Is sending an OTP a "processing" event under DPDP?

Yes. Phone number + OTP code + timestamp is personal data being processed. You need a lawful basis (typically performance of contract / consent), a stated purpose, and a retention policy.

Do I need explicit consent for OTP login?

Sign-up consent at first OTP usually covers it under "performance of contract" or "necessary for the service requested". Layer explicit consent on optional flows like marketing SMS.

Can I store OTP plaintext under DPDP?

Storing plaintext OTP is poor practice and likely a DPDP "reasonable security" failure. Always hash. The provider should hash and your servers should never see plaintext.

Industry & Compliance

DPDP Act and OTP Compliance in India

How the Digital Personal Data Protection Act 2023 affects OTP and SMS workflows: consent, purpose limitation, data minimisation, retention, and OTP-specific patterns.

5 May 2026|9 min read

StartMessaging Team

Engineering

The Digital Personal Data Protection Act 2023 (DPDP) reshaped how Indian businesses handle personal data. OTP — being a phone number plus authentication code — is squarely in scope. This guide explains what changes for OTP flows.

Overview of DPDP Act

Lawful basis for processing.
Purpose limitation.
Data minimisation.
Reasonable security safeguards.
User rights (access, correction, erasure).
Breach notification obligations.

Consent for OTP-based authentication is typically captured at sign-up under “performance of contract”. Marketing SMS, on-call notifications, and service-explicit messages need separate consent.

Purpose Limitation

Phone number captured for OTP cannot be repurposed for marketing without separate consent. Document the purpose at collection and honour it.

Data Minimisation

Don’t collect what you don’t need.
OTP requestId is enough — no need to store the plaintext code.
IP / device fingerprint only if required for fraud control.

Retention Rules

OTP logs: as long as needed for the stated purpose, plus statutory minimums (financial flows = 7+ years).
Marketing data: until consent withdrawn.
Phone numbers: bound to the account lifecycle plus statutory retention.

Breach Notification

DPDP requires notification to the Data Protection Board and affected individuals on a personal-data breach. OTP plaintext leakage qualifies.

OTP-Specific Patterns

Hash OTPs server-side, store the hash, never log plaintext.
Capture purpose in the OTP audit row.
Implement right-to-erasure on the phone-number column.
Maintain access-request export pipeline.

FAQ

StartMessaging hashes OTPs by default and provides DLR / audit logs in a DPDP-friendly format.

Industry & Compliance

OTP Data Privacy: DPDP Act Compliance

How India's Digital Personal Data Protection Act affects OTP and SMS implementations. Phone numbers as personal data, consent, retention, and compliance checklist.

StartMessaging Team·9 Feb 202610 min read

Industry & Compliance

TRAI Message Scrubbing in India: PE, Header, Template Failures

How TRAI message scrubbing works in India: the PE, header, and template checks every SMS goes through, common failure codes, and how to debug delivery loss.

StartMessaging Team·6 May 20269 min read

OTP & SMS Security

RBI 2026 Mandatory 2FA Rules: What Indian Apps Must Do

Plain-English summary of RBI's April 2026 mandatory 2FA rules for digital payments, what counts as a valid second factor, and how OTP fits in.

StartMessaging Team·3 May 20269 min read