WhatsApp Business API Rules in India (2026 Updated): Complete Compliance Guide

Businesses in India using WhatsApp Business API must comply with multiple regulatory frameworks, including TRAI guidelines, data privacy laws, and Meta's platform policies. This comprehensive guide covers all WhatsApp Business API rules in India for 2026, including recent updates, compliance requirements, and best practices for legal WhatsApp communication.

Last updated: December 2026 (for 2026 regulations) | Reading time: ~15 minutes | Official compliance guide

Key update for 2026: Effective January 15, 2026, WhatsApp has updated its Business API policies to prohibit general-purpose AI chatbots. Businesses using AI for specific customer service functions (support, bookings, orders) can continue, but general-purpose AI services are restricted. This guide covers all compliance requirements for businesses in India using WhatsApp Business API.

Overview of WhatsApp Business API Rules in India

WhatsApp Business API in India is governed by multiple regulatory bodies and policies:

  • Meta's WhatsApp Business API Policies: Platform-specific rules set by Meta (WhatsApp's parent company)
  • TRAI (Telecom Regulatory Authority of India): Regulations for commercial messaging and communication
  • DoT (Department of Telecommunications): Licensing and operational requirements
  • DPDPA (Digital Personal Data Protection Act): Data privacy and protection requirements
  • IT Act 2000: Information technology and cybersecurity regulations

Businesses must comply with all these frameworks to legally use WhatsApp Business API in India. Non-compliance can result in account bans, legal penalties, and business disruption.

Regulatory Framework

1. TRAI (Telecom Regulatory Authority of India) Guidelines

TRAI regulates commercial messaging in India and has specific requirements for WhatsApp Business API:

  • Commercial Communication Regulations: All commercial messages must comply with TRAI's guidelines for unsolicited commercial communication (UCC). Learn more about TRAI's commercial communication regulations
  • DND (Do Not Disturb) Compliance: Businesses must respect DND registrations and cannot send promotional messages to numbers registered on DND. Use 2Factor's WhatsApp Business API to automatically filter DND numbers
  • Entity Headers: Businesses must register entity headers with TRAI for commercial messaging
  • Consent Requirements: Explicit opt-in consent is mandatory before sending commercial messages. Implement proper consent management with WhatsApp Automation tools

2. DoT (Department of Telecommunications) Requirements

DoT oversees telecommunications operations in India:

  • Licensing: Businesses using WhatsApp Business API for commercial purposes may need appropriate licenses
  • Number Verification: Phone numbers used for WhatsApp Business API must be verified and registered
  • Operational Compliance: Businesses must follow DoT guidelines for commercial communication services

3. DPDPA (Digital Personal Data Protection Act) Compliance

India's Digital Personal Data Protection Act requires:

  • Consent Management: Explicit consent for data collection and processing. Ensure your WhatsApp Business API implementation includes proper consent tracking
  • Data Minimization: Collect only necessary data for business purposes
  • Data Security: Implement appropriate security measures to protect personal data. 2Factor's WhatsApp API includes enterprise-grade security
  • Right to Access and Deletion: Users have the right to access and request deletion of their data
  • Data Localization: Certain categories of data may need to be stored within India

4. IT Act 2000 Compliance

The Information Technology Act 2000 requires:

  • Cybersecurity Measures: Implement reasonable security practices and procedures. 2Factor's WhatsApp Business API includes encryption and security protocols
  • Data Breach Notification: Notify authorities and affected users in case of data breaches
  • Intermediary Guidelines: Compliance with intermediary liability and content moderation requirements. Review IT Intermediary Guidelines 2021

Message Categories and Restrictions

WhatsApp Business API categorizes messages into three main types, each with specific rules:

Marketing Messages
Purpose: Promotional content, offers, sales, advertising
Key Rules:
  • Requires explicit opt-in consent
  • Must use approved message templates
  • Cannot send to DND-registered numbers
  • Must include opt-out instructions
  • Higher pricing than utility messages

