WhatsApp marketing and GDPR: the practical guide to staying compliant

In short
Doing WhatsApp marketing in compliance with the GDPR means having a legal basis for writing — almost always explicit consent — a notice explaining who processes the data and why, and procedures for revocation and retention. You are the data controller, even with an external platform: choosing a tool with a data processing agreement and automatic consent management reduces the risk.
A person’s phone number is personal data, and sending them a promotional message is a form of processing in every respect. That’s why WhatsApp marketing lives inside the GDPR exactly like email marketing — only the channel is more intimate, so the margin for error is narrower. The good news is that getting compliant doesn’t require a legal department: you need a clear legal basis, some order in your documents, and automatic procedures for consent and revocation. This guide translates the obligations into concrete steps.
What the GDPR means applied to WhatsApp
The GDPR is the European regulation on the protection of personal data, and it applies to anyone processing the data of people located in the Union, regardless of where the company is based. When you collect phone numbers to send messages, you’re processing data and must respect its principles: lawfulness (having a valid reason to do it), transparency (saying so clearly), minimization (collecting only what’s needed), storage limitation (not keeping data forever). On WhatsApp these principles don’t change; what changes is only that the message arrives in a personal app, where the user is less tolerant and quicker to report. Compliance, besides avoiding fines that can be steep, also protects the quality of your number.
The legal basis: usually consent
To send marketing communications on WhatsApp, the most solid legal basis is explicit consent: freely given, specific, informed, and unambiguous. Freely given means not conditioned on a service (you can’t require it to complete a purchase); specific means referring to WhatsApp and marketing precisely, not a generic consent; informed means the person knows who will process the data and why; unambiguous means a positive action, never a pre-ticked box. Legitimate interest also exists, but for direct advertising on such a personal channel it’s a fragile and contestable basis: for promotional messages, rely on consent.
Always distinguish a service message from a promotional one. Confirming a shipment or reminding of an appointment the person booked rests on the performance of the contract; sending them an offer requires marketing consent. Keeping the two permissions separate is what lets you defend each individual send.
The privacy notice: what it must say
Before or at the moment you collect the number, the person must be able to read a notice that answers precise questions: who the data controller is, for what purposes you’ll use the data, on what legal basis, for how long you’ll keep it, who it might be shared with (including the sending platform and Meta as the provider of the WhatsApp service), what rights the person has, and how to exercise them. You don’t need a monumental text: you need a clear text, reachable via a link next to the consent collection point. The typical mistake is collecting the number with no link to the notice: consent that way isn’t informed, so it isn’t valid.
Revocation and the rights of the data subject
Consent can be withdrawn as easily as it was given: it’s a right, not a concession. In practice, whoever writes STOP, or uses the unsubscribe button, must be excluded right away from promotional communications. But withdrawing consent is just one of the rights: the person can request access to their data, rectification, erasure, restriction of processing, and objection. You must have a procedure to respond to these requests within a reasonable time. Automatic opt-out handling covers the most frequent case; for the other requests you need to know where the data is and how to extract or delete it.
SendApp handles opt-out automatically: whoever writes STOP is excluded from future campaigns with no manual action, and every contact carries the origin and date of consent. It works whether you connect your number via QR code or use Meta’s official API, on either track, with no markup on the cost of messages.
Data retention: not forever
The GDPR requires not keeping data longer than necessary. Define a retention period consistent with the purpose: as long as the relationship with the contact is active and consent is valid, it makes sense to keep it; when the person unsubscribes or stays inactive for a long time, consider deletion or anonymization. Do, however, keep proof of consent even after revocation, for as long as it’s useful to demonstrate you acted correctly: it’s needed precisely in case of a dispute, when the burden of proving lawfulness falls on you. The practical rule is to write an internal policy — how long I keep what, and why — and apply it regularly, instead of accumulating numbers indefinitely “just in case.”
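As an added illustration (not SendApp’s code and not part of the original guide), the following Python sketch shows one way to implement the procedures described in the sections on service versus promotional messages, revocation, and retention: a per-contact consent trail that records origin, date and notice version; a send check that lets service messages through on the contract while gating promotional ones on active marketing consent; STOP handling that revokes consent immediately but appends to the trail instead of deleting it; and a retention pass that anonymizes long-inactive contacts while keeping that trail as proof. The class and function names, the notice version string, the retention period and the phone numbers are all constructed assumptions.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MARKETING = "marketing"  # promotional sends: need explicit, WhatsApp-specific consent
SERVICE = "service"      # contractual sends (shipping, appointment): rest on the contract


@dataclass
class ConsentEvent:
    """One entry in the consent audit trail. Entries are never deleted,
    because after a revocation they are the proof that the earlier sends were lawful."""
    when: datetime
    action: str           # "given" or "withdrawn"
    purpose: str          # only MARKETING is consent-based here
    source: str           # where consent was captured, e.g. "web-form v3" (assumed label)
    notice_version: str   # which privacy notice was linked at the collection point


@dataclass
class Contact:
    phone: str
    history: List[ConsentEvent] = field(default_factory=list)
    last_activity: Optional[datetime] = None
    anonymized: bool = False

    def marketing_consent_active(self) -> bool:
        """The latest marketing event decides; no event at all means no consent."""
        events = [e for e in self.history if e.purpose == MARKETING]
        return bool(events) and events[-1].action == "given"


class ConsentRegistry:
    def __init__(self) -> None:
        self.contacts: Dict[str, Contact] = {}   # live contacts, keyed by phone number
        self.archive: List[Contact] = []         # anonymized records kept as proof

    def record_consent(self, phone: str, source: str, notice_version: str, when: datetime) -> None:
        """Store an unambiguous, positive opt-in together with its origin and date."""
        c = self.contacts.setdefault(phone, Contact(phone))
        c.history.append(ConsentEvent(when, "given", MARKETING, source, notice_version))
        c.last_activity = when

    def can_send(self, phone: str, kind: str) -> bool:
        """Service messages rely on the contract; promotional ones need active consent."""
        c = self.contacts.get(phone)
        if c is None or c.anonymized:
            return False
        if kind == SERVICE:
            return True
        return c.marketing_consent_active()

    def handle_inbound(self, phone: str, text: str, when: datetime) -> bool:
        """Treat STOP (any case, surrounding whitespace ignored) as an immediate opt-out.
        Returns True when the message was recorded as a revocation."""
        c = self.contacts.get(phone)
        if c is None:
            return False
        c.last_activity = when
        if text.strip().upper() == "STOP":
            c.history.append(ConsentEvent(when, "withdrawn", MARKETING, "inbound STOP", "n/a"))
            return True
        return False

    def apply_retention(self, now: datetime, inactive_after: timedelta) -> List[str]:
        """Anonymize contacts inactive longer than the policy allows. The phone number is
        replaced by an opaque id, but the consent trail is archived, not destroyed."""
        purged: List[str] = []
        for phone, c in list(self.contacts.items()):
            if c.last_activity is not None and now - c.last_activity > inactive_after:
                c.anonymized = True
                c.phone = f"anon-{uuid.uuid4()}"
                self.archive.append(c)
                del self.contacts[phone]
                purged.append(phone)
        return purged


if __name__ == "__main__":
    # Constructed walk-through: opt-in, STOP, then a retention pass a year later.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegistry()
    reg.record_consent("+39000000001", "web-form v3", "notice-2023-10", t0)
    print("promo allowed:", reg.can_send("+39000000001", MARKETING))          # True
    reg.handle_inbound("+39000000001", " stop ", t0 + timedelta(days=1))
    print("promo after STOP:", reg.can_send("+39000000001", MARKETING))       # False
    print("service after STOP:", reg.can_send("+39000000001", SERVICE))       # True
    print("purged:", reg.apply_retention(t0 + timedelta(days=400), timedelta(days=365)))
    print("archived events kept:", len(reg.archive[0].history))               # 2
```

The design choice worth noting is that revocation is an append, not a delete: the live permission is computed from the latest event, so the opt-out takes effect instantly, while the earlier "given" event with its source and notice version remains available if a send is ever disputed. The retention step then removes the identifier rather than the trail.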
Who’s responsible: you’re the controller
Even if you use an external platform to send the messages, you are the data controller: you’re the one deciding the purposes and means of processing. The platform acts as a data processor, that is, it processes the data on your behalf, and for this you must sign a dedicated agreement (the so-called DPA, data processing agreement) defining what it can do with the data and with what safeguards. Also check where the data is stored and how the platform handles transfers. Choosing a serious tool on this front doesn’t relieve you of your controller responsibilities, but it significantly reduces the risk.
| Role | Who it is | What it decides / does |
|---|---|---|
| Data controller | Your company | Sets the purposes and means, collects consent, responds to data subjects |
| Data processor | The sending platform | Processes the data on the controller’s behalf under the agreement (DPA) |
| Data subject | The recipient of the messages | Gives or withdraws consent, exercises their rights |
Best practices for compliant WhatsApp marketing
- Collect explicit, specific consent for WhatsApp marketing, separate from every other tick.
- Always link the privacy notice at the point where you ask for the number.
- Distinguish service and promotional messages: they rest on different legal bases.
- Make revocation immediate and handle opt-out automatically.
- Define and apply a retention period, while keeping proof of consent.
- Sign a data processing agreement with the platform and check where the data is hosted.
Redazione SendApp
The SendApp team — WhatsApp marketing and AI platform for businesses.