DPDP Act 2023 Klaviyo Compliance Checklist for Indian D2C Brands
India's DPDP Act is enforcement-active in 2026. This is the Klaviyo + Shopify compliance checklist Indian D2C brands need — consent tracking, data deletion workflows, SMS TRAI-DLT, and the specific Klaviyo settings that make you compliant instead of exposed.
Mark Cijo
Founder, GOSH Digital

The 30-second answer
India's DPDP Act is enforcement-active in 2026. If you run Klaviyo email or SMS to Indian users — whether you're a Mumbai-based D2C brand or a US DTC shipping to India — you need six specific Klaviyo settings configured, a DPDP-compliant privacy notice, and a documented data-deletion workflow. Non-compliance carries penalties up to INR 250 crore ($30M USD), but the practical risk is reputational damage from a Data Protection Board enforcement notice.
The compliance checklist:
- Double opt-in on every signup form (single opt-in is not DPDP-compliant for marketing)
- Consent records captured — timestamp, method, source per subscriber
- Data deletion workflow live — with documented response-window SLA
- Privacy notice published + linked from every form
- Profiling consent — separate checkbox if you use Klaviyo Predictive or Meta CAPI
- TRAI DLT registration if you send SMS to Indian numbers
If you're behind on any of these, a two-week sprint gets you to technical compliance. Below is what to build, in what order, and where the common Klaviyo gaps are.
Why this matters more in 2026 than it did in 2024
The Digital Personal Data Protection Act was passed in August 2023, but for the first 18 months it lived in that ambiguous space where the law exists but nobody's getting fined. Indian D2C brands mostly ignored it.
That's over. Three shifts made 2026 the enforcement year:
- The Data Protection Board of India became operational in mid-2025 with active investigation authority
- Enforcement notices started landing on non-compliant brands in Q4 2025 — including some high-profile Indian D2C companies whose privacy notices were quietly out of date
- DPDP compliance is being audited as part of Series A due diligence for Indian D2C startups — investors don't want to inherit legal exposure
If you're an Indian D2C brand and your last privacy policy review was 2023, you're already behind. If you're a non-Indian brand serving Indian consumers and haven't touched compliance, the extraterritorial reach means you're also in scope (same rule as GDPR — where you're headquartered doesn't matter, where your users are does).
Who DPDP applies to (and it's more brands than you think)
DPDP applies if you process personal data of a data principal — anyone physically in India when the data was collected, OR any Indian citizen regardless of location.
In scope:
- Indian D2C brands with Indian customers (obvious)
- Non-Indian brands (US, UK, UAE, EU) selling into India
- Non-Indian brands running Meta or Google Ads targeting Indian users
- Any brand collecting email/phone at Shopify checkout from Indian addresses
- Any Klaviyo profile that has an Indian phone number or IP-derived Indian location
Out of scope (limited exceptions):
- Purely internal HR data of your own employees
- Publicly available data that a data principal has intentionally made public
- Court-ordered processing
- Research and archival purposes with proper safeguards
For 99% of D2C brands, "we're not in India" is not a valid defense. If your Klaviyo has Indian profiles or your Meta Ads reach Indian users, DPDP is your problem.
The six Klaviyo settings for DPDP compliance
1. Double opt-in on every signup form
DPDP requires explicit, informed consent for marketing communications. Single opt-in (subscriber enters email → immediately added to list) does not meet the standard because there's no way to prove the subscriber actually confirmed the intent to receive marketing.
Fix: Klaviyo → Forms → Form settings → Enable Double Opt-in. Every subscriber must click a confirmation link before being added to the marketing list. This also improves list health — bounce rates typically drop 3-5% after switching.
Common gap: brands enable double opt-in on new signup flows but leave existing subscribers un-confirmed. If your database has any subscribers who joined via single opt-in and haven't been re-confirmed, they're technically non-compliant.
2. Consent records captured on every profile
DPDP requires you to prove consent when audited. Klaviyo captures three fields per subscriber that satisfy this:
- Consent timestamp (when they opted in)
- Consent method (form ID + double opt-in confirmation)
- Consent source (URL of the form)
Verify in: Klaviyo → Profile properties → Confirm these fields exist and are populated on new signups. If they're not, adjust your form configuration.
Store this data indefinitely — DPDP audits can request historical consent records going back years.
3. Data deletion workflow with documented SLA
DPDP grants data principals the right to erasure — subscribers can request deletion of their personal data. You must respond within a mandated timeframe (the Rules published under the Act specify response windows).
Fix: publish a dedicated deletion request email address in your privacy notice (e.g. privacy@yourbrand.com) + document the internal workflow — who receives, who authenticates, who executes in Klaviyo, who confirms completion to the subscriber.
Klaviyo's implementation: Profiles → search → Delete Profile removes all data. For bulk deletion, use the Data Deletion API.
Common gap: brands have the API access but no documented workflow. When a deletion request lands, staff scramble to figure out how to process it. Document the workflow BEFORE the first request arrives.
4. Privacy notice published + linked
DPDP requires a clear, accessible privacy notice that explains:
- What data you collect
- What you use it for
- Who you share it with (Klaviyo, Meta, Shopify, etc.)
- How long you retain it
- Their rights (access, correction, erasure)
- How to exercise those rights (contact address)
Fix: publish a DPDP-compliant privacy notice at /privacy or /legal/privacy. Link it from every Klaviyo signup form (Klaviyo → Forms → Settings → Privacy Notice URL) and every Shopify checkout.
