WhatsApp Marketing Compliance in India 2026: Opt-In, Opt-Out, Quality, DPDPA
WhatsApp marketing in India in 2026 sits at the crossroads of two rulebooks. Meta's Business Platform policies decide whether your messages get delivered and whether your number stays alive. India's Digital Personal Data Protection Act decides whether your business stays out of legal trouble. Most Indian SMBs running WhatsApp campaigns today are aware of one but not the other. This guide walks through both: the opt-in rules, opt-out requirements, quality rating mechanics, and the DPDPA obligations that came into force in 2024 and are now actively enforced.
The penalty for getting this wrong is not just a banned WhatsApp number. Under DPDPA, fines can go up to Rs 250 crore per breach. The good news: compliance is mostly a few small process changes. Get them right at setup and you are covered for the long run.
The two rulebooks every Indian WhatsApp marketer must follow
There are two distinct sets of rules that apply to every WhatsApp marketing campaign in India. They overlap but are not the same.
| Rulebook | Who enforces | Penalty for violation |
|---|---|---|
| Meta WhatsApp Business Policy | Meta (automatic, via quality rating and suspensions) | Number suspension, lost templates, account ban |
| Digital Personal Data Protection Act, 2023 (DPDPA) | Data Protection Board of India | Fines up to Rs 250 crore per breach |
Meta's rules are about message delivery. DPDPA is about consent and customer data rights. You need to comply with both. Following one does not automatically mean you are following the other.
Opt-in rules: what counts and what does not
Both Meta and DPDPA require explicit opt-in before you send any marketing message to a customer on WhatsApp. The bar is higher than email. A pre-ticked checkbox does not count. A vague "we may message you" line does not count. The opt-in must be specific, unambiguous, and stored with a timestamp.
Strong opt-in methods
An unchecked checkbox at checkout that says "Send me order updates and offers on WhatsApp" is the gold standard. Around 60-80 percent of Indian shoppers tick it. A WhatsApp toggle on your signup form is similar. An in-store QR code that lands on an opt-in form (not direct WhatsApp chat) is strong because the customer takes a deliberate action. A click-to-WhatsApp ad counts as opt-in because the customer is initiating the chat themselves.
Risky opt-in methods
Importing your existing email subscriber list to WhatsApp is risky unless your original email opt-in explicitly mentioned WhatsApp. If it said "we will message you about our products" with no channel specified, that does not give you WhatsApp permission. Re-collect opt-in through a dedicated email or in-store before adding email subscribers to WhatsApp.
Banned opt-in methods
Bought lists are zero opt-in. Lead lists from data brokers, scraped numbers from public sources, and free databases all fall here. Two campaigns to a bought list will drop your quality rating to Red and trigger a Meta suspension. DPDPA also makes it a major violation. Never use a bought list, ever.
Opt-out rules and the 24-hour processing window
Every marketing message you send must include a clear opt-out path. The phrase "Reply STOP to opt out" at the bottom of the template body is the most common. Once a customer opts out, you must process the request within 24 hours and never send another marketing message to that number until they opt back in.
Most WhatsApp Business API platforms handle opt-outs automatically. When a customer replies STOP, the platform tags them as opted-out and stops including them in future broadcasts. Test this on your platform: send a test message to your own number, reply STOP, then try to add yourself to a broadcast. The platform should refuse.
For SMBs sending in regional languages, add opt-out phrasing in those languages too, for example "Reply BAND for stop" in Hindi or "Reply NIRUTHU for stop" in Tamil. Customers respond in the language they read, so recognize the opt-out in that language.
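The opt-in and opt-out rules above, sketched as a small consent ledger. This is an added example, not code from any WhatsApp Business API platform: the class, the source labels and the phone numbers are hypothetical, and only the STOP, BAND and NIRUTHU keywords come from the article.

```python
from datetime import datetime, timezone

# Opt-out keywords named in the article (English, Hindi, Tamil).
OPT_OUT_KEYWORDS = {"STOP", "BAND", "NIRUTHU"}
# Hypothetical labels for the opt-in methods the article treats as valid.
VALID_SOURCES = {"checkout_checkbox", "signup_toggle", "qr_form",
                 "click_to_whatsapp_ad"}

class ConsentLedger:
    def __init__(self):
        self.state = {}  # phone -> "in" or "out"
        self.log = []    # append-only audit trail for opt-in/opt-out records

    def _record(self, phone, event, detail, when):
        self.log.append((when.isoformat(), phone, event, detail))

    def opt_in(self, phone, source, pre_ticked, when):
        # Pre-ticked boxes and unrecognised sources (imported or bought
        # lists) are rejected, and the rejection itself is logged.
        if pre_ticked or source not in VALID_SOURCES:
            self._record(phone, "opt_in_rejected", source, when)
            return False
        self.state[phone] = "in"
        self._record(phone, "opt_in", source, when)
        return True

    def handle_inbound(self, phone, text, when):
        # Exact keyword match after normalising case, spaces and trailing
        # punctuation; free-text requests still need human review.
        word = text.strip().strip(".!").upper()
        if word in OPT_OUT_KEYWORDS:
            self.state[phone] = "out"  # applied at once, inside the 24h window
            self._record(phone, "opt_out", word, when)
            return True
        return False

    def broadcast_recipients(self, phones):
        # Default deny: only numbers with a live opt-in are eligible.
        return [p for p in phones if self.state.get(p) == "in"]

if __name__ == "__main__":
    now = datetime(2026, 1, 5, 10, 0, tzinfo=timezone.utc)  # constructed
    ledger = ConsentLedger()
    ledger.opt_in("+910000000001", "checkout_checkbox", False, now)
    ledger.handle_inbound("+910000000001", "band", now)
    print(ledger.broadcast_recipients(["+910000000001"]))
    print(ledger.log)
```

Filtering every broadcast through `broadcast_recipients` is what makes the self-test described above fail closed: a number that replied STOP, or never opted in, cannot be added back by a list upload.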
Meta's quality rating mechanics
Meta's quality rating is the early warning system that tells you whether your sending behavior is compliant with their policies. It is scored on three levels: Green, Yellow, Red. The score is based on the last 7 days of user signals: blocks, reports, message reactions, and engagement.
What drops you from Green to Yellow
Block rate climbing to 2-3 percent is the most common cause. It happens when you send to dormant or stale contacts who do not remember opting in. A sudden volume spike (10x your normal day) can also flag you. Negative customer reports (when users tap "Report" instead of just "Block") count more heavily. Sending marketing to the same list every day is another big trigger. To recover, pause marketing broadcasts for 5-7 days, send only to your most engaged 10 percent, and let the rating refresh.
What drops you from Yellow to Red
Block rate over 3 percent. High user reports (more than 5 per 1,000 sends). Policy violations like asking for sensitive info inside templates or using shorteners. Bought list detection from high block rates on numbers Meta knows are commonly scraped. At Red, your daily cap drops to 1,000 and you face suspension risk if not fixed within 7-14 days. Recovery means stopping all broadcasts and reaching customers only inside the free 24-hour service window. For the full step-by-step guide on running broadcasts that protect quality rating, see our broadcast guide.
The DPDPA Act: what every Indian WhatsApp marketer must do
India's Digital Personal Data Protection Act came into force in 2024 and is now actively enforced in 2026. It applies to any business that processes the personal data of Indian residents, which includes every Indian SMB running WhatsApp marketing. The core obligations are simpler than they sound.
1. Get explicit consent before sending
The DPDPA standard for consent is "free, specific, informed, unconditional, and unambiguous." A pre-ticked checkbox fails. A bundled "agree to terms and marketing" fails. The consent has to be a separate, clear opt-in for marketing messages on WhatsApp specifically. Verbal opt-ins (at the point of sale, for example) are valid if you follow up with a confirmation message to the customer.
2. Tell customers what data you collect
Add a short privacy notice to your opt-in form. Mention what data you collect (name, phone number, purchase history, etc.), how you use it (order updates, marketing, support), how long you keep it, and how to opt out. A 4-line notice is enough. Link to your full privacy policy from the notice.
3. Give an easy opt-out
"Reply STOP to opt out" in every marketing template is the minimum. Process the opt-out within 24 hours and stop all marketing to that number until the customer opts back in. Keep a record of when each opt-out happened in case of audit.
4. Honor data access requests
If a customer asks "What data do you hold about me?", you have 30 days to respond. The easiest format is a downloadable CSV with their contact details, opt-in records, message history, and purchase history. Most WhatsApp Business API platforms can export this with one click.
5. Delete on request
If a customer asks you to delete their data, you have 30 days to comply. Document the deletion. If you keep some data for legal or accounting reasons (GST records, for example), tell the customer which data you are keeping and why. Tax records must be kept for 6-8 years under GST and Income Tax laws, which DPDPA accepts as a legitimate exception.
6. Notify breaches within 72 hours
If customer data leaks (even by accident), you have 72 hours to inform affected customers and the Data Protection Board of India. A breach can be a CSV download going to the wrong email, an exposed database, or a stolen laptop with customer info. Have an incident response plan ready before you need it.
What happens if you ignore the rules
Meta's enforcement is automatic and fast. A Red quality rating drops your daily cap to 1,000 within 24 hours. Continued violations lead to a 30-day suspension. Repeat suspensions or major policy violations (like a bought list) trigger a permanent number ban with no appeal. Your templates, message history, and customer list are gone with the number.
DPDPA enforcement is slower but the penalties are larger. Fines can go up to Rs 250 crore per breach incident, scaled by company size and harm caused. A small SMB doing 10,000 messages a month is unlikely to face the top-end fine, but Rs 5-50 lakh fines are realistic for repeat opt-in violations. The Data Protection Board has powers to investigate, audit, and impose penalties without going to court.
The cost of compliance is small. The cost of non-compliance can end a business.
A pre-launch compliance checklist
Before you send your first WhatsApp marketing broadcast in India, run through this 10-point checklist:
- Opt-in checkbox added to checkout, signup, and lead forms (unchecked by default)
- Short privacy notice next to the opt-in field, linking to full privacy policy
- All marketing templates include "Reply STOP to opt out" in the body
- STOP keyword tested: send to yourself, reply STOP, try to add yourself to a broadcast (should fail)
- Opt-out logs stored with timestamp for every user who has unsubscribed
- Data access request process documented (who handles it, what gets sent)
- Data deletion request process documented (who deletes what, how it is logged)
- Incident response plan for data breaches (who calls whom in the first 72 hours)
- Privacy policy on your website updated to mention WhatsApp marketing
- Team trained on DPDPA basics: 30-min internal briefing is enough for a 5-10 person team
This takes 4-8 hours of work end-to-end. Most of it is one-time setup. Once done, ongoing compliance is mostly automatic if your WhatsApp Business API platform handles opt-out processing correctly.
Frequently Asked Questions
Are WhatsApp marketing messages legal in India?
Yes, when sent through the WhatsApp Business API to customers who have explicitly opted in. The Digital Personal Data Protection Act and Meta's Business Policy both allow marketing messages with proper consent. Sending without opt-in or through unauthorized bulk senders is illegal and can result in fines up to Rs 250 crore plus a permanent number ban.
What is WhatsApp opt-in compliance in India?
Opt-in compliance means getting explicit, unambiguous consent before sending marketing messages. The standard methods are an unchecked checkbox at checkout, a WhatsApp toggle on signup forms, in-store QR code scans, or click-to-WhatsApp ad clicks. Pre-ticked checkboxes and bought lists do not count as valid opt-in.
What is the WhatsApp quality rating and how do I keep it Green?
Quality rating is Meta's score of your number based on the last 7 days of user signals like blocks, reports, and engagement. Keep it Green by sending only to opted-in engaged contacts, keeping block rates under 2 percent, limiting marketing to 2-3 broadcasts a month per list, and avoiding pressure language in templates.
What happens if my WhatsApp quality rating drops to Red?
Your daily messaging cap drops to 1,000. Tier upgrades freeze. If not fixed within 7-14 days, the number faces a 30-day suspension. Recovery means stopping all marketing broadcasts and reaching customers only inside the free 24-hour service window for at least 7-14 days to let the rating refresh.
Do I need to comply with DPDPA if I am a small Indian business?
Yes. DPDPA applies to every business processing personal data of Indian residents, regardless of size. Small businesses get the same obligations as large ones, though enforcement intensity scales with the risk. A solo founder with 1,000 customers needs to follow the same opt-in, opt-out, and data rights rules as a 1,000-person enterprise.
What is the maximum DPDPA fine for non-compliance?
Up to Rs 250 crore per breach incident, depending on the severity, scale, and harm caused. Smaller penalties of Rs 5-50 lakh are realistic for repeat opt-in violations in small business contexts. The Data Protection Board has the power to investigate and impose penalties without going to court.
Stay compliant from your first message
Compliance with both Meta and DPDPA is mostly a few small process changes done correctly at setup. Add the opt-in checkbox. Include opt-out language. Process unsubscribes within 24 hours. Keep records. Train your team for 30 minutes on DPDPA. Once that is in place, you are covered for years. Start a free 14-day Wamafy trial and use the pre-launch checklist above to set up a compliant program from day one. Card is authorized during trial activation and charged only on day 15.