All articles
Best Practices

The DPDP Act and Your CRM: Consent-Based Communication

ASH Team · 5 July 2026 · 5 min read

The Digital Personal Data Protection Act, 2023 has changed how Indian businesses need to think about the customer data sitting in their CRM. Phone numbers, email addresses and enquiry details are personal data, and the business that collects them is expected to handle them with a clear purpose and the person's consent. This article describes practical, consent-first habits worth building into daily CRM use. It is not legal advice, and no software makes you compliant by itself — for obligations specific to your business, consult a qualified legal advisor.

What the Act broadly expects

Stripped of legal language, the DPDP Act rests on a few plain ideas. Collect personal data for a stated purpose. Take consent in a manner the person can understand. Let them withdraw that consent as easily as they gave it. Keep the data only as long as the purpose requires. None of this is exotic — it is what a well-run sales operation should be doing anyway.

Where CRM practice usually slips

Few teams set out to misuse data; they simply never record where a lead came from or what the person actually asked about. A number collected at an exhibition quietly joins every campaign that follows. A student who enquired about one course starts receiving messages about all of them. Someone asks to be removed, and the request lives in one salesperson's memory rather than in the system everyone works from. Each of these is a consent problem hiding inside a process problem.

Consent habits worth building

  • Record the source of every lead. An enquiry from your website form, IndiaMART or a Meta ad carries context about what the person wanted. Preserve it, because purpose starts there.
  • Keep messages tied to the original purpose. If someone asked about one product, updates on that product are expected; unrelated promotions are not.
  • Honour opt-outs centrally and at once. A "please stop messaging me" should update the shared record immediately, not one person's chat history.
  • Prefer channels with consent built in. The WhatsApp Business platform, for example, requires Meta-approved templates for outreach and lets users block or report a sender — mechanics that keep businesses honest. We have explained how its 24-hour messaging window works separately.

What your CRM contributes: a record

Where a system such as ASH helps is evidence. Every lead carries its source and a timeline of every message, note and task against it, so when a person asks what you hold about them, or asks to be removed, answering is a lookup rather than an investigation. Contact details are stored encrypted, access is limited to your team's accounts, and workflow automations act on records inside the system rather than on exported spreadsheets — which is usually where data discipline breaks down.

Treat consent as an operating standard

Consent-based communication is not merely a legal posture; it is better selling. People who agreed to hear from you respond better than people who did not, and a clean, well-documented database ages far more gracefully than a scraped one. Build the habits above into your team's routine, write them down, and review them with counsel as the rules under the Act continue to be notified.

Ready to capture every lead on WhatsApp?

Start your free trial
DPDP Act and CRM: Consent-Based Communication | ASH | ASH