India has over 500 million WhatsApp users. Tens of millions of small businesses — home bakers, tiffin services, clothing sellers, grocery delivery — run their entire operation on WhatsApp. Every single one of them is now covered under the DPDP Act 2023. Here's what that means and what you need to do.
Why WhatsApp Sellers Are Covered
Section 3(a)(i) of the DPDP Act covers processing of personal data collected in digital form in India. When a customer sends you their name, address, phone number, or payment details via WhatsApp, that is personal data collected in digital form. There is no question of applicability.
Even if you never built a website. Even if you're a home business. Even if you have 50 customers. The law applies the moment any personal data flows through your WhatsApp.
What Counts as Personal Data in Your WhatsApp?
- Any customer's name + phone number (already an identifier)
- Delivery addresses sent via DM
- UPI IDs, bank account details, payment confirmations
- Order history and preferences
- Any photograph that identifies the customer
- Your broadcast list itself — the phone numbers it contains
The Three Things You Must Do
1. Get Consent Before Collecting Data
Before you add someone to your broadcast list or take their address for the first time, you must send them a consent notice. This notice must explain:
- What data you're collecting (name, address, phone)
- Why you're collecting it (order processing, delivery, promotions)
- Whether you'll share it with anyone (delivery partners, payment gateways)
- That they can withdraw consent at any time
The consent must be "free, informed, specific, and unconditional." This means you cannot make consent a condition of getting your service — but you can explain that you cannot deliver without an address.
2. Respond to Data Access and Deletion Requests
Any customer can ask you: "What information do you have about me?" and "Please delete all my data." You are legally required to respond and comply. Under the DPDP Act, customers have the right to:
- Access — know what data you hold
- Correction — fix inaccurate data
- Erasure — delete their data when they withdraw consent
3. Secure the Data You Hold
You must implement "reasonable security safeguards" to prevent breaches. For a WhatsApp business, this means:
- Two-step verification on your WhatsApp account
- Password-protecting any spreadsheets or files with customer data
- Not sharing your phone with others who could access customer data
- Using WhatsApp Business (not personal WhatsApp) for your selling
What About Your Broadcast List?
Your broadcast list is a collection of phone numbers — that's a database of personal data. Under the DPDP Act:
- Everyone on your broadcast list must have given consent to receive messages from you
- Every promotional message you send should include an opt-out option ("Reply STOP to unsubscribe")
- You must remove anyone who opts out within a reasonable time
Practical Steps to Get Compliant
Here's a simple compliance routine you can implement today:
- New customers: When someone first messages you to order, send them your consent notice before collecting their address. Keep a record that they agreed.
- Existing customers: Send a one-time consent message to your current broadcast list asking them to confirm they want to stay in touch. Anyone who doesn't reply in 30 days — remove them.
- Deliveries: Add a line to your order confirmation: "Your address is used only for delivery and will not be shared with anyone other than our delivery partner."
- Opt-outs: When someone says "remove me" — remove them immediately from all lists.
The Penalty If You Don't
Failing to obtain consent: up to ₹50 Crore. Failing to handle a data request: up to ₹50 Crore. A data breach (customer data leaked from your phone): up to ₹250 Crore. These penalties will likely be applied proportionally — a small home business won't face ₹250 Crore — but even a proportional penalty of ₹5 lakh would be devastating for most micro-businesses.
How EasyDP Helps WhatsApp Sellers
EasyDP's WhatsApp add-on automates this entire workflow. You forward a customer's first message to your EasyDP number. Our AI extracts their details and automatically sends a DPDP-compliant consent message in their preferred language (Hindi, Tamil, Telugu, Kannada, Malayalam, or English). Their consent is logged with a timestamp. If they ever ask to be removed, one click handles everything.