Service providers have been freely collecting customers' NRIC details to track parking redemptions and membership accounts, and to conduct lucky draws.
But from the middle of next year, when stricter privacy rules kick in, consumers will be able to refuse to hand over the data, and the onus will be on service providers to use other methods to identify them.
The change is overdue. Service providers have had free rein for too long - in the name of fraud prevention and payment dispute management.
As privacy advocate and engineer Ngiam Shih Tung said: "They are guilty of a classic fallacy. How does collecting NRIC numbers prevent fraud?"
Moreover, fraud prevention is already built into the credit card payment system - and many online shopping sites know not to ask for NRIC details. Even airlines do not collect NRIC or passport details when people buy air tickets online.
If NRICs are needed to verify the ages of patrons for movies with an age limit, manual checks at cinema entrances would suffice.
Singapore's privacy watchdog, the Personal Data Protection Commission, last week proposed stricter rules for NRIC use, recognising that such private data is collected indiscriminately here.
Tellingly, malls and retailers have automated systems that make data collection a breeze - all the data residing in the NRIC is captured with one scan of the barcode on the card.
Over the last eight years, more than 7.1 billion identities have been exposed in data breaches. Over-collection of data increases the risk of leaks.
The NRIC number is a permanent and irreplaceable identifier, which can be used to unlock vast amounts of personal information, including income details, residential address and medical status.
Consumers must be given the right to say no to sharing such information, as the risks of identity fraud are theirs to bear.