Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

WhatsApp Usernames Blocked in India: Why the DPDP Act Makes Every New Feature a Compliance Event

India froze WhatsApp's username rollout for 500M+ users, extended Meta's reply deadline to July 9. Here's why DPDP Act makes usernames personal data.

D
DPDPBot Research Team
🕐 10 min read

#WhatsApp Usernames Blocked in India: Why the DPDP Act Makes Every New Feature a Compliance Event

India froze WhatsApp's username feature within 48 hours of its global launch — and as of July 8, 2026, Meta has until tomorrow to explain itself to the government. What looks on the surface like a fraud-prevention standoff is actually India's most consequential demonstration yet of how the Digital Personal Data Protection Act 2023 applies to new product features, not just to data breaches after the fact.


#What Happened: From Global Launch to Government Freeze

On June 29, 2026, Meta announced that WhatsApp would allow users to create unique usernames — short handles that could be shared instead of phone numbers when starting conversations. The feature, already available in some markets, was framed as a privacy enhancement: users could message and be messaged without giving out their phone number, reducing one of WhatsApp's oldest friction points.

Within 48 hours, India's Ministry of Electronics and Information Technology (MeitY) issued a formal legal notice ordering Meta to halt the rollout entirely for Indian users. The government gave Meta three days to defend the feature or face regulatory consequences. When that deadline passed without a satisfactory response, MeitY extended it — after a face-to-face meeting between Meta executives and ministry officials — to July 9, 2026.

India is WhatsApp's single largest market. Estimates from multiple tracking platforms put the number of Indian WhatsApp accounts at over 500 million active users, with some counts including registered-but-inactive accounts exceeding 850 million. Whatever the precise figure, India is where this feature's fate will be decided.


#The Government's Stated Concern — And What Lies Beneath It

MeitY's notice identified four categories of risk: online fraud, phishing, "digital arrest scams," and impersonation attacks. The phrase "digital arrest" refers to a particularly vicious Indian scam in which fraudsters, posing as law enforcement or CBI officers, tell victims they are under digital arrest and extort money over hours-long video calls. The scam has cost Indian citizens hundreds of crores of rupees in recent years.

The government's specific worry: usernames detach messages from phone numbers, eliminating the one identifier that law enforcement can currently trace. A scammer who sets up a username like @cbi.officer.sharma or @rbi.compliance can contact victims without ever exposing a phone number — the primary forensic link that Indian police use when investigating WhatsApp fraud.

Meta's defence, outlined in its public response and in its meeting with MeitY officials, rests on three safeguards. First, users must know the exact username to message someone — there is no searchable directory, so scammers cannot browse for targets. Second, WhatsApp reserved high-profile namespaces at launch, blocking obvious spoofs of public figures and government agencies. Third, before a user replies to a first message from someone new, WhatsApp now displays context: the sender's country of registration, when the account was created, and whether they share any common groups.

These are sensible safeguards. Whether they satisfy MeitY — whose officials reportedly pressed for a law enforcement disclosure mechanism linking usernames back to phone numbers — will become clear on July 9.


#Why Usernames Are Personal Data Under the DPDP Act

The fraud angle is the headline, but the deeper regulatory issue is about personal data classification. And this is where the Digital Personal Data Protection Act 2023 enters in a way that most reporting has understated.

Under Section 2(t) of the DPDP Act, "personal data" means "any data about an individual who is identifiable by or in relation to such data." A WhatsApp username is, by design, an identifier — it is a string that maps uniquely to a specific account, and through that account to a verified phone number (which is, in turn, linked to an Aadhaar-verified SIM in India). Under DPDP's deliberately broad definition, usernames are personal data.

This matters for three reasons.

Consent obligations shift. Before WhatsApp collects a username from a user, it must obtain valid consent under Section 6 of the DPDP Act. The notice must clearly explain what the username will be used for, who it might be shared with, and how long it will be retained. WhatsApp's existing privacy policy — drafted for a phone-number-centric product — does not adequately describe username collection, processing, or the conditions under which a username might be disclosed to third parties (including, potentially, law enforcement).

Purpose limitation applies. The DPDP Act requires that personal data collected for one purpose not be used for a different, incompatible purpose. If WhatsApp collects a username to enable messaging, it cannot then use that username for behavioral profiling, advertising targeting, or cross-platform data matching without separate consent.

Data minimisation is mandatory. The Act requires fiduciaries to collect only the data necessary for the stated purpose. If a username is optional — as Meta emphasises — then WhatsApp must ensure that declining to create one carries no meaningful penalty for users (such as reduced functionality or poorer service quality).

Pawan Duggal, chairman of the International Commission on Cyber Security Law, was direct in his assessment: "WhatsApp has to make sure that its username offerings have to be compliant with not just the Information Technology Act 2000 but also with the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025." He described the feature as capable of "opening a Pandora's box" from a privacy standpoint — using India's foundational right-to-privacy jurisprudence from Justice K.S. Puttaswamy v Union of India as the constitutional backdrop.


#The Section 9 Problem: Children, Usernames, and the Advertising Ban

Section 9 of the DPDP Act creates a separate, stricter regime for the personal data of anyone under 18. Data fiduciaries must obtain verifiable parental consent before processing a child's data, must not track or monitor children's online behaviour, and are explicitly prohibited from serving behavioural advertising to anyone under 18. Violations carry penalties of up to ₹200 crore per instance.

