WhatsApp Marketing for Indian Malls: The Compliance-Aware Operator Handbook

WhatsApp is the dominant marketing channel for Indian mall shoppers in 2026. SMS reach has degraded under TRAI's template tightening. Email open rates for promotional content sit under 12 percent. Push notifications require app downloads most shoppers don't do. WhatsApp opens, gets read, and converts. It is also the channel most likely to violate Meta's business policy and India's DPDP rules at the same time. A bulk promotional broadcast to non-opted-in shoppers in 2026 risks account suspension by Meta, a DPDP complaint, and a TRAI regulatory inquiry — same single misstep.

It is also the channel most likely to violate Meta's business platform policy and India's DPDP rules at the same time. A bulk promotional broadcast to non-opted-in shoppers in 2026 risks: account suspension by Meta, a DPDP complaint, and a TRAI bulk-promotional-message regulatory inquiry. Same single misstep.

This piece is the compliance-aware handbook for running WhatsApp marketing at an Indian mall.

The platform constraints

WhatsApp Business Platform (Meta's official API for businesses) governs commercial messaging. The rules:

Template messages must be pre-approved by Meta. Categories: Marketing, Utility, Authentication. Marketing templates have the strictest review.

Session messages can be free-form but only within 24 hours of a customer message. The customer-initiated message opens the session window.

Quality rating determines whether your messages reach customers. Phone numbers with low quality ratings get throttled or blocked.

Broadcast volume limits scale with quality rating. Low quality: 1,000 unique customers per 24 hours. High quality: 100,000+ unique customers per 24 hours.

Opt-in evidence required. Meta can audit any account to demand proof of opt-in for messaged numbers. Bulk sends to scraped lists are detected and penalised.

The DPDP overlay

On top of Meta's rules, DPDP requires:

• Specific, granular consent for marketing (separate from loyalty operation consent)
• Withdrawal as easy as opt-in
• Each message traceable to the source consent that authorised it
• Suppression list honored globally across channels

These overlap with Meta's rules but go further. A mall could comply with Meta and still violate DPDP if the consent capture was bundled with loyalty enrollment.

The 12-rule compliance baseline

A WhatsApp marketing programme that complies with both Meta and DPDP follows these 12 rules:

1. Explicit double opt-in. Shopper signs up via loyalty enrollment, then sends a confirmation message via WhatsApp confirming they want to receive marketing.
2. Marketing consent separate from loyalty consent. Two distinct tickboxes at enrollment.
3. Template-only for marketing broadcasts. No free-form marketing messages outside the 24-hour session window.
4. Frequency cap. Maximum 2 marketing template messages per shopper per week. Policy enforced in the platform, not just in policy documents.
5. Time-of-day window. Marketing messages only between 09:00 and 21:00 IST. No 6am festival blasts.
6. Suppression respected within 24 hours. Unsubscribe action immediately propagates to all queued messages.
7. One-tap unsubscribe. Every marketing template includes a "Reply STOP to unsubscribe" line. STOP processing is automatic.
8. Audit log of every send. Phone number, template id, source consent id, send timestamp, delivery status, read status. Retained 13+ months.
9. No marketing to unverified numbers. Numbers that failed delivery 3 times in a row get auto-suspended.
10. No purchased lists, ever. Only consent-captured shoppers.
11. Quality rating monitoring. If quality drops below "high," pause marketing sends and investigate immediately.
12. DPDP-aligned consent notice. The opt-in message names the specific purpose, the data used, the withdrawal mechanism, and links to the privacy policy.

What marketing actually works on WhatsApp

Five message types that consistently perform:

Personalised birthday / anniversary messages. 38-52% redemption rate on associated vouchers. Highest ROI single mechanic.

Festival-anchored campaigns. Diwali, Eid, Christmas, Pongal, Onam, Durga Puja. 4-6 sends across a 30-day festival window with specific value propositions.

Loyalty tier-up celebrations. Personalised "You've reached Gold" with a tier-specific benefit (₹500 voucher, exclusive event access). 35-45% engagement.

Weekday-targeted offers. Tuesday-Thursday specific F&B or weekday-only category offers to drive soft footfall windows.

Event invitations. Curated event invites to shoppers based on past behaviour. Workshop for kids → families with kids in profile. Movie premiere → cinema-frequent visitors.

What doesn't work:

• Generic weekly newsletters (low open, high unsubscribe)
• Bulk "Sale starts Monday" blasts to entire base (frequency cap violation + DPDP risk)
• Re-engagement campaigns to long-dormant shoppers (Meta downgrades quality rating)

The operational stack

A WhatsApp marketing programme needs:

• WhatsApp Business API account — verified via Meta, with a green checkmark badge for trust.
• Business Solution Provider (BSP) — typically Gupshup, Twilio, Karix, or Wati. They handle the API connection.
• Template manager — to create, submit for Meta approval, and version-control marketing templates.
• Campaign engine — to segment shoppers by consent, schedule sends, respect frequency caps, log audits.
• Suppression list integration — connected to the global unified suppression list across all channels.

Sample campaign architecture

A well-run Diwali campaign for an Indian mall might look like:

• 30 days out. Template message to Gold and Platinum tier members announcing the festival programme. (1 send per shopper.)
• 15 days out. Personalised pre-festival voucher to Silver+ tier members based on past spend categories. (1 send per shopper.)
• 7 days out. Festival event invitation (in-mall activations). Send only to shoppers within 25km radius. (1 send per shopper.)
• 3 days out. Reminder for unredeemed vouchers. (1 send per shopper with unused voucher.)
• Diwali day. Greeting + same-day double points offer. (1 send to all marketing-consented shoppers.)
• 2 days post-festival. Thank-you + small loyalty bonus. (1 send.)

Total: max 5-6 sends across a 30-day festival window. Frequency cap respected. Each send template-approved. Audit log per send.

Frequently asked questions

What's the WhatsApp Business API pricing in India?

Marketing template messages in India cost approximately ₹0.78 per message (subject to Meta pricing tier and BSP markup). At mall scale (50,000 shoppers, 4 sends per month average), that's ₹1.5-2 lakh monthly. Still 5-10x cheaper than equivalent SMS reach.

Can we use WhatsApp for transactional messages without marketing consent?

Yes. Loyalty transactional messages (points earned, voucher issued) fall under the Utility category, not Marketing. Separate consent applies. Most malls capture utility consent automatically with loyalty enrollment.

What happens if Meta suspends our WhatsApp Business API account?

Recovery requires submitting evidence of consent capture for the messaged numbers, demonstrating remediation, and waiting for Meta review (3-30 days). The operational damage is significant.

Do we need separate WhatsApp Business APIs per property in a multi-mall group?

Best practice: one verified account per mall property, branded with the mall's name and logo. Shoppers expect to receive messages from "Phoenix Marketcity Mumbai" not from a corporate parent account.

How Portcart handles this

The DPDP- and Meta-compliant WhatsApp marketing pattern is built into Portcart's communication engine.

• [Communication Engine](/platform/communication) — template management, frequency cap enforcement, time-of-day windows, audit per send, automatic suppression list integration.
• [Shopper Wallet (Consent Ledger)](/platform/shopper-wallet) — granular marketing consent capture with one-tap withdrawal.
• [Loyalty Layer](/platform/loyalty) — utility messages (points, vouchers) automatically separated from marketing messages.

If your mall's WhatsApp marketing is currently a manual broadcast tool with no compliance scaffolding, request a demo and we will walk you through migration to the platform-managed pattern.