Is It Legal for Shops in Sri Lanka to Demand Your Phone Number for a Receipt? Sri Lanka personal data protection concerns are rising as more consumers question everyday retail practices that collect personal information without clear justification. Recent public discussions highlight a widespread issue: many outlets across the country insist on recording a customer’s mobile number before issuing a basic sales receipt or bill. While some businesses frame this as a system requirement for digital records or loyalty tracking, growing awareness of data privacy rights under the Personal Data Protection Act (PDPA) is prompting Sri Lankans to ask whether such demands are lawful or necessary.
The Personal Data Protection Act No. 9 of 2022, amended by the Personal Data Protection (Amendment) Act No. 22 of 2025, aims to safeguard personal information in line with global standards similar to the EU’s GDPR. Only provisions relating to the regulator (Data Protection Authority) and interpretation have been brought into operation so far. Substantive rules on data processing, data subject rights, controller/processor obligations, and penalties await a future gazette notification by the Minister, with no confirmed date as of April 2026. This article examines the legal framework, common retail practices, consumer rights, and practical steps individuals can take to protect their data in daily transactions and beyond.
Also in Explained | Can Sri Lanka Achieve True Digital Inclusion for Rural Communities?
Current Status of Sri Lanka Personal Data Protection Laws
Sri Lanka enacted the PDPA in March 2022, becoming the first South Asian nation with comprehensive data protection legislation. The Data Protection Authority (DPA) was established in 2023. The 2025 Amendment Act refined aspects such as automated decision-making, cross-border transfers, and sector-specific guidelines while removing fixed grace periods and granting the Minister flexibility to appoint operational dates via gazette.
As of April 2026, substantive provisions remain pending full operationalization. The DPA continues to build capacity, including recent appointments to its secretariat. Until full rollout, the Act’s foundational principles lawful processing, consent, purpose limitation, and data minimization already shape responsible conduct. A phone number qualifies as personal data, and its collection must meet legal thresholds rather than serve as a default requirement.
Parallel consumer protections under the Consumer Affairs Authority Act No. 9 of 2003 reinforce transparency in transactions. Traders must issue a receipt upon demand, and refusal to do so can constitute an offence.
Why Retail Outlets Commonly Request Phone Numbers
Across supermarkets, malls, pharmacies, and smaller shops, cashiers often request a mobile number at checkout. Businesses cite reasons such as generating digital receipts, enrolling customers in loyalty programmes, tracking warranties, or complying with internal accounting systems. In some cases, point-of-sale software is configured to require a number before printing a receipt.
Similar patterns appear in other service sectors. Apartment management companies frequently create WhatsApp groups for residents, automatically sharing phone numbers for notices and updates. While convenient for communication, these practices can expose contact details to large groups without explicit, informed consent.
These demands are not isolated to any single brand or outlet but reflect a broader cultural and operational norm in Sri Lankan retail and residential services. Many consumers comply without question, assuming it is mandatory. Yet under data protection principles, collection must be necessary, proportionate, and based on a valid legal ground.
Legal Rights: When Can Personal Data Be Collected?
The PDPA defines personal data broadly to include any information that can identify an individual, directly or indirectly. Processing such data requires one of several lawful bases, including explicit consent, contractual necessity, or legitimate interests that do not override the data subject’s rights.
Consent must be freely given, specific, informed, and unambiguous. Conditioning the issuance of a basic receipt on providing a phone number may not satisfy these criteria, as the receipt itself is a core element of the purchase transaction. The Consumer Affairs Authority Act requires traders to issue receipts on demand, setting out date, quantity, price, and nature of the transaction. Refusal to issue a receipt without additional conditions can violate consumer protection rules.
Even in the current transitional phase, consumers have a strong basis to question unnecessary data requests and seek alternatives such as printed receipts or email delivery. Once fully operational, the PDPA will grant clear rights to access data, request correction or deletion, withdraw consent, and object to processing.
Potential Risks of Unregulated Personal Data Collection
Sharing a phone number may seem minor, but repeated collection across multiple outlets can lead to broader privacy and security concerns. Data may be used for unsolicited marketing, shared with third parties, or stored insecurely, increasing risks of spam, identity theft, or targeted scams. In residential settings, exposed WhatsApp groups can inadvertently reveal household details to strangers.
From a socioeconomic perspective, weak data protection practices erode consumer trust in the digital economy. As Sri Lanka advances its digital transformation agenda, robust safeguards become essential to encourage participation in e-commerce, online services, and cashless transactions. Unaddressed gaps could also affect vulnerable groups who may feel pressured to comply.
Practical Steps for Consumers to Protect Their Data
Every Sri Lankan can exercise greater control in everyday situations:
- Politely decline to provide your phone number when it is not essential for the transaction. Request a printed receipt instead.
- Ask the outlet to note your refusal on record if the system flags an issue, this creates a paper trail.
- For apartment or housing schemes, request that management obtain explicit consent before adding numbers to group chats and offer opt-out options.
- Review privacy policies of frequent retailers and loyalty programmes.
- Report persistent refusals to issue receipts to the Consumer Affairs Authority hotline (1977) or use emerging DPA channels once available.
Simple habits, such as using a secondary number for non-essential services or enabling two-factor authentication, add layers of protection.
Role of Businesses and the Way Forward
Responsible organisations are reviewing their data collection practices to align with PDPA expectations. This includes conducting data audits, updating consent forms, training staff, and offering genuine alternatives to phone-based processes. The DPA’s forthcoming sector-specific guidelines will provide further clarity for retail, real estate, and other high-volume data handlers.
Public awareness campaigns, school education modules, and business associations can accelerate cultural change. By treating personal data as a valuable asset rather than a transactional convenience, Sri Lanka can strengthen both individual privacy and economic confidence.
Building Stronger Data Protection Habits in Daily Life
Sri Lanka data protection is not an abstract legal concept but a practical safeguard that touches every receipt, group message, and online interaction. The growing public discourse around phone-number demands at checkout signals a healthy shift toward greater accountability. While full PDPA enforcement continues to mature, existing consumer rights and emerging regulatory frameworks already empower individuals to say “no” when a request feels unnecessary.
By staying informed, asserting rights respectfully, and supporting businesses that prioritise privacy, Sri Lankans can help shape a digital environment that respects personal boundaries while enabling innovation. Small choices at the cashier or in residential groups today contribute to stronger systemic protections tomorrow.
Also in Explained | How Are Sri Lanka Education Sector Ratios Changing After the 2024 Census?
