DPDP Act 2023 Compliance for Business Messaging in India
How India's Digital Personal Data Protection Act 2023 impacts WhatsApp Business API messaging and what businesses need to do to comply. A practical guide for Indian businesses.
Codlinh10 Team
20 January 2026
DPDP Act 2023 Compliance for Business Messaging in India
India's Digital Personal Data Protection Act 2023 (DPDP Act) is the country's first comprehensive data protection law. Enacted in August 2023, it establishes a framework for how businesses must collect, use, and protect personal data — including data processed for business messaging on platforms like WhatsApp™.
If your business uses WhatsApp Business API to communicate with customers, the DPDP Act applies to you. Here's what it means in practice and how to achieve compliance.
What is the DPDP Act 2023?
The DPDP Act 2023 creates a rights-based framework for personal data protection in India. Key features include:
- Data principals — individuals whose data is processed — have defined rights
- Data fiduciaries — businesses that determine how data is processed — have defined obligations
- Data processors — entities processing data on behalf of fiduciaries — also have obligations
- Significant data fiduciaries — large organisations with additional requirements
- Data Protection Board — the enforcement authority (being established)
For business messaging, your company is the Data Fiduciary, your customers are Data Principals, and your messaging platform provider (like Codlinh10) is a Data Processor.
How DPDP Act applies to WhatsApp Business API messaging
1. Consent is mandatory
The single most important requirement: you must obtain explicit, informed consent from every customer before sending them business-initiated WhatsApp messages.
What constitutes valid consent under DPDP Act:
- Must be freely given (not bundled with service acceptance without choice)
- Must be specific to the purpose (consent to "marketing messages" is separate from "order updates")
- Must be informed — the customer must understand what they're consenting to
- Must be unambiguous — a clear, affirmative action (not pre-ticked boxes)
- Must be withdrawable at any time
Practical implementation:
- Add a WhatsApp opt-in checkbox to your checkout flow (separate from T&C acceptance)
- Create a dedicated WhatsApp opt-in landing page
- Allow opt-in via SMS or your app
- Keep records of when consent was obtained and what it covered
2. Purpose limitation
Under DPDP Act, you can only use customer data for the purposes they consented to. If a customer gave consent for "order updates," you cannot send them marketing promotions without a separate consent.
Practical implementation:
- Use different WhatsApp message template categories correctly (utility vs. marketing)
- Segment your contact list by consent type
- Don't use transactional message opt-ins for marketing broadcasts
3. Data minimisation
Collect only the personal data you actually need. For WhatsApp messaging, this typically means:
- Phone number (required)
- Name (useful but optional — can be stored if provided)
- Order or account reference (for contextual messages)
Don't collect or store unnecessary additional data about customers just because you technically can.
4. Right to withdraw consent
Every customer must be able to withdraw their consent to receive messages — easily and at any time. "Unsubscribe" or "Stop" must work.
Practical implementation:
- Include "Reply STOP to unsubscribe" or equivalent in your messages
- Process opt-out requests immediately (within hours, not days)
- Do not re-add opted-out customers to any list
- Maintain a suppression list of opted-out numbers
5. Data retention limits
You should not retain personal data longer than necessary for the purpose it was collected. Define and document your retention periods.
Example retention policy for messaging:
- Customer contact (with active opt-in): Retain while relationship is active
- Message history: Retain for 2 years (for support and audit purposes)
- Consent records: Retain for 3 years after last communication
- Opted-out contacts (suppression list): Retain indefinitely to prevent re-adding
6. Data principal rights
Your customers have the following rights under DPDP Act, and you must be able to honour them:
- Right to access — "What data do you hold about me?"
- Right to correction — "Update my phone number"
- Right to erasure — "Delete all my data" (with exceptions for legal obligations)
- Right to grievance redressal — Must have a Grievance Officer
- Right to nominate — Nominate someone to exercise rights on their behalf
Practical implementation:
- Create a data request process (email or form)
- Designate a Grievance Officer with contact details
- Build the capability to export, update, or delete customer data from your systems
7. Children's data
The DPDP Act has specific protections for personal data of individuals under 18. You must:
- Obtain verifiable parental consent before processing minors' data
- Not track minors for targeted advertising
- Not process data "likely to have detrimental effect on the child"
For most WhatsApp Business API use cases (e-commerce, financial services), this means ensuring your opt-in process verifies that the person is 18+.
Data processor requirements (for platforms like Codlinh10)
If you're using Codlinh10 as your messaging platform, we are your Data Processor under the DPDP Act. As a responsible processor, Codlinh10:
- Processes your customer data only on your documented instructions
- Implements technical and organisational security measures
- Assists you in responding to data principal rights requests
- Notifies you of any data breach within 72 hours
- Deletes your data upon contract termination
- Maintains data in India for Indian customers
When evaluating any messaging platform, ask them specifically about their DPDP Act compliance posture.
Common compliance mistakes with WhatsApp Business API
Importing purchased contact lists
Absolutely prohibited. All contacts must have opted in specifically for WhatsApp messaging from your business. Purchasing lists and importing them violates DPDP Act, Meta's policies, and is likely to get your WhatsApp Business Account suspended.
Using transactional opt-in for marketing
If a customer opted in for "order updates," sending them promotional messages without separate marketing consent violates purpose limitation.
No opt-out mechanism
Every outbound message must have a way for customers to opt out. This is both a DPDP Act requirement and a Meta policy requirement.
Storing data indefinitely
Review your data retention policies. Customer data should not be retained indefinitely without a legitimate reason.
No Grievance Officer
The DPDP Act requires businesses to designate and publish a Grievance Officer contact. This is often overlooked.
DPDP Act vs. GDPR: What Indian businesses need to know
If you also have EU/EEA customers, you may need to comply with both GDPR and DPDP Act. Key differences:
| Aspect | DPDP Act 2023 | GDPR | |--------|---------------|------| | Lawful bases | Consent + legitimate uses | 6 lawful bases including legitimate interests | | Data minimisation | Required | Required | | Breach notification | To Data Protection Board | To supervisory authority + individuals | | Children | Under 18 | Under 16 (varies by country) | | DPO requirement | Grievance Officer (lighter) | DPO for certain organisations | | Penalties | Up to ₹250 crore per breach | Up to €20M or 4% global revenue |
Practical compliance checklist
Use this checklist to assess your current DPDP Act compliance for WhatsApp messaging:
- Documented, purpose-specific consent obtained from all contacts
- Opt-in consent records stored with timestamp and channel
- Separate consent for marketing vs. transactional messages
- Working opt-out mechanism in all outbound messages
- Suppression list maintained
- Data retention policy documented and implemented
- Grievance Officer designated and contact published
- Data request handling process in place (access, correction, erasure)
- Children's data safeguards in place (if applicable)
- Data Processor Agreement (DPA) signed with Codlinh10 or your messaging provider
- Privacy Policy updated to reflect WhatsApp messaging
Conclusion
The DPDP Act 2023 represents a significant shift in how Indian businesses must approach personal data. For WhatsApp Business API specifically, the most critical requirements are explicit consent, purpose limitation, and honoring opt-outs.
Codlinh10 is built with DPDP Act compliance as a core design principle — from consent capture at opt-in to suppression list management and data deletion capabilities. Book a demo to see how our compliance-first approach works in practice.
This article provides general guidance on DPDP Act 2023. It does not constitute legal advice. Consult a qualified legal professional for advice specific to your business situation. The DPDP Act is being implemented in phases — rules may be updated as the Data Protection Board is established.
Ready to start with WhatsApp Business API?
Book a demo and see how Codlinh10 can transform your customer conversations.