WhatsApp Business API Compliance Guide 2025: GDPR, PDPA, Opt-In Rules
Meta's WhatsApp Business Policy: The Foundation
Before considering local data laws, every business using the WhatsApp Business API must comply with Meta's own Business Policy and Commerce Policy. These are the rules that govern your account's existence on the platform — and Meta can enforce them independently of any national regulator.
The core Meta requirements for WhatsApp Business API usage are:
- Only message users who have opted in to receive messages from your business
- Only send business-relevant messages (no spam, no illegal content)
- Only use Meta-approved message templates for proactive (business-initiated) conversations
- Honour opt-out requests immediately and do not re-message opted-out users
- Maintain a low block rate and spam complaint rate
- Not resell access to the WhatsApp platform
Opt-In Requirements: What Counts as Valid Consent
The single most important compliance requirement is proper opt-in. Meta is explicit: you must obtain opt-in outside of WhatsApp before sending any proactive messages. This means a contact being in your phone book or having messaged you years ago is NOT sufficient.
What Counts as Valid Opt-In
- Website sign-up form: Checkbox stating "I agree to receive WhatsApp messages from [Business Name]" — must be unchecked by default
- In-store sign-up: Physical form with explicit WhatsApp consent checkbox
- SMS opt-in: Customer replies "YES" to an SMS requesting WhatsApp consent
- QR code: Customer scans a QR code that opens a WhatsApp conversation — the act of initiating contact is implicit consent for that conversation
- Click-to-WhatsApp ads: Customer clicks your ad and initiates a WhatsApp conversation — initiating the conversation is implicit consent
- Checkout opt-in: Tick box during purchase process (must be separate from T&C acceptance)
What Does NOT Count as Valid Opt-In
- Having someone's phone number in your contacts
- A customer emailing you or filling a general contact form
- Pre-ticked opt-in boxes
- Purchasing a contact list
- Assuming consent because someone is an existing customer (unless they explicitly opted in to WhatsApp communications)
Opt-In Documentation Best Practice
Store: the opt-in date, the opt-in source (website form, in-store, etc.), the exact language shown, and the contact's identifier. This documentation protects you if Meta audits your account or a regulator requests evidence. In ChatDaddy, you can add custom fields to store opt-in source per contact.
Message Template Rules and Categories
Any proactive message you send via the API (your business initiating the conversation) must use a pre-approved message template. Templates are submitted to Meta for review and must pass both automated and human review before use.
Template Categories
| Category | Use Cases | Conversation Fee Rate | Key Rules |
|---|---|---|---|
| Marketing | Promotions, offers, product launches, newsletters | Highest | Must have opt-in; cannot be deceptive |
| Utility | Order updates, appointment reminders, payment confirmations, account alerts | Medium | Must be relevant to a prior transaction |
| Authentication | OTPs, login verification | Lowest | Must only contain OTP; no additional content |
Template Rejection Reasons
Templates are commonly rejected for:
- Making misleading or exaggerated claims ("GUARANTEED results in 24 hours")
- Content that could be considered threatening, abusive, or harassing
- Requesting personal information without clear purpose
- Mismatched category (marketing content submitted as utility)
- Missing opt-out instructions for marketing templates
- Containing prohibited content (weapons, adult content, etc.)
Responding to User-Initiated Messages
When a user sends you a message first, a 24-hour service window opens. Within this window, you can send free-form messages without using a template — no pre-approval needed. This is why prompting users to message you first (via click-to-WhatsApp ads, QR codes, website widgets) is so valuable: it opens the window for natural conversation.
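The opt-in rules, the template rules and the 24-hour service window above combine into one gate that a sending system can apply before every outbound message. This is an added example in Python, not code from ChatDaddy or Meta; the Contact and Template records, the invalid-source labels, the sample values and the keyword check for an opt-out instruction are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

SERVICE_WINDOW = timedelta(hours=24)   # opened by a user-initiated message
INVALID_SOURCES = {"phone book", "purchased list", "pre-ticked box", "contact form"}  # assumed labels

@dataclass
class Contact:
    phone: str                                   # contact identifier
    opt_in_at: Optional[datetime] = None         # documented opt-in date
    opt_in_source: str = ""                      # e.g. "website form", "in-store", "sms"
    opt_in_text: str = ""                        # exact consent wording shown
    opted_out_at: Optional[datetime] = None      # retained permanently once set
    last_inbound_at: Optional[datetime] = None   # last message the user sent us

@dataclass
class Template:
    name: str
    category: str                                # marketing | utility | authentication
    approved: bool                               # passed Meta review
    body: str

def has_valid_opt_in(c: Contact) -> bool:        # dated, acceptable source, wording on file
    return (c.opt_in_at is not None and bool(c.opt_in_text.strip())
            and c.opt_in_source.lower() not in INVALID_SOURCES)

def in_service_window(c: Contact, now: datetime) -> bool:
    return c.last_inbound_at is not None and timedelta(0) <= now - c.last_inbound_at <= SERVICE_WINDOW

def assess_send(c: Contact, now: datetime, template: Optional[Template] = None) -> Tuple[bool, str]:
    """Gate one outbound message. template=None means a free-form (non-template) reply."""
    if c.opted_out_at is not None:
        return False, "contact opted out; never re-message"
    if template is None:
        if in_service_window(c, now):
            return True, "free-form reply inside the 24-hour service window"
        return False, "outside 24-hour window; a Meta-approved template is required"
    if not template.approved:
        return False, f"template '{template.name}' has not passed Meta review"
    if not has_valid_opt_in(c):
        return False, "no documented opt-in for a business-initiated message"
    if template.category == "marketing" and "stop" not in template.body.lower():  # crude opt-out check
        return False, "marketing template lacks an opt-out instruction"
    return True, f"send approved {template.category} template '{template.name}'"

SAMPLE_CONTACT = Contact("+60120000001", datetime(2025, 1, 1), "website form",  # constructed sample
                         "I agree to receive WhatsApp messages from Example Co", None, datetime(2025, 1, 10, 10, 0))
SAMPLE_PROMO = Template("jan_sale", "marketing", True, "20% off this week. Reply STOP to unsubscribe.")
```

Note that the "stop" keyword test only catches a missing opt-out line; whether the wording is clear enough is still judged in Meta's template review.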
Regional Data Protection Laws
Malaysia (PDPA)
Requires explicit consent for personal data processing. Data subjects have the right to access, correct, and withdraw consent. Businesses must register as data processors if handling third-party data. Notably, PDPA does not cover data processed entirely outside Malaysia.
Singapore (PDPA)
Strong consent requirements; notable data breach notification obligation (within 3 days for significant breaches). Added mandatory breach notification and significant fines (up to 10% of annual Singapore turnover or SGD 1M, whichever is higher) in 2021 amendments.
Indonesia (UU PDP)
Came into effect October 2024 for full compliance. Requires explicit consent, data subject rights, data protection officer appointment for certain businesses, and cross-border transfer restrictions. Penalties up to IDR 60 billion or 2% of annual revenue.
Philippines (Data Privacy Act)
Requires registration with the National Privacy Commission for companies processing sensitive data. Consent for marketing must be freely given, specific, and informed. Breach notification within 72 hours.
European Union (GDPR)
Applies to any business processing data of EU residents, regardless of business location. Lawful basis for marketing = explicit consent. Right to erasure ("right to be forgotten"). Data minimisation principle. Fines up to 4% of global annual turnover.
United Arab Emirates
Federal law effective 2022. Consent required for personal data processing. Data subjects have access, correction, and deletion rights. Applies in mainland UAE; ADGM and DIFC have separate frameworks.
Saudi Arabia (PDPL)
Enforced by the Saudi Data and AI Authority (SDAIA). Consent required for marketing communications. Cross-border transfer restrictions. Fines up to SAR 5 million for violations.
Kenya
Overseen by the Office of the Data Protection Commissioner (ODPC). Requires consent, data subject rights, and data impact assessments for high-risk processing. Aligns closely with GDPR principles.
Nigeria
Replaced the NDPR framework. Enforced by the Nigeria Data Protection Commission (NDPC). Consent-based marketing, mandatory data protection compliance framework for large processors.
Data Handling and Retention
What Data You're Processing via WhatsApp
When you use the WhatsApp Business API, you process: phone numbers, message content, read receipts, media files shared, contact names, and conversation metadata. All of this is personal data under most privacy laws and must be handled accordingly.
Data Minimisation
Only collect and store data you actually need for your stated purpose. If you're using WhatsApp for appointment reminders, you don't need to store the full conversation history indefinitely — archive or delete after the relevant service period.
Cross-Border Data Transfers
WhatsApp (Meta) infrastructure processes messages through global data centres. Most local laws permit this when Meta has appropriate safeguards (Standard Contractual Clauses for EU, adequacy assessments for other regions). Your obligation is to document this transfer in your privacy policy and data processing agreements.
Retention Periods
- Marketing opt-in records: retain for the duration of the relationship plus 3 years (for dispute resolution)
- Conversation history: 12–24 months typical; longer if required for contractual purposes
- Transaction records: follow your accounting/legal requirements (often 7 years)
- Opt-out records: retain permanently (to prove you honoured the opt-out)
Protecting Your Account Health
Meta rates each WhatsApp Business phone number based on quality signals from user feedback. A high block rate or spam complaint rate moves your number from Green (good) to Yellow (at risk) to Red (restricted). Red-rated numbers face reduced messaging limits and risk permanent suspension.
Maintain Green Quality Rating
- Only message opted-in contacts
- Keep message frequency reasonable — don't message the same contact multiple times per day
- Provide value in every message; avoid pure promotional blasts
- Make it easy to opt out ("Reply STOP to unsubscribe")
- Segment carefully — send relevant messages to relevant audiences
- Monitor your quality dashboard in Meta Business Manager regularly
Responding to Quality Issues
If your rating drops, immediately pause new campaigns and audit your opt-in sources, message content, and send frequency. Do not simply reduce send volume and wait for the rating to recover — investigate the root cause. Review your re-engagement campaign strategy to ensure dormant contacts have been properly segmented out.
WhatsApp Compliance Checklist
Use this checklist before launching any WhatsApp marketing campaign:
- All contacts have explicitly opted in to receive WhatsApp messages
- Opt-in records include: date, source, exact opt-in language
- All outbound templates are Meta-approved
- Every marketing template includes an opt-out instruction
- Opt-out requests are processed within 24 hours
- Privacy policy updated to include WhatsApp data processing
- Data retention policy documented and being followed
- Cross-border data transfer mechanisms in place (if applicable)
- Quality rating is Green in Meta Business Manager
- Team trained on not sending unsolicited messages
- Local data protection law requirements identified and addressed
For businesses using ChatDaddy across multiple markets, the Indonesia compliance requirements (UU PDP) and Saudi Arabia PDPL requirements differ significantly from Malaysian PDPA — ensure your opt-in workflows and privacy policies are jurisdiction-aware.
Stay Compliant and Scale Confidently
ChatDaddy helps you manage opt-in records, message templates, and conversation data — with unlimited contacts on every plan, built for compliant WhatsApp marketing at scale.
Frequently Asked Questions
Do you need opt-in consent for WhatsApp Business API messages?
Yes. Meta requires explicit opt-in consent before sending any proactive messages via the WhatsApp Business API. Opt-in must be obtained outside of WhatsApp (website form, in-store sign-up, SMS, etc.) and must clearly state that the person is consenting to receive WhatsApp messages from your business specifically.
What happens if you violate WhatsApp messaging policies?
Violations can result in message template rejection, phone number quality rating downgrade (Green → Yellow → Red), reduced messaging limits, temporary suspension, or permanent ban from the WhatsApp Business Platform.
What is WhatsApp's policy on bulk messaging?
WhatsApp permits bulk messaging only to opted-in contacts using pre-approved message templates. Unsolicited bulk messages (spam) violate the Business Policy and can result in immediate account suspension.
Is GDPR applicable to WhatsApp Business API in Southeast Asia?
GDPR applies if you have EU-based contacts or process data in a way that falls under EU jurisdiction. Southeast Asian businesses primarily need to comply with local laws: PDPA (Malaysia/Singapore/Thailand), UU PDP (Indonesia), Data Privacy Act (Philippines). However, following GDPR principles is considered best practice globally.
How long can you store WhatsApp conversation data?
Storage duration depends on your applicable law. GDPR recommends retaining data only as long as necessary for the stated purpose. Most PDPA frameworks in Asia require a retention policy to be documented and followed. Typical business practice: 12–24 months for marketing data, longer for customer service records if required for contractual reasons.
What are WhatsApp message template categories?
WhatsApp message templates are categorised as: Marketing (promotional offers, product announcements), Utility (transactional — order updates, appointment reminders, payment confirmations), and Authentication (OTPs). Each category has different conversation fee rates, with Marketing being the highest.
Can you send WhatsApp messages without the Business API?
Yes, using the WhatsApp Business App (not API). However, the App is limited to one user, has no broadcast list API, and cannot integrate with CRMs or e-commerce systems. For scalable marketing, the Business API is required. ChatDaddy's Coexistence feature lets you use both simultaneously on the same number.