India issues strong warning to WhatsApp over new username feature, gives 3 days to respond

In a move to protect 853 million users, Government has demanding the tech giant to halt the rollout of a new "username" feature or face potential regulatory action under the country's stringent technology laws.
New Delhi, India | 2nd July, 2026
India has delivered one of its most assertive regulatory interventions yet in the technology sector. In a sharply worded directive issued to WhatsApp LLC (Meta’s India operations), the government has ordered an immediate pause on the rollout of the platform’s new “usernames” feature within the country. The move, backed by explicit references to the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, signals that privacy-enhancing innovations will not be allowed to proceed if they materially heighten risks of cybercrime.
The Feature That Triggered Alarm
WhatsApp publicly confirmed on 29 June 2026 that it had begun a phased global rollout of usernames. Users can now reserve unique handles (typically 3–35 characters) and, once activated, initiate chats, calls, and group joins by sharing only the username, without ever revealing their mobile number. The recipient’s phone number remains hidden from first-time contacts, and an optional “username key” can be set for additional control. WhatsApp has positioned the change as a major privacy upgrade, eliminating the long-standing requirement to share a phone number with strangers or new business contacts.
While the feature mirrors long-standing capabilities on platforms like Telegram and Instagram, Indian authorities see it as a potential accelerant for existing fraud vectors that already plague the country’s digital ecosystem.
Government’s Core Concerns
The official letter, addressed to WhatsApp’s Chief Compliance Officer, lays out a clear causal chain:
- Increased impersonation and identity spoofing: Bad actors could easily adopt usernames closely resembling those of genuine individuals, public officials, banks, government agencies, or known personalities.
- Facilitation of fraud at scale: Digital arrest scams, investment frauds, phishing, and impersonation attacks, already rampant via WhatsApp, become easier when victims cannot immediately verify a contact via a known phone number.
- Erosion of existing safeguards: Once enabled, the recipient’s phone number is no longer visible on first contact, removing a critical verification layer that law enforcement and users currently rely upon.
The government explicitly states that the feature “may materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks.”
Legal Explanation: Why the Government Sees Clear Grounds for Action
WhatsApp is classified as both an “intermediary” and a “significant social media intermediary” under Section 2(1)(w) of the IT Act read with Rule 2(1)(v) and Rule 2(1)(w) of the IT Rules, 2021. This status comes with heightened obligations.
Section 79 of the IT Act provides the famous “safe harbour”, intermediaries are generally not liable for third-party content if they do not initiate transmission, select the receiver, or modify content, and if they observe due diligence as prescribed. Failure to maintain due diligence strips away this protection.
The IT Rules, 2021 flesh out these obligations in detail:
- Rule 3(1)(b) requires intermediaries to inform users that they must not host, display, or share information that impersonates another person, is patently false or misleading, or deceives or misleads the addressee about the origin of a message.
- Rules 3(2) and 3(4) impose additional due diligence on significant social media intermediaries, including the technical capability to identify the first originator of information when lawfully required by authorities.
- Sections 66C and 66D of the IT Act criminalise identity theft and cheating by personation using a computer resource or communication device. An intermediary that actively facilitates easier personation can be seen as aiding or abetting under Section 79(3)(a), which removes safe-harbour protection when the intermediary conspires, abets, aids, or induces an unlawful act.
The government’s position is straightforward: by designing and deploying a feature that predictably lowers barriers to impersonation and fraud while simultaneously reducing users’ ability to verify contacts, WhatsApp risks breaching its due-diligence obligations. The letter therefore directs Meta to:
- Furnish a detailed explanation, supported by relevant documents, within three days of receipt, showing why regulatory action should not be initiated.
- Immediately refrain from rolling out the usernames feature in India until consultations with the government reach a satisfactory conclusion.
The directive carries the approval of the Competent Authority and explicitly reserves the government’s right to take any further action under applicable laws.
Why This Matters Globally
For an international audience, India’s response highlights a growing divergence in how major jurisdictions approach platform design choices. While the European Union’s Digital Services Act emphasises systemic risk assessments and the United States continues to debate Section 230 reforms, India is demonstrating a willingness to issue pre-emptive, enforceable directives backed by the threat of losing safe-harbour protections.
Meta now faces a familiar dilemma in one of its largest markets: adapt the global product for local compliance (potentially through enhanced username verification, stricter similarity checks against official names, or India-specific safeguards) or risk regulatory escalation, including potential blocking orders or penalties.
Privacy vs. Security: The Inevitable Trade-off
Proponents of the usernames feature rightly argue that hiding phone numbers from strangers reduces spam, stalking, and unsolicited contact, legitimate privacy gains. India’s regulators are not dismissing privacy; they are insisting that any new privacy architecture must not come at the cost of making existing, well-documented scam ecosystems significantly more effective.
The episode reinforces a consistent Indian regulatory philosophy: platforms operating at population scale in India must internalise the country’s unique threat landscape, from sophisticated “digital arrest” rackets to mass impersonation of authorities, rather than impose uniform global features that ignore local realities.
A Template for Emerging Digital Governance?
Whether other countries follow India’s model of rapid, evidence-based intervention against specific feature rollouts remains to be seen. What is already clear is that India has once again shown it will not be a passive recipient of Silicon Valley product decisions. For Meta and other global platforms, the message is unambiguous: in the world’s largest democracy and one of its biggest digital markets, regulatory scrutiny of new features is not optional, and strong, documented safeguards against foreseeable misuse are now a baseline expectation.