If you take orders via Instagram DMs, Stories, or Link-in-Bio, you're collecting personal data and DPDP applies to you.
Penalty for DM data violations: ₹50–250 Cr
Section 3(a)(i): DMs with name/address = personal data
Compliance deadline: May 2027
Every time a customer sends you their name, address, phone number, or payment details via Instagram DM, that message contains personal data under Section 3(a)(i) of the DPDP Act. You become a Data Fiduciary the moment you store, process, or use that information.
Most Instagram sellers don't have a consent notice, don't have a process for data deletion requests, and don't have an incident response plan. This is a violation — even if you're a solo seller with 500 followers.
DM orders: Customer name, address, phone via chat
Stories & polls: Customer preferences and interactions
Google Form orders: Name, email, address, item selection
Payment details: UPI IDs forwarded via DM
Highlight viewer data: Instagram provides analytics on viewers
CRM/spreadsheet: If you log customer orders anywhere
Send a consent notice
Before or at the point of collecting their address/phone, send them a message explaining what you collect and why. EasyDP automates this.
Log the consent
You need proof that consent was given. A screenshot isn't enough — it needs to be timestamped and stored securely.
Handle erasure requests
If a customer asks "delete my data", you must comply within 72 hours. This includes removing them from your WhatsApp lists and spreadsheets.
Secure your data
Customer details in a plain spreadsheet or WhatsApp group are high risk. Encrypt and restrict access.
Our Instagram add-on (available on Growth+ plans) auto-handles DM compliance:
Takes 2 minutes. Get your exact obligations and penalty exposure.