Utility Messages
Purpose: Order updates, delivery status, booking confirmations, account notifications
Key Rules:
  • Can be sent to existing customers
  • Must use approved templates
  • Lower pricing than marketing
  • Must be transactional in nature
  • No opt-in required for existing transactions

Authentication Messages
Purpose: OTP, verification codes, login confirmations
Key Rules:
  • Must be time-sensitive and secure
  • Cannot contain promotional content
  • Lower pricing than other categories
  • Must use approved templates
  • Subject to strict security requirements

Important: Sending marketing messages without opt-in consent or to DND-registered numbers violates TRAI regulations and can result in account bans, legal penalties, and fines up to ₹25,000 per violation. Use 2Factor's WhatsApp Business API to ensure compliance with all TRAI requirements.

Opt-In and Opt-Out Requirements

India has strict requirements for consent and opt-out mechanisms:

Opt-In Requirements

  • Explicit Consent: Recipients must explicitly opt in to receive marketing messages. Implied or pre-checked consent is not valid. Implement proper consent collection with WhatsApp Automation
  • Clear Purpose: Consent must specify what types of messages the recipient will receive
  • Consent Documentation: Businesses must maintain records of consent with timestamps and method of consent collection. 2Factor's platform includes consent tracking features
  • Double Opt-In (Recommended): Send a confirmation message asking recipients to confirm their subscription using WhatsApp Marketing tools
  • Consent Validity: Consent must be recent and can be withdrawn at any time

Opt-Out Requirements

  • Easy Opt-Out: Every marketing message must include clear opt-out instructions
  • Immediate Processing: Opt-out requests must be processed within 24 hours
  • Permanent Removal: Once opted out, the number must be permanently removed from marketing lists
  • Opt-Out Confirmation: Send confirmation when a user opts out
  • DND Compliance: Respect DND registrations and never send promotional messages to DND numbers

Best Practice: Use keywords like "STOP", "UNSUBSCRIBE", or "OPT-OUT" in your opt-out instructions. Make it easy for users to opt out with a single message or click.

Template Approval Process

All outbound messages (except replies within 24 hours) must use Meta-approved message templates. Here's how the process works:

Template Submission Requirements

  • Template Format: Templates must follow Meta's format guidelines (header, body, footer, buttons)
  • Content Restrictions: No spammy language, excessive promotional content, or misleading information. Review WhatsApp Business Policy
  • Category Selection: Choose the correct category (MARKETING, UTILITY, or AUTHENTICATION)
  • Language: Templates can be in English, Hindi, or regional languages
  • Variable Parameters: Use dynamic variables for personalization (name, order number, etc.). Get expert template approval support with 2Factor's WhatsApp Business API

Template Approval Timeline

  • Standard Review: 24–48 hours for most templates
  • Complex Templates: Up to 72 hours for templates with multiple components or special features
  • Rejection Reasons: Common reasons include spam-like content, misleading information, or format violations
  • Resubmission: Rejected templates can be revised and resubmitted after addressing feedback

Template Best Practices

  • Keep messages clear, concise, and relevant
  • Avoid excessive use of emojis or special characters
  • Include your business name and purpose clearly
  • Use approved language and avoid prohibited content
  • Test templates before submitting for approval

Data Privacy and Security Requirements

India's DPDPA and IT Act require strict data protection measures:

Data Collection and Consent

  • Purpose Limitation: Collect data only for specified, legitimate business purposes
  • Consent Management: Obtain explicit consent before collecting personal data
  • Data Minimization: Collect only necessary data required for business operations
  • Consent Records: Maintain detailed records of consent with timestamps and methods

Data Storage and Security

  • Security Measures: Implement encryption, access controls, and security protocols
  • Data Retention: Retain data only as long as necessary for business purposes
  • Data Localization: Certain sensitive data categories may need to be stored within India
  • Access Controls: Limit access to personal data to authorized personnel only

