India's data protection law is live, and its rules were notified in November 2025. What it means for the consent behind your WhatsApp marketing, in plain English for businesses.
India now has a working data protection law. The Digital Personal Data Protection Act was passed in August 2023, and the rules that put it into practice were notified on 13 November 2025. If your business sends WhatsApp messages to customers in India, the law treats you as responsible for the personal data you hold and the consent behind every promotional message you send. This is a plain-English read of what that means, written for businesses rather than lawyers.
We are a WhatsApp platform, not a law firm. This article explains the shape of the DPDP framework as it stands in mid-2026 so you can ask the right questions. For how it applies to your specific business, speak to a qualified data protection professional.
Under the DPDP Act, a business that decides why and how to use personal data is a Data Fiduciary. Almost every business sending WhatsApp messages to customers is one. The person whose data you hold is a Data Principal. The Act is built around consent: you may process someone's personal data for marketing only with consent that is, in the law's words, free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.
Two practical consequences follow. A blanket privacy consent buried in your terms is not enough for marketing; consent has to be specific to the purpose. And people must be able to withdraw consent as easily as they gave it. Those two points cover most of what changes for WhatsApp outreach.
The Digital Personal Data Protection Act, India's first standalone data protection law, receives assent on 11 August 2023. Its provisions wait on rules and a government notification to take effect.
The Ministry of Electronics and Information Technology releases draft DPDP Rules for public consultation, with the comment period closing in March 2025.
MeitY publishes a Business Requirement Document for consent management systems, a non-binding preview of what compliant consent infrastructure is expected to look like.
The DPDP Rules 2025 are notified, operationalising the Act. Some provisions, like those setting up the Data Protection Board, take effect immediately; the substantive compliance obligations phase in over roughly the following 18 months.
The rollout is staged so businesses have time to build consent and data-handling practices before the substantive obligations bite. The widely cited runway points to enforcement maturing through 2026 into 2027.
Timeline compiled from MeitY notifications and analyses by EY India, India Briefing, and DLA Piper, current to early 2026. Exact enforcement dates are set by the government and may shift.
A customer buying from you creates a transactional relationship, which can support order-related messages tied to that purchase. A promotional broadcast serves a different purpose, and the Act requires consent specific to that purpose. In practice: the checkout consent that lets you send a delivery update does not automatically let you send a festival sale blast. You need an opt-in for marketing as its own, clearly described purpose.
WhatsApp's end-to-end encryption protects messages in transit. It does not satisfy your obligations as a Data Fiduciary. You still need valid consent for marketing, security safeguards for any data you store outside WhatsApp in a CRM or helpdesk, and a defined retention policy. Encryption is one safeguard among many the rules expect, not a substitute for the rest.
People must be able to withdraw consent as simply as they gave it. For WhatsApp this maps neatly onto honouring opt-outs promptly, which you should already be doing, because customers who cannot leave will block you instead, and blocks damage your quality rating far more than a clean unsubscribe.
DPDP does not sit alone. The Telecom Regulatory Authority of India has its own framework for commercial communication, including consent rules for non-transactional messages sent over telecom networks, building on its long-running effort to curb unsolicited commercial messages. The two regimes overlap, and the safe reading is to treat marketing consent as something you must obtain, record, and be able to prove.
The numbers attached to non-compliance are large. Penalties under the DPDP Act can run to crores of rupees per violation, set by a Data Protection Board, scaled by severity. The point of mentioning them is not alarm; it is that consent record-keeping has moved from good hygiene to something with a price attached if you skip it.
Ask for marketing consent as its own clearly worded choice, not bundled into terms. Record when and how each person opted in. Describe what they will receive. Make leaving a single step and act on it fast. Keep the record so you can show it. None of this stops you marketing; it just means the people on your list actually chose to be there, which is also what keeps your quality rating green.