The most revealing aspect of the 2021 WhatsApp privacy-policy litigation is not what it ultimately said about privacy. It is how the dispute managed to become legally actionable in the first place. This article examines that institutional detour: why a privacy problem had to travel through competition doctrine to attract meaningful scrutiny and remedies, and how the enforcement landscape will shift as the DPDP regime enables privacy harms to be pursued directly, using the WhatsApp–Meta episode as the connective thread.
This detour through competition law was not incidental. It was the only available enforcement route that could convert privacy discomfort into regulatory action. This is not the first instance in India or across jurisdictions.
In India, one early example is the series of proceedings pertaining to Google’s Android ecosystem before the Competition Commission of India (“CCI”). Formally, these cases focused on abuse of dominance through tying, pre-installation, and restrictions on device manufacturers. Substantively, however, a central concern was Google’s ability to entrench its data advantage by making its services unavoidable defaults. Yet the case could not be framed as a privacy violation. It had to be framed as foreclosure and leveraging, because only competition law could interrogate default-based coercion at scale and impose penalties under a legal construct. A similar pattern emerged in the CCI’s inquiries into Google’s Play Store policies. While the formal findings addressed self-preferencing and unfair conditions imposed on app developers, the underlying effect was again about control over data flows and user choice.
Across jurisdictions, the WhatsApp litigation reflects a broader pattern in which competition law has been pressed into service to address privacy harms that privacy law was not yet institutionally equipped to handle. From Germany’s Facebook decision to the European Commission’s Google Android cases, and from French unfair-conditions inquiries to digital platform investigations in Australia and the United States, regulators repeatedly relied on competition or consumer protection frameworks to examine coercive consent, forced data aggregation, default-based data collection, and the erosion of meaningful user choice. In each instance, the formal legal hook was dominance, tying, or unfair conduct, but the underlying substantive concern was privacy: users’ inability to control how their data was collected and combined. With technology and excessive data collection, this convergence was not a matter of doctrinal creativity as much as institutional necessity.
Also left out were the small to mid-tier companies, which are too small to attract the principles of “abuse of dominance” but big enough to create “privacy concerns”. This mattered because modern privacy harms rarely arise from dramatic breaches alone. They arise from routine design choices: how information is framed, how choices are presented, and what happens when a user tries to say no. Without a regulator capable of interrogating those choices, privacy law remained largely aspirational.
Against this backdrop, competition law offered something privacy law did not: an enforcement-ready institution with investigative powers, penalty authority, and a willingness to examine platform behaviour in structural terms. By framing WhatsApp’s policy update as an abuse of dominance, complainants could access that machinery.
The argument was not that WhatsApp collected data unlawfully in the abstract. It was that WhatsApp imposed unfair conditions on users who lacked meaningful alternatives. The “take it or leave it” update was framed as coercive, not because it offended dignity, but because it exploited market power. This framing allowed the Competition Commission of India to intervene under the Competition Act. It examined WhatsApp’s position in the relevant market, the presence of network effects, switching costs, and user dependence. Privacy entered the analysis indirectly, as a form of non-price harm that dominance allowed the firm to impose.
This was a conceptual stretch, but a productive one. Competition law supplied a vocabulary that privacy law lacked. It allowed regulators to speak about coercion, lack of choice, and forced acceptance in a way that could support sanctions.
The enforcement outcome confirmed both the power and the limits of this approach. The case moved through the appellate system, culminating in decisions by the National Company Law Appellate Tribunal. The Tribunal upheld a substantial monetary penalty, narrowed parts of the remedy, and later clarified that user-choice safeguards applied to all non-WhatsApp purposes, including advertising.
Substantively, the directions resembled privacy regulation. WhatsApp was required to explain what data was shared, with whom, and for what purposes. Users had to be offered clearer choices. Non-essential data sharing could not be bundled invisibly into continued use. Yet doctrinally, everything turned on dominance. The case did not establish a general principle that coercive consent is unlawful. It established that dominant platforms cannot impose such consent. That distinction mattered.
