Jan 28, 2025

GDPR and WhatsApp Marketing: What Opt-In Looks Like and What Gets You Blocked

WhatsApp marketing without a GDPR-compliant opt-in is not just a regulatory risk — it is a channel risk. Meta actively enforces against non-consensual messaging on its platform, and a business whose contacts frequently block or report messages will find its WhatsApp number quality-rated down, messaging tiers reduced, and eventually the number suspended. The regulatory penalty and the platform penalty arrive from different directions but at the same destination.

Getting the opt-in right protects the channel. This is what it looks like in practice.

What GDPR Requires for WhatsApp Marketing

GDPR’s consent standard (Article 7, informed by Recital 32) requires that consent be:

Freely given: The customer must not face any disadvantage for refusing to consent. Conditioning a discount, service access, or account opening on WhatsApp marketing consent is not freely given consent. The consent must be genuinely optional.

Specific: The consent must identify the specific channel (WhatsApp), the specific type of messages (promotional offers, product updates, etc.), and ideally the approximate frequency. A blanket “marketing communications” consent that does not name WhatsApp is not sufficient for WhatsApp messages.

Informed: The customer must understand what they are consenting to before they tick the box. This means the opt-in mechanism must be accompanied by a clear, plain-language description — not a reference to a 40-page privacy policy.

Unambiguous: Consent must be expressed by a clear affirmative action — a checkbox that the customer actively ticks. A pre-ticked checkbox, an “I agree to all communications” embedded in terms, or opt-out language (“we’ll send you messages unless you tell us not to”) does not meet the standard.

What a compliant WhatsApp opt-in looks like:

“☐ Yes, I’d like to receive promotional offers, product updates, and news from [Business Name] via WhatsApp. I understand I can opt out at any time by replying STOP.”

What makes this compliant:

  • Unticked by default (affirmative action required)
  • Names the channel specifically (WhatsApp)
  • Describes the content types (promotional offers, product updates, news)
  • Includes the opt-out mechanism in the consent language
  • Separated from any service-related consent

What makes a consent non-compliant:

  • Pre-ticked box
  • “By creating an account you agree to receive WhatsApp messages”
  • Consent buried in terms and conditions
  • No mention of WhatsApp specifically

Where to Collect WhatsApp Opt-In

The most effective collection points depend on the business type, but the principle is consistent: collect consent at the moment of highest engagement, when the customer is most likely to see value in receiving messages.

E-commerce checkout: “Add your WhatsApp number to receive order updates and exclusive offers.” Present as an optional field. Do not make WhatsApp opt-in a prerequisite for completing the purchase.

Loyalty programme enrolment: “Join our WhatsApp list to receive member-only offers and early access to sales.” The loyalty value proposition makes the WhatsApp consent feel beneficial rather than burdensome.

In-store QR code: A QR code at point of sale, on receipts, or on product packaging that leads to a landing page with a WhatsApp opt-in. This captures contacts from customers who do not transact online.

Meta Lead Forms: The form can include a WhatsApp opt-in checkbox alongside standard contact fields. Since the customer is already on a Meta platform, the transition to WhatsApp feels natural.

Post-purchase confirmation page: “Would you like WhatsApp updates for your order and future purchases? [Yes, add me] [No thanks].”

The Opt-Out Obligation

Every WhatsApp marketing message must include a clear, simple opt-out mechanism. In practice: “Reply STOP to unsubscribe” or a one-tap opt-out button using WhatsApp’s interactive button feature.

When a contact opts out, they must be removed from all WhatsApp marketing lists immediately. The opt-out must be recorded in the CRM with a timestamp. Sending further marketing messages after an opt-out is both a GDPR violation and a Meta policy violation.

What gets WhatsApp numbers blocked or suspended:

  • Sending marketing messages to contacts who never opted in (the single most common violation)
  • Continuing to send after an opt-out request
  • High block rates (above 1.5% of recipients blocking or reporting the number)
  • Sending messages that violate Meta’s commerce policies (prohibited industries, misleading claims)
  • Using personal WhatsApp numbers for business broadcast messages
  • Purchasing or scraping contact lists

The consequences compound: a high block rate reduces your messaging tier, which limits your daily reach, which forces you to send to a wider proportion of your marginal (lower-quality) contacts, which generates more blocks. The spiral is difficult to recover from once it starts.

Record-Keeping for GDPR Accountability

Article 5(2) GDPR requires that businesses be able to demonstrate compliance on request. For WhatsApp marketing, this means maintaining:

  • A record of each contact’s opt-in: when it was given, via which touchpoint, and the exact wording of the consent request at that time
  • Opt-out records: when the opt-out was received and when the contact was removed from marketing lists
  • Message logs: what was sent to each contact, when, and via which template

A CRM that logs all of this automatically — rather than relying on manual record-keeping — is the practical infrastructure required to operate WhatsApp marketing compliantly at any meaningful scale.

For how template messages work and how they are approved, see WhatsApp Template Messages: What Gets Approved, What Gets Rejected, and How to Write Them. For the full WhatsApp Business API setup that makes this compliance infrastructure possible, see WhatsApp Business API vs. WhatsApp Business App: Which One Do You Actually Need?.
