Skip to content
Meta Business PartnerGlossary term

Consent Record

A consent record is a stored, timestamped log of a specific customer's opt-in to receive WhatsApp messages from your business — capturing at minimum the source of the opt-in, the moment it was given, and the scope of what they agreed to receive. It is the evidence trail behind every message you send. On the WhatsApp Business API, Meta requires that you obtain opt-in before messaging a user, and a proper consent record is how you prove that opt-in existed if a customer complains, if your quality rating dips, or if Meta reviews your account. For Indian businesses, it also underpins compliance readiness under the Digital Personal Data Protection (DPDP) framework, where "consent" must be free, specific, informed, and demonstrable.

Source, timestamp, and scope of opt-in
What it captures
Meta / WhatsApp Business Messaging Policy
Required by
DPDP Act (India) consent principles
Compliance link
Keep for as long as you message the contact
Retention
Blocks, low quality rating, complaints undefended
Fails without it

In one line

A consent record is a timestamped log proving a customer opted in to your WhatsApp messages — showing where, when, and what they agreed to. It protects your account quality, defends against blocks and complaints, and is the backbone of DPDP-ready compliance in India.

What a consent record actually contains

A consent record is more than a checkbox — it is a structured piece of evidence tied to one contact. A well-formed record answers three questions unambiguously: where the opt-in came from, exactly when it happened, and what the customer agreed to receive. Vague or reconstructed consent ("we think they signed up somewhere") is worthless during a Meta review or a customer dispute. The strongest records are captured automatically at the moment of opt-in and stored immutably, so the timestamp and source cannot be edited after the fact.

  • Source: the channel and context where consent was given — a website checkout checkbox, an in-store QR scan, a keypad IVR confirmation, a signed order form, or a WhatsApp 'START' reply
  • Timestamp: the exact date and time the opt-in was recorded, ideally with a timezone
  • Scope: what categories the customer agreed to — order updates, delivery alerts, promotional offers, or all of the above
  • Identity: the phone number (and ideally name) the consent is tied to
  • Wording: a copy or reference to the exact opt-in language the customer saw

Why it matters on the WhatsApp Business API

Meta's Business Messaging Policy makes opt-in a hard requirement: you may only message people who have agreed to hear from you, through any channel, in a way that clearly names your business. Consent records are how you back that up. When customers block you or tap 'report', WhatsApp weighs those signals into your quality rating and messaging limits — and a solid consent trail is your defence that those recipients genuinely opted in. Without records, a spike in blocks can quietly throttle your number or, in serious cases, get it flagged. Consent is not the same as billing: since 1 July 2025, WhatsApp bills per delivered message by category (marketing, utility, authentication), and InfiQ applies transparent ₹ pricing. But no amount of correct billing setup protects a number that is messaging people who never agreed — consent is the layer that keeps your account healthy enough to keep sending.

How consent maps to message categories

Not all opt-in is equal, and the scope you record should match the kind of messages you intend to send. Utility messages (order confirmations, shipping updates, appointment reminders) are tied to a transaction the customer initiated, so consent is usually implicit in the purchase — but you should still record it. Marketing messages (offers, launches, re-engagement) require clearer, more explicit opt-in because they are promotional, and customers who did not expect them are far more likely to block or report. Recording scope granularly lets you honour a customer who wants delivery alerts but not promotions, which both keeps you compliant and protects your quality rating from unwanted marketing sends.

  • Utility / transactional: consent often implicit in the order, but log it anyway
  • Authentication: opt-in tied to the account the OTP secures
  • Marketing: needs explicit, unambiguous opt-in — the highest-risk category for blocks
  • Granular scope lets you respect partial consent (updates yes, offers no)

Consent records and India's DPDP Act

For Indian businesses, consent records are not only a Meta requirement — they are increasingly a legal one. India's Digital Personal Data Protection Act frames consent as something that must be free, specific, informed, unambiguous, and given by a clear affirmative action, with the business (the Data Fiduciary) able to demonstrate that valid consent was obtained. A timestamped consent record with a stored copy of the notice the customer saw is exactly the kind of evidence that demonstrates compliance. The DPDP framework also gives individuals the right to withdraw consent as easily as they gave it, which means your record-keeping must capture opt-outs too — a consent record that never updates when someone leaves is a liability, not an asset.