Usernames introduce a Section 9 problem that Meta has not yet addressed publicly. A username on WhatsApp is potentially more persistent and more memorable than a phone number — a teenager's username might be shared across platforms, linked in Instagram bios, or used to connect WhatsApp to other services. That cross-platform linkage is precisely the kind of behavioural tracking and profiling that Section 9 prohibits for minors. WhatsApp's age-verification mechanism for Indian users — already weak by most analyses — would need to be significantly strengthened before the company can credibly argue that its username collection complies with Section 9.

This is not a hypothetical concern. The Data Protection Board of India, which has been constituted and appointed its first leadership as of June 2026, has enforcement powers that extend precisely to situations where platforms process children's data without adequate safeguards.


#The Bigger Pattern: DPDP Compliance Is Now a Feature-Launch Gate

What makes this episode genuinely significant for Indian businesses and global tech companies is the precedent it sets. MeitY did not wait for a data breach. It did not act after a complaint reached the Data Protection Board. It intervened before the feature even launched, on the basis that insufficient compliance groundwork had been laid.

This is the enforcement posture that the DPDP Rules 2025 were always designed to enable. India's law treats personal data protection as a proactive obligation — companies must build compliance in, not bolt it on after the fact. The whatsApp episode shows that regulators are prepared to act on that logic in real time.

Several Indian and global companies have already learned this lesson in adjacent contexts:

WhatsApp's username situation is the clearest case yet because it involves a consumer feature from one of the world's most scrutinised platforms, and because the government's intervention was public, specific, and time-bound.


#What Tech Companies Must Do Before Their Next India Launch

The practical lesson for product teams is uncomfortable but clear: in India, a new data collection feature is not a UX decision — it is a legal event.

Before any Indian feature launch that introduces, changes, or extends personal data collection, companies need to work through the following checklist against the DPDP Act and Rules 2025:

1. Does the new data point qualify as personal data? If users can be identified through or in relation to the new data, it is personal data. Names, usernames, device IDs, location inferences, behavioural patterns — all qualify. The DPDP Act's definition is intentionally wide.

2. Is the existing notice adequate? Section 5 requires that users receive a clear, standalone notice explaining what is being collected, why, for how long, and who gets access. If the new feature was not contemplated when the current notice was written, the notice must be updated and fresh consent obtained.

3. Is there a children's data exposure? If the platform has any under-18 users — and virtually every consumer platform in India does — does the new feature risk creating identifiers, behavioural signals, or cross-platform links that would fall foul of Section 9? If yes, age-gating and parental-consent flows must be in place before launch.

4. What is the cross-border data transfer position? Under Section 16 of the DPDP Act, personal data can be transferred outside India unless the Central Government notifies a country as restricted. No restricted list has been issued yet — but for Significant Data Fiduciaries, cross-border obligations are likely to be tightened significantly once the SDF notification arrives, expected before November 2026.

5. Is there a Data Protection Impact Assessment? High-risk features — those involving new identifiers, children's data, or sensitive personal data categories — warrant a DPIA before launch. Significant Data Fiduciaries will be legally required to conduct these under Rule 13; other organisations should treat them as standard practice.

A consent management platform — such as what DPDPBot's consent manager provides — can help organisations operationalise notice-and-consent flows, maintain audit trails of consent for each data collection event, and demonstrate compliance if regulators ask. The WhatsApp episode underscores why having this infrastructure in place before a product ships is not optional.


#What Happens on July 9?

Meta must submit its detailed response to MeitY by July 9, 2026. Three outcomes are plausible:

Approval with conditions. MeitY accepts Meta's safeguards, possibly requiring India-specific modifications — a law enforcement disclosure mechanism for username-to-phone linkage, stricter age verification, or a DPDP-aligned consent notice at the point of username creation.

Extended review. The government refers the matter to the Data Protection Board or seeks further technical review, leaving Indian users in limbo.

Launch blocked. MeitY determines that the feature cannot be made compliant in its current form and orders a permanent halt for Indian users — an outcome that, given the market size, would be commercially catastrophic for Meta and would set a powerful precedent for every other platform.

The Internet Freedom Foundation has characterised MeitY's intervention as regulatory overreach, drawing a parallel to a 2024 MeitY circular that required government approval before deploying AI systems — a requirement quietly withdrawn within two weeks after industry backlash. Whether this episode ends similarly will depend on whether Meta's response adequately addresses both the fraud and the DPDP compliance gaps.


#The Takeaway for Indian Businesses

The WhatsApp username standoff sends a clear signal to every company operating in India: the DPDP Act is no longer just a compliance framework to be prepared for. It is an active regulatory lens through which new product launches will be evaluated, in real time, by a ministry that has demonstrated both the appetite and the authority to intervene.

For businesses building for India's digital market, the cost of a pre-launch DPDP review — consent notice drafts, DPIA, children's data assessment — is a fraction of the reputational and operational cost of a public regulatory freeze like the one Meta is now navigating. The WhatsApp episode won't be the last of its kind.

Ensure your data collection practices have proper consent flows in place before your next launch. If you're unsure whether your product's data handling meets DPDP standards, start with a consent manager that provides notice-and-consent infrastructure built for India's regulatory requirements.

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial