Compliance · 24 Jun 2026 · 6 min read

What DPDP penalties mean for a small WhatsApp business

The headline penalty under India's data law is Rs 250 crore, which sounds terrifying for a small business. Here is what it actually means for an SME on WhatsApp.

You may have seen the number: penalties under the Digital Personal Data Protection Act can reach Rs 250 crore. For a small business sending WhatsApp messages, that figure can be alarming. It helps to understand what the penalties are really aimed at and what a smaller operation actually needs to do.

What the big numbers are for

The penalty schedule sets maximum amounts for serious failures, such as not having reasonable security safeguards or failing to protect children's data. These are ceilings, applied by the Data Protection Board after considering the nature and gravity of the breach. They are designed with large data handlers in mind, not a neighbourhood shop sending order updates. The point of the ceilings is to make large platforms take security seriously.

What a small business actually needs

For an SME the practical obligations are manageable: collect clear consent and keep a record of it, give people a plain notice of what you do with their data, let them withdraw and raise grievances, keep data only as long as you need it, and protect it with sensible security. A grievance mechanism and an honest opt-in process cover most of it.

The realistic risk

Enforcement attention naturally falls on larger players and on clear, careless breaches. The way a small business gets into trouble is by ignoring consent entirely, buying lists, or messaging people who never agreed. Run a clean opt-in operation and your real-world risk is low. The compliance is mostly good practice you would want anyway.

Do these and you are most of the way there

Clear opt-in with records, a plain privacy notice, an easy opt-out, a way for people to reach you with concerns, and only keeping data you still need. None of it is exotic, and all of it builds customer trust.

This article is general information, not legal advice. Rules change and your situation may differ, so check the current text of the law or speak to a qualified adviser before you act.
