
DPDP Act Marketing Consent: Email, SMS, and WhatsApp

How to obtain and manage DPDP Act-compliant marketing consent for email, SMS, and WhatsApp campaigns targeting Indian users — lawful bases, opt-in mechanics, and DND compliance.

Key Takeaways
  • Marketing communications (email, SMS, WhatsApp) require explicit consent under the DPDP Act — pre-ticked boxes and implied consent are not sufficient.
  • The TRAI DND framework for SMS/voice continues to apply alongside DPDP — compliance with both is required for telecoms marketing.
  • Consent must be specific to each channel (email, SMS, WhatsApp are separate consents) and each purpose.
  • Purchased or scraped contact lists for marketing violate the DPDP Act — all marketing contacts must have provided their own consent.
  • Consent records for marketing must be retained and producible to demonstrate compliance to the Data Protection Board.

Direct marketing — sending promotional communications via email, SMS, WhatsApp, push notification, or any other channel — involves processing personal data (contact details, segmentation data, engagement behaviour) for the purpose of marketing. Under the DPDP Act 2023, this processing requires a lawful basis. In most marketing scenarios, the appropriate basis is explicit consent from the Data Principal.

Indian marketing practice has historically been characterised by aggressive outreach with limited regard for recipient consent: unsolicited cold emails, spam SMS campaigns, and mass WhatsApp broadcasts. The DPDP Act, combined with TRAI's DND regulations, significantly tightens the consent requirements for marketing communications and creates financial exposure for non-compliant marketing programmes.

The act of marketing is not just a communication channel issue — it is a data processing question. Every personalisation decision, every segmentation model, every A/B test in a marketing campaign involves processing personal data. The consent basis that covers sending a marketing email should also cover the analytics and profiling that determines who receives it and what they see.

Lawful Basis for Marketing Communications

For marketing communications where the primary purpose is promotion of goods or services rather than delivery of a contracted service, consent is the only clearly available lawful basis under the DPDP Act. The Section 7 legitimate uses do not cover commercial marketing — they cover state functions, medical emergencies, legal compliance, and employment. A SaaS company wanting to send product updates and promotional offers to prospective or current users needs consent.

One common confusion: transactional communications (receipts, order confirmations, security alerts, service status updates) are not marketing — they are part of service delivery. These can be sent under the contractual processing basis or Section 7 without separate marketing consent. Do not conflate transactional and marketing in your consent architecture — they have different lawful bases and different opt-out rules.

Re-engagement campaigns targeting lapsed customers present a specific challenge. If a customer's marketing consent has expired (through withdrawal or lapse of time), sending them a re-engagement email requires a new consent. You cannot send a re-engagement campaign without a pre-existing valid consent basis — the campaign itself cannot establish the consent it requires to be sent.

Building Compliant Opt-In Mechanics

Compliant marketing opt-in must be: active (the user must take a positive action — check a box, tap a button), separate from other consents (not bundled with T&Cs or service consents), informed (clearly describing what communications will be sent, at what frequency, and how to unsubscribe), specific (separate consents for email, SMS, and WhatsApp if you use multiple channels), and voluntary (checking the box cannot be required to complete registration or access the service).

Pre-ticked checkboxes, opt-out language ("We may send you marketing emails unless you uncheck this box"), and "by signing up you agree to receive marketing" phrases in terms of service are all non-compliant under the DPDP Act's Section 6 consent standard. These patterns must be removed from all registration flows and replaced with explicit opt-in mechanics.

Double opt-in — sending a confirmation email that the user must click to activate their marketing subscription — is a best practice that strengthens consent records and reduces bounce rates. While not explicitly required by the DPDP Act, double opt-in provides additional evidence of voluntary, informed consent and dramatically reduces the risk of consent disputes.

Email Marketing Compliance

Every marketing email sent to Indian Data Principals must satisfy DPDP Act requirements. Before sending: verify that each recipient on the list has provided valid, documented consent for email marketing. Do not import lists from other systems without first verifying consent provenance — if you cannot prove when and how each contact consented to email marketing from your company specifically, that contact should not receive marketing emails.

Every marketing email must include: your company name and registered address, a clear and functional unsubscribe mechanism, and a link to your privacy policy. The unsubscribe mechanism must actually work — recipients must be removed from marketing lists within 10 business days of unsubscription (or sooner if technically feasible). Test your unsubscribe flow regularly.

Maintain your email suppression list (the list of email addresses that have unsubscribed or requested to not be contacted) and apply it to every send. Importing a new list segment should not cause suppressed contacts to receive emails again. This is a common technical failure in email marketing operations — the suppression list must be applied before any send, not just maintained as a static file.

SMS and WhatsApp Marketing Compliance

SMS marketing in India is regulated by both the DPDP Act and the TRAI Telecom Commercial Communication Customer Preference Regulations (DND regulations). Under TRAI rules, you must register as a Principal Entity, register your templates, and obtain prior consent through the TRAI Distributed Ledger Technology (DLT) platform before sending promotional SMS. DND registrations operate as a consent record for TRAI purposes but do not replace DPDP Act consent requirements — both apply.

WhatsApp marketing via the WhatsApp Business API has its own consent framework. Meta (WhatsApp's parent) requires that you obtain explicit opt-in consent from users before sending them marketing messages via the WhatsApp Business API. This Meta requirement aligns with DPDP Act consent requirements. Maintain records of WhatsApp opt-ins, including the timestamp and the mechanism (web form, in-app consent, etc.).

Both SMS and WhatsApp marketing require channel-specific consent — a user who consented to email marketing has not thereby consented to SMS or WhatsApp outreach. Obtain explicit consent for each channel in your marketing preference centre. Given the more intrusive nature of SMS and WhatsApp (they appear on the user's personal mobile device), the threshold for consent should be applied rigorously.

Contact List Hygiene and Purchased Lists

Purchased, rented, or scraped contact lists are incompatible with the DPDP Act. When you purchase a contact list from a data broker, the individuals on that list have not consented to receive marketing from your company specifically — they may have consented to the data broker's terms, but consent is not transferable under the DPDP Act's specific consent standard. Sending marketing to a purchased list is processing personal data without a valid lawful basis.

Audit your existing marketing lists for consent provenance. For each segment in your email or SMS list, document: where the contacts came from, when they were added, what consent mechanism was used, and where the consent record is stored. Any segment for which you cannot produce consent records should be suppressed from marketing sends until consent is re-obtained.
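The send-time gate implied by the suppression-list and consent-provenance passages above, as an added example (not code from this page or any marketing platform): the record fields, reason strings and sample contacts are constructed assumptions. It rebuilds the send list for one channel on every send, so a re-imported segment cannot bypass suppression or a missing consent record.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    contact: str                 # email address or phone number for this channel
    channel: str                 # "email", "sms" or "whatsapp"; consent is per channel
    obtained_at: datetime        # when the opt-in was captured
    mechanism: str               # provenance, e.g. "web_form", "in_app"
    withdrawn_at: Optional[datetime] = None

def normalise(contact: str) -> str:
    """Canonical key so a re-imported 'Asha@Example.in ' still matches."""
    return contact.strip().lower()

def build_send_list(segment, channel, consents, suppressed):
    """Return (sendable, rejected); rejected maps contact -> reason."""
    index = {(normalise(c.contact), c.channel): c for c in consents}
    blocked = {(normalise(addr), ch) for addr, ch in suppressed}
    sendable, rejected = [], {}
    for raw in segment:
        key = normalise(raw)
        record = index.get((key, channel))
        if (key, channel) in blocked:
            rejected[key] = "suppressed"
        elif record is None:
            rejected[key] = "no consent record for channel"
        elif record.withdrawn_at is not None:
            rejected[key] = "consent withdrawn"
        elif not record.mechanism:
            rejected[key] = "consent provenance missing"
        elif key not in sendable:        # drop duplicates within the import
            sendable.append(key)
    return sendable, rejected

# Constructed sample data, not real contacts.
CONSENTS = [
    ConsentRecord("asha@example.in", "email", datetime(2024, 3, 1), "web_form"),
    ConsentRecord("ravi@example.in", "email", datetime(2024, 4, 2), ""),
    ConsentRecord("meera@example.in", "email", datetime(2024, 5, 5), "in_app"),
    ConsentRecord("+910000000001", "sms", datetime(2024, 3, 1), "web_form",
                  withdrawn_at=datetime(2024, 6, 1)),
]
SUPPRESSED = {("meera@example.in", "email")}
IMPORTED = ["Asha@Example.in ", "ravi@example.in", "MEERA@example.in",
            "new@example.in", "asha@example.in"]
```

Logging the `rejected` map for each send gives a per-contact reason that can be kept alongside the consent records.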

Conference badge scanning, business card collection, and LinkedIn scraping are common B2B lead generation tactics that do not automatically create DPDP Act-compliant marketing consent. Adding a contact to your marketing automation system because you met them at a conference (without their explicit consent to receive marketing) is a DPDP Act violation. Move to consent-first lead generation: landing pages with explicit opt-in, webinar registrations with marketing consent, and direct consent at the point of contact.

Building a Marketing Preference Centre

A marketing preference centre is a self-service portal where contacts can view and manage their marketing consents: which channels they have opted into, what types of content they receive, and the ability to update or withdraw consents. It is both a DPDP Act compliance requirement (ease of withdrawal) and a marketing retention tool — users who manage their preferences are more likely to stay engaged than users who hit an all-or-nothing unsubscribe link.

The preference centre should be accessible without login for existing email subscribers (via a personal link in every email) and within the product UI for registered users. Include: a list of all marketing subscriptions with current status (subscribed/unsubscribed), channel-specific controls (email, SMS, WhatsApp separately), content-type controls (product updates, promotional offers, events, etc.), and a single "unsubscribe from all" option as required.

Sync preference centre choices in real time to your marketing automation platform, CRM, and any other systems that send marketing communications. A preference centre that takes days to propagate to downstream systems is not compliant with the ease-of-withdrawal requirement. Use webhooks or event-driven architecture to propagate preference changes immediately.

Frequently Asked Questions

Can we send promotional emails to customers who have purchased from us in the past without getting fresh consent?
Under the DPDP Act, prior purchase does not automatically create a consent basis for marketing. Unlike some other jurisdictions (e.g., UK PECR's "soft opt-in" rule for existing customers), the DPDP Act requires explicit consent for marketing. Unless your purchase flow included an explicit marketing opt-in that the customer selected, you should obtain fresh consent before sending marketing emails to past customers.

Does the DPDP Act require a specific frequency cap on marketing communications?
The Act does not specify frequency caps, but frequency is relevant to the "unconditional" and "free" consent standard — if users feel they cannot refuse communications or face excessive messaging, the consent quality is degraded. Use industry-standard email marketing hygiene: respect unsubscribe preferences immediately, use frequency caps to avoid overwhelming users, and monitor unsubscribe rates as a signal that your frequency is too high.

Can we add event attendees to our marketing list based on their event badge scan?
Not without explicit consent. Scanning a badge at a conference booth does not constitute consent to receive marketing emails. You must obtain explicit marketing opt-in at the point of badge scan — a tablet at the booth with a clear consent checkbox, or a verbal confirmation with a logged record. Pre-populate the email field from the badge scan but require an active opt-in action before adding to marketing lists.

How do TRAI DND regulations interact with the DPDP Act for SMS marketing?
Both frameworks apply and must be complied with independently. TRAI DND requires template registration and DLT platform consent for promotional SMS. The DPDP Act requires a valid lawful basis (typically consent) for the underlying personal data processing. Meeting TRAI requirements does not automatically satisfy DPDP requirements and vice versa. Compliance with both is mandatory.

If a user has opted into marketing and then their email address changes, do we need fresh consent for the new address?
The consent attaches to the individual, not the email address. If the individual updates their email in your system (while the consent relationship continues), the consent transfers to the new address — the person is the same. Document the email address update with a timestamp. If the email change comes through a third-party source (e.g., data enrichment) and you are not certain it belongs to the same consented individual, obtain fresh consent.
