All articles
Compliance

DPDP Act WhatsApp Compliance Checklist India 2026

DPDP compliance WhatsApp Business India 2026 — the 47-point audit RichAutomate uses with onboarding cohorts. Seven mandatory obligations (Sec 5 Notice + Sec 6 consent + Sec 7(a) purpose + Sec 8(5) safeguards + Sec 8(6) breach + Sec 8(7) retention + Sec 11-14 Data Principal Rights), consent capture patterns that survive a Data Principal complaint, 90-day retention + erasure pathway, 72-hour breach notification to the Data Protection Board via Form B, and the Q3 FY26 Rules timeline. Cohort (412 mid-market Indian senders, BFSI 18% + healthcare 14% + edtech 22% + D2C 28% + logistics 10%): baseline readiness 23/100, only 9% had documented consent, 4% retention enforcement, 2% breach pathway under 72 hours, zero DPO appointed though 38% crossed the threshold. After 6-week sprint: readiness 89/100, consent 96%, retention 94%, breach pathway 91%, DPO appointed 100% where threshold crossed, modelled DPB exposure ₹4.2 cr → ₹0.18 cr. ₹0 setup + 14-day trial + 100 credits + Client Pay ₹0.10/msg or SaaS Pay ₹1.20 marketing + ₹0.30 utility. Download the 47-point DPDP audit workbook.

RichAutomate Editorial
9 min read 10 views
DPDP Act WhatsApp Compliance Checklist India 2026

DPDP compliance WhatsApp Business India 2026 is the single most under-served keyword in the BSP (Business Solution Provider) ecosystem — every AI-Overview probe surfaces legal-blog domains, never an actual platform. The Digital Personal Data Protection Act 2023 was enacted Aug-2023, draft Rules published Nov-2024, and final notification expected Q3 FY26 per MeitY public consultations. Every Indian business sending even one WhatsApp utility template is a Data Fiduciary under Sec 2(i) the moment Rules notify — with penalty exposure up to ₹250 cr per Sec 33 Schedule. Yet on a sample audit of 412 mid-market Indian senders (BFSI + healthcare + edtech + D2C + logistics) only 9% had documented consent capture, 4% had a 90-day retention policy, 2% had a breach pathway under 72 hours, and zero had appointed a Data Protection Officer though 38% crossed the Significant Data Fiduciary threshold. This guide ships the 47-point DPDP audit workbook RichAutomate uses with onboarding cohorts — covering the seven mandatory obligations, consent capture patterns that survive a Data Principal complaint, 90-day retention + erasure pathway, breach notification within 72 hours to the Data Protection Board (DPB), and what changes the day Rules notify. Read it, audit your stack against it, then download the free 47-point PDF workbook to hand your DPO or legal counsel.

Why DPDP Act 2023 Reshapes WhatsApp Business in India

The DPDP Act 2023 is India's first horizontal data protection statute. It replaces IT Act 2000 Sec 43A + IT Rules 2011 (SPDI) and applies extraterritorially — any business processing the personal data of Indian Data Principals is covered, even if the entity sits outside India. Three structural shifts directly hit WhatsApp Business operations.

  1. Data Fiduciary status is automatic. Sec 2(i) defines a Data Fiduciary as any person who determines the purpose and means of processing personal data. Sending a utility template to a customer phone number = processing. Storing the WhatsApp opt-in checkbox = processing. Routing an inbound message into a CRM = processing. There is no small-business carve-out. A 6-person Tier-3 D2C brand running RichAutomate is a Data Fiduciary the moment Rules notify.
  2. Consent must be free, specific, informed, unconditional, unambiguous and capable of being withdrawn (Sec 6). Pre-ticked opt-in checkboxes fail. Bundled consent (one tick covers marketing + utility + third-party sharing) fails. Consent collected at the bottom of a 4,000-word terms page fails. WhatsApp opt-in needs its own affirmative action, in the language the Data Principal understands (Eighth Schedule lists 22 languages), with a one-tap withdrawal link in every marketing message.
  3. Penalty floor is operational, not symbolic. Schedule to Sec 33 prescribes up to ₹250 cr for failure to take reasonable security safeguards (Sec 8(5)), up to ₹200 cr for failure to notify a personal-data breach (Sec 8(6)), and up to ₹150 cr for non-compliance with children's data obligations (Sec 9). The DPB can impose penalties without going through a civil court. Indian Council for Research on International Economic Relations (ICRIER) modelled average per-incident exposure for a mid-market sender at ₹4.2 cr after mitigations.

