Yes, DPDP applies to you — even if you sell exclusively on Instagram DMs, WhatsApp Business, Facebook Marketplace, or Telegram. The moment you collect customer names, phone numbers, addresses, or payment details, you're processing personal data and DPDP compliance is mandatory.
This guide covers: Instagram selling • WhatsApp Business • Facebook Marketplace • Telegram channels • Where to publish privacy policies • How to get consent via chat • What data to delete and when.
Does DPDP Apply to Social Commerce?
Short answer: Yes, absolutely.
DPDP compliance is triggered by data collection, not platform choice. If you sell products and collect any of the following via Instagram, WhatsApp, Facebook, or Telegram:
- 📱 Customer names
- 📱 Phone numbers
- 📱 Email addresses
- 📱 Delivery addresses
- 📱 Payment details (UPI IDs, bank accounts)
- 📱 Order details and preferences
- 📱 Chat history with customers
...then DPDP applies to you.
❌ Common Myth: "I don't have a website, so DPDP doesn't apply." WRONG. The law doesn't care whether you sell on a website, Instagram, WhatsApp, or carrier pigeon. If you collect personal data from Indian customers, you must comply.
Why Social Sellers Are High-Risk for DPDP Violations
Social commerce sellers are more likely to violate DPDP because:
- ❌ No privacy policy (nowhere to publish it)
- ❌ No formal consent mechanism (they just assume customers consent by messaging)
- ❌ Storing customer data in insecure places (Excel spreadsheets, Google Sheets, phone contacts)
- ❌ Keeping chat history forever (WhatsApp messages from 2019 still saved)
- ❌ No awareness that DPDP even applies to them
Penalties don't care about ignorance. The Data Protection Board can fine you up to ₹50 crore even if you "didn't know" DPDP applied.
DPDP Compliance for Instagram Sellers
What Data You Collect on Instagram
Even if you sell via Instagram DMs and posts, you're still collecting massive amounts of personal data:
- Instagram usernames and profile names
- Phone numbers (when customers share for order confirmation)
- Delivery addresses (shared via DM)
- Payment screenshots (UPI receipts, bank transfers)
- Product preferences and order history (in DM chat)
- Customer photos (if they send photos for custom orders)
All of this is personal data under DPDP.
1. Publish a Privacy Policy
Problem: Instagram doesn't let you add a privacy policy to your profile in a structured way.
Solution:
- Option A: Create a free privacy policy webpage using Google Sites, Notion (make it public), or Carrd (free plan)
- Option B: Host privacy policy on a free GitHub Pages site
- Option C: Use a link-in-bio tool (Linktree, Hoo.be) and add privacy policy link
Then add this link to your Instagram bio: "Privacy Policy: [link]"
2. Get Customer Consent
How to get consent via Instagram DM:
When a customer places their first order, send this message:
"Hi! Before I confirm your order, please review our Privacy Policy: [link]. By proceeding with this order, you consent to us collecting your name, phone number, and address for order fulfillment. Reply 'I agree' to confirm."
Save their "I agree" response as proof of consent.
3. Secure Data Storage
Don't do this:
- ❌ Keeping all customer data in an unprotected Google Sheet
- ❌ Saving customer addresses in phone Notes app
- ❌ Screenshotting payment details and storing in Photos
Do this instead:
- ✅ Use a secure CRM (free options: Notion with password, Airtable with access controls)
- ✅ Use Google Sheets but enable 2-factor authentication on your Google account
- ✅ Never share access to customer data spreadsheets publicly
4. Delete Old Customer Data
You cannot keep Instagram DM chat history forever. Set a retention policy:
- Active customers: Keep data while they're ordering regularly
- Inactive customers: Delete DM history and stored data after 1 year of no orders
- Payment screenshots: Delete after order is delivered + 30 days
Instagram Shop vs Instagram DM Selling
Instagram Shop (with checkout): Meta (Facebook/Instagram parent company) handles payment processing, but YOU are still the Data Fiduciary for customer data. You must comply with DPDP.
Instagram DM selling: You handle everything manually, so DPDP compliance is 100% your responsibility.
DPDP Compliance for WhatsApp Business
WhatsApp Business App vs WhatsApp Business API
There are two types of WhatsApp Business:
- WhatsApp Business App: Free app for small businesses (1 phone number, manual messaging)
- WhatsApp Business API: Paid service for larger businesses (automated messages, multiple agents, CRM integration)
DPDP applies to both.
1. Privacy Policy Requirement
For WhatsApp Business App users:
- Create a privacy policy webpage (Google Sites, Notion, etc.)
- Add link to your WhatsApp Business profile (Settings → Business Profile → Website)
- Share privacy policy link when customer places first order
For WhatsApp Business API users:
- Add privacy policy to your website
- Include privacy policy link in automated welcome messages
- Add to order confirmation templates
2. Consent Mechanism
First-time customer message template:
"Welcome! Before we process your order, please review our Privacy Policy: [link]. By placing an order, you agree to us collecting your name, phone number, and delivery address for order fulfillment. Reply YES to confirm."
Log their "YES" response as proof of consent.
3. Chat History Retention
Critical issue: WhatsApp chats contain full customer data — names, addresses, payment details, order history.
What you must do:
- Don't keep WhatsApp chats forever
- After order is delivered + return period (30 days), delete the chat (Settings → Chats → Delete chat)
- If you need order history for tax purposes, export necessary data to a secure database, then delete the WhatsApp chat
- For inactive customers (no orders in 1 year), delete all chats and data
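The retention rules above (for Instagram in the earlier section and for WhatsApp here), together with the "save their reply as proof of consent" step, can be turned into a routine cleanup check over a seller's customer sheet. The following is an added example, not code from the original guide; the record layout, handles and dates are constructed for the demo, and it assumes the seller keeps one row per customer with the fields shown.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention windows stated in the guide.
POST_DELIVERY_DAYS = 30   # return period: payment screenshots / WhatsApp chats go after this
INACTIVE_DAYS = 365       # no orders for a year: delete everything the seller holds
AS_OF = date(2025, 6, 1)  # constructed "today" for the demo run

@dataclass
class CustomerRecord:
    """One row of a seller's customer sheet (constructed schema, not any tool's format)."""
    handle: str                   # Instagram username or WhatsApp number
    platform: str                 # "instagram" or "whatsapp"
    last_order: date              # date of the most recent order
    delivered_on: Optional[date]  # None while the latest order is still in transit
    consent_logged: bool          # a saved "I agree" / "YES" reply exists
    has_payment_screenshot: bool
    has_chat_history: bool

def retention_actions(rec: CustomerRecord, today: date) -> list[str]:
    """Return the cleanup actions this record is due for on `today`."""
    actions = []
    if not rec.consent_logged:
        actions.append("missing-consent-proof")  # no saved reply: fix before the next order
    # Rule 1: inactive for a year -> delete chat, sheet row and media together.
    if today - rec.last_order >= timedelta(days=INACTIVE_DAYS):
        actions.append("delete-all-data")
        return actions
    # Rule 2: delivery + return period -> screenshots go on every platform;
    # the guide deletes the WhatsApp chat here too, while Instagram DMs wait for rule 1.
    if rec.delivered_on and today - rec.delivered_on >= timedelta(days=POST_DELIVERY_DAYS):
        if rec.has_payment_screenshot:
            actions.append("delete-payment-screenshot")
        if rec.has_chat_history and rec.platform == "whatsapp":
            actions.append("delete-chat")
    return actions

def retention_report(records: list[CustomerRecord], today: date) -> dict[str, list[str]]:
    """Map each handle that needs attention to its due actions (clean records are omitted)."""
    report = {r.handle: retention_actions(r, today) for r in records}
    return {h: a for h, a in report.items() if a}

# Constructed sample sheet; handles and dates are made up for the demo.
SAMPLE = [
    CustomerRecord("@asha_k", "instagram", date(2025, 4, 1), date(2025, 4, 10), True, True, True),
    CustomerRecord("+91-98xxxxxx01", "whatsapp", date(2025, 4, 1), date(2025, 4, 10), True, True, True),
    CustomerRecord("+91-98xxxxxx02", "whatsapp", date(2024, 3, 15), date(2024, 3, 20), True, False, True),
    CustomerRecord("@rahul.orders", "instagram", date(2025, 5, 25), None, False, False, True),
    CustomerRecord("+91-98xxxxxx03", "whatsapp", date(2025, 5, 20), date(2025, 5, 22), True, True, True),
]

if __name__ == "__main__":
    for handle, actions in retention_report(SAMPLE, AS_OF).items():
        print(f"{handle}: {', '.join(actions)}")
```

Run it against the sheet on a fixed schedule (weekly is enough for these windows) and action each listed item by hand, since the deletions themselves happen inside the WhatsApp or Instagram app.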
4. Payment Data Security
Never do this:
- ❌ Ask customers to share UPI screenshots with transaction IDs visible
- ❌ Keep payment screenshots in WhatsApp media forever
- ❌ Share customer payment details with delivery partners via WhatsApp
Do this instead:
- ✅ Use UPI payment links (PhonePe, Google Pay, Paytm) instead of manual bank transfers
- ✅ Delete payment screenshots after confirming payment
- ✅ Never share full payment details with third parties
WhatsApp Business Catalog Feature
If you use WhatsApp Business Catalog to showcase products:
- The catalog itself doesn't collect personal data
- BUT when customers message you to place orders, DPDP compliance kicks in
- Follow the same consent + privacy policy + data retention rules
DPDP Compliance for Facebook Marketplace
Facebook Marketplace sellers collect data through:
- Facebook Messenger chats (names, addresses, phone numbers)
- Product listings (customer browsing behavior)
- Payment details (if using Facebook Pay)
Privacy Policy Location
- Create a privacy policy webpage
- Add link to your Facebook Business Page "About" section
- Share privacy policy link via Messenger when customer inquires
Messenger Chat Retention
- Delete old Messenger conversations after order completion + 30 days
- Don't keep years of customer chat history
- For regular customers, keep only recent conversations (last 6 months)
DPDP Compliance for Telegram Channels/Groups
Telegram business channels/groups are increasingly popular for:
- Product announcements
- Order management
- Customer support
- Flash sales and exclusive offers
1. Privacy Policy
- Pin a message with privacy policy link in your Telegram group/channel
- Add privacy policy to channel description
- Share with new members when they join
2. Member Data
What data you collect from Telegram:
- Telegram usernames
- Phone numbers (if visible in profile)
- Messages containing orders, addresses, preferences
Compliance requirements:
- Don't export member lists and use for marketing without consent
- If members leave the group, delete their personal data
- Don't share member data with third parties
Top 5 Mistakes Social Commerce Sellers Make
Mistake 1: No privacy policy
Why it's wrong: Every business processing personal data MUST publish a privacy policy. "I only sell on Instagram" is not an exemption.
Penalty: Up to ₹50 crore.
Fix: Create a simple privacy policy webpage (free: Google Sites, Notion public page). Add the link to your Instagram bio, WhatsApp Business profile, or Facebook About section.
Mistake 2: Insecure data storage
Why it's wrong: Keeping customer names, phone numbers, and addresses in a publicly accessible Google Sheet or Excel file with no password is a security failure.
Penalty: Up to ₹250 crore if data is breached.
Fix: Enable 2FA on your Google account. Use access controls on Google Sheets (don't share publicly). Or use a secure CRM.
Mistake 3: Keeping chat history forever
Why it's wrong: WhatsApp chats from 2019 that still contain customer addresses and payment screenshots violate the data retention requirements.
Penalty: Up to ₹50 crore.
Fix: Delete old chats. Retention policy: Keep chats for 30 days after delivery, then delete. For inactive customers (1+ year no orders), delete everything.
Mistake 4: Assuming consent
Why it's wrong: "They DM'd me, so they must consent to data collection" is NOT valid consent under DPDP. Consent must be explicit and informed.
Penalty: Up to ₹50 crore.
Fix: Send the privacy policy link. Ask the customer to confirm: "Reply YES to agree to our privacy policy and proceed with order." Save their YES response.
Mistake 5: Ignoring deletion requests
Why it's wrong: A customer messages you: "Please delete my data." You ignore it because "it's just WhatsApp, I can't delete." You must honor deletion requests.
Penalty: Up to ₹50 crore.
Fix: Delete the WhatsApp chat, remove the customer from your database/spreadsheet, and delete their Instagram DM history. Respond: "Your data has been deleted as requested."
Social Commerce DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (Google Sites, Notion, or webpage) | ☐ |
| Privacy policy linked from bio/profile (Instagram, WhatsApp, Facebook) | ☐ |
| Consent mechanism in place (ask customers to agree before processing order) | ☐ |
| Consent responses saved (proof that customer agreed) | ☐ |
| Customer data secured (not in publicly-accessible spreadsheets) | ☐ |
| 2FA enabled (on Google/Instagram/WhatsApp accounts) | ☐ |
| Data retention policy set (delete old chats/data after X months) | ☐ |
| Payment screenshots deleted (after payment confirmation) | ☐ |
| Inactive customer data deleted (no orders in 1+ year) | ☐ |
| WhatsApp/Instagram chat history cleaned (old conversations deleted) | ☐ |
| Data deletion process ready (can delete customer data on request) | ☐ |
| No data sharing with third parties (without explicit consent) | ☐ |
FAQ for Social Commerce Sellers
Does DPDP apply to Instagram sellers in India?
Yes. If you sell via Instagram DMs, Instagram Shop, or Instagram posts and collect customer data (names, phone numbers, addresses, payment details), DPDP applies. Platform doesn't matter — data collection triggers compliance.
Do WhatsApp Business sellers need DPDP compliance?
Yes. Both WhatsApp Business App and WhatsApp Business API users who collect customer data must comply with DPDP.
Where do I publish a privacy policy if I only sell on Instagram?
Create a simple webpage: Use Google Sites (free), Notion (make it public), or Carrd (free plan). Link to it from your Instagram bio. Share the link via DM when customers place their first order.
Can I keep customer WhatsApp chats forever?
No. DPDP requires data retention limits. Delete customer chat history after order fulfillment + return period (30 days). For inactive customers (1+ year), delete all chats and stored data.
How do I get consent via Instagram DM or WhatsApp?
Send this message: "Before we confirm your order, please review our Privacy Policy: [link]. By proceeding, you consent to us collecting your data for order fulfillment. Reply YES to confirm." Save their YES response as proof.
What if I store customer data in Google Sheets?
That's okay IF: (1) You enable 2-factor authentication on your Google account, (2) You don't share the spreadsheet publicly, (3) You use access controls to limit who can view it. Don't store payment card details or UPI IDs in plain text.