
How DPDP Affects WhatsApp Business: Consent, Broadcasts, and Customer Data

Meera Iyer · March 6, 2026 · 12 min read

Roughly 78% of Indian small and medium businesses use WhatsApp for customer communication. That figure comes up in nearly every industry conversation I have about digital commerce in India. WhatsApp is not just a messaging app here; it is customer service infrastructure, sales pipeline, marketing channel, and order management system rolled into one green icon.

And almost none of these businesses have thought about what the DPDP Act means for how they use it.

I have spent the past several months talking to founders, marketing heads, and operations managers across sectors, from Jaipur-based D2C brands running their entire customer support through WhatsApp Business to Mumbai fintech startups using the WhatsApp Business API for transaction alerts. The pattern is consistent: they know the DPDP Act exists, they have a vague sense that consent matters, and they assume that because WhatsApp provides end-to-end encryption, they are somehow covered. They are not. For a comparison of how these obligations differ from other sectors, see our DPDP compliance by industry overview.

Key Takeaways

  • Every business using WhatsApp Business to communicate with customers is a Data Fiduciary under the DPDP Act 2023. WhatsApp's own encryption does not satisfy your compliance obligations.
  • Broadcast messages, promotional templates, and catalogue shares all constitute processing of personal data. Each requires specific, informed consent under Section 6.
  • The "voluntary provision" ground under Section 7(a) covers transactional messages initiated by the customer, but not marketing follow-ups or promotional broadcasts sent weeks later.
  • TRAI's DND regulations and WhatsApp's own Business API policies create a triple compliance layer alongside the DPDP Act. Violating any one of them carries separate penalties.
  • As of February 2026, businesses must maintain timestamped consent records for every WhatsApp contact who receives marketing messages. "They messaged us first" is not a defensible consent record.

Why Does DPDP Apply to WhatsApp Business at All?

A common misconception I hear from business owners: "WhatsApp handles the data. WhatsApp is the Data Fiduciary, not us."

This is wrong, and it is a costly misunderstanding.

Under Section 2(i) of the DPDP Act 2023, a Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. When your business collects a customer's phone number, adds them to a WhatsApp broadcast list, sends them promotional messages, and uses their purchase history to personalise those messages, you are determining the purpose and means. You are the Data Fiduciary for that processing activity.

WhatsApp (Meta) is also a Data Fiduciary for its own processing, including metadata collection, account data, and platform analytics. But that does not reduce your obligations. Both entities bear independent compliance responsibilities.

To put it concretely: if your D2C brand collects phone numbers at checkout and adds customers to a WhatsApp broadcast list for weekly offers, you need DPDP-compliant consent for that specific activity. WhatsApp's terms of service, their end-to-end encryption, and their own privacy policy do not cover your processing. They cover WhatsApp's processing.

Section 6 of the DPDP Act 2023 requires consent to be free, specific, informed, unconditional, and demonstrated through a clear affirmative action. For WhatsApp Business usage, this creates specific requirements that most Indian businesses are currently failing to meet.

Transactional Messages vs. Marketing Messages

Not all WhatsApp messages carry the same consent burden. The distinction matters.

Transactional messages (order confirmations, shipping updates, appointment reminders, payment receipts) can often rely on the legitimate uses framework under Section 7. When a customer places an order on your website and provides their phone number for delivery updates, Section 7(a) applies: the Data Principal voluntarily provided their data for a specified purpose, and they have not indicated objection to its use. Sending them a shipping update on WhatsApp is consistent with that specified purpose.

Marketing messages (promotional offers, new product announcements, seasonal sales, re-engagement campaigns) require separate, specific consent under Section 6. A customer who gave you their phone number for order tracking did not consent to receiving weekly promotional broadcasts. The purpose is different. The consent must be different.

This is where most businesses trip up. The typical flow looks like this: customer places order, enters phone number, receives order confirmation on WhatsApp, and then starts receiving promotional messages they never asked for. Under the DPDP Act, that promotional flow requires its own consent.

Section 6 demands specificity. Here is what that means in practice for WhatsApp Business:

| Message Type | Lawful Basis (Section Reference) | Consent Requirement |
| --- | --- | --- |
| Order confirmations and shipping updates | Section 7(a) legitimate use (voluntary provision for specified purpose) | No separate consent needed if purpose was disclosed at collection |
| Payment reminders and invoices | Section 7(a) or Section 7(e) (legal obligation) | No separate consent needed |
| Customer support responses | Section 7(a) (customer initiated the conversation) | No separate consent needed |
| Promotional offers and discounts | Section 6 (free, specific, informed consent) | Separate, explicit opt-in required |
| Product catalogue shares | Section 6 | Separate opt-in required unless customer requested it |
| Re-engagement messages ("We miss you!") | Section 6 | Separate opt-in required |
| Feedback and review requests | Section 6 (these serve a business purpose, not the customer's purpose) | Separate opt-in required |

The "specified purpose" test under Section 7(a) is narrower than businesses assume. A customer providing their phone number "for delivery updates" has specified a purpose. Sending them a promotional offer three weeks later is a different purpose entirely. You cannot stretch the original purpose to cover marketing.

Here is the practical challenge I hear from every WhatsApp-first business: "How do we collect DPDP-compliant consent for WhatsApp messages when the conversation is happening on WhatsApp?"

There is no single answer, but there are workable approaches:

At the point of number collection (best practice). When a customer provides their phone number on your website, app, or in-store, include a granular consent mechanism. One checkbox for transactional communications. A separate checkbox for promotional messages on WhatsApp. No pre-ticked boxes. This is the cleanest approach because you have consent before the first message.

Within the WhatsApp conversation (acceptable, with caveats). If a customer messages you first on WhatsApp, you can present a consent request within the conversation before sending any marketing content. "Would you like to receive offers and updates from us on WhatsApp? Reply YES to opt in." The customer's affirmative reply serves as the clear affirmative action Section 6 requires. But you must log this, including timestamp, the exact message content, and the customer's response.

Through a linked consent form. Send the customer a link to a DPDP-compliant consent form where they can review what they are consenting to and opt in with a clear action. This is more formal but produces the strongest consent record.

What does not work: assuming that because someone saved your business number, or because they once messaged you about a product, they have consented to ongoing marketing. That is not free, specific, or informed consent.

How Does DPDP Affect WhatsApp Broadcast Lists and Campaigns?

Broadcast messaging is the single most problematic area for WhatsApp Business compliance under the DPDP Act. With over 500 million WhatsApp users in India, the blast radius of a non-compliant broadcast is enormous.

The WhatsApp Business App (Small Businesses)

The standard WhatsApp Business App limits broadcast lists to 256 contacts, and messages only deliver if the recipient has saved your number. These platform-level restrictions provide a natural guardrail, but they do not replace DPDP compliance.

Even with 256 contacts, every recipient of a promotional broadcast must have given specific consent to receive marketing messages from you. "They saved our number" is not consent under Section 6. Saving a contact is a phone management action, not a clear affirmative action consenting to data processing for marketing purposes.

The WhatsApp Business API (Larger Businesses)

The API unlocks broadcast at scale, sending pre-approved template messages to thousands of users, even those who have not saved your number. This is where the DPDP risk concentrates.

Under the API model, businesses create template messages that WhatsApp approves, then broadcast them to their contact lists. The API operates on a tier system: businesses start at 1,000 unique contacts per day and can scale to unlimited volumes based on message quality scores.

Every single contact in that broadcast list needs documented DPDP consent for marketing messages. The API's approval of your template message does not constitute consent from recipients. WhatsApp's approval covers template policy compliance; it says nothing about whether you have lawful basis to send that template to each recipient.

A mid-sized e-commerce company I spoke with last month was broadcasting promotional templates to 40,000 contacts through the API. When I asked how many of those contacts had given specific consent to receive promotional WhatsApp messages, the answer was illuminating: "They all bought from us." A purchase is not consent to marketing. Under the DPDP Act, that is 40,000 potential violations.

Section 8 of the DPDP Act requires Data Fiduciaries to maintain records of processing activities. For broadcast messaging, this means you need a consent record for each recipient that documents:

  1. When consent was given (timestamp)
  2. How consent was given (website form, WhatsApp reply, in-app toggle)
  3. What the consent covered (specifically: promotional messages via WhatsApp)
  4. Whether consent has been withdrawn (and when)

If a customer sends "STOP" or "Unsubscribe" in response to a broadcast, that is a withdrawal of consent under Section 6(4). You must stop processing immediately and log the withdrawal. Section 6(4) requires that withdrawing consent must be as easy as giving it. If the customer consented with one tap, they must be able to withdraw with one message.

What About TRAI and WhatsApp's Own Policies?

This is where WhatsApp Business compliance in India gets genuinely complicated. You are not just navigating the DPDP Act. You are navigating three overlapping regulatory layers simultaneously.

Layer 1: The DPDP Act 2023

Section 6 consent requirements for marketing messages. Section 7 legitimate uses for transactional messages. Section 8 obligations for security safeguards, data retention, and breach notification. Penalties up to ₹250 crore for security failures and ₹50 crore for other obligation breaches.

Layer 2: TRAI Regulations (Telecom Regulatory Authority of India)

TRAI's Telecom Commercial Communications Customer Preference Regulations (TCCCPR) regulate unsolicited commercial communication. The National Customer Preference Register (NCPR), commonly known as the DND registry, allows consumers to block commercial messages.

As of February 2026, TRAI's existing DND regulations are primarily enforced through telecom operators for SMS and voice calls. WhatsApp, as an Over-the-Top (OTT) platform, does not currently fall directly under TRAI's TCCCPR framework. However, the government has signalled intent to extend commercial communication regulations to OTT messaging platforms. The Telecommunications Act, 2023 gives the government authority to regulate OTT services, and industry observers expect TRAI to bring WhatsApp marketing under some form of regulatory oversight in the near future.

The practical implication: even though TRAI's DND rules do not technically apply to WhatsApp messages today, building your WhatsApp marketing practices as if they do is the safest approach. Cross-referencing your broadcast list against the NCPR/DND registry is not legally required for WhatsApp, but it signals good-faith compliance and prepares you for the regulatory direction.

Layer 3: WhatsApp's Business Policies

WhatsApp's own Business API policies impose separate constraints:

  • All business-initiated messages require pre-approved templates
  • Marketing message limits apply (WhatsApp caps the number of marketing messages per user)
  • Non-responsive contacts face messaging restrictions
  • General-purpose AI chatbots were banned from the API effective January 2026
  • Account quality ratings affect message delivery and can result in account suspension

| Compliance Layer | What It Covers | Penalty for Violation | Status as of Feb 2026 |
| --- | --- | --- | --- |
| DPDP Act 2023 | Consent, data processing, security, breach notification | Up to ₹250 crore per violation | Enforcement deadline: May 2027 |
| TRAI TCCCPR | Unsolicited commercial communication, DND preferences | Fines + telecom number disconnection | Does not currently apply to OTT; extension expected |
| WhatsApp Business Policy | Template compliance, message quality, opt-in requirements | Account suspension or permanent ban | Actively enforced by Meta |

The sobering reality: you can be fully DPDP-compliant but still have your WhatsApp Business account suspended for violating Meta's policies. Or you can satisfy WhatsApp's requirements but fail DPDP compliance because WhatsApp's opt-in standards are lower than the Act's consent requirements. All three layers must be satisfied independently.

How Should You Handle Customer Data Collected via WhatsApp?

Beyond messaging consent, the DPDP Act affects how you handle every piece of customer data that flows through WhatsApp conversations.

What Counts as Personal Data on WhatsApp?

Under Section 2(t) of the DPDP Act, personal data means any data about an individual who is identifiable by or in relation to such data. In a WhatsApp business context, this includes:

  • Phone numbers (obviously)
  • Customer names from WhatsApp profiles
  • Location data shared in conversations
  • Photos of products, documents, or IDs shared by customers
  • Payment information discussed in chat
  • Health information (if you are a pharmacy or health service)
  • Purchase preferences inferred from conversation history
  • Delivery addresses shared in messages

All of this is personal data under the Act. Your obligations under Section 8 apply to every piece of it: purpose limitation, accuracy, security safeguards, retention limits, and breach notification.

Data Retention for WhatsApp Conversations

Section 8(7) of the DPDP Act requires data erasure once the purpose is fulfilled. For WhatsApp business conversations, you need a clear retention policy.

A customer service chat about a delivery issue has a definable end: when the issue is resolved. Retaining that conversation indefinitely is not consistent with Section 8(7). An order-related conversation can be retained for the duration needed to fulfil statutory obligations (GST records retention, consumer dispute timelines), but not beyond that.

The challenge is operational. WhatsApp does not offer granular conversation-level deletion controls for business accounts. Most businesses using the API store conversation logs in their CRM or helpdesk system, where access controls and retention policies can be implemented. If you are using the standard WhatsApp Business App, conversation data sits on the device, with no systematic way to enforce retention limits.

This is one of the less-discussed DPDP compliance gaps for small businesses: WhatsApp Business does not give you the tools to comply with data retention requirements at the platform level. You need an external system (a CRM, a ticketing tool, anything with configurable retention and deletion) to manage this properly.

Cross-Border Data Considerations

WhatsApp stores data on Meta's global server infrastructure. Section 16 of the DPDP Act restricts the transfer of personal data to countries that the Central Government has not approved. As of February 2026, the restricted country list has not been published, but the provision is live in the Act.

For most Indian businesses using WhatsApp, this creates a potential compliance question: if your customer conversations (containing personal data) are stored on Meta's servers in jurisdictions that later appear on the restricted list, you may have a cross-border transfer issue, one you cannot control because WhatsApp decides where data is stored.

This risk is theoretical for now. But it is worth tracking, especially for businesses in regulated sectors like fintech or healthcare where sector-specific regulators already mandate data localisation.

What Should Indian Businesses Do Right Now?

If your business relies on WhatsApp for customer communication, here are seven concrete steps to align with the DPDP Act before the May 2027 enforcement deadline.

1. Audit your WhatsApp contact list. For every contact in your WhatsApp Business account, can you document when and how they consented to receive messages from you? Separate transactional contacts (who provided their number for a specific service purpose) from marketing contacts (who should have given separate promotional consent). If you cannot trace consent for a marketing contact, they should not be on your broadcast list.

2. Build a consent mechanism before collecting numbers. Whether it is a website checkout form, an in-store QR code, or an app screen, add a dedicated WhatsApp marketing opt-in that is separate from your service-related data collection. No pre-ticked boxes. Clear language about what "promotional messages on WhatsApp" means.

3. Segment your messaging. Stop treating all WhatsApp messages as the same category. Transactional messages (order updates, payment confirmations) operate under Section 7 legitimate uses. Marketing messages (promotions, re-engagement, catalogues) require Section 6 consent. Your systems should reflect this distinction.

4. Implement opt-out handling. When a customer replies "STOP" or any variant of opting out, your system must cease marketing messages immediately and log the withdrawal with a timestamp. Section 6(4) makes this mandatory. If you are using the WhatsApp Business API, automate this through your messaging platform.

5. Set up consent record-keeping. Maintain a log for every contact: consent timestamp, method of collection, scope of consent, and withdrawal status. This is your evidence if the Data Protection Board or an individual Data Principal ever questions your practices. The compliance checklist covers this in detail across all data processing activities.

6. Review your CRM and helpdesk integrations. If WhatsApp conversations are synced to your CRM, helpdesk, or analytics tools, each of those systems processes personal data under the DPDP Act. Ensure they have appropriate security safeguards, access controls, and retention policies. Every integration is another processing activity that needs a lawful basis.

7. Prepare for TRAI extension. Build your WhatsApp marketing practice to survive DND registry cross-referencing, even though it is not legally required for OTT messaging today. When TRAI extends commercial communication regulations to WhatsApp (and industry consensus is that it will), you do not want to scramble.
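To make the consent record (steps 3 to 5 above, and the four record fields listed in the broadcast section) concrete, here is an added Python example of a minimal consent ledger. It is not ComplyZero's code and does not touch any WhatsApp API; the class, constant names and the sample phone number are hypothetical, and the opt-out word list is an assumption you would tune to your own customers' language.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The two message categories the article separates (hypothetical constant names).
TRANSACTIONAL = "transactional"  # Section 7(a): number given for a specified service purpose
MARKETING = "marketing"          # Section 6: needs its own explicit opt-in
OPT_OUT_WORDS = {"stop", "unsubscribe", "opt out", "optout"}  # treated as Section 6(4) withdrawal


@dataclass
class ConsentEvent:
    when: datetime      # 1. when consent was given (timestamp)
    method: str         # 2. how: "website_checkout", "whatsapp_reply", "in_app_toggle"
    scope: str          # 3. what it covered: TRANSACTIONAL or MARKETING
    evidence: str       # exact prompt shown and the customer's reply
    withdrawn_at: Optional[datetime] = None  # 4. whether/when consent was withdrawn


class ConsentLedger:
    """Append-only consent log keyed by phone number."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentEvent]] = {}

    def record_consent(self, phone: str, scope: str, method: str, evidence: str,
                       when: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(when or datetime.now(timezone.utc), method, scope, evidence)
        self._records.setdefault(phone, []).append(ev)
        return ev

    def active(self, phone: str, scope: str) -> list[ConsentEvent]:
        return [e for e in self._records.get(phone, []) if e.scope == scope and e.withdrawn_at is None]

    def may_send(self, phone: str, message_type: str) -> tuple[bool, str]:
        """Gate each outbound message on a live basis for that exact message type."""
        live = self.active(phone, message_type)
        if not live:  # a transactional basis never authorises a marketing message
            return False, f"no active {message_type} consent on record for {phone}"
        return True, f"{message_type} basis via {live[-1].method} at {live[-1].when.isoformat()}"

    def handle_inbound(self, phone: str, text: str,
                       when: Optional[datetime] = None) -> dict:
        """STOP-style reply closes open marketing consent (timestamped); Section 7 basis untouched."""
        if text.strip().lower() not in OPT_OUT_WORDS:
            return {"action": "none"}
        when = when or datetime.now(timezone.utc)
        live = self.active(phone, MARKETING)
        for ev in live:
            ev.withdrawn_at = when
        return {"action": "withdrawn", "events_closed": len(live), "at": when.isoformat()}

    def filter_broadcast(self, phones: list[str]) -> tuple[list[str], dict[str, str]]:
        """Pre-send audit of a marketing list: deliverable numbers, plus exclusions with reasons."""
        allowed, excluded = [], {}
        for phone in phones:
            ok, why = self.may_send(phone, MARKETING)
            if ok:
                allowed.append(phone)
            else:
                excluded[phone] = why
        return allowed, excluded


def demo() -> dict:
    """Constructed walk-through: checkout number -> in-chat YES -> STOP."""
    ledger, n = ConsentLedger(), "+91 90000 00001"  # constructed sample number
    ledger.record_consent(n, TRANSACTIONAL, "website_checkout",
                          "Phone number for delivery updates; marketing box left unticked")
    after_checkout = ledger.may_send(n, MARKETING)[0]  # False: a purchase is not marketing consent
    ledger.record_consent(n, MARKETING, "whatsapp_reply",
                          'Prompt: "Receive offers on WhatsApp? Reply YES" / Reply: "YES"')
    after_optin = ledger.may_send(n, MARKETING)[0]  # True
    ledger.handle_inbound(n, "STOP")  # withdraws marketing consent only
    return {"after_checkout": after_checkout, "after_optin": after_optin,
            "after_stop": ledger.may_send(n, MARKETING)[0],  # False
            "transactional_still_ok": ledger.may_send(n, TRANSACTIONAL)[0]}  # True
```

Running `filter_broadcast` over a contact list before every campaign gives you the per-recipient audit trail the broadcast section calls for, with the excluded numbers and the reason logged rather than silently sent.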

Frequently Asked Questions

Does WhatsApp's end-to-end encryption make my business DPDP-compliant?

No. WhatsApp's encryption protects message content in transit between devices. It does not address your obligations as a Data Fiduciary under the DPDP Act 2023. You still need valid consent under Section 6 for marketing messages, security safeguards under Section 8(4) for data you store outside WhatsApp (in CRMs, helpdesks, or exported chat logs), and retention policies under Section 8(7). Encryption is one security safeguard among many that the DPDP Rules 2025 require. It does not substitute for consent, purpose limitation, or data minimisation.

Can I send promotional WhatsApp broadcasts to customers who bought from me?

Not without separate consent. A purchase creates a transactional relationship, and you can send order-related messages under Section 7(a) of the DPDP Act (voluntary provision of data for a specified purpose). But promotional messages serve a different purpose. Section 6 requires consent that is specific to each purpose. A customer who gave their phone number for "delivery updates" has not consented to "weekly offers and promotions." You need a separate, explicit opt-in for marketing messages.

What happens if a customer sends "STOP" to my WhatsApp Business number?

Under Section 6(4) of the DPDP Act 2023, withdrawing consent must be as easy as giving consent. If a customer sends any message indicating they want to stop receiving promotional messages, you must cease marketing communications immediately and log the withdrawal with a timestamp. You can continue sending transactional messages (order updates, payment confirmations) if they have a separate lawful basis under Section 7, but all promotional messaging must stop. Failure to honour a withdrawal of consent is a breach of Section 6(4), which carries a maximum penalty of ₹50 crore under the DPDP penalty schedule.

Does TRAI's DND registry apply to WhatsApp messages?

As of February 2026, TRAI's Telecom Commercial Communications Customer Preference Regulations (TCCCPR) and the National Customer Preference Register (DND registry) are primarily enforced through telecom operators for SMS and voice calls. WhatsApp, as an Over-the-Top (OTT) messaging platform, does not currently fall directly under these regulations. However, the Telecommunications Act, 2023 grants the government authority to regulate OTT communication services, and regulatory extension to platforms like WhatsApp is widely expected. Building your WhatsApp marketing practices as if DND rules apply now is the prudent approach.

What is the penalty for sending unsolicited WhatsApp marketing messages under DPDP?

The DPDP Act 2023 does not have a specific "unsolicited marketing" penalty. However, sending marketing messages without valid consent violates Section 6, which triggers the general penalty for breach of obligations by a Data Fiduciary: a maximum of ₹50 crore per violation under Item 5 of the Schedule. If the messages involved children's data (recipients under 18), the penalty ceiling increases to ₹200 crore under Item 3. These are per-violation maximums; the Data Protection Board has discretion to set actual penalties based on severity and mitigating factors.

Time to Get Your WhatsApp House in Order

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

WhatsApp is not going anywhere as India's primary business communication channel. Neither is the DPDP Act. The companies that build compliant messaging practices now, while the enforcement deadline is still months away, will have a structural advantage over those scrambling in the final weeks before May 2027. ComplyZero helps Indian businesses build consent infrastructure, including WhatsApp marketing opt-in flows, that aligns with Section 6 requirements from day one. Automated consent records, easy withdrawal mechanisms, and audit-ready logs, all designed for how Indian businesses actually operate.
