DPDP Act Salon Customer Data: What India's New Privacy Law Means for Your Business
Author: Santosh
A customer walked into one of our partner salons last month and asked a simple question: "Can you delete everything you have on me?" The front desk froze. The booking software had her records. So did an Excel export from 2022. Her number was in three WhatsApp groups. And somewhere, a Mailchimp list still had her tagged for "Diwali offers."
Nobody knew where to start.
That moment — the deer-in-headlights pause — is exactly why the DPDP Act matters to every salon, spa, and beauty clinic in India right now. Customer names, phone numbers, treatment notes, before-and-after photos... all of it is digital personal data under this law. And the rules have shifted from "collect and keep" to "collect only what you need, tell customers why, and be ready to delete or correct it."
Here's what this guide gives you: a phase-by-phase compliance path you can start executing this week — no legal degree required.
Before You Start: The Readiness Check
You need three things locked down before any of this works:
- A list of every place you store customer data. CRM, spreadsheets, WhatsApp threads, SMS tools, email platforms, paper forms that get digitized. All of it.
- Access to your booking/CRM system's admin settings. You'll need to create fields, adjust consent flows, and set retention rules.
- One person on your team who owns this. Compliance without ownership is just a checklist nobody follows.
Stop/Go test: Can you name, right now, every system where a customer's phone number lives? If you can't, pause here and map that first.
Phase 1: Audit What You Collect (And Why)
What to do:
Pull up your intake form — digital or paper. Write down every data field. Next to each one, write the stated purpose. Appointment booking? Payment? Marketing? If you can't tie a field to a clear purpose, it shouldn't be there.
Most salons collect "nice-to-have" data out of habit. Anniversary dates, spouse names, Instagram handles. Purpose limitation means you only keep what's needed for the service you disclosed to the customer.
Visual checkpoint: Your audit should look like a two-column table — data field on the left, specific purpose on the right. If any row in the "purpose" column is blank or says "just in case," that field needs to go or get a legitimate reason.
Verification: Check 5 random customer records in your CRM. If any contain data with no clear purpose tag, your collection process isn't controlled yet.
Friction warning: Front-desk staff often keep collecting fields because "we've always asked for that." The law doesn't care about habit. Retraining reception is where most salons stall.
Phase 2: Fix Your Consent Flow
This is where most salons think they're fine — and they're not.
A pre-checked box at the bottom of a booking form is not informed consent. The notice needs to appear *before* data entry, clearly state what's collected, why it's collected, and how customers can withdraw or complain. And you need separate consent for service communication versus marketing messages.
What to do:
- Write a short privacy notice (4–6 sentences max). Plain language. No legalese.
- Add it to your digital booking flow so it displays before the customer submits any information.
- Create two distinct opt-in checkboxes: one for appointment-related messages, one for promotional content.
- Store a timestamped record of each consent — the exact notice text shown, the date, and the customer's response.
Visual checkpoint: When a new customer books, they should see the notice first, then two unchecked boxes — one for service updates, one for marketing. The CRM should log a consent record with a date stamp.
Verification: Open 5 recent customer profiles. Can you see when consent was given and what notice was shown? If consent was verbal or buried in a generic terms page, it won't hold up if a customer disputes it.
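The consent record described above (separate service and marketing opt-ins, a timestamp, and the exact notice text) is easy to get wrong in a spreadsheet column. The following is an added example, not code from this page or from DINGG, of an append-only consent ledger: each opt-in stores the verbatim notice wording plus its SHA-256 hash, withdrawals are logged as events rather than by overwriting, and the latest event per customer and purpose decides whether a message may be sent. The notice wording, phone number and channel names are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Two separate purposes: service messages and marketing are consented to
# (and withdrawn) independently, never inferred from one another.
PURPOSES = ("service", "marketing")

# Constructed sample notice. A real salon stores the exact wording shown on
# the booking screen, so a dispute can be answered with the text itself.
NOTICE_V1 = (
    "We collect your name and phone number to book and confirm appointments. "
    "You may opt in separately to promotional messages. You can withdraw "
    "consent at any time by replying STOP or asking the front desk."
)


def notice_hash(text: str) -> str:
    """SHA-256 of the exact notice text; proves which wording a record refers to."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str    # normalized phone number or CRM id (assumed key)
    purpose: str        # "service" or "marketing"
    granted: bool       # True = opt-in, False = withdrawal
    notice_text: str    # verbatim wording shown (empty for a withdrawal)
    notice_sha256: str
    timestamp: str      # UTC ISO-8601
    channel: str        # e.g. "web-booking", "front-desk", "sms-stop"


class ConsentLedger:
    """Append-only log; the most recent event per (customer, purpose) wins."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, customer_id, purpose, granted, notice_text, channel, when=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if granted and not notice_text:
            raise ValueError("an opt-in must store the notice text that was shown")
        when = when or datetime.now(timezone.utc)
        ev = ConsentEvent(customer_id, purpose, granted, notice_text,
                          notice_hash(notice_text) if notice_text else "",
                          when.isoformat(), channel)
        self._events.append(ev)
        return ev

    def status(self, customer_id, purpose):
        """Most recent event for this customer and purpose, or None if never asked."""
        latest = None
        for ev in self._events:
            if ev.customer_id == customer_id and ev.purpose == purpose:
                latest = ev
        return latest

    def may_send(self, customer_id, purpose):
        ev = self.status(customer_id, purpose)
        return ev is not None and ev.granted

    def evidence(self, customer_id, purpose):
        """What you hand over in a dispute: the event plus a check that the stored
        text still matches its hash (i.e. nobody edited the wording afterwards)."""
        ev = self.status(customer_id, purpose)
        if ev is None:
            return None
        out = asdict(ev)
        out["hash_matches_text"] = (not ev.granted) or notice_hash(ev.notice_text) == ev.notice_sha256
        return out

    def export_jsonl(self):
        return "\n".join(json.dumps(asdict(e)) for e in self._events)


def demo():
    ledger = ConsentLedger()
    # Customer books online and ticks only the service box.
    ledger.record("+919876543210", "service", True, NOTICE_V1, "web-booking")
    # Service consent does not cover promo blasts.
    before = ledger.may_send("+919876543210", "marketing")
    # Later she opts in to marketing at the front desk, then texts STOP.
    ledger.record("+919876543210", "marketing", True, NOTICE_V1, "front-desk")
    ledger.record("+919876543210", "marketing", False, "", "sms-stop")
    return {
        "service": ledger.may_send("+919876543210", "service"),
        "marketing_before_optin": before,
        "marketing_after_stop": ledger.may_send("+919876543210", "marketing"),
        "evidence": ledger.evidence("+919876543210", "service"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping withdrawals as events instead of flipping a flag is that the history itself is the proof: you can show when marketing consent was given, through which channel, and when it was withdrawn, which is exactly what the verification step above asks for.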
Struggling to manage consent and booking data across disconnected tools?
DINGG's salon booking software centralizes customer data, consent records, and communication preferences in one system — so nothing slips through the cracks when a data principal asks questions.
Phase 3: Build a Deletion Workflow That Actually Works
Here's the ugly truth nobody talks about: the same customer record can exist in your booking software, an old Excel export, a marketing tool, a WhatsApp backup, and maybe a Google Sheet someone made during COVID. Deletion after purpose completion means all of it — not just the CRM entry.
What to do:
- Map every system from your Phase 1 audit.
- Create a simple deletion checklist: Received → Verified identity → Deleted/suppressed in each system → Confirmed to customer. "Suppressed" means keeping only a hashed copy of the number on a do-not-import list so that an old export re-loaded next year does not bring the profile back; it does not mean keeping the profile.
- Verify identity before deleting anything. A deletion request sent from an unknown WhatsApp number should not be able to wipe someone else's records.
- Assign one person to own this workflow.
- Test it. Submit a fake deletion request and track whether records disappear from *every* location, including exports and backups, not just the live CRM.
Visual checkpoint: After running the test deletion, search for that test profile across all systems. Zero results = success. If it still appears in an export file or a WhatsApp group contact list, the workflow has gaps.
Verification: Run the test deletion, then manually check all mapped systems. If records remain visible in more than one place, deletion is incomplete.
Phase 4: Set Retention Rules and Secure Access
Retention is usually accidental in salons. Systems never auto-delete old records, so appointment data from 2019 sits alongside yesterday's bookings. That's indefinite storage with no legal basis.
What to do:
- Set a retention period for each data type. Appointment history might be 24 months. Marketing consent records, keep for the duration of the relationship plus a buffer.
- Configure calendar-based purge rules in your CRM. If your system doesn't support auto-purge, set a monthly manual cleanup reminder.
- Kill shared logins. If five staff members use one "reception" account, that's not a reasonable security safeguard, and it also destroys the audit trail: you cannot tell who exported last quarter's customer list. Create individual logins with unique passwords, turn on two-factor authentication where the CRM supports it, and remove ex-staff access the day they leave.
Visual checkpoint: Old records should show a retention date or purge status — not just sit there indefinitely. Staff login screen should show individual names, not "FrontDesk1."
Verification: Review 10 records older than your retention threshold. If they're all still active with no retention logic applied, this phase isn't done.
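Phases 3 and 4 together describe one procedure: find every copy of a customer across the systems mapped in Phase 1, delete them, prove nothing is left, and keep old records from piling up. The following is an added example, not code from this page or from DINGG, that runs that procedure against constructed in-memory stand-ins for a CRM, an old Excel export, a mailing tool and an SMS tool. It normalizes phone numbers first (the usual reason a search "finds nothing" while the record still exists), refuses to act on an unverified request, records a salted hash of the number on a suppression list, and applies a per-system retention period. The system names, rows, dates, salt and the 24-month figure are assumptions for illustration.

```python
import copy
import hashlib
import re
from datetime import date, timedelta


def normalize_phone(raw: str) -> str:
    """Collapse '98765 43210', '+91-98765-43210' and '09876543210' into one form
    so that a search for one customer finds every copy."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("0"):   # trunk prefix
        digits = digits[1:]
    if len(digits) == 10:                               # bare Indian mobile number (assumption)
        digits = "91" + digits
    return "+" + digits


def phone_token(phone: str) -> str:
    """Salted SHA-256 of the normalized number for the suppression list, so the
    list does not itself store raw phone numbers. The salt is a placeholder."""
    salt = b"salon-suppression-salt-CHANGE-ME"
    return hashlib.sha256(salt + normalize_phone(phone).encode()).hexdigest()


# Constructed copies of one customer scattered across the systems a Phase 1 audit maps.
SYSTEMS = {
    "crm": [{"name": "Asha R", "phone": "+91 98765 43210", "last_visit": date(2023, 11, 2)},
            {"name": "Old Client", "phone": "9000000001", "last_visit": date(2019, 5, 20)}],
    "excel_export_2022": [{"name": "Asha", "phone": "098765 43210", "last_visit": date(2022, 1, 9)}],
    "mailchimp": [{"email": "asha@example.com", "phone": "9876543210", "tags": ["diwali"]}],
    "sms_tool": [{"phone": "+91-98765-43210", "last_visit": date(2023, 11, 2)}],
}


def find_everywhere(systems, phone):
    """Map system name -> row indexes holding this customer."""
    target = normalize_phone(phone)
    return {name: [i for i, row in enumerate(rows) if normalize_phone(row.get("phone", "")) == target]
            for name, rows in systems.items()}


def process_deletion(systems, phone, suppression, identity_verified):
    """Received -> Verified identity -> Deleted in each system -> Confirmed.
    Returns the filled-in checklist, including a post-deletion search as proof."""
    checklist = {"received": True, "identity_verified": identity_verified,
                 "deleted": {}, "leftovers": {}, "confirmed": False}
    if not identity_verified:
        return checklist                      # never act on an unverified request
    for name, idxs in find_everywhere(systems, phone).items():
        for i in sorted(idxs, reverse=True):  # delete from the end so indexes stay valid
            del systems[name][i]
        checklist["deleted"][name] = len(idxs)
    suppression.add(phone_token(phone))       # blocks the number if an export is re-imported
    checklist["leftovers"] = {n: ix for n, ix in find_everywhere(systems, phone).items() if ix}
    checklist["confirmed"] = not checklist["leftovers"]
    return checklist


def purge_expired(systems, retention_days, today):
    """Drop rows whose last_visit is older than the system's retention period.
    Systems with no rule, and rows with no date, are left alone and reported."""
    report = {}
    for name, rows in systems.items():
        days = retention_days.get(name)
        if days is None:
            report[name] = "no retention rule set"
            continue
        cutoff = today - timedelta(days=days)
        keep = [r for r in rows if r.get("last_visit") is None or r["last_visit"] >= cutoff]
        report[name] = len(rows) - len(keep)
        systems[name] = keep
    return report


def allowed_to_import(row, suppression):
    """Gate for loading rows from an old export: suppressed numbers must not come back."""
    return phone_token(row["phone"]) not in suppression


def demo():
    systems = copy.deepcopy(SYSTEMS)
    suppression = set()
    unverified = process_deletion(systems, "9876543210", suppression, identity_verified=False)
    verified = process_deletion(systems, "9876543210", suppression, identity_verified=True)
    retention = {"crm": 730, "excel_export_2022": 730, "sms_tool": 730}   # 24 months; mailchimp has no rule yet
    purge = purge_expired(systems, retention, date(2024, 6, 1))
    reimport = allowed_to_import({"phone": "+91 98765 43210"}, suppression)
    return {"unverified": unverified, "verified": verified, "purge": purge,
            "reimport_allowed": reimport, "remaining": systems}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "leftovers" entry in the checklist is the Phase 3 verification step made mechanical: if it is non-empty, the workflow has a gap, and the request is not confirmed to the customer. The purge report flags systems with no retention rule instead of silently skipping them, which is the usual way a 2019 record survives a cleanup.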
The Ugly Truth: Problems You Won't Find in Compliance Explainers
| Problem | The Weird Fix |
|---|---|
| Customer requests deletion, but records still appear in bookings | Manually search CRM, spreadsheet exports, SMS tool, WhatsApp backups, and email lists; document each deletion step |
| Promo messages continue after opt-out | Split service messages from marketing consent in your CRM tagging rules |
| Duplicate customer profiles keep reappearing | Normalize phone numbers to one format (+91, no spaces or dashes) first, then dedup by phone weekly and merge; without normalization the same number keeps passing as a new customer |
| Consent can't be proven during a dispute | Store timestamped consent records with the exact notice text shown |
| Old records never disappear | Set calendar-based purge rules; export-and-delete monthly |
| Front desk shares one login across devices | Create individual staff accounts; revoke ex-staff access immediately |
The real bottleneck in most salons? Handling data principal rights requests (the Act's term for your customers' rights to access, correct, and erase their data). Requests come through WhatsApp, phone calls, Instagram DMs, and nobody owns the response. That's where things fall apart.
FAQs
How long does DPDP Act compliance take for a single salon?
Most single-location salons can complete a basic compliance setup in 2–4 weeks if one person owns the process. The audit and consent flow take the longest. Ongoing maintenance — purging old data, handling rights requests — becomes a monthly routine, not a one-time project.
Does the DPDP Act apply to spas and beauty clinics too?
Yes. Any business collecting digital personal data — including spas and beauty clinics — falls under the Act. Treatment notes, health-related intake data, and before-and-after photos all qualify. The obligations around notice, consent, and deletion apply identically.
What happens if a salon doesn't comply with the DPDP Act?
The Data Protection Board can impose penalties. But the more immediate risk is operational: a customer complaint you can't resolve, a breach you have to notify and aren't prepared for, or a CRM or SMS gateway that mishandles data on your behalf. Under the Act the salon is the data fiduciary; those vendors are its processors, and the salon remains responsible for what they do with its customers' data, so their contracts need to say how data is stored, deleted, and protected.
Can I still send marketing messages to existing customers?
Only if you have separate, documented marketing consent. If your original consent notice only mentioned appointment reminders, you can't repurpose that number for promo blasts. Withdrawal must be as easy as giving consent was: a one-tap unsubscribe or a STOP reply, not a five-step process, and the withdrawal has to be logged so the next campaign export actually excludes that customer.
The DPDP Act isn't going away, and the salons that treat customer data with the same care they treat a client's hair will be the ones customers trust long-term. Start with the audit. Fix the consent flow. Build the deletion workflow. Everything else follows.
Ready to centralize your salon's customer data and consent management?
See how DINGG handles it — so compliance becomes a system, not a scramble.
