Instagram has become India's biggest social commerce platform. Millions of sellers — fashion, food, beauty, handicrafts — take orders via DMs, collect delivery addresses, and build customer lists entirely on Instagram. The DPDP Act 2023 applies to every single one of them.
The Legal Position: Section 3(a)(i)
Instagram DMs are digital. When a customer sends you their name, address, phone, or payment details via an Instagram message, that is personal data collected in digital form under Section 3(a)(i) of the DPDP Act. Unlike some grey areas in data protection law, this is unambiguous.
You don't need to be a registered company. You don't need to have a GST number. You don't need to have a website. If you take orders via DMs, you are a Data Fiduciary under the DPDP Act.
What Data Does a Typical Instagram Seller Collect?
- Customer's Instagram username (an identifier)
- Full name — often sent when confirming an order
- Delivery address — for every order
- Phone number — for delivery coordination
- Payment confirmation screenshots — containing financial data
- Size, preference, or medical information (for beauty/health products)
If you screenshot order DMs or copy addresses into a notebook or sheet, that's data processing under Section 3(a)(i)/(ii).
What Must You Do?
Pre-Collection Consent Notice
Before collecting a customer's delivery address for the first time, you must send them a consent notice explaining what you're collecting and why. The simplest implementation: add a standard line at the top of your order confirmation message. Something like:
"By sharing your address with us, you consent to us using it for delivery purposes only. We won't share it with anyone except our courier. You can ask us to delete your data anytime."
This is a simplified version. A proper consent notice needs to be more specific — EasyDP generates these automatically per customer and per language.
Privacy Notice in Your Bio or Link-in-Bio
Every Data Fiduciary must publish a privacy notice. For Instagram sellers, the practical implementation is a link-in-bio page that includes your data practices. This doesn't need to be a law firm document — it needs to cover what data you collect, for what purpose, who it's shared with, and how customers can exercise their rights.
Respond to Access and Deletion Requests
Any customer who DMs "what information do you have about me?" or "please delete my data" has a legal right to a response. You must be able to tell them what data you hold and delete it if they ask.
Instagram-Specific Challenges
Screenshots: Many sellers screenshot DMs containing addresses. Once that screenshot is in your camera roll or Google Drive, it's a stored personal data record. Apply all the same rules.
Broadcast Channels: Instagram's Broadcast Channels now allow mass messaging. Everyone in your channel has implicitly shared their Instagram identity with you. Consent is still required for using that identity for marketing.
Story polls and question stickers: If you collect customer preferences via stories and store the results, that's data processing. Get consent.
The Practical Compliance Minimum
If you're a small Instagram seller and want to be basically compliant without a tool:
- Add a consent statement to every first order confirmation DM
- Add a simple privacy page via Linktree or Beacons in your bio
- Keep a record (even in a notes app) of who has consented
- Delete a customer's data within 30 days of them asking
- Don't share addresses with third parties except your courier
This won't make you 100% compliant with all provisions, but it demonstrates good-faith effort — which the Data Protection Board will consider when determining penalties.
Use EasyDP to Automate All of This
EasyDP's Instagram integration monitors your incoming order DMs. When a new customer messages you, EasyDP automatically sends a consent link in their language. All consents are logged. When you ship, EasyDP captures the address in a DPDP-compliant record. If the customer ever asks for deletion, one click handles everything. You sell — EasyDP handles compliance.