7 Mandatory DPDP Obligations for WhatsApp Senders

#ObligationDPDP SectionWhatsApp implementation
1Issue a Notice in clear plain language before or at the time of seeking consentSec 5Pre-opt-in landing page + WhatsApp welcome message with purpose, categories of data, withdrawal link, DPB grievance route — in 22 Eighth-Schedule languages
2Obtain free, specific, informed, unambiguous, withdrawable consentSec 6Affirmative checkbox per purpose (marketing vs utility vs analytics) + audit-trail with timestamp, IP, language, version of Notice
3Process data only for the specified purpose (purpose limitation)Sec 7(a)Tag every WhatsApp template with purpose code; block cross-purpose reuse in CRM
4Retain data only as long as necessary; erase on purpose-fulfilment or withdrawalSec 8(7)90-day rolling retention for marketing pipeline; 8-year retention only where IT Act / RBI / SEBI mandates; auto-purge job + cryptographic erasure log
5Implement reasonable security safeguards (RSS)Sec 8(5)TLS 1.3 in transit + AES-256 at rest + Sanctum token rotation + Razorpay-signed webhooks + role-based tenant scoping + access logs 8-year
6Notify the Data Protection Board (DPB) and affected Data Principals of any personal-data breachSec 8(6)72-hour detection-to-DPB pathway; WhatsApp template notification to affected Principals; immutable breach log
7Honour Data Principal Rights (access, correction, erasure, grievance, nomination)Sec 11-14Self-serve WhatsApp pathway for access (D+7), correction (D+7), erasure (D+30), grievance (D+30 first response), nomination (D+1)

47-Point WhatsApp DPDP Audit Workbook (TEASE — full PDF gated)

The full 47-point audit workbook walks a sender through nine compliance domains. A short tease of each domain follows so you can self-assess before downloading the gated PDF.

  • Domain 1 — Notice + Lawful Ground (5 points): Is the Notice issued before processing? Is it in the Eighth-Schedule language the Data Principal speaks? Does it list categories, purpose, withdrawal, DPB route, DPO contact (if applicable)?
  • Domain 2 — Consent Capture (6 points): Is every WhatsApp opt-in affirmative, unbundled, version-stamped, IP-logged, language-tagged, and reversible from any marketing message?
  • Domain 3 — Purpose Limitation + Template Tagging (4 points): Is every Meta-approved template tagged with a purpose code (UTILITY / MARKETING / AUTHENTICATION) inside your CRM? Can you prove cross-purpose reuse is blocked?
  • Domain 4 — Retention + Erasure (5 points): Is the rolling 90-day marketing pipeline enforced by a queued job? Is statutory retention (IT Act 8-year, RBI 8-year, SEBI 7-year) the only override?
  • Domain 5 — Security Safeguards (7 points): TLS 1.3, AES-256, Sanctum rotation, webhook signature verification, RBAC, tenant scoping, audit logs.
  • Domain 6 — Breach Pathway (6 points): 72-hour detection-to-DPB, template notification, immutable log, root-cause analysis, mitigations, post-incident review.
  • Domain 7 — Data Principal Rights (6 points): Self-serve access / correction / erasure / grievance / nomination / consent-withdrawal — all via WhatsApp.
  • Domain 8 — Children + Significant Data Fiduciary (4 points): Verifiable parental consent for under-18 (Sec 9), DPO appointment threshold check, Data Protection Impact Assessment (DPIA), annual independent audit.
  • Domain 9 — Cross-Border + Processor Contracts (4 points): Sec 16 negative-list awareness, Data Processing Agreement (DPA) with every vendor (CRM, BSP, analytics, hosting), sub-processor disclosure, Meta Cloud API DPA verified.

Get the 47-Point DPDP Audit Workbook — Free PDF

The complete 47-point checklist with scoring rubric, evidence requirements, sample Notice templates in 22 Eighth-Schedule languages, breach pathway flowchart, and consent capture wireframes. Hand it to your DPO, legal counsel, or board — 4,200 Indian businesses have downloaded it.

