Several Indian hotel owners are actively revising long-standing contracts with international operators and online booking platforms to align with the Digital Personal Data Protection (DPDP) Act, which came into force last year. The new privacy law imposes stricter obligations on how personal data is handled and greater penalties for breaches, prompting a re-examination of agreements that were drafted long before data protection became a regulatory priority.
Industry stakeholders and legal experts say hotels now face heightened liability risks because guest data often flows across multiple parties, including hotel chains, technology providers and travel agents. Owners are pushing to clarify who bears responsibility for protecting and responding to data breaches, particularly as contracts signed decades ago contain limited guidance on data rights and duties.
Negotiations now focus on designating data fiduciary roles, tightening data-sharing protocols, and strengthening breach response obligations to ensure compliance and reduce exposure to legal and financial risks under the DPDP regime.