GDPR/CCPA + WhatsApp: opt-in, consent and audit (playbook)
GDPR fines reach 4% of global revenue (€20M cap). CCPA can hit $7,500 per intentional violation. But the real problem for an SMB isn't the fine — it's customers complaining to a regulator, attorney-general action, brand damage and a banned WhatsApp number. This playbook is practical: how to collect a valid opt-in, store the proof, process a deletion request and be ready if the ICO, the CNIL or the California AG knocks tomorrow.
⚠️ Disclaimer: this content is informational. It does not replace advice from a lawyer specialized in data protection. If your operation processes meaningful volumes of personal data, hire a DPO or legal counsel.
What GDPR and CCPA say, in one sentence
You can only process a person's personal data (including their WhatsApp number) if you have a lawful basis. For WhatsApp marketing, the typical basis under GDPR is consent (art. 6(1)(a)); under CCPA, marketing to a known consumer requires the ability to opt out at any time (and explicit consent if the consumer is under 16). Without consent, you can't send promotions. A customer who reached out first for support falls under another basis (legitimate interest or contract performance under GDPR; service-related communication under CCPA).
2 scenarios, 2 different rules
🟢 Scenario A: customer messages you first
Customer contacts you via WhatsApp to ask about a product, book or buy. You may:
- Reply to the conversation normally (contract performance + legitimate interest).
- Save data they provided in the chat (name, address, preferences).
- Send related transactional messages (confirmation, order status).
You may NOT: use that data for follow-up marketing without an additional explicit opt-in.
🟡 Scenario B: you initiate the conversation
You want to send a promotion, reminder, news — any outbound broadcast. You need:
- Explicit opt-in (customer checked a specific box authorizing WhatsApp marketing).
- Record of when and how the opt-in was given.
- Easy opt-out (keyword like "STOP" or one-click unsubscribe).
- Public privacy policy explaining what the data is used for.
What counts as a VALID opt-in
3 cumulative requirements (GDPR art. 4(11) + 7; analogous under CCPA "right to know"):
- Freely given: no coercion. Can't be "consent or no service".
- Informed: customer knows who collects, why, for how long.
- Unambiguous: explicit affirmative action. A pre-ticked box does NOT count.
3 legitimate ways to collect WhatsApp opt-in
1. Website / checkout form
[ ] I want to receive promotions and news on WhatsApp
from [Your Company] at the number (XXX) XXX-XXXX.
I can cancel at any time. See the
[Privacy Policy].
Store in the database: name, phone, date/time, IP, exact text of the declaration that was accepted.
2. Keyword opt-in inside WhatsApp
A customer who wrote to you first can authorize marketing like this:
Company: "Want to get our weekly deals? Reply YES
or just ignore this message."
Customer: "YES"
→ Store the customer's full reply + timestamp
as opt-in proof.
3. Documented in-person opt-in
In a physical store the customer fills in a paper form that includes an "I authorize receiving WhatsApp" field with a signature. You digitize and archive it.
How to store proof (audit-ready)
For every contact on your marketing list you need:
| Field | What to store |
|---|---|
| identifier | phone in E.164 (+1415...) |
| consent_text | exact text the customer accepted |
| consent_at | ISO 8601 timestamp of acceptance |
| consent_source | "website_checkout" / "whatsapp_keyword" / "in_person_form" |
| consent_ip | customer IP (if digital) |
| consent_proof_url | form screenshot / customer message / scan of paper form |
| opt_out_at | if they unsubscribed, when |
Data subject rights (GDPR art. 15-22 / CCPA §1798.100-125)
A customer may, at any time, request:
- Confirmation that data processing exists.
- Access to the data.
- Correction of incomplete/incorrect data.
- Erasure (full deletion).
- Portability to another provider.
- Withdrawal of consent.
- Opt-out of "sale" or "sharing" (CCPA-specific).
Legal deadline: GDPR — 1 month (extendable to 3). CCPA — 45 days (extendable by 45).
Practical flow to process a request
- Intake channel: a dedicated email (privacy@yourcompany.com) or a form in the policy.
- Verify the requester's identity (prevents malicious deletion of someone else's number).
- Locate all data across systems (main DB, backup, CRM, messaging tool).
- Execute per the request (deletion, export, correction).
- Confirm completion to the customer.
- Log everything in an auditable trail.
Privacy policy — minimum checklist
Your privacy page must clearly explain:
- Who the controller / business is (legal name, address, DPO/privacy contact email).
- What data is collected (name, phone, messages, IP).
- For what purpose (support, booking, sending promotions, etc.).
- Who it's shared with (Meta, BSP platform like MercaBot, payment processor).
- Retention period.
- How to exercise rights — channel and deadline.
- Lawful basis for each processing activity.
- For CCPA: categories of personal information collected, sold, shared, and a "Do Not Sell or Share My Personal Information" link if applicable.
The 5 mistakes regulators flag
- Buying contact lists. A purchased WhatsApp list = zero consent = clear violation.
- Generic opt-in buried in T&Cs. "I accept the terms" does not cover WhatsApp marketing specifically.
- Keeping a contact without opt-in by claiming "they're my customer". Being a customer doesn't authorize marketing — contract performance covers transactional only.
- Sharing the base with a partner without a clause. Swapping contacts with another company without specific consent = violation.
- No record of when opt-in was given. Regulators ask for proof. "The customer agreed" without timestamp and proof = worse than nothing.
Where Meta and WhatsApp help (and where they don't)
Meta itself requires opt-in for marketing templates (it's part of the quality rating). That forces you to do it right. But:
- Meta checks opt-in qualitatively (report rate, block rate), not documentally.
- GDPR / CCPA authorities check documentally (they need auditable proof).
The two systems complement each other — being good with Meta usually means being OK with GDPR/CCPA. But most SMB operations are missing the documentation.
Compliance checklist — do it today
- ☐ Public privacy policy at /privacy/
- ☐ Signup form with a specific WhatsApp marketing checkbox
- ☐ DB with 7 consent fields per contact (see table above)
- ☐ Email / form to receive data-subject requests
- ☐ Internal process to handle a request within the legal deadline
- ☐ Audit template with an example opt-in proof
- ☐ Team training (no promo without checking status)
- ☐ DPO / privacy contact named (can be a co-founder at SMB scale, but must be named)
Automated consent and erasure
MercaBot stores opt-in records (text + timestamp + source) and processes GDPR/CCPA deletion requests in 1 click in the dashboard. Technical compliance solved — you focus on the human side.
Try free →