India to ban Aadhaar photocopying as UIDAI moves to regulate private sector verification

What once seemed ordinary and everyday in India, with the photocopying of Aadhaar cards, has an approaching expiry date as new regulations come in.

The Unique Identification Authority of India (UIDAI) will soon forbid hotels, event organizers and other private entities from collecting and storing photocopies of Aadhaar cards.

The notice comes as the government prepares to introduce a new registration requirement for Aadhaar‑based verification. UIDAI CEO Bhuvnesh Kumar said a rule mandating that any private entity wishing to verify Aadhaar must first register with UIDAI has been approved, according to an Indian news agency.

Once registered, these organizations must use approved verification methods, such as offline QR code checks, API‑based authentication or a forthcoming Aadhaar app, instead of collecting physical or digital copies of Aadhaar cards.

The move aims to curb widespread practices that violate the Aadhaar Act, including photocopying Aadhaar cards at hotel check‑ins, residential complexes and event venues. UIDAI has repeatedly warned that such copies often sit unsecured in files, phones or WhatsApp chats, creating significant risks of misuse.

Under the new system, registered entities will become “Offline Verification Seeking Entities” and must integrate UIDAI‑approved verification flows. The upcoming Aadhaar app will support selective data disclosure, allowing residents to share only the information required for a specific service (such as name, age bracket or address) rather than handing over a full identity document.

New rule demonstrates privacy shift in India, but concerns remain

UIDAI says the shift is designed to create a controlled, auditable and privacy‑preserving verification ecosystem, replacing informal and fragmented practices. The authority recently briefed more than 250 companies including hotels, logistics firms and real‑estate operators on compliance.

The rule also aligns with amendments introduced earlier this year that expanded Aadhaar authentication to private entities under the Good Governance Amendment Rules, while adding safeguards around consent and data minimisation.

The changes come as India undertakes a broader overhaul of its digital identity architecture. IT Minister Ashwini Vaishnaw has called for aligning the Aadhaar Act with the Digital Personal Data Protection Act and redesigning it as a modern identity law that emphasizes user autonomy and interoperability.

UIDAI is simultaneously upgrading its authentication technology, including work on face‑liveness detection, deepfake‑resistant checks and contactless fingerprint verification. Face authentication has already been piloted in exam settings, and the National Payments Corporation of India is exploring Aadhaar‑linked biometrics for high value digital payments ahead of the Reserve Bank of India’s April 2026 two‑factor authentication mandate.

However, concerns remain. Aadhaar‑enabled payment fraud accounted for 11 percent of cyber‑enabled financial fraud in 2023, and several states have reported misuse of cloned fingerprints. Privacy researchers warn that biometric identifiers cannot be reset, and that anonymized Aadhaar‑linked datasets remain vulnerable to re‑identification.

The new registration rule is expected to reduce risks by limiting the circulation of Aadhaar copies and giving residents more control over what data they share. But experts caution that Aadhaar’s expanding role in private‑sector verification could also entrench its use as a de facto universal ID, as highlighted by Medianama, even though it does not prove citizenship or independently validate date of birth.

Whether the shift ultimately strengthens privacy or deepens dependency on Aadhaar will depend on enforcement, oversight and how alternatives are preserved as the ecosystem evolves.

Article Topics

Aadhaar  |  data privacy  |  data protection  |  document verification  |  identity document  |  UIDAI