Your broadcast list, contact register, and order chat history are all personal data records under Section 3(a)(ii) of the DPDP Act.
₹50 Cr: penalty for processing without consent
Section 3(a)(ii): digital data records are covered
May 2027: compliance deadline
Many small businesses maintain a WhatsApp broadcast list of 50–5000 customers. Under Section 3(a)(ii) of the DPDP Act, a digitised record containing personal data — including a phone contacts list — is fully covered by the Act, even if you never intended it to be a "database."
This means every WhatsApp seller who has saved customer contacts and sends them promotional messages is technically operating as a Data Fiduciary without a consent framework.
Broadcast list: Every customer on your list has "opted in" to receive messages — but without explicit DPDP consent, this is insufficient
Saved contacts: Phone numbers saved in your phone = personal data records
Order chat history: Messages containing names, addresses, preferences
Google Sheets order log: If you maintain a digital order register
WhatsApp groups: Group members' phone numbers are personal data
Voice messages about orders: If saved digitally, these are records
Get explicit consent
Before adding someone to your broadcast list or saving their data, you need to send them a DPDP-compliant consent request in their language.
Make it easy to opt out
Every broadcast must include a way to request data erasure. "Reply STOP" alone is not sufficient — you need to delete their data, not just stop messaging.
Secure your contact list
Customer phone numbers saved on a personal phone or in an unencrypted spreadsheet are a security risk. Use a compliant CRM.
Don't share data with third parties without consent
Sharing customer details with delivery partners or other vendors without their consent is a violation.