Common gap: brands have a generic "privacy policy" from a Shopify template that doesn't mention DPDP or Indian data principals. Generic templates don't meet DPDP's specificity requirements.
5. Profiling consent — separate opt-in for behavioral use
This is where most brands fail. DPDP requires explicit consent for the specific purpose you're processing data.
General marketing consent covers sending campaigns and flows. It does NOT automatically cover:
- Klaviyo Predictive LTV scoring
- Meta Custom Audience sync from Klaviyo segments
- Personalization at flow-level using behavioral events
- Cross-device profile matching
For these, you need a separate profiling consent — a distinct checkbox on your signup form or checkout that says something like: "I consent to my data being used to personalize product recommendations and predict order timing."
Fix: add a profiling_consent custom profile property in Klaviyo. Update your signup forms to capture it separately. Segment your predictive features and Meta CAPI events to only fire for profiles with profiling_consent = true.
Without this, your Klaviyo Predictive features are technically non-compliant when applied to Indian data principals — even if your general marketing consent is clean.
6. TRAI DLT registration for SMS
TRAI DLT (Distributed Ledger Technology) is India's SMS-specific compliance layer. You cannot legally send marketing SMS to Indian phone numbers without DLT registration.
Steps:
- Register your business entity as a Principal Entity with one of the six approved Indian telecom access providers (Airtel, Jio, VI, BSNL, MTNL, Videocon)
- Register a Header ID — the sender ID your subscribers see (e.g.
GOSHDG) - Register each message template you'll send — TRAI approves each template variant before you can use it
Klaviyo supports DLT via its Twilio and Karix Mobile integrations. Configure the DLT-registered sender in Klaviyo → SMS settings before launching any SMS campaign.
Common gap: brands attempt to send Klaviyo SMS to Indian numbers using non-DLT sender IDs. Result: automatic block by Indian telecom operators + violation of TRAI regulations. If your Klaviyo SMS to Indian phones is failing to deliver, DLT setup is almost certainly the cause.
The two-week DPDP-compliant rebuild sprint
If you're starting from scratch or need to catch up fast:
Week 1 — Foundation:
- Day 1-2: Audit current consent language on all Shopify forms + Klaviyo popups + checkout
- Day 3-4: Publish DPDP-compliant privacy notice at
/privacy— use a template from a reputable Indian legal source, then customize for your specific data flows - Day 5-6: Add profiling consent checkbox to signup forms + checkout with clear language
- Day 7: Tag existing Indian profiles into a dedicated Klaviyo segment (filter by phone country code = +91 or shipping address = India)
Week 2 — Klaviyo technical compliance:
- Day 8-9: Enable double opt-in on all Klaviyo signup forms + verify consent record fields are being captured
- Day 10-11: Configure data deletion request workflow — dedicated email address, documented internal SLA, tested Klaviyo Data Deletion API access
- Day 12-13: If you send SMS to India — start TRAI DLT registration with your telecom access provider (this can take 5-10 business days for approval, so start earlier if possible)
- Day 14: Run a test data-access request + deletion request end-to-end to confirm the workflow works before the first real request arrives
Full compliance takes longer for the deep policy work (DPO designation if you cross the qualifying threshold, breach response procedures, cross-border data transfer contracts), but the Klaviyo-specific technical compliance can hit a functional state in 10-14 days.
What NOT to do
Don't rely on a Shopify template privacy policy. Generic templates don't meet DPDP's specificity requirements. Get a DPDP-specific privacy notice.
Don't assume single opt-in is fine because "everyone does it." Everyone did it. That's why enforcement notices are landing now.
Don't send SMS to Indian numbers without DLT registration. Klaviyo's SMS layer won't block you technically, but Indian telecom operators will, and TRAI can act against you.
Don't treat compliance as a one-time project. DPDP requires ongoing consent management, breach response readiness, and privacy notice updates as your data practices evolve. Build it into your quarterly ops review.
Don't tell your team "we'll deal with a data request when it comes." The first data-access or deletion request under DPDP has a fixed response window. Scrambling to figure out your workflow AFTER the request lands is how brands miss the window and land in violation.
Where to go from here
If you're running Klaviyo for an Indian D2C brand and want the compliance rebuild done properly — book a free Klaviyo audit and we'll assess your current setup + map the two-week sprint.
If you're a non-Indian brand serving Indian customers, the same architecture applies. See our India market entry playbook for the broader context on running growth marketing across Indian and international markets.
For the deeper technical Klaviyo work — flows, segments, deliverability — that layers on top of DPDP compliance, see our complete Klaviyo guide for 2026.
Related reading
- The Complete Klaviyo Guide for 2026 — the full retention playbook
- Klaviyo Consent Management Guide — CAN-SPAM, GDPR, TCPA + now DPDP
- Kerala D2C Playbook 2026 — Kerala-specific strategy including compliance
- Onam 2026 Marketing Playbook — festival-timed campaigns for Kerala D2C
- How to Sync Klaviyo Segments to Meta Ads — the Meta CAPI + Klaviyo integration

Written by Mark Cijo
Founder of GOSH Digital. Klaviyo Gold Partner. Helping eCommerce brands grow revenue through data-driven marketing.
Book a free strategy call →