User Rights

  • Right to Access: Users can request access to their personal data
  • Right to Correction: Users can request correction of inaccurate data
  • Right to Deletion: Users can request deletion of their data
  • Right to Portability: Users can request data in a portable format

Data Breach Notification

  • Immediate Notification: Notify authorities and affected users within 72 hours of a data breach
  • Breach Documentation: Maintain detailed records of breaches and remediation actions
  • Remediation Measures: Take immediate steps to contain and remediate breaches

2026 Policy Updates: AI Chatbot Restrictions

Effective January 15, 2026, WhatsApp has implemented significant policy changes affecting AI chatbots:

General-Purpose AI Chatbot Prohibition

WhatsApp now prohibits general-purpose AI chatbots on its Business API platform. This means:

  • Prohibited: General-purpose AI services like ChatGPT, Perplexity, or Copilot that use WhatsApp as their primary interface
  • Prohibited: AI providers offering general-purpose conversational AI through WhatsApp Business API
  • Prohibited: AI services where AI functionality is the primary service, not a supporting feature

Review Meta's policy updates for the latest information on AI chatbot restrictions.

Allowed AI Use Cases

Businesses can still use AI for specific, business-oriented functions:

  • Customer Support: AI chatbots for handling customer service queries and FAQs. Use 2Factor's WhatsApp Automation for compliant AI chatbots
  • Booking Systems: AI for processing travel bookings, appointments, or reservations
  • Order Processing: AI for handling order inquiries, status updates, and order management
  • Industry-Specific Functions: AI for specific business functions like lead qualification, product recommendations, or support automation

Action Required: If you're using general-purpose AI chatbots on WhatsApp Business API, you must discontinue them by January 15, 2026, or risk account termination. Ensure your AI implementations are focused on specific business functions, not general-purpose conversations. 2Factor's WhatsApp Business API provides compliant AI automation solutions.

Impact on Businesses in India

Indian businesses using WhatsApp Business API should:

  • Review their AI chatbot implementations to ensure compliance
  • Refocus AI on specific customer service or business functions
  • Update chatbot workflows to align with the new policy
  • Work with their Business Service Provider (BSP) to ensure compliance

Pricing and Billing Rules

WhatsApp Business API pricing in India follows Meta's global pricing structure with some India-specific considerations:

Pricing Model

  • Per-Conversation Pricing: Businesses pay per conversation (24-hour session) initiated. Learn more about Meta's WhatsApp Business API pricing
  • Category-Based Pricing: Different rates for marketing, utility, and authentication messages
  • Regional Pricing: Pricing varies by region and currency
  • BSP Fees: Business Service Providers may charge additional platform or setup fees. Check 2Factor's transparent pricing

Conversation Types and Pricing

  • Marketing Conversations: Highest pricing for promotional messages
  • Utility Conversations: Lower pricing for transactional messages
  • Authentication Conversations: Lowest pricing for OTP and verification messages

Check 2Factor's WhatsApp Business API Pricing for detailed pricing information and plans.

Billing and Payment

  • Monthly Billing: Most providers bill monthly based on usage
  • Prepaid/Postpaid: Options for prepaid credits or postpaid billing
  • GST Compliance: All invoices must comply with Indian GST regulations
  • Payment Methods: Bank transfers, UPI, credit cards, or other approved payment methods

Compliance Checklist for Indian Businesses

Use this checklist to ensure your WhatsApp Business API implementation complies with all Indian regulations:

Regulatory Compliance

  • Registered entity header with TRAI (if required)
  • Compliance with TRAI commercial communication regulations
  • Respect for DND registrations. Use 2Factor's WhatsApp Business API for automatic DND filtering
  • DPDPA compliance for data collection and processing
  • IT Act compliance for cybersecurity and data protection

Consent and Opt-Out

  • Explicit opt-in consent for all marketing messages. Use WhatsApp Automation for consent management
  • Consent documentation with timestamps
  • Clear opt-out instructions in every marketing message
  • 24-hour opt-out processing
  • DND number filtering with WhatsApp Marketing tools