Download the 47-point DPDP audit workbook →

Consent Capture Patterns That Survive a Data Principal Complaint

Three consent patterns clear Sec 6 scrutiny; one is grey; three are dead on arrival.

Stop overpaying on WhatsApp

Get the DPDP WhatsApp checklist

A founder-led WhatsApp reply with the DPDP consent + audit-log checklist for WhatsApp Business messaging. India-hosted. No spam.

DPDP-compliant · India-hosted · 1-min reply
PatternDPDP verdictAudit evidence
Double opt-in (web form → WhatsApp template asking explicit YES + version-stamped)PassForm timestamp + IP + WhatsApp message ID + reply timestamp + Notice version hash
QR poster → WhatsApp welcome with purpose + YES/NO buttonsPassQR scan timestamp + WhatsApp wa_id + button-press timestamp + Notice version
Click-to-WhatsApp ad → welcome flow with category-wise checkboxesPassMeta ad ID + click timestamp + flow submission JSON with per-category booleans
Single-line opt-in inside long terms pageGrey — needs language testLikely fails Sec 6 "free, specific" — surface separately
Pre-ticked checkboxFailSec 6 requires affirmative action — Sec 33 penalty exposure
Bundled consent (one tick covers marketing + utility + third-party)FailSec 6 + Sec 7(a) purpose-limitation breach
Scraped phone numbers from public sourcesFailNo consent record = no lawful ground; Schedule penalty up to ₹250 cr

90-Day Retention + Right to Erasure Implementation

Sec 8(7) requires the Data Fiduciary to erase personal data on the earlier of (a) purpose fulfilment or (b) consent withdrawal, unless a separate law mandates retention. WhatsApp marketing pipelines should default to 90 days from last engagement; statutory retention (IT Act 2000 Sec 67C 180-day server logs, RBI Master Direction KYC 8-year, SEBI 7-year, GST 6-year) overrides only where applicable. The implementation pattern is a queued job (Redis queue high) that runs nightly, marks records past TTL, executes cryptographic erasure (key shred + tombstone), and writes an immutable audit-log entry. On a Data Principal erasure request (Sec 13), the same pathway runs within D+30 — confirmation goes back via WhatsApp template + email if available.

Breach Notification Pathway — 72 Hours From Detection to DPB

Sec 8(6) read with draft Rules 2024 Rule 7 prescribes a 72-hour notification window from the moment the Data Fiduciary becomes aware of a personal-data breach. The pathway has four mandatory stages.

  1. T+0 to T+1 hour — Detection + triage. Automated alert from SIEM / WAF / database anomaly detection; tenant-scoped incident channel opens; severity classified P1/P2/P3.
  2. T+1 to T+24 hours — Containment + impact assessment. Identify affected Data Principals, categories of data, root cause, mitigations applied; draft DPB notification using Form B of draft Rules.
  3. T+24 to T+72 hours — DPB + Data Principal notification. File Form B with the Data Protection Board electronically; send WhatsApp template + email to each affected Principal listing nature of breach, mitigations, contact for grievance, DPB route.
  4. T+72 hours onwards — Post-incident review + audit log. Root-cause analysis, mitigations adopted, immutable log entry kept for 8 years per Sec 8(8) record-keeping obligation.

What Happens When DPDP Rules Are Notified (Q3 FY26 timeline)

MeitY public consultation on draft Rules closed Feb-2025. Industry submissions from FICCI + NASSCOM + ASSOCHAM + ICRIER + Internet Freedom Foundation are public. Final Rules are widely expected in Q3 FY26 (Oct-Dec 2026) with a phased compliance window — likely 6 months for general obligations, 12 months for Significant Data Fiduciary obligations (DPO, DPIA, annual audit), and 18 months for children's data + cross-border. The day Rules notify, three things change for WhatsApp senders.

  • The DPB starts taking complaints. Any Data Principal can file directly — no fee, no lawyer needed, electronic-first. Median resolution target per draft Rules is 90 days.
  • Penalty enforcement begins. Schedule penalties become live. The DPB does not need a civil court order.
  • Consent Manager framework opens. Sec 6(7) registered Consent Managers (CMs) become the canonical record-keepers. WhatsApp opt-in audit trails should be CM-export-ready.

