about what it remembers.