DPDP Act + WhatsApp marketing: Compliance checklist for Indian businesses

India's DPDP Act in plain English, applied to WhatsApp marketing — consent records, opt-outs, retention, vendor due diligence, and what auditors look for.

WBIZ Team · Feb 14, 2026 · 7 min read
India's Digital Personal Data Protection Act 2023 (DPDP Act) came into force in stages through 2024–25 and is, by 2026, the binding privacy framework that governs how Indian businesses handle customer data — including data collected and used for WhatsApp marketing.

This piece is the practical checklist we use internally and with customers. It is not legal advice — your DPO or legal counsel should sign off on the specific implementation for your business. But it'll get you 80% of the way there.

The DPDP Act in 90 seconds

The Act gives "Data Principals" (you and me, the citizens) a set of rights over their personal data, and imposes obligations on "Data Fiduciaries" (any organisation that decides why and how to process personal data). Key principles:

  • Lawful basis for processing: The Act recognises consent and a small set of "legitimate uses" (employment, medical emergency, court order, etc.). Marketing is not one of the legitimate uses — it requires consent.
  • Purpose limitation: You can only use personal data for the specific purpose the user consented to.
  • Data minimisation: Don't collect more than you need.
  • Storage limitation: Don't keep data longer than necessary.
  • Accountability: You must be able to demonstrate compliance, not just claim it.
  • Significant Data Fiduciaries (SDFs): Larger or higher-risk processors get extra obligations (DPO appointment, DPIAs, audits). The threshold is set by central government notification.
For WhatsApp marketing specifically, the practical constraint is simple: you need provable opt-in consent for every contact you market to, and you need a one-tap opt-out.

The Act requires consent to be:

  • Free (not coerced)
  • Specific (named purpose)
  • Informed (the user knew what they were agreeing to)
  • Unambiguous (clear affirmative action)
  • Capable of being withdrawn (one-tap opt-out)
For WhatsApp specifically, the consent moment must mention:
  • That the user is opting in to receive marketing on WhatsApp (not just generally).
  • The specific business name (e.g. "Acme Apparel").
  • A link to the privacy notice.
  • A clear way to opt out later.
What this means in practice:

| Consent moment | DPDP-compliant? |
|---|---|
| Pre-checked WhatsApp opt-in checkbox at checkout | ❌ No — must be unchecked, user must affirmatively check |
| Tiny grey footer text: "By continuing, you consent to receive WhatsApp messages" | ❌ No — not unambiguous |
| Customer messages your business first | ✅ Yes — affirmative initiation, but only counts for service replies, not for unrelated marketing later |
| Customer ticks "Yes, send me WhatsApp updates from Acme" with a link to privacy notice | ✅ Yes — the gold standard |
| Customer signs up for newsletter at a kiosk and provides phone number | ❌ No — that's email consent, not WhatsApp consent |
| QR-code in-store scan that opens a WhatsApp chat | ✅ Yes — the user's first message is opt-in |

Opt-in records — what auditors look for

If a regulator (or angry customer) asks "prove this person consented," you need to be able to produce:

  • The exact timestamp of consent.
  • The exact text the user saw at the consent moment.
  • The IP address / device / channel from which consent was given.
  • A snapshot of the privacy notice in force at the time.
WBIZ stores all of this on every contact. The opt-in audit log is exportable as CSV or queryable via the public API.

This sounds like overkill until you hit your first complaint. Then it's the difference between a 20-minute response and a multi-week investigation.

Every marketing message must offer a one-tap opt-out. The clearest pattern is a quick-reply button labelled "Stop these messages" appended to every marketing template.

When the user taps:

  • WBIZ marks the contact as opted-out for marketing immediately.
  • All scheduled future marketing sends to that contact are cancelled.
  • An audit trail records the opt-out timestamp and source.
  • Service messages (replies to customer-initiated conversations) continue to flow — opting out of marketing isn't opting out of all communication.
Optionally, you can confirm the opt-out: "You've been unsubscribed from Acme marketing messages. We won't message you again unless you message us first."
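As an added illustration (not WBIZ code or its API), here is a small consent ledger that stores the opt-in evidence listed above (timestamp, exact consent text, source, client reference, fingerprint of the privacy notice in force), applies the one-tap opt-out flow just described (log it, cancel pending marketing sends, keep service replies flowing), and produces the audit log on demand. The business name, phone numbers, notice text and campaign ids in the usage are constructed sample values.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from hashlib import sha256

@dataclass
class ConsentEvent:
    ts: str             # ISO-8601 UTC timestamp of the consent moment
    action: str         # "opt_in" or "opt_out"
    source: str         # where it happened: "checkout_form", "quick_reply_button", ...
    consent_text: str   # the exact text the user saw (for opt-out: the button label)
    notice_sha256: str  # fingerprint of the privacy notice in force at that moment
    client_ref: str     # IP / device / channel identifier as captured

class ConsentLedger:
    """Append-only per-contact consent history plus pending marketing sends (constructed)."""
    def __init__(self, business):
        self.business = business
        self.events = {}      # phone -> [ConsentEvent, ...], oldest first
        self.scheduled = {}   # phone -> pending marketing campaign ids

    def _log(self, phone, action, source, text, notice, client_ref):
        ev = ConsentEvent(datetime.now(timezone.utc).isoformat(), action, source,
                          text, sha256(notice.encode()).hexdigest(), client_ref)
        self.events.setdefault(phone, []).append(ev)
    def record_opt_in(self, phone, consent_text, notice, source, client_ref):
        # Consent text that does not name WhatsApp and the business is not WhatsApp
        # marketing consent (a newsletter sign-up does not count), so refuse to log it.
        low = consent_text.lower()
        if "whatsapp" not in low or self.business.lower() not in low:
            raise ValueError("consent text must name WhatsApp and the business")
        self._log(phone, "opt_in", source, consent_text, notice, client_ref)
    def record_opt_out(self, phone, notice, client_ref, source="quick_reply_button"):
        """One-tap opt-out: log it and cancel every pending marketing send."""
        self._log(phone, "opt_out", source, "Stop these messages", notice, client_ref)
        return self.scheduled.pop(phone, [])   # cancelled ids, for the audit trail
    def can_send(self, phone, kind):
        """Service replies keep flowing; marketing needs a live opt-in as the latest event."""
        if kind == "service":
            return True
        hist = self.events.get(phone, [])
        return bool(hist) and hist[-1].action == "opt_in"
    def schedule_marketing(self, phone, campaign_id):
        ok = self.can_send(phone, "marketing")
        if ok:
            self.scheduled.setdefault(phone, []).append(campaign_id)
        return ok
    def audit_log(self, phone):
        """What you hand to a regulator: every event, oldest first, as plain dicts."""
        return [asdict(e) for e in self.events.get(phone, [])]
```

The notice fingerprint lets you prove which privacy notice version was in force at each consent moment without storing a full copy per contact; keep the notice versions themselves for as long as you keep the consent records.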

Data subject rights — what you must support

The Act gives Data Principals four core rights you must support:

  • Right to access — show the user what data you hold on them.
  • Right to correction & erasure — let them fix or delete their data.
  • Right of grievance redressal — provide a contact for complaints with a defined response timeline.
  • Right to nominate — name another person to exercise rights on their behalf in case of incapacity.
For WhatsApp specifically:
  • Build (or use) an export endpoint that returns a JSON dump of every conversation, contact field, and consent record for a given phone number.
  • Build (or use) a deletion endpoint that hard-deletes (not just soft-flags) on request, except where legal retention requires otherwise.
  • Publish a grievance contact in your privacy notice with a defined SLA (the Act requires "reasonable" — most companies promise 30 days).
WBIZ exposes both the export and deletion endpoints in the contact detail view in /app/contacts/.

Retention — don't be a pack rat

The Act doesn't set a fixed retention period — it requires that data is kept only as long as necessary for the stated purpose, and then deleted.

For WhatsApp:

  • Active customer data — retain as long as the customer relationship is active.
  • Inactive contacts (no engagement in 24+ months) — review for deletion.
  • Conversations — retain for as long as you might need to handle a dispute (typically 12–24 months for D2C, longer for regulated sectors).
  • Consent records — retain for as long as you retain the underlying contact, plus a defensive buffer (e.g. 2 years post-deletion).
Build a retention policy, document it, and operationalise it. WBIZ has a configurable auto-archive setting that flags inactive contacts for periodic review.

Vendor due diligence — your processors are your responsibility

If you use a vendor (like WBIZ.IN) to process WhatsApp messages, the Act treats them as your "Data Processor" and you remain the responsible Data Fiduciary. You need to:

  • Have a written agreement with the vendor that defines the processing purpose, data categories, and security measures.
  • Verify the vendor's security posture (encryption, access controls, audit logs).
  • Verify the vendor's data residency story — where is the data physically stored?
  • Verify the vendor's sub-processors (does the vendor itself outsource any part of the pipeline?).
We publish all of this for WBIZ.IN at our trust centre and provide a Data Processing Addendum (DPA) on request.

Cross-border transfers

Personal data can be transferred outside India unless the central government specifically restricts a country. For most use-cases this isn't an issue, but BFSI, healthcare and government-adjacent sectors should check sector-specific localisation rules (RBI's data localisation circular for payments, IRDAI for insurance, etc.).

WBIZ stores all primary customer data in India by default.

A 10-point pre-launch checklist

Before sending your next batch of marketing messages, run through:

  • [ ] Every contact in the audience has an opt-in record (timestamp, source, consent text).
  • [ ] The opt-in moment named WhatsApp specifically and your business specifically.
  • [ ] Every marketing template has a one-tap opt-out.
  • [ ] Your privacy notice mentions WhatsApp/Meta as a processor.
  • [ ] Your privacy notice has a grievance contact.
  • [ ] You have a documented retention policy.
  • [ ] You have a vendor DPA in place with WBIZ (or your platform).
  • [ ] You have an export endpoint for data subject access requests.
  • [ ] You have a deletion workflow that hard-deletes within 30 days of request.
  • [ ] You can produce a consent audit log on demand for any contact.
If you can tick all 10, you're well-positioned. If you can tick 7 or 8, you have a clear roadmap. If you're at 0–3, prioritise this — the cost of a single complaint that escalates is multiples of what it costs to do this right up front.

Where to start tomorrow

The most common gap is the consent record. If you can't produce a consent record for every contact in your marketing list, your single highest-leverage action is to build the consent capture into your forms today. Going forward, every new contact has a clean opt-in record. Going backward, segment your existing list and re-confirm consent through a one-time opt-in template.

Compliance done well is invisible — to customers, to regulators, and to your finance team. The brands that treat DPDP as table stakes in 2026 will be the ones still standing in 2027 when enforcement intensifies.

Written by

WBIZ Team

The WBIZ.IN team — engineers, product managers, and customer success folks building the WhatsApp Business platform Indian teams actually want to use.