Message Templates

  • All outbound messages use approved templates
  • Templates follow Meta's format guidelines
  • Correct category selection (MARKETING/UTILITY/AUTHENTICATION)
  • No prohibited content or spam-like language
  • Template approval before sending. Get expert support with 2Factor's WhatsApp Business API

Data Privacy

  • Data collection limited to necessary information
  • Explicit consent for data processing
  • Security measures implemented (encryption, access controls). 2Factor provides enterprise-grade security
  • Data retention policies in place
  • User rights (access, correction, deletion) supported

AI Chatbot Compliance (2026)

  • No general-purpose AI chatbots (if applicable)
  • AI focused on specific business functions. Use 2Factor's compliant AI automation
  • Compliance with January 15, 2026 policy updates
  • Review and update AI implementations

Frequently Asked Questions

Do I need TRAI registration to use WhatsApp Business API in India?

TRAI registration requirements depend on your use case. If you're sending commercial/promotional messages, you may need to register entity headers with TRAI. For transactional messages to existing customers, registration may not be required. Consult your Business Service Provider (such as 2Factor) or a legal advisor to determine your specific requirements.

Can I send marketing messages to DND-registered numbers?

No. Sending marketing messages to DND-registered numbers violates TRAI regulations and can result in account bans and legal penalties. Always filter DND numbers from your marketing lists. 2Factor's WhatsApp Business API automatically filters DND numbers. Utility and authentication messages to existing customers may be allowed, but check with your provider for specific guidelines.

What happens if I violate WhatsApp Business API rules in India?

Violations can result in account bans, legal penalties, fines (up to ₹25,000 per violation under TRAI regulations), and business disruption. Meta may permanently ban your WhatsApp Business API account for serious violations. It's essential to comply with all regulations from day one.

How do I ensure DPDPA compliance when using WhatsApp Business API?

Ensure DPDPA compliance by: obtaining explicit consent before collecting data, implementing security measures, maintaining data minimization practices, supporting user rights (access, correction, deletion), and having data breach notification procedures. Work with your Business Service Provider like 2Factor to ensure technical and operational compliance.

Can I use AI chatbots with WhatsApp Business API after January 15, 2026?

Yes, but only for specific business functions like customer support, bookings, or order processing. General-purpose AI chatbots (like ChatGPT or Copilot) are prohibited per WhatsApp's updated policy. Ensure your AI implementations focus on specific business functions, not general-purpose conversations. Use 2Factor's compliant WhatsApp Automation for business-specific AI chatbots.

What is the difference between marketing and utility messages in India?

Marketing messages are promotional (offers, sales, advertising); they require explicit opt-in consent and cannot be sent to DND numbers. Utility messages are transactional (order updates, delivery status) and can be sent to existing customers without opt-in, but must still use approved templates. Pricing and compliance requirements differ for each category.

Do I need to store WhatsApp data in India?

DPDPA may require certain categories of sensitive personal data to be stored within India. However, WhatsApp Business API data storage is managed by Meta. Consult with legal advisors to understand your specific data localization requirements based on the type of data you're processing.

Conclusion: Stay Compliant with WhatsApp Business API Rules in India

Compliance with WhatsApp Business API rules in India requires understanding and adhering to multiple regulatory frameworks: Meta's platform policies, TRAI regulations, DPDPA requirements, and IT Act provisions. Key takeaways:

  • Always get explicit opt-in consent for marketing messages and respect DND registrations
  • Use approved message templates for all outbound messages
  • Comply with data privacy laws (DPDPA, IT Act) for data collection and processing
  • Update AI implementations to comply with 2026 policy changes (no general-purpose AI chatbots)
  • Work with authorized Business Service Providers like 2Factor for compliance support
  • Maintain documentation of consent, templates, and compliance measures

By following these rules and working with compliant providers like 2Factor's WhatsApp Business API, you can use WhatsApp for business communication in India while staying fully compliant with all regulations.