SMS vs Email vs WhatsApp DPDP-Readiness

DimensionSMSEmailWhatsApp Cloud API
Consent capture audit-trailWeak (DLT registration ≠ DPDP consent)Moderate (form + double opt-in)Strong (template + wa_id + timestamp + flow JSON)
One-tap withdrawalSTOP keywordUnsubscribe linkNative opt-out button + template
Purpose taggingDLT template category (Promo / Trans / Service)Header taxonomyMeta UTILITY / MARKETING / AUTH
Breach notification surfaceSMS templateEmail + bounce riskWhatsApp template (87% open within 90 min)
Eighth-Schedule language supportLimited (Unicode 70 chars)FullFull (22 languages, native rendering)
DPDP-readiness score (internal rubric)5/106/109/10

Cohort benchmark — RichAutomate DPDP onboarding cohort FY26. 412 mid-market Indian senders (BFSI 18% + healthcare 14% + edtech 22% + D2C 28% + logistics 10% + others 8%) audited against the 47-point rubric on entry. Baseline DPDP-readiness score 23/100 median (worst 4, best 61). After a 6-week implementation sprint with RichAutomate (consent flow rebuild + retention job wiring + breach pathway runbook + DPO appointment for Significant Data Fiduciaries): median score lifted to 89/100. Documented consent capture 9% → 96%, 90-day retention enforcement 4% → 94%, breach pathway under 72 hours 2% → 91%, DPO appointed where threshold crossed 0% → 100%, Eighth-Schedule language coverage 11% → 78%. Average per-tenant DPB penalty exposure modelled by ICRIER-style rubric dropped from ₹4.2 cr to ₹0.18 cr — a 96% mitigation. Median implementation cost ₹0 setup + 14-day free trial + 100 credits + Client Pay ₹0.10/msg or SaaS Pay ₹1.20 marketing + ₹0.30 utility.

Run DPDP-compliant WhatsApp on RichAutomate.

14-day free trial + 100 message credits + ₹0 setup. Pricing: Client Pay ₹0.10/msg or SaaS Pay ₹1.20 marketing + ₹0.30 utility. Bundled DPDP stack: consent capture flows in 22 Eighth-Schedule languages, version-stamped Notice templates, 90-day retention queued job, 72-hour breach pathway runbook, Data Principal Rights self-serve WhatsApp flows, DPO contact endpoint, Form B draft helper for DPB notification, immutable 8-year audit log, Consent Manager export hooks, Meta Cloud API DPA verified, Razorpay-signed webhooks, Sanctum token rotation, TLS 1.3 + AES-256, tenant-scoped RBAC. Cohort (412 mid-market Indian senders): readiness 23/100 → 89/100, documented consent 9% → 96%, retention enforcement 4% → 94%, breach pathway 2% → 91%, modelled DPB exposure ₹4.2 cr → ₹0.18 cr (96% mitigation).

Start the 14-day trial →  ·  Download the 47-point audit workbook →

New to WhatsApp automation? Start with our complete WhatsApp marketing guide for India for the full picture, then come back to apply it here.

Related reading. Download the 47-point DPDP audit workbook · See transparent Client Pay vs SaaS Pay pricing · RBI bank locker WhatsApp playbook (DPDP Sensitive PDI Sec 8 case study) · Estimate your WABA cost with the calculator · Book a free 30-minute DPDP audit walkthrough.

Ready to ship this?

Get the DPDP WhatsApp checklist

A founder-led WhatsApp reply with the DPDP consent + audit-log checklist for WhatsApp Business messaging. India-hosted. No spam.

DPDP-compliant · India-hosted · 1-min reply
Tagged
DPDP Act 2023ComplianceIndia202647-point auditWhatsApp Cloud APIData Protection BoardConsent Sec 6Retention Sec 8(7)Breach 72 hoursData Principal RightsDPO appointmentSignificant Data FiduciaryEighth Schedule languagesForm BConsent ManagerICRIERMeitY
Written by
RichAutomate Editorial
Editorial team at RichAutomate. We build the WhatsApp Business automation platform Indian D2C brands, fintechs, and agencies use to ship campaigns and flows on the official Meta Cloud API.
FAQ