By anchoring enforcement to market power, the law created an uneven landscape. Large platforms faced scrutiny. Smaller platforms, or new entrants using similar consent designs, largely did not. Privacy protection became contingent on size, not on conduct.
This dominance dependency created three problems.
First, it made privacy enforcement selective. Harmful consent practices could persist simply because the platform was not dominant enough to trigger competition scrutiny. From a user’s perspective, the experience was identical. From a legal perspective, it was irrelevant.
Second, it distorted regulatory focus. Enforcement energy was spent debating market definition, substitutability, and dominance thresholds rather than examining whether consent design was actually compliant or meaningful. Privacy analysis became secondary, almost incidental.
Third, it created legal uncertainty. Firms were left guessing whether a particular consent design was unlawful per se or only unlawful if combined with market power. That uncertainty favoured aggressive design strategies, especially by firms operating just below dominance thresholds.
These weaknesses were widely recognised, but there was no alternative enforcement architecture to replace the competition-law workaround. Until DPDP. The Digital Personal Data Protection Act fundamentally changes that reality. It ends the long-standing dependency on dominance as a gateway to privacy enforcement.
The DPDP Act marks a shift that is subtle but profound. It reframes privacy as a question of process integrity rather than bargaining strength, thereby subjecting players of every size to privacy regulation. Consent is no longer treated as a private contract between unequal parties. It is treated as a regulated act that must meet statutory conditions.
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. It must be limited to what is necessary for the stated purpose. These are not aspirational standards. They are enforceable requirements.
Notice must be presented in plain language. It must specify what data is collected, why it is collected, how rights can be exercised, and how complaints can be made. Importantly, notice and consent must be accessible in English or any Eighth Schedule language. This embeds accessibility into legality. Withdrawal must be as easy as giving consent. This directly targets dark patterns that rely on friction, confusion, or obscurity. Most significantly, DPDP reverses the burden of proof. If consent is questioned, the data fiduciary must demonstrate that it was obtained lawfully. Silence, inference, or industry custom are not enough.
Much discussion of the DPDP Act focuses on penalty amounts. While the numbers are not trivial, the deeper change lies elsewhere. The DPDP Act transforms privacy compliance from a reputational issue into an evidentiary one. Firms must now be able to prove that their consent architecture works as claimed. Under the old regime, firms could rely on plausible deniability. Under DPDP, uncertainty cuts the other way. If a consent flow cannot be explained clearly, it becomes a liability.
This is what makes DPDP a structural break rather than an incremental reform.
If the DPDP Act had been enforceable during the 2021 update, the WhatsApp litigation would likely have followed a very different path. The primary forum would have been the Data Protection Board, a specialised body empowered to investigate processing practices directly. Appeals would lie to the Appellate Tribunal, defined as the Telecom Disputes Settlement and Appellate Tribunal. Civil courts would be excluded from parallel intervention.
The legal questions would also have changed. Instead of asking whether WhatsApp was dominant, the Board would ask whether consent was genuinely free. Whether non-essential data sharing was bundled. Whether users could understand the notice. Whether withdrawal was realistically accessible. Each of these questions is narrower than a competition inquiry, but collectively they are far more intrusive. They go to the heart of platform design.
None of this renders competition law obsolete. Competition analysis remains essential where privacy harms intersect with structural leverage, foreclosure, or market tipping. Issues like interoperability, data combination across services, and leveraging into adjacent markets are still better addressed through competition tools. What DPDP does is ensure that privacy enforcement does not depend on those tools. It creates a baseline that applies to everyone.
This dual-track system is not redundancy. It is resilience. Competition law addresses structure. The DPDP Act addresses design. Together, they cover ground that neither could cover alone. Competition law once asked whether WhatsApp was too big. DPDP asks whether WhatsApp is too coercive. And that question can now be asked of anyone, at any scale, without waiting for dominance to appear. What remains a large uncertainty is the scope and manner of enforcement of the DPDP Act.
About the author: Mitakshara Goyal is the Founder of Svarniti Law Offices.
Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.