Common mistakes to avoid

Most consent problems are not malicious — they come from shortcuts that seem harmless until a review or a complaint exposes them. The classic error is uploading a bought or scraped contact list and treating a business relationship as consent; it is not, and it is the fastest route to blocks and a damaged number. Another is capturing a single blanket opt-in and then messaging across every category, which frustrates customers who only wanted transactional updates. Teams also frequently forget to log opt-outs, so a customer who unsubscribed keeps receiving messages — a direct policy and DPDP violation. Finally, storing consent only in a spreadsheet a staff member edits by hand undermines the whole point: if the timestamp can be changed after the fact, it is no longer trustworthy evidence.

  • Treating purchased or scraped lists as consent — never valid
  • Using one broad opt-in to justify marketing the customer never expected
  • Failing to record and honour opt-outs and withdrawal requests
  • Keeping editable, un-timestamped records that cannot survive scrutiny
  • Re-messaging a number after a long silence without re-confirming interest

See InfiQ pricing

Talk to InfiQ

See how this works on InfiQ

Tell us your use-case — we’ll show it running in a sandbox, usually within a working day.

Step 1 of 2
WhatsApp

Protected by invisible spam checks · replies within 1 working day

Frequently asked questions

Is a consent record legally required in India?+
Meta's Business Messaging Policy requires opt-in before you message on the WhatsApp Business API, and a consent record is how you prove it. Separately, India's DPDP Act requires businesses to obtain valid, demonstrable consent for personal data processing — so a stored, timestamped record supports both your platform compliance and your legal readiness.
What is the difference between opt-in and a consent record?+
Opt-in is the customer's action — agreeing to hear from you. The consent record is the stored evidence of that action: when it happened, where it came from, and what they agreed to. You need the record because the opt-in itself is a moment in time that you would otherwise have no way to prove later.
How long should I keep a consent record?+
Keep it for as long as you continue messaging that contact, plus a reasonable buffer after they opt out, so you can demonstrate the relationship if it is ever questioned. If a customer withdraws consent, update the record to reflect the opt-out rather than deleting the history of it.
Does a consent record affect what I pay for WhatsApp messages?+
Not directly. Since 1 July 2025, WhatsApp bills per delivered message by category — marketing, utility, or authentication — and InfiQ applies transparent ₹ pricing. Consent does not change the rate, but poor consent leads to blocks and complaints that can throttle your number, which is far more costly than any per-message price.
Can I message customers who bought from me before, without a fresh opt-in?+
A prior transaction can support consent for related utility messages like order or delivery updates, but it does not automatically grant permission to send marketing. For promotional messages, capture explicit opt-in and record it. When in doubt, treat marketing as needing its own clear consent.
What counts as a valid source of consent?+
Any channel where the customer clearly agreed and your business was named — a website checkbox, an in-store or receipt QR code, a signed form, an IVR confirmation, or the customer messaging you first. The key is that the agreement was affirmative and specific, not assumed, and that you logged where it came from.
How do I handle a customer who withdraws consent?+
Stop messaging them promptly and update the consent record to reflect the withdrawal, including when it happened. Under DPDP, withdrawing consent should be as easy as giving it, so honour opt-out keywords and unsubscribe requests without friction, and keep the record so you can prove you complied.
Does InfiQ store consent records for me?+
InfiQ helps you capture opt-in at the point of contact and keep an organised, timestamped trail tied to each number, so your team is not relying on manual spreadsheets. An onboarding specialist can walk you through capturing consent for your specific flows — checkout, in-store, IVR, or WhatsApp-initiated.

Get your WhatsApp opt-in right from day one

Talk to an InfiQ onboarding specialist and set up compliant, timestamped consent capture across every channel before you send your first campaign.