Facebook Marketplace orders, Messenger chats, and Facebook Ads lead forms all collect personal data — here's what DPDP requires of you.
₹50–250 Cr
Penalty range for violations
Lead Forms
Facebook Ads leads = personal data
May 2027
Compliance deadline
Whether you're selling on Facebook Marketplace, running a Facebook Page shop, or collecting leads via Facebook Ads, you are processing personal data of Indian customers and the DPDP Act 2023 applies to you.
Facebook Marketplace
Buyer name, phone, location, delivery address via Messenger
Lead Ad Forms
Name, email, phone, job title — all personal data from lead forms
Page messages
Customer queries with personal details in Messenger
Pixel & Retargeting
If you run Facebook Ads with Pixel, you are tracking user behaviour
Event responses
RSVPs and ticket purchases contain personal data
Comments & tags
Customer complaints/tags on your page posts
Facebook Lead Ads require a DPDP privacy notice
Your lead ad must link to a DPDP-compliant privacy notice that explains how you use the collected information. Facebook's own terms do not satisfy this.
Messenger order data needs consent logging
Orders taken via Messenger include personal data. You need to log that the customer provided consent before processing their order.
Pixel requires disclosure
If you use Facebook Pixel for retargeting, you must disclose this in your privacy notice and give customers an opt-out mechanism.
Lead data must be deleted on request
If a customer who submitted a lead form asks you to delete their data, you must comply — including removing them from your CRM and ad audiences.
Check your specific obligations with our free 2-minute checker.