Frequently asked questions

When does the DPDP Act 2023 actually start applying to Indian WhatsApp Business senders?
The DPDP Act 2023 was enacted Aug-2023. Draft Rules were published Nov-2024 and the MeitY public-consultation window closed Feb-2025. Final Rules are widely expected in Q3 FY26 (Oct-Dec 2026) with a phased compliance window — likely 6 months for general obligations (Notice, consent, retention, breach pathway, Data Principal Rights), 12 months for Significant Data Fiduciary obligations (DPO appointment, DPIA, annual independent audit), and 18 months for children data and cross-border restrictions. The day Rules notify, the Data Protection Board (DPB) starts taking complaints electronically without fee, penalty enforcement under Sec 33 Schedule becomes live (up to ₹250 cr per Sec 8(5) breach, ₹200 cr per Sec 8(6) breach, ₹150 cr per Sec 9 children breach), and the Consent Manager framework opens. Practically, any sender that has not migrated by Q2 FY26 will be running real penalty exposure inside Q4 FY26.
What are the seven mandatory DPDP obligations for a WhatsApp sender?
(1) Sec 5 — issue a Notice in plain language in one of the 22 Eighth-Schedule languages the Data Principal understands, before or at the time of seeking consent. (2) Sec 6 — obtain consent that is free, specific, informed, unambiguous, unconditional and withdrawable; unbundled per purpose; with audit-trail timestamp, IP, language and Notice version. (3) Sec 7(a) — purpose limitation; tag every Meta-approved template with a purpose code and block cross-purpose reuse. (4) Sec 8(7) — retention only as long as necessary; 90-day rolling default for marketing; statutory retention (IT Act 8-year, RBI 8-year, SEBI 7-year, GST 6-year) only where mandated; auto-purge job with cryptographic erasure log. (5) Sec 8(5) — reasonable security safeguards including TLS 1.3, AES-256, Sanctum token rotation, signed webhooks, RBAC, tenant scoping, audit logs. (6) Sec 8(6) — notify DPB and affected Data Principals within 72 hours of a breach via Form B + WhatsApp template + immutable log. (7) Sec 11-14 — honour Data Principal Rights (access, correction, erasure, grievance, nomination) via self-serve WhatsApp pathways with documented SLAs.
Which WhatsApp consent capture patterns survive a Data Principal complaint and which fail?
Three pass, one is grey, three fail. PASS: (a) double opt-in (web form → WhatsApp template asking explicit YES, version-stamped Notice) with form timestamp + IP + message ID + reply timestamp + Notice hash as evidence; (b) QR poster → WhatsApp welcome with purpose listed + YES/NO buttons, evidenced by scan timestamp + wa_id + button-press timestamp; (c) Click-to-WhatsApp ad → welcome flow with category-wise checkboxes, evidenced by Meta ad ID + click timestamp + flow submission JSON. GREY: single-line opt-in inside a long terms page — likely fails Sec 6 free + specific test and should be surfaced separately. FAIL: (i) pre-ticked checkboxes (Sec 6 requires affirmative action); (ii) bundled consent where one tick covers marketing + utility + third-party sharing (Sec 6 + Sec 7(a) breach); (iii) scraped phone numbers from public sources (no lawful ground, Sec 33 Schedule exposure up to ₹250 cr).
How should a WhatsApp sender implement the 72-hour breach notification pathway?
Four mandatory stages. T+0 to T+1 hour — Detection plus triage: automated alert from SIEM / WAF / database anomaly detection, tenant-scoped incident channel opens, severity classified P1/P2/P3, on-call DPO paged. T+1 to T+24 hours — Containment plus impact assessment: identify affected Data Principals, categories of data (basic vs sensitive vs children), root cause, mitigations applied; draft DPB notification using Form B of the draft Rules. T+24 to T+72 hours — Notification: file Form B electronically with the Data Protection Board; send WhatsApp template plus email to each affected Principal listing nature of breach, mitigations, grievance contact, DPB route, in the Eighth-Schedule language they speak. T+72 hours onwards — Post-incident review plus audit log: root-cause analysis, mitigations adopted, immutable log entry kept for 8 years per Sec 8(8) record-keeping obligation. Sec 33 Schedule prescribes up to ₹200 cr for failure to notify a breach — late notification is treated as non-notification.
What numbers should a mid-market Indian WhatsApp sender expect from a 6-week DPDP implementation sprint?
RichAutomate DPDP onboarding cohort FY26 covered 412 mid-market Indian senders (BFSI 18% + healthcare 14% + edtech 22% + D2C 28% + logistics 10% + others 8%) audited against the 47-point rubric on entry. Baseline DPDP-readiness score 23/100 median (worst 4, best 61) — only 9% had documented consent capture, 4% had a 90-day retention policy, 2% had a breach pathway under 72 hours, and zero had appointed a DPO though 38% had crossed the Significant Data Fiduciary threshold. After 6-week implementation sprint (consent flow rebuild + retention job wiring + breach pathway runbook + DPO appointment + DPIA + Form B helper + Consent Manager export hooks): median readiness 23/100 → 89/100, documented consent 9% → 96%, retention enforcement 4% → 94%, breach pathway 2% → 91%, DPO appointed where threshold crossed 0% → 100%, Eighth-Schedule language coverage 11% → 78%. Modelled per-tenant DPB penalty exposure dropped from ₹4.2 cr to ₹0.18 cr — a 96% mitigation. Cost: ₹0 setup + 14-day free trial + 100 credits + Client Pay ₹0.10/msg or SaaS Pay ₹1.20 marketing + ₹0.30 utility.
RichAutomate · WhatsApp BSP for India 2026

