Compliance playbook

GDPR/CCPA + WhatsApp: opt-in, consent and audit (playbook)

GDPR fines reach 4% of global revenue (€20M cap). CCPA can hit $7,500 per intentional violation. But the real problem for an SMB isn't the fine — it's customers complaining to a regulator, attorney-general action, brand damage and a banned WhatsApp number. This playbook is practical: how to collect a valid opt-in, store the proof, process a deletion request and be ready if the ICO, the CNIL or the California AG knocks tomorrow.

May 15, 2026 · 10 min read · MercaBot
⚠️ Disclaimer: this content is informational. It does not replace advice from a lawyer specialized in data protection. If your operation processes meaningful volumes of personal data, hire a DPO or legal counsel.

What GDPR and CCPA say, in one sentence

You can only process a person's personal data (including their WhatsApp number) if you have a lawful basis. For WhatsApp marketing, the typical basis under GDPR is consent (art. 6(1)(a)); under CCPA, marketing to a known consumer requires the ability to opt out at any time (and explicit consent if the consumer is under 16). Without consent, you can't send promotions. A customer who reached out first for support falls under another basis (legitimate interest or contract performance under GDPR; service-related communication under CCPA).

2 scenarios, 2 different rules

🟢 Scenario A: customer messages you first

Customer contacts you via WhatsApp to ask about a product, book or buy. You may:

You may NOT: use that data for follow-up marketing without an additional explicit opt-in.

🟡 Scenario B: you initiate the conversation

You want to send a promotion, reminder, news — any outbound broadcast. You need:

What counts as a VALID opt-in

3 cumulative requirements (GDPR art. 4(11) + 7; analogous under CCPA "right to know"):

  1. Freely given: no coercion. Can't be "consent or no service".
  2. Informed: customer knows who collects, why, for how long.
  3. Unambiguous: explicit affirmative action. A pre-ticked box does NOT count.

3 legitimate ways to collect WhatsApp opt-in

1. Website / checkout form

[ ] I want to receive promotions and news on WhatsApp
    from [Your Company] at the number (XXX) XXX-XXXX.
    I can cancel at any time. See the
    [Privacy Policy].

Store in the database: name, phone, date/time, IP, exact text of the declaration that was accepted.

2. Keyword opt-in inside WhatsApp

A customer who wrote to you first can authorize marketing like this:

Company: "Want to get our weekly deals? Reply YES
          or just ignore this message."

Customer: "YES"

→ Store the customer's full reply + timestamp
  as opt-in proof.

3. Documented in-person opt-in

In a physical store the customer fills in a paper form that includes an "I authorize receiving WhatsApp" field with a signature. You digitize and archive it.

How to store proof (audit-ready)

For every contact on your marketing list you need:

FieldWhat to store
identifierphone in E.164 (+1415...)
consent_textexact text the customer accepted
consent_atISO 8601 timestamp of acceptance
consent_source"website_checkout" / "whatsapp_keyword" / "in_person_form"
consent_ipcustomer IP (if digital)
consent_proof_urlform screenshot / customer message / scan of paper form
opt_out_atif they unsubscribed, when

Data subject rights (GDPR art. 15-22 / CCPA §1798.100-125)

A customer may, at any time, request:

Legal deadline: GDPR — 1 month (extendable to 3). CCPA — 45 days (extendable by 45).

Practical flow to process a request

  1. Intake channel: a dedicated email (privacy@yourcompany.com) or a form in the policy.
  2. Verify the requester's identity (prevents malicious deletion of someone else's number).
  3. Locate all data across systems (main DB, backup, CRM, messaging tool).
  4. Execute per the request (deletion, export, correction).
  5. Confirm completion to the customer.
  6. Log everything in an auditable trail.

Privacy policy — minimum checklist

Your privacy page must clearly explain:

The 5 mistakes regulators flag

  1. Buying contact lists. A purchased WhatsApp list = zero consent = clear violation.
  2. Generic opt-in buried in T&Cs. "I accept the terms" does not cover WhatsApp marketing specifically.
  3. Keeping a contact without opt-in by claiming "they're my customer". Being a customer doesn't authorize marketing — contract performance covers transactional only.
  4. Sharing the base with a partner without a clause. Swapping contacts with another company without specific consent = violation.
  5. No record of when opt-in was given. Regulators ask for proof. "The customer agreed" without timestamp and proof = worse than nothing.

Where Meta and WhatsApp help (and where they don't)

Meta itself requires opt-in for marketing templates (it's part of the quality rating). That forces you to do it right. But:

The two systems complement each other — being good with Meta usually means being OK with GDPR/CCPA. But most SMB operations are missing the documentation.

Compliance checklist — do it today

Automated consent and erasure

MercaBot stores opt-in records (text + timestamp + source) and processes GDPR/CCPA deletion requests in 1 click in the dashboard. Technical compliance solved — you focus on the human side.

Try free →