Consent Record
A consent record is a stored, timestamped log of a specific customer's opt-in to receive WhatsApp messages from your business — capturing at minimum the source of the opt-in, the moment it was given, and the scope of what they agreed to receive. It is the evidence trail behind every message you send. On the WhatsApp Business API, Meta requires that you obtain opt-in before messaging a user, and a proper consent record is how you prove that opt-in existed if a customer complains, if your quality rating dips, or if Meta reviews your account. For Indian businesses, it also underpins compliance readiness under the Digital Personal Data Protection (DPDP) framework, where "consent" must be free, specific, informed, and demonstrable.
In one line
A consent record is a timestamped log proving a customer opted in to your WhatsApp messages — showing where, when, and what they agreed to. It protects your account quality, defends against blocks and complaints, and is the backbone of DPDP-ready compliance in India.What a consent record actually contains
A consent record is more than a checkbox — it is a structured piece of evidence tied to one contact. A well-formed record answers three questions unambiguously: where the opt-in came from, exactly when it happened, and what the customer agreed to receive. Vague or reconstructed consent ("we think they signed up somewhere") is worthless during a Meta review or a customer dispute. The strongest records are captured automatically at the moment of opt-in and stored immutably, so the timestamp and source cannot be edited after the fact.
- Source: the channel and context where consent was given — a website checkout checkbox, an in-store QR scan, a keypad IVR confirmation, a signed order form, or a WhatsApp 'START' reply
- Timestamp: the exact date and time the opt-in was recorded, ideally with a timezone
- Scope: what categories the customer agreed to — order updates, delivery alerts, promotional offers, or all of the above
- Identity: the phone number (and ideally name) the consent is tied to
- Wording: a copy or reference to the exact opt-in language the customer saw
Why it matters on the WhatsApp Business API
Meta's Business Messaging Policy makes opt-in a hard requirement: you may only message people who have agreed to hear from you, through any channel, in a way that clearly names your business. Consent records are how you back that up. When customers block you or tap 'report', WhatsApp weighs those signals into your quality rating and messaging limits — and a solid consent trail is your defence that those recipients genuinely opted in. Without records, a spike in blocks can quietly throttle your number or, in serious cases, get it flagged. Consent is not the same as billing: since 1 July 2025, WhatsApp bills per delivered message by category (marketing, utility, authentication), and InfiQ applies transparent ₹ pricing. But no amount of correct billing setup protects a number that is messaging people who never agreed — consent is the layer that keeps your account healthy enough to keep sending.
How consent maps to message categories
Not all opt-in is equal, and the scope you record should match the kind of messages you intend to send. Utility messages (order confirmations, shipping updates, appointment reminders) are tied to a transaction the customer initiated, so consent is usually implicit in the purchase — but you should still record it. Marketing messages (offers, launches, re-engagement) require clearer, more explicit opt-in because they are promotional, and customers who did not expect them are far more likely to block or report. Recording scope granularly lets you honour a customer who wants delivery alerts but not promotions, which both keeps you compliant and protects your quality rating from unwanted marketing sends.
- Utility / transactional: consent often implicit in the order, but log it anyway
- Authentication: opt-in tied to the account the OTP secures
- Marketing: needs explicit, unambiguous opt-in — the highest-risk category for blocks
- Granular scope lets you respect partial consent (updates yes, offers no)
Consent records and India's DPDP Act
For Indian businesses, consent records are not only a Meta requirement — they are increasingly a legal one. India's Digital Personal Data Protection Act frames consent as something that must be free, specific, informed, unambiguous, and given by a clear affirmative action, with the business (the Data Fiduciary) able to demonstrate that valid consent was obtained. A timestamped consent record with a stored copy of the notice the customer saw is exactly the kind of evidence that demonstrates compliance. The DPDP framework also gives individuals the right to withdraw consent as easily as they gave it, which means your record-keeping must capture opt-outs too — a consent record that never updates when someone leaves is a liability, not an asset.
Common mistakes to avoid
Most consent problems are not malicious — they come from shortcuts that seem harmless until a review or a complaint exposes them. The classic error is uploading a bought or scraped contact list and treating a business relationship as consent; it is not, and it is the fastest route to blocks and a damaged number. Another is capturing a single blanket opt-in and then messaging across every category, which frustrates customers who only wanted transactional updates. Teams also frequently forget to log opt-outs, so a customer who unsubscribed keeps receiving messages — a direct policy and DPDP violation. Finally, storing consent only in a spreadsheet a staff member edits by hand undermines the whole point: if the timestamp can be changed after the fact, it is no longer trustworthy evidence.
- Treating purchased or scraped lists as consent — never valid
- Using one broad opt-in to justify marketing the customer never expected
- Failing to record and honour opt-outs and withdrawal requests
- Keeping editable, un-timestamped records that cannot survive scrutiny
- Re-messaging a number after a long silence without re-confirming interest
Frequently asked questions
Is a consent record legally required in India?+
What is the difference between opt-in and a consent record?+
How long should I keep a consent record?+
Does a consent record affect what I pay for WhatsApp messages?+
Can I message customers who bought from me before, without a fresh opt-in?+
What counts as a valid source of consent?+
How do I handle a customer who withdraws consent?+
Does InfiQ store consent records for me?+
Get your WhatsApp opt-in right from day one
Talk to an InfiQ onboarding specialist and set up compliant, timestamped consent capture across every channel before you send your first campaign.