GDPR consent requirements for WhatsApp
Valid GDPR consent for WhatsApp marketing must be: free (not conditioned on service access), specific (explicitly referring to WhatsApp), informed (the user knows who contacts them, for what purpose, with what frequency), and documented (with timestamp, collection method and consent request text shown).
Consent must be an explicit affirmative action: a pre-selected checkbox is not valid. The correct format is an un-pre-selected checkbox with text like 'I consent to receiving promotional messages via WhatsApp from [Company Name].'
Consent collection methods
The most common methods for collecting WhatsApp consent: checkbox in registration or checkout form, dedicated WhatsApp list signup page with QR code or wa.me link, opt-in SMS with instructions to reply 'YES' to subscribe, and physical or digital form at point of sale.
For each method, document: date and time of consent, exact text of the consent request shown to the user, collection method, and the channel through which consent was expressed.
Consent for Meta Click-to-WhatsApp ads
When a user clicks on a Click-to-WhatsApp ad and sends the first message, this is considered a signal of interest but not valid marketing consent. Before sending subsequent promotional messages to these contacts, explicit consent must be collected during the first conversation.
Opt-out management
Every WhatsApp marketing message must include clear opt-out instructions, typically in the template footer: 'Reply STOP to stop receiving messages.' When the contact replies STOP, the system must automatically record the opt-out and cease all future promotional sends to that number.
Maintain an updated opt-out list and check it before every send. A system that sends messages to those who have revoked consent exposes the company to regulatory reports and potential fines.
