Subscribe
Consumer-related disclosures by major Indian companies are often difficult to compare, verify or use.
Under SEBI’s Business Responsibility and Sustainability Report framework, large listed companies must report how they handle consumer complaints, product safety, recalls and data privacy.
The analysis found wide variation in how companies define and report complaints, with some counting routine service requests and others reporting regulatory or adverse event data.
The report argues that sharper disclosure formats are needed so corporate sustainability reporting can move from paperwork to meaningful consumer accountability.
A farmer’s crop loss after a hailstorm is measured in hectares, tonnes and compensation claims. But when a company loses a consumer’s complaint, mishandles a product recall or fails to explain what happened to personal data, the trail often disappears into a sustainability report few people can read.
How many complaints did your electricity company receive last year? How many went unresolved? Did your phone company ever lose your personal data? You will not find an easy answer, even though every large listed company in India is legally required to disclose it.
The world of corporate sustainability reporting is strange, where companies say a great deal and reveal very little. Every year, India’s biggest listed companies file a Business Responsibility and Sustainability Report (BRSR), with the stock market regulator SEBI. It is SEBI’s mandatory environmental, social and governance disclosure framework for India’s top 1,000 listed companies by market capitalisation.
Think of it as a report card on how a company treats the world around it: its workers, the environment and, crucially, its customers. One section of this report card, called Principle 9, is meant to answer a question every consumer should care about: does this company treat me fairly? It is built on a simple idea — that businesses should engage with consumers and provide value to them in a responsible manner.
Principle 9 asks companies to disclose how they handle complaints, what safety information they put on products, how they protect personal data and what they do when a product turns out to be dangerous. These are not vague ideals. India’s Consumer Protection Act gives every consumer the right to be heard and the right to a remedy. The data protection law passed in 2023 requires companies to safeguard personal information and report breaches. Principle 9 exists to show whether companies are living up to these laws.
A new analysis by Delhi-based think tank Centre for Science and Environment studied how nine large companies — Tata Power, ITC, IndianOil, Cipla, Sun Pharma, GSK, Lupin, JSW Energy and Bharat Forge — answered these questions in their 2024-25 filings. What it found is that the answers often reveal less about how a company treats consumers and more about how a question happened to be worded.
Consider the first and simplest question Principle 9 asks: describe how you handle consumer complaints. Tata Power answers with a detailed table, listing call centre hours, chatbots, WhatsApp alerts and customer satisfaction surveys for each of its business segments. JSW Energy answers that it engages through “various channels” with a “holistic approach”, naming none of them.
Both companies have technically answered the question. Neither has broken any rule. The format simply asks for a description, and a description can be one sentence or three pages. This design flaw runs through the entire report. Nowhere does it show up more clearly than in the numbers companies report for consumer complaints.
Tata Power reports more than 3.8 million complaints in a year. That sounds alarming until you realise these are routine service requests from millions of electricity consumers — power cuts, billing queries and similar issues.
Lupin reports more than 27,000 complaints, but these are adverse drug event reports sent to medical regulators, not consumer grievances in the usual sense. Cipla reports exactly one complaint, a matter that is sub judice. Five of the nine companies report zero.
None of these numbers can be placed next to one another. They are not measuring the same thing. The BRSR format does not define what counts as a complaint, so each company quietly decides for itself. A table that cannot be compared is not really a disclosure. It is nine companies filling in nine different boxes and calling it the same exercise.
The pattern repeats with data privacy, an issue that should worry every Indian, given how much personal information companies now hold.
BRSR asks a single yes-or-no question: does the company have a data privacy and cybersecurity policy? All nine companies say yes. All nine provide a website link. And there the disclosure mostly ends.
Only one company, Cipla, goes further. It discloses that it had a cybersecurity incident during the year, states clearly that no customer data was lost, names the number of security tests it ran, and publishes the contact details of an officer consumers can approach with data complaints — exactly what India’s 2023 data protection law requires.
The other eight companies, by answering “yes” and adding a link, have technically met the same requirement.
A consumer reading these filings cannot tell which companies have a serious data protection programme and which simply have a policy document sitting unopened in a drawer.
The disconnect goes further still. Sun Pharma discloses 91 voluntary product recalls in one part of its report and serious regulatory action by the US drug regulator across three of its factories in another. Yet in its complaints table, it reports zero complaints, with no explanation for how a company can recall a product 91 times while receiving no complaints about it.
IndianOil reports more than 1.1 million complaints about the delivery of essential services, then marks the section on corrective action as not applicable. The BRSR does not require different sections of the same report to add up, so they often do not.
It would be unfair to read every short answer as avoidance. Bharat Forge makes auto parts for other businesses, not for individual consumers. JSW Energy sells power to distribution utilities, not households. Questions written for a soap company or a phone brand do not always apply to them, and both companies are right to say so.
Bharat Forge, in fact, describes a “Voice of Customer” system that reviews feedback from its industrial clients every month — a thoughtful answer adapted to its own business.
The problem is not that business-to-business companies answer differently. It is that BRSR gives them no clear guidance on what a good answer should look like, leaving honest effort and genuine vagueness looking identical on paper. This is where an international benchmark is useful.
The Global Reporting Initiative, a widely used global standard for corporate disclosure, asks companies far more precise questions on the same issues. It wants proof that a grievance mechanism actually works, not just a description of it. It wants data breaches counted regardless of whether a formal complaint was filed. It separates complaints lodged by ordinary customers from those raised by regulators.
Where BRSR accepts a sentence, a number or a yes, the global standard asks for evidence.
The good news is that Indian companies clearly have the information SEBI wants. Cipla’s disclosures prove that. Tata Power’s detailed complaint tables prove that. ITC, almost alone among the nine, voluntarily explains what each complaint category means for its own business — a simple step that makes its numbers far easier to trust.
What is missing is not necessarily corporate willingness, but a format that asks for specifics. A column for the type of recall. A box for how long a complaint took to resolve. A line asking whether a data breach was reported to the regulator, as the law already requires. None of this demands new data collection. It only asks companies to write down what most of them already know internally.
The next time you wait on hold with your electricity provider, or wonder where your personal data goes after you download an app, remember that somewhere in a filing meant for investors, a company has already answered — or avoided answering — that question.
BRSR Principle 9 was built to turn corporate promises into evidence. Right now, it mostly turns them into paperwork.
The fix is not complicated. It just requires regulators to ask companies sharper questions, the way a good reporter would.