The Digital Personal Data Protection Act 2023 is the most consequential change to Indian commercial messaging since TRAI's 2010 NCPR. As of June 2026 the Act is enacted but its operative Sections 4-38 await MeitY notification; the draft Rules circulated 03-Nov-2024 prescribe an 18-month transition from notification, which on the current timeline puts hard enforcement around May 2027. The penalty band is real — up to ₹250 crore per breach under Section 33 read with the First Schedule. This is the 25-step checklist we use internally at RichAutomate to keep every tenant's WhatsApp Business stack compliant. Each step cites the underlying section of the Act or the relevant draft Rule.
How to use this checklist
Treat each step as a discrete engineering or policy ticket. Owners differ — some sit with Legal, some with Engineering, some with Marketing. We tag each step with the Section, sub-section, or Rule it operationalises so your DPO can produce the citation chain if the Data Protection Board sends a Section 28(7) production notice. For the broader regulatory landscape (RBI, IRDAI, SEBI, AIGF, GST, ULIP, IT Rules), see our India 2026 WhatsApp regulation pillar.
“The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose.”
— DPDP Act 2023, Section 6(1) (MeitY gazette PDF)
The 25-step DPDP WhatsApp checklist
1. Classify your role under the DPDP Act 2023
Confirm whether your business is a Data Fiduciary (determines purpose + means — typically the brand/tenant) or a Data Processor (operates on instructions — typically the BSP). RichAutomate is a Data Processor under Section 2(k); the tenant is the Data Fiduciary and carries primary liability under Section 8.
DPDP Act 2023 Section 2(i), 2(k)
2. Designate a Data Protection Officer or contact point
For Significant Data Fiduciaries notified under Section 10, a resident-Indian Data Protection Officer is mandatory. All other Data Fiduciaries must publish a contact for grievances under Section 8(9). Publish the contact on your privacy policy and WhatsApp Business profile.
DPDP Act 2023 Section 8(9), 10(2)(a)
3. Rewrite your consent notice to Section 6(3) language
The notice must describe (a) the personal data and the purpose, (b) the manner of exercise of rights, and (c) the manner of making a complaint to the Data Protection Board. Offer the notice in English plus any of the 22 Eighth Schedule languages on the Data Principal’s request.
DPDP Act 2023 Section 5, 6(3)
4. Capture consent that is "free, specific, informed, unconditional and unambiguous"
Section 6(1) verbatim: consent shall be "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Pre-ticked boxes, bundled consents, and silence are not valid. WhatsApp opt-in via a quick-reply button or a typed YES counts as a clear affirmative action when paired with the Section 6(3) notice.
DPDP Act 2023 Section 6(1)
5. Separate marketing, utility, and authentication purposes
A single consent cannot cover all message categories. Capture marketing consent separately from transactional and authentication purposes. Meta’s WhatsApp template categories (Marketing, Utility, Authentication) align with this requirement.
DPDP Act 2023 Section 6(1) "specific"
6. Store consent with timestamp, purpose, channel, and notice version
Build a consent ledger that stores (a) the exact timestamp in ISO-8601 with the IST offset, (b) the purpose tag, (c) the source channel (WhatsApp / web / phone / in-store), (d) the IP or device fingerprint, (e) a hash of the notice version shown, and (f) the consent text as received. The Data Protection Board can demand production of these records under Section 28(7).
DPDP Act 2023 Section 6(8), 28(7)
7. Build one-click withdrawal "comparable in ease" to giving consent
Section 6(4): withdrawal must be as easy as consent. Implement a "STOP" or "OPT OUT" keyword on WhatsApp that triggers withdrawal across all marketing purposes within 200 ms, propagating to template scheduler, campaigns, and flow runs. Confirm withdrawal back to the Data Principal.
DPDP Act 2023 Section 6(4)–(6)
8. Honour Data Principal access requests within statutory timelines
Section 11 grants the right to a summary of personal data processed and identities of all Fiduciaries with whom data has been shared. Build a "DOWNLOAD MY DATA" path that returns a machine-readable file within seven working days of request.
DPDP Act 2023 Section 11
9. Honour correction and erasure rights under Section 12
Data Principals can demand correction, completion, updating, and erasure of personal data. Map every storage location (database, backups, S3, analytics, third-party CRM) and ensure erasure propagates across all of them within the statutory window.
DPDP Act 2023 Section 12
10. Implement a 72-hour breach intimation pathway to the Data Protection Board
MeitY draft Rule 6(1) (Nov-2024 consultation) verbatim: "Every Data Fiduciary shall, on becoming aware of any personal data breach, give intimation of such breach to the Board, without delay, and in any event within seventy-two hours of such awareness." Build a runbook, named on-call, and a Board-Form-B-ready template.
MeitY DPDP Rules (draft Nov-2024) Rule 6
11. Notify affected Data Principals of the breach
Section 8(7) requires intimation to each affected Data Principal "in such form and manner as may be prescribed." Draft a WhatsApp utility template (pre-approved) that can carry the breach intimation without waiting for fresh Meta template review.
DPDP Act 2023 Section 8(7)
12. Default retention to the shortest period justified by the purpose
Section 8(8) requires erasure when the purpose is no longer served and retention is not required by law. Set per-purpose retention defaults (marketing: 24 months from last engagement; utility: as required by GST/income-tax law; authentication: 90 days) and run automated erasure jobs at the schema level.
DPDP Act 2023 Section 8(8), draft Rule 5
13. Restrict cross-border transfer to whitelisted countries
Section 16 empowers the Central Government to restrict transfer of personal data to specified countries. Draft Rule 12 (Nov-2024) prescribes Significant Data Fiduciary controls including data flow restrictions. Default storage to Indian AWS Mumbai (ap-south-1) and document any cross-border processor.
DPDP Act 2023 Section 16; MeitY draft Rule 12
14. Maintain reasonable security safeguards under Section 8(5)
Implement encryption at rest (AES-256), encryption in transit (TLS 1.3), role-based access, audit logging of every read of personal data, and quarterly penetration tests. Section 33 First Schedule attaches the highest penalty band (up to ₹250 crore) to failure of security safeguards.
DPDP Act 2023 Section 8(5), 33 + First Schedule
15. Implement verifiable parental consent for children under 18
Section 9 requires verifiable parental consent before processing the personal data of any individual under 18. Disable WhatsApp marketing flows where age is undeclared or self-declared as under 18, and offer a guardian-consent path for fintech / gaming / health verticals.
DPDP Act 2023 Section 9
16. Disable tracking and behavioural monitoring of children
Section 9(2) prohibits tracking, behavioural monitoring, or targeted advertising directed at children. Audit WhatsApp campaign segmentation rules to exclude any age-tagged minor cohort from retargeting.
DPDP Act 2023 Section 9(2)–(3)
17. Publish a DPDP-compliant privacy notice on every collection surface
The website privacy policy, the WhatsApp Business profile description, the lead-magnet form, and the chatbot first-touch must all carry a link to the same notice. Use RichAutomate’s privacy-policy generator for a base draft tailored to your sector.
18. Sign a Data Processing Agreement with every Processor
Section 8(2) makes the Fiduciary liable for Processor non-compliance unless a written contract is in place. Sign a DPA with the BSP, the analytics vendor, the CRM, the SMS fallback provider, and any sub-processor. Publish the list of Processors in the privacy notice for transparency.
DPDP Act 2023 Section 8(2)
19. Validate Meta template content against Section 6 consent scope
A marketing template can only be delivered to Data Principals who opted in to marketing. A utility template can only carry transactional content tied to an existing relationship. Use the template-category gate inside RichAutomate to refuse sends that breach scope.
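The consent ledger of step 6, the STOP / OPT OUT withdrawal of step 7 and the template-category gate of this step are one mechanism seen from three sides, so here is a single worked example of all three. It is added for this page and is not RichAutomate code: the class and function names, the `ConsentRecord` fields, the sample notice text and the phone numbers are all constructed for illustration. The ledger hashes the exact notice text shown (so the record proves which notice version the Data Principal saw), stamps every record with an ISO-8601 IST timestamp, withdraws every active marketing consent on a STOP keyword, and refuses a template send whose category has no active consent covering it.

```python
"""Consent ledger, STOP-keyword withdrawal and template-category gate (illustrative)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

IST = timezone(timedelta(hours=5, minutes=30))  # all ledger timestamps carry +05:30

# Purpose tags mirror Meta's template categories. Only marketing is withdrawn by STOP;
# utility and authentication ride on the existing relationship and are withdrawn separately.
ALL_PURPOSES: Set[str] = {"marketing", "utility", "authentication"}
MARKETING_PURPOSES: Set[str] = {"marketing"}

# Constructed sample Section 6(3) notice; in production this is the live notice text.
NOTICE_TEXT = (
    "We process your phone number and order history to send order updates and, "
    "if you agree, offers. Reply STOP at any time to withdraw marketing consent. "
    "Complaints may be made to our Grievance Officer or to the Data Protection Board."
)


def notice_version_hash(notice_text: str) -> str:
    """SHA-256 of the exact notice shown, so the ledger can prove which text was presented."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    principal: str                    # WhatsApp identifier (E.164 phone number)
    purpose: str                      # marketing / utility / authentication
    channel: str                      # whatsapp / web / phone / in-store
    device: str                       # IP or device fingerprint as captured
    notice_hash: str                  # hash of the notice version in force
    consent_text: str                 # the affirmative action as received, e.g. "YES"
    given_at: str                     # ISO-8601 with +05:30 offset
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    """Append-only store; withdrawal sets withdrawn_at rather than deleting the record."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, principal: str, purpose: str, channel: str, device: str,
                       notice_text: str, consent_text: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
        if purpose not in ALL_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        stamp = (now or datetime.now(IST)).astimezone(IST).isoformat()
        rec = ConsentRecord(principal, purpose, channel, device,
                            notice_version_hash(notice_text), consent_text, stamp)
        self._records.append(rec)
        return rec

    def has_active_consent(self, principal: str, purpose: str) -> bool:
        return any(r.principal == principal and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def withdraw(self, principal: str, purposes: Set[str],
                 now: Optional[datetime] = None) -> int:
        """Mark every active record for the given purposes as withdrawn; return the count."""
        stamp = (now or datetime.now(IST)).astimezone(IST).isoformat()
        count = 0
        for r in self._records:
            if r.principal == principal and r.purpose in purposes and r.withdrawn_at is None:
                r.withdrawn_at = stamp
                count += 1
        return count

    def export_for_principal(self, principal: str) -> str:
        """Machine-readable summary of a principal's records (a Section 11 style export)."""
        return json.dumps([asdict(r) for r in self._records if r.principal == principal], indent=2)


def handle_inbound_keyword(ledger: ConsentLedger, principal: str, text: str,
                           now: Optional[datetime] = None) -> Optional[str]:
    """STOP / OPT OUT withdraws all marketing purposes; returns the confirmation to send back."""
    if text.strip().upper() in {"STOP", "OPT OUT"}:
        n = ledger.withdraw(principal, MARKETING_PURPOSES, now)
        return f"You are opted out of marketing messages ({n} consent(s) withdrawn)."
    return None


def gate_template_send(ledger: ConsentLedger, principal: str, template_category: str) -> bool:
    """Allow a send only when the template's category has an active, purpose-specific consent."""
    category = template_category.lower()
    if category not in ALL_PURPOSES:
        raise ValueError(f"unknown template category {template_category!r}")
    return ledger.has_active_consent(principal, category)


def demo() -> dict:
    """Constructed walk-through: opt in to two purposes, send STOP, re-check the gate."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 6, 1, 10, 0, tzinfo=IST)
    first = ledger.record_consent("+919800000001", "marketing", "whatsapp", "fp-demo-1",
                                  NOTICE_TEXT, "YES", t0)
    ledger.record_consent("+919800000001", "utility", "whatsapp", "fp-demo-1", NOTICE_TEXT, "YES", t0)
    out = {
        "given_at": first.given_at,
        "marketing_before": gate_template_send(ledger, "+919800000001", "Marketing"),
        "utility_before": gate_template_send(ledger, "+919800000001", "Utility"),
        "unknown_principal": gate_template_send(ledger, "+919800000002", "Marketing"),
        "reply": handle_inbound_keyword(ledger, "+919800000001", " stop ", t0 + timedelta(days=1)),
        "ignored": handle_inbound_keyword(ledger, "+919800000001", "hello"),
    }
    out["marketing_after"] = gate_template_send(ledger, "+919800000001", "Marketing")
    out["utility_after"] = gate_template_send(ledger, "+919800000001", "Utility")
    out["export_count"] = len(json.loads(ledger.export_for_principal("+919800000001")))
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real deployment: withdrawal never deletes the consent row, because the Section 28(7) production must show both when consent was given and when it was withdrawn; and the gate keys on the purpose tag rather than on "any consent exists", which is what the Section 6(1) word "specific" requires.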
20. Audit third-party pixels, tags, and SDKs on the WhatsApp lead funnel
A Click-to-WhatsApp ad that fires a Meta Pixel, a Google Tag, and a third-party CDP simultaneously creates four data flows. Each one needs separate consent or a legitimate-use justification under Section 7. Document the lawful basis per pixel.
DPDP Act 2023 Section 7
21. Build the Section 28 cooperation runbook
When the Data Protection Board issues a notice under Section 28, the Fiduciary must produce records within the stipulated time. Pre-index your consent ledger, breach log, processor list, and DPIA file so production is hours, not weeks.
DPDP Act 2023 Section 28(7)
22. Track Significant Data Fiduciary thresholds
Section 10 + draft Rule 11 (Nov-2024) prescribe additional obligations — DPIA, periodic audit, algorithmic risk assessment — once the Central Government notifies an entity as a Significant Data Fiduciary. Monitor volume, sensitivity, and risk to know when you cross the line.
DPDP Act 2023 Section 10; MeitY draft Rule 11
23. Run a Data Protection Impact Assessment for high-risk processing
For volumetric marketing, behavioural profiling, financial / health data, and minor-facing flows, run a DPIA documenting the purpose, data categories, retention, security controls, and risk-mitigation. Refresh annually or on material change.
MeitY draft Rule 11(b)
24. Train every team handling personal data
Customer support, marketing, growth, ops, and engineering all touch personal data. Mandate annual DPDP training, log completion, and gate access to production data behind certification.
DPDP Act 2023 Section 8(4) "reasonable safeguards"
25. Maintain a public grievance redressal channel
Section 8(9) requires a published grievance mechanism. Publish the grievance officer name, email, phone, and SLA on the privacy page and WhatsApp Business profile. Track every complaint to closure with timestamps.
DPDP Act 2023 Section 8(9), 13
26. Refresh the compliance posture every 90 days
MeitY notifications, Board guidance, and judicial interpretation will all shift over the next 18 months. Schedule a quarterly compliance review, track gazette publications, and version your privacy notice with dated changelogs.
Quick-reference compliance status table
| Instrument | Status as of June 2026 | Expected enforcement |
|---|---|---|
| DPDP Act 2023 (Act 22 of 2023) | Enacted, awaiting Section-wise notification | Phased from MeitY notification date |
| MeitY draft DPDP Rules (Nov-2024) | Consultation closed 18-Feb-2025; final notification pending | Operative on notification |
| Data Protection Board | Members not yet appointed | 12 months from Rules notification |
| Significant Data Fiduciary list | Not yet notified | Per Section 10(1) on MeitY assessment |
| Cross-border transfer whitelist | Not yet notified | Per Section 16 on Central Government order |
Official sources cited on this page
Every claim above is grounded in one of the following primary instruments:
Where RichAutomate fits
RichAutomate is the only Indian WhatsApp Business platform that ships every tenant with a DPDP consent ledger, a 72-hour breach intimation runbook, default Indian residency on AWS Mumbai (ap-south-1), a Section 11 access portal, and a Section 12 erasure path — all baked in at the tenant layer. We sign a model Data Processing Agreement on signup and refresh the compliance posture every 90 days. Start a 14-day free trial at /register or read the full India 2026 regulation pillar for the broader picture.