How Zithara Handles Customer Consent: Data Shared = Consent Given, Always-On Opt-Out, and STOP-to-Unsubscribe

When a customer walks into your store, fills a webform, or DMs you on Instagram, they're sharing their data — and that act of sharing is the consent. Here's how Zithara captures consent at the source, how the always-on opt-out flag works, and why we recommend a 90-day re-consent check-in under India's DPDP Act.

May 7, 2026 · 6 min

What DPDP Requires

India's Digital Personal Data Protection Act (DPDP Act, 2023) changed the rules for how retailers can collect and use customer data. Under the Act, every customer is a 'data principal' with rights, and every retailer is a 'data fiduciary' with obligations. The data principal must give consent to have their data processed, and they must be able to withdraw that consent with the same ease with which they gave it.
Penalties under the Act can reach ₹250 crore per breach. The bigger cost is reputational: customers who feel their data was used without permission don't usually complain — they unsubscribe, switch brands, and warn their friends.
In Zithara, the model is simple: when a customer voluntarily shares their details with you, that act of sharing is the consent. A customer walks into your store and gives their phone number at the billing counter — they've shared. A customer fills out an enquiry form on your website — they've shared. A customer DMs you on Instagram or WhatsApp asking about a product — they've shared.
Each of those moments creates a consent record in Zithara with three things: the channel they came in on (POS, webform, WhatsApp, Instagram, in-store tablet, Meta Ads lead form), the date and time, and the staff member or campaign that captured the entry. From that point on, the customer is reachable on the channel they used to reach you.
The Act expects this to be backed by clear notice — what data you're collecting, why, and how to withdraw. That's the customer-facing notice your store should display at the counter and link from your webforms and bot flows. Zithara provides templates retailers can customise; the consent capture in the system is the operational record of that notice.
How Zithara captures consent: in-store walk-ins, webforms, and social DMs all create a consent record tagged with channel, date, and capturing staff.

The Always-On Opt-Out Flag

Every customer record in Zithara carries an opt-out flag that any staff member can switch on at any time, on the customer's request. Walk into the store, ask to be removed from messages — store staff toggle the flag, and you're suppressed across every campaign, every channel, immediately.
When the flag is on, the customer is excluded from marketing audiences automatically. Campaign tools enforce this at the audience level, not after the fact: a flagged customer can't be added to a WhatsApp broadcast, an SMS blast, an email list, or a Meta Ads custom audience by accident or by intent. Transactional messages — order confirmations, delivery alerts, invoice copies — continue, because those are part of the service the customer is buying.
The flag is also reversible. If a customer changes their mind and asks to be put back on the list, staff toggle it off and the customer is back in the marketable audience. Every change is logged with a timestamp and the staff ID, so you have an auditable trail.

STOP, Unsubscribe, and Self-Serve Opt-Out

Customers shouldn't have to call the store or wait for staff to act. Zithara recognises self-serve opt-out signals automatically across every channel:
WhatsApp: Reply with stop, unsubscribe, opt out, or tap the 'Stop messages' quick-reply button on any marketing template. The opt-out flag flips on instantly. Marketing stops; transactional updates continue.
Email: A one-click unsubscribe link in the footer plus a standards-compliant List-Unsubscribe header (RFC 8058). Both update the same flag.
SMS: Reply STOP. Same flag, same instant suppression.
All three paths write to the same opt-out flag, so suppression is global across the brand and across channels. A customer who replies STOP on SMS won't reappear in next week's WhatsApp campaign or this month's email list — they're out of the marketable audience until they ask to come back.
Three opt-out paths — staff toggle, STOP keyword, and email unsubscribe — all flip the same flag, suppressing the customer across WhatsApp, SMS, email, and ad audiences.
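The single-flag model from the two sections above (staff toggle, STOP keywords, email unsubscribe, audience-level enforcement, audit trail), as an added sketch that is not Zithara's own code. The class and function names, the whole-message keyword match, and the example URL shape are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Keywords the page lists for WhatsApp/SMS self-serve opt-out.
OPT_OUT_KEYWORDS = {"stop", "unsubscribe", "opt out"}

@dataclass
class Customer:  # hypothetical record shape
    customer_id: str
    opted_out: bool = False  # the single flag every channel shares
    audit: list = field(default_factory=list)

def set_opt_out(customer, value, actor, channel):
    """Flip the flag and log who changed it, where, and when."""
    customer.opted_out = value
    customer.audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "channel": channel, "opted_out": value,
    })

def is_opt_out_message(text):
    """Assumption: match only when the whole reply is a keyword,
    ignoring case, extra whitespace and trailing punctuation."""
    normalized = " ".join(text.lower().split()).strip(" .!")
    return normalized in OPT_OUT_KEYWORDS

def handle_inbound(customer, channel, text):
    """Inbound WhatsApp/SMS reply: opt out on keyword, else no change."""
    if is_opt_out_message(text):
        set_opt_out(customer, True, actor="self-serve", channel=channel)
        return True
    return False

def build_audience(customers, purpose):
    """Enforce suppression when the audience is built, not at send time."""
    if purpose == "transactional":
        return list(customers)  # service messages continue
    if purpose != "marketing":
        raise ValueError(f"unknown purpose: {purpose!r}")  # fail closed
    return [c for c in customers if not c.opted_out]

def one_click_unsubscribe_headers(url):
    """RFC 8058 header pair for one-click email unsubscribe."""
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }
```

Because every channel handler calls the same `set_opt_out`, a STOP on SMS removes the customer from WhatsApp, email and ad audiences on the next `build_audience` call, and an unrecognised purpose raises instead of defaulting to "send".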
Inferring consent from action is legally and operationally clean at the moment of capture. The challenge is time. A customer who shared their number eighteen months ago may have changed phones, changed cities, or stopped caring about your category. Their consent isn't withdrawn, but it's not exactly fresh either.
We recommend a 90-day re-consent cadence: every quarter, send a short WhatsApp or email check-in that lets customers reaffirm, update preferences, or quietly opt out. Something like:
"Hi {name}, you've been getting updates from {store} since {date}. Want to keep hearing from us? Tap below to confirm — or reply STOP anytime to opt out."
Ninety days is short enough to keep consent demonstrably current and long enough that customers don't feel pestered. It also lines up with major Indian retail cycles — pre-Diwali, pre-Akshaya Tritiya, pre-wedding season — so the check-in arrives just before your highest-value campaigns. Customers who reaffirm get a fresh timestamp. Silent customers move to a quieter cadence. Opt-outs are suppressed instantly via the same flag.
Zithara runs the whole flow — segmentation, dispatch, response capture, opt-out flag updates — without any manual work from your team.

What Retailers Should Do This Week

Three concrete tasks:
1. Display the consent notice where data is captured. Print a short customer-facing notice for the billing counter (what you collect, why, how to opt out) and link the same notice from webforms, WhatsApp bot flows, and lead-ad forms. The act of sharing is consent, but the notice is what makes it informed.
2. Brief store staff on the opt-out flag. Anyone working the floor or the billing counter should know how to toggle a customer's opt-out flag from the dashboard in under thirty seconds. If a customer asks to be removed in person, the suppression should happen before they leave the store.
3. Schedule the 90-day re-consent. Set up a recurring quarterly check-in for your marketable audience. Write it warmly. Make 'yes, keep me on the list' the obvious choice and make 'reply STOP to opt out' equally visible.
Done well, the 90-day cadence shrinks your marketable list by about 10–15% in the first quarter and lifts WhatsApp open rates 15–25% over the next two. The customers who remain are the ones who actually want to hear from you, which is the audience worth spending campaign budget on.

Frequently Asked Questions

Does Zithara collect customer data without consent?

No. Zithara only stores customer data that the customer has voluntarily shared — at the billing counter, through a webform, by DMing your social channel, by replying to an ad, or by giving details to staff in-store. The act of sharing is the consent. Each record is tagged with the channel, date, and capture point, and every record can be opted out instantly via the always-on opt-out flag.

How does a customer opt out of Zithara messages?

Three ways. (1) Ask any staff member, who toggles the opt-out flag on the customer's record from the dashboard. (2) Reply STOP, UNSUBSCRIBE, or OPT OUT on WhatsApp or SMS — Zithara recognises the keyword and flips the flag automatically. (3) Click the unsubscribe link in any email. All three write to the same flag, so suppression is global across WhatsApp, SMS, email, and ad audiences.

If I opt out, do I stop getting all messages?

You stop getting marketing messages — campaigns, offers, festive promotions. Transactional messages continue: order confirmations, delivery updates, invoice copies, appointment reminders. Those are part of the service you're buying, not marketing, and DPDP allows transactional communication based on the underlying contract.

How often should retailers refresh customer consent?

Quarterly. A 90-day re-consent cadence keeps consent demonstrably current, lines up with Indian festive cycles, and is frequent enough to maintain trust without nagging customers. Zithara automates the segmentation, message dispatch, response capture, and flag updates.

Is Zithara compliant with India's DPDP Act?

Zithara is built around the DPDP Act's core requirements: consent captured at the source with channel and timestamp, purpose-limited usage with marketing and transactional separated, an always-on opt-out flag accessible to staff and triggerable by customers themselves, and right-to-erasure handled from the dashboard. We follow ISO 27001 controls and our infrastructure on AWS Mumbai inherits AWS's compliance posture. See our Trust Center for the full security and compliance overview.

Does the re-consent campaign hurt my marketing reach?

Short-term, your marketable audience shrinks by about 10–15% in the first quarter as inactive customers drop off. Long-term, engagement, click-through, and conversion rates rise — because the audience that remains is the audience that actually wants to hear from you. Most Zithara customers see WhatsApp open rates climb 15–25% within two quarters of running the 90-day cadence.

DATA PRIVACY | DPDP ACT | CONSENT MANAGEMENT | RETAIL CRM | WHATSAPP MARKETING


Written by Ravi Bhushan Ojha
VP – Product Engineering, Zithara.AI
Ravi leads product and engineering at Zithara.AI, building AI-powered CRM, loyalty programs, and WhatsApp automation for retail and consumer brands across India and globally. He works closely with jewelry chains, fashion retailers, and electronics brands to help them use data and AI to grow customer lifetime value — without needing a large tech team to make it happen.