DPDP Act and WhatsApp Marketing: What Indian Businesses Must Know
ASH Team · 21 May 2026 · 6 min read
India's Digital Personal Data Protection (DPDP) Act raises the bar for how businesses collect and use customer data. If you generate leads and message people on WhatsApp, this affects you — here's the practical version.
This is general information, not legal advice — consult a professional for your specific situation.
The core idea: consent
DPDP is built on consent. You should collect personal data (name, phone, email) for a clear purpose, with the person's agreement, and use it only for that purpose. In practice, that means capturing consent at the point of enquiry — not assuming it.
What this means for WhatsApp outreach
- Opt-in: people should agree to be contacted on WhatsApp, ideally recorded with a timestamp and source.
- Easy opt-out: honour STOP requests instantly and stop messaging.
- Purpose limits: don't repurpose a support number for cold marketing.
Data security expectations
You're expected to protect the data you hold — encryption at rest, access controls, and not keeping data longer than needed. A shared spreadsheet of customer numbers is exactly what the Act discourages.
Build compliance into your tools
The easiest way to stay compliant is to use tools that do it by default: consent captured on every enquiry, opt-in and STOP handling built in, and encrypted storage. Retrofitting compliance later is far harder.
How ASH helps
ASH captures consent on every lead, supports WhatsApp opt-in with instant STOP handling, and encrypts data at rest — so DPDP-aligned practice is the default, not an afterthought.
Ready to capture every lead on WhatsApp?
Start your free trial