To get customer consent for WhatsApp marketing campaigns, you need to collect an explicit opt-in from each contact before sending them any promotional messages. This means the customer must actively agree to receive WhatsApp communications from your brand, through a form, checkbox, or direct message, before you send anything. Implied consent or pre-ticked boxes are not sufficient. The opt-in must be informed, specific, and documented.

Sending WhatsApp messages without proper consent is putting your business at risk

WhatsApp enforces its policies through the Meta Business Platform, and accounts that send unsolicited messages face restrictions, temporary bans, or permanent removal from the platform. Beyond platform penalties, sending marketing messages without valid consent in Europe breaches GDPR, which carries fines of up to €20 million or 4% of global annual turnover. The risk is not theoretical. Regulators are increasingly active in pursuing consent violations across digital marketing channels, and WhatsApp is no exception. The fix is straightforward: build a consent collection process before you send a single message, not after.

Treating WhatsApp consent like email consent is holding back your campaigns

Many marketers assume that because a customer gave their mobile number or agreed to email marketing, WhatsApp messages are covered too. They are not. WhatsApp requires channel-specific consent, meaning a customer must explicitly agree to receive messages via WhatsApp, not just to being contacted generally. Campaigns built on this assumption often result in high opt-out rates, customer complaints, and account flags. The fix is to treat WhatsApp as its own channel with its own consent flow, separate from email, SMS, or any other touchpoint.

What is WhatsApp marketing consent and why does it matter?

WhatsApp marketing consent is the explicit permission a customer gives to receive promotional or informational messages from a business via WhatsApp. It matters because WhatsApp’s Business Policy and GDPR both require it. Without valid consent, businesses cannot legally or technically use WhatsApp as a marketing channel in Europe.

Consent is the legal and ethical foundation of any WhatsApp marketing programme. Unlike some other channels where soft opt-ins or legitimate interest can sometimes apply, WhatsApp marketing typically requires a clear, affirmative action from the customer. This protects the customer from unwanted messages and protects your business from regulatory and platform consequences.

Beyond compliance, consent-based WhatsApp marketing simply performs better. Customers who have actively opted in are more likely to engage with your messages, respond to offers, and remain loyal to your brand. Consent is not just a legal checkbox; it is a signal of genuine interest.

What are the legal requirements for WhatsApp marketing consent?

WhatsApp marketing consent must be freely given, specific, informed, and unambiguous under GDPR. The customer must take a clear affirmative action, such as ticking a box or sending a keyword. Pre-ticked boxes, bundled consent, and implied agreement do not meet the standard. You must also keep a record of when and how consent was given.

Under GDPR, consent must be granular. If you plan to use WhatsApp for different types of communication, such as order updates and promotional offers, customers should ideally consent to each separately. Bundling all communication types into a single consent statement can create compliance gaps.

WhatsApp’s own Business Policy adds a further layer. Businesses using the WhatsApp Business API must ensure opt-ins are collected outside the WhatsApp thread itself, typically through a web form, landing page, or in-store process. WhatsApp also requires that customers are clearly told they are consenting to receive messages from your business specifically, not just from WhatsApp in general.

What is a WhatsApp opt-in and how does it work?

A WhatsApp opt-in is the mechanism through which a customer actively agrees to receive WhatsApp messages from your business. It works by presenting the customer with a clear consent request, explaining what they will receive, and requiring them to take a deliberate action to agree, such as submitting a form or sending a specific message.

Opt-ins can be collected through several methods. The customer might tick a dedicated WhatsApp consent box on a sign-up form, send a keyword like “YES” to a WhatsApp number, or scan a QR code that initiates the opt-in flow. In each case, the action must be intentional and the customer must understand what they are agreeing to.

Once the opt-in is collected, your system should log the timestamp, the channel through which consent was given, and the exact consent language shown to the customer. This record is your evidence of compliance if it is ever questioned.

Where can you collect WhatsApp opt-ins from customers?

WhatsApp opt-ins can be collected through your website, email campaigns, in-store sign-ups, checkout processes, social media, and even within a WhatsApp conversation if the customer initiates it. The key requirement is that the opt-in happens outside an unsolicited WhatsApp message.

Common collection points include:

  • Website forms: Add a WhatsApp-specific checkbox to your contact, newsletter, or account registration forms
  • Checkout flow: Offer customers the option to receive order updates and promotions via WhatsApp at the point of purchase
  • Email campaigns: Include a link or button inviting existing email subscribers to also opt in to WhatsApp
  • QR codes: Place QR codes in-store, on packaging, or in printed materials that direct customers to an opt-in landing page
  • Social media: Run campaigns that drive users to a consent-collecting landing page
  • Inbound WhatsApp messages: If a customer contacts you first, you can ask them to opt in during that conversation

Each touchpoint should be designed so that the WhatsApp consent request is clearly visible and not buried in general terms and conditions.

What should a WhatsApp consent message include?

A WhatsApp consent message must clearly state the business name, the types of messages the customer will receive, how frequently they can expect to hear from you, and how they can opt out. It must appear at the point of opt-in, not in a separate document the customer is unlikely to read.

A well-structured consent statement covers these elements:

  1. Business identity: Make clear which company is sending the messages
  2. Message types: Specify whether messages will include promotions, updates, reminders, or a combination
  3. Frequency: Give a realistic indication of how often you will send messages
  4. Opt-out instructions: Explain how the customer can withdraw consent at any time, for example by replying “STOP”
  5. Data handling: Reference how their data will be used, with a link to your privacy policy

Keep the language plain and direct. Avoid legal jargon that obscures what the customer is actually agreeing to. The goal is that a customer reading it once understands exactly what they are signing up for.

What’s the difference between WhatsApp opt-in and email opt-in?

The core difference is channel specificity and platform policy. An email opt-in gives permission to send emails; it does not extend to WhatsApp. WhatsApp requires its own separate opt-in, and its Business Policy mandates that consent is collected outside an unsolicited WhatsApp message, which email programmes do not require.

Email marketing has more flexibility in how consent is structured. In some jurisdictions and contexts, legitimate interest or soft opt-ins can apply to email. WhatsApp marketing, particularly when using the WhatsApp Business API, requires a clear affirmative opt-in with no room for softer interpretations under GDPR.

There are also practical differences in how opt-outs work. Email typically uses an unsubscribe link embedded in the message. WhatsApp opt-outs are usually handled by reply keywords such as “STOP” or through a menu option within the conversation. Your system needs to handle both mechanisms and update your contact records immediately when a customer withdraws consent through either route.

How do you handle WhatsApp opt-outs and consent withdrawal?

When a customer opts out of WhatsApp marketing, you must stop sending messages immediately and update your records to reflect the withdrawal. Opt-outs are typically triggered by a reply keyword such as “STOP,” a menu option in the conversation, or a direct request. Ignoring an opt-out is a GDPR violation and a breach of WhatsApp’s Business Policy.

Your opt-out process should be automated where possible. When a customer sends a stop keyword, your platform should suppress that contact from future WhatsApp sends without requiring manual intervention. Delays in processing opt-outs, even unintentional ones, can result in sending messages to customers who have withdrawn consent.

Keep a record of opt-outs alongside your opt-in records. If a customer later re-opts in, you need a clear record showing that their previous opt-out was honoured and that the new opt-in was collected properly before messaging resumed. This audit trail is essential for demonstrating compliance.
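The logging and opt-out handling described above, sketched as an added example (not Spotler's code and not a WhatsApp Business API call): an append-only consent ledger that stores the timestamp, source and exact consent wording, checks consent per channel and per message type before a send, and suppresses a contact when a stop keyword arrives. The class and field names, the phone number and the consent wording are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

STOP_KEYWORDS = {"STOP"}  # the page's example keyword

@dataclass(frozen=True)
class ConsentEvent:
    contact: str
    channel: str       # "whatsapp", "email", ... (consent is per channel)
    purpose: str       # e.g. "promotions", "order_updates" (granular consent)
    action: str        # "opt_in" or "opt_out"
    source: str        # where it was collected, e.g. "checkout_form"
    consent_text: str  # exact wording shown to the customer
    at: datetime

class ConsentLedger:
    """Append-only log: events are never edited, so the list is the audit trail."""
    def __init__(self):
        self._events = []

    def record(self, contact, channel, purpose, action, source, consent_text="", at=None):
        if action == "opt_in" and not consent_text.strip():
            raise ValueError("an opt-in must store the consent language shown")
        event = ConsentEvent(contact, channel, purpose, action, source,
                             consent_text, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def history(self, contact, channel):
        return [e for e in self._events if (e.contact, e.channel) == (contact, channel)]

    def may_send(self, contact, channel, purpose):
        # The latest event for this exact contact/channel/purpose decides;
        # no record at all means no consent (e.g. an imported list).
        matching = [e for e in self.history(contact, channel) if e.purpose == purpose]
        return bool(matching) and matching[-1].action == "opt_in"

    def handle_inbound(self, contact, body):
        """Process an inbound WhatsApp reply; True if it was a stop keyword."""
        if body.strip().upper() not in STOP_KEYWORDS:
            return False
        for purpose in sorted({e.purpose for e in self.history(contact, "whatsapp")}):
            self.record(contact, "whatsapp", purpose, "opt_out", "whatsapp_reply")
        return True

if __name__ == "__main__":  # constructed sample data
    ledger = ConsentLedger()
    ledger.record("+31600000001", "email", "promotions", "opt_in", "newsletter_form", "Email me offers")
    print(ledger.may_send("+31600000001", "whatsapp", "promotions"))
```

Because a re-opt-in is appended rather than overwriting the earlier opt-out, `history()` shows the opt-in, the honoured opt-out and the new opt-in in order.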

What mistakes should you avoid when collecting WhatsApp consent?

The most common mistakes when collecting WhatsApp marketing consent are using pre-ticked boxes, bundling WhatsApp consent with general terms, failing to record consent evidence, and continuing to message customers after they have opted out. Each of these creates compliance risk and damages customer trust.

Specific mistakes to avoid:

  • Pre-ticked consent boxes: These do not constitute valid consent under GDPR. The customer must actively select the option
  • Bundled consent: Combining WhatsApp consent with acceptance of terms and conditions or other permissions makes it impossible to demonstrate specific, informed consent
  • Vague consent language: Saying “we may contact you” is not specific enough. Name WhatsApp as the channel and describe the message types
  • No opt-out mechanism: Every WhatsApp marketing programme must include a clear, functional way for customers to stop receiving messages
  • Importing contacts without consent: Uploading a contact list and sending WhatsApp messages without verified opt-ins is a direct policy and legal violation
  • Failing to log consent: Collecting opt-ins without recording when, where, and how consent was given leaves you unable to prove compliance

Building a clean, documented consent process from the start is far less costly than dealing with regulatory complaints or platform restrictions later.

How Spotler helps with WhatsApp marketing consent

Managing WhatsApp consent correctly requires the right tools behind the scenes. We built Spotler to give marketing teams the infrastructure to collect, store, and act on consent data accurately, so you can run WhatsApp campaigns with confidence rather than guesswork.

Here is what Spotler brings to WhatsApp marketing consent management:

  • Integrated opt-in forms: Build and deploy consent-compliant sign-up forms across your website and landing pages, with WhatsApp-specific consent fields that feed directly into your contact database
  • Consent logging: Every opt-in is recorded with a timestamp and source, giving you a clear audit trail you can produce if your consent practices are ever questioned
  • Automated opt-out processing: When a customer sends a stop keyword or withdraws consent, Spotler updates their profile immediately and suppresses them from future WhatsApp sends
  • GDPR-compliant data handling: As an ISO 27001-certified, fully GDPR-compliant platform built in Europe, Spotler is designed to handle customer data the way European regulations require
  • Cross-channel consent management: Manage consent preferences across WhatsApp, email, and other channels from one place, so your records stay consistent and up to date

If you want to build a WhatsApp marketing programme on solid compliance foundations, get in touch with our WhatsApp marketing team to see how Spotler can support your consent management from day one.