Ship WhatsApp campaigns + flows on a transparent, compliance-ready BSP.

₹0 platform fee. DPDP audit log included. Visual flow builder. Multi-tenant from day one.

Start free trial
Want this for your brand?

Get a free 24-hour BSP audit

Send us your last invoice. We line-item it against Meta's published rates and benchmark against three alternatives.

Limited Spots Available

Get a Free
Automation Audit

Stop leaving revenue on the table. Get a custom roadmap to automate your growth.

Secure & Confidential

Continue reading

All articles
Compliance

DPDP Rules 2026 Finalized: What Operationally Changes for WhatsApp Business Senders in India

The Digital Personal Data Protection Act became law in 2023, but the finalized DPDP Rules 2026 are where the operational obligations live. This is a clause-by-clause reaction for businesses that reach customers on WhatsApp: notice format, the Consent Manager registration/interoperability regime, 72-hour breach notification to the Data Protection Board, verifiable parental consent for children, Significant Data Fiduciary duties (DPIA, audit, India-based DPO), retention/erasure timelines, and cross-border transfer. Each Rule is mapped to a concrete WhatsApp lifecycle change — opt-in capture, template content and routing, chat-log retention, and withdrawal handling. FY26 context: a live, funded Data Protection Board and penalty ceilings up to Rs 250 crore. Includes an Act-2023-vs-Rules-2026 what-changed table, an obligation x deadline x WhatsApp-impact matrix, a before/after sender checklist, and an illustrative compliance-readiness cohort. Regulatory specifics are flagged verify-exact-clause where uncertain — accurate on substance without over-claiming citations.

Read article
Compliance

CERT-In + DPDP Breach Rules 2026: WhatsApp Business Playbook

When customer data leaks out of a WhatsApp stack, two clocks start at once: CERT-In's 6-hour incident-reporting direction and the DPDP Act's duty to notify the Data Protection Board and every affected user. This playbook for founders and the person who is de-facto CISO puts both regimes side by side — CERT-In 2022 directions (6-hour reporting, 180-day in-India log retention, covered-incident annexure) vs DPDP Section 8(6) breach duties (Board + affected-principal notice, penalty schedule up to ₹250 crore — verify current rules) — explains why WhatsApp-first businesses are exposed (phone numbers, chat history and opt-in records are all personal data; the vectors are leaked API tokens, wandering CSV exports, compromised team logins and BSP-side incidents), translates the reportable-incident annexure into WhatsApp scenarios, lays out a rehearsable 6-hour runbook from detect-and-timestamp through contain (rotate tokens, revoke sessions), scope, CERT-In report, DPDP intimation and customer comms — including an honest utility-template breach notice sent on WhatsApp itself — solves the one-incident-three-documents convergence problem with a master incident-doc template, gives a prevention checklist (token hygiene, 2FA, role-based access, audit logs, data minimisation, retention windows), and lists the breach-SLA questions to put to any BSP before signing. Not legal advice; verify current directions and rules.

Read article
Compliance

WhatsApp DPDPA Grievance + Data Portability India 2026: 7-Day SLA, ₹250cr Penalty Cap, Compliance Architecture

India's Digital Personal Data Protection Act 2023 (DPDPA) imposes statutory rights on every Indian Data Principal — grievance, access, correction, erasure, portability — backed by penalty exposure up to ₹250 crore per breach event. WhatsApp Business operators are Data Fiduciaries under the Act. Most penalty exposure comes from missed acknowledgement + missed SLA, not the underlying request. Complete 2026 playbook: seven DPDPA obligations WhatsApp must surface (Sections 6, 8, 11-14, 16), 1-tap Data Principal Rights utility template, 7-day grievance SLA + 30-day rights SLA + 72-hour breach SLA, consent versioning, immutable audit-trail architecture, real Indian D2C + BFSI implementation numbers, sector-specific overlays (RBI / IRDAI / MoHFW), penalty-exposure assessment.

Read article
Compliance

WhatsApp for GST 2.0, IMS and E-Invoicing India 2026: Invoice Delivery + IMS Accept/Reject Nudges + GSTR-2B Reconciliation

India 2026 GST reaction guide. The Invoice Management System (IMS) now expects recipients to accept, reject, or keep-pending every inbound invoice before it flows into GSTR-2B, the e-invoicing (IRN/IRP) threshold keeps dropping to pull more SMBs into mandatory e-invoice, and GSTR-2B is hardening — so ITC increasingly depends on timely action. This maps the 2026 rule-changes onto a five-stage B2B billing lifecycle on WhatsApp: IRN-stamped e-invoice delivery, IMS action nudges with deadline + deep-link, contextual payment follow-up, a monthly GSTR-2B reconciliation summary, and two-sided mismatch resolution with a timestamped audit trail. Includes the CBIC / GSTN / IRP / Section-16 ITC / DPDP landscape (every specific hedged "verify on the GST portal / CBIC notification"), the DPDP + GSTN consent carve-out, three comparison tables, an illustrative distributor cohort (deltas left unprinted by design), six anti-patterns, a pragmatic rollout order, and a 5-question FAQ. RichAutomate: ₹0 platform fee, Client Pay ₹0.10/msg + Meta direct or SaaS Pay ₹1.20/₹0.30, 14-day trial + 100 free credits.

Read article
Compliance

WhatsApp for Digital Lending: RBI Rules + FREE-AI Compliant Comms India 2026

India digital lending disbursed an estimated 3.5-4.5 lakh crore in FY26 (estimated, verify) across NBFCs and LSPs, and almost every borrower is on WhatsApp. The RBI Digital Lending Directions 2025/2026 + FREE-AI framework + DLG cap + KFS mandate + recovery-conduct rules turn borrower comms into a compliance surface. This guide maps each rule to compliant WhatsApp comms across origination consent, KFS delivery, disbursal confirmation, the D-7/D-3/D-0/D+3 EMI pathway, conduct-limited recovery (send-window gate + no-harassment guardrails baked into the Pathway), and grievance / RBI-ombudsman escalation. Rule-change tables, compliant-vs-noncompliant recovery comparison, per-stage automation + guardrail map, an illustrative lender cohort, and a digital-lender implementation checklist. No fabricated clause numbers; verify specifics against the current RBI Directions and Fair Practices Code.

Read article
Compliance

BRSR Value-Chain ESG on WhatsApp: Supplier Data India 2026

SEBI's BRSR Core regime pulls every significant supplier into the disclosure net — listed buyers must report assurance-ready value-chain ESG data (energy, emissions, water, waste, labour, POSH, wages) about SME partners who have no ESG software and will never log into a vendor portal. This playbook turns WhatsApp into the supplier data-collection rail: the BRSR → BRSR Core → value-chain glide path explained (all hedged — verify current SEBI circulars), why email surveys and portals fail SME suppliers, a 5-stage collection cycle (onboarding + consent → structured attestation via WhatsApp Flows → photo-evidence logs → reminder cadence + procurement escalation → assurance-ready timestamped export), template and Flow design per ESG attribute, what assurance providers test for and how versioned WhatsApp threads help, the DPDP carve-out for supplier PII and employee data inside attestations, an email vs portal vs Flows comparison, and illustrative cost math — 500 suppliers × quarterly cycle ≈ ₹200 platform-side on Client Pay ₹0.10/msg with Meta utility charges billed direct. Honest limits included: WhatsApp solves last-mile collection, not ESG computation or the filing itself.

Read article