WhatsApp Marketing
Consent Management for WhatsApp Campaigns: A Complete Guide to GDPR Compliance
Consent management for WhatsApp campaigns is not just a legal obligation — it is a competitive advantage. Learn how to collect, store and honour user consent effectively and in full GDPR compliance.
Why consent is fundamental in WhatsApp campaigns
WhatsApp is the most widely used messaging channel across Europe, with hundreds of millions of active users every day. This extraordinary penetration makes it an incredibly powerful marketing tool, but also a legally sensitive territory. Sending promotional messages without the user's explicit consent is not just bad practice — it is a violation of the General Data Protection Regulation (GDPR) and of WhatsApp's own policies.
Unlike email marketing, where decades of consolidated case law exist, WhatsApp represents a relatively new frontier for businesses. Meta, WhatsApp's parent company, has developed strict rules for the use of its Business API: any company wishing to send marketing messages must demonstrate that it has obtained explicit and documented consent from the recipient, or risk account suspension.
Beyond the risk of fines from data protection authorities — which under GDPR can reach €20 million or 4% of annual global turnover — there is an equally serious reputational risk. Users who receive unsolicited messages on WhatsApp tend to block the number or report it as spam, lowering the business account's quality score and reducing future deliverability.
What constitutes valid consent under GDPR
The GDPR defines consent as a 'freely given, specific, informed and unambiguous indication of the data subject's wishes'. These four qualifiers are not mere formalities: each has precise practical implications for those running WhatsApp campaigns. 'Freely given' means the user must not be forced to provide consent in order to access a service; 'specific' implies that consent must relate to a defined purpose and not vaguely to 'all business communications'.
'Informed' requires that the user knows exactly what they are consenting to, who processes their data, for how long and through which tools. 'Unambiguous' rules out tacit or assumed consent: a pre-ticked checkbox on a form, terms of service accepted en masse, or a simple purchase do not constitute valid consent to receive WhatsApp marketing messages.
An often overlooked element is the documentation of consent. Obtaining it is not enough — you must be able to demonstrate when it was collected, through which channel, what informational text was present at the time, and whether the user was given the ability to withdraw consent as easily as it was granted. This requires businesses to implement robust logging systems integrated with their CRM or with the WhatsApp Business API platform they use.
- Freely given: no conditioning on purchase or access to the service
- Specific: clearly stated purposes (e.g. offers, order updates, newsletters)
- Informed: up-to-date and accessible privacy policy at the point of collection
- Unambiguous: active user action (non-pre-ticked checkbox)
- Documentation: date, time, channel and consent wording saved and retrievable
Simple opt-in vs double opt-in: which to choose for WhatsApp
Simple opt-in requires the user to perform a single action — such as ticking a checkbox on a form or sending a WhatsApp message with a keyword — to agree to receive communications. It is the fastest method with the least friction, but it carries risks: an incorrectly entered number or an accidental click can lead to the collection of non-genuine consents, resulting in high opt-out rates and spam reports.
Double opt-in adds a second confirmation step. After the user has expressed their intention to receive WhatsApp messages, they receive a confirmation message to which they must explicitly respond before being added to the list. This system ensures that the phone number is correct, that the person who entered it has access to that device, and that consent is genuinely intentional. For WhatsApp campaigns, double opt-in is strongly recommended by both Meta and data protection authorities.
From a practical standpoint, double opt-in reduces list size but significantly increases list quality. Users who have actively confirmed their subscription show far higher open, click and conversion rates than those who signed up through simple opt-in. For an ecommerce business investing in WhatsApp campaigns, having a list of 5,000 highly qualified contacts is far more profitable than having 20,000 heterogeneous ones.
- Simple opt-in: fast, low friction, risk of errors and non-genuine consent
- Double opt-in: higher list quality, more robust compliance, smaller but better-performing list
- Recommended for WhatsApp: double opt-in, especially for promotional campaigns
- Useful tools: dedicated landing pages, activation keywords, QR codes with direct links
The main channels for collecting WhatsApp consent
Consent for WhatsApp communications can be collected across multiple touchpoints, each with its own characteristics and best practices. The most common method is adding a dedicated checkbox in website forms — checkout, newsletter sign-up, contact requests — that explicitly asks for consent to receive WhatsApp messages separately from email consent. It is essential that this checkbox is not pre-ticked and that it is accompanied by a link to the privacy policy.
A second highly effective channel is click-to-WhatsApp — ads on Facebook and Instagram that open a WhatsApp conversation directly. In this case, implicit consent arises from the user's action of starting the chat, but it remains best practice to send a welcome message that clarifies the types of communications they will receive and the expected frequency, while immediately offering the option to opt out. This first message should be conceived as an informational consent step, not as a promotion.
Physical stores, events and offline touchpoints represent a third channel that is increasingly being used. QR codes displayed at the till, on receipts or on packaging allow customers to spontaneously subscribe to WhatsApp communications. Here too, the landing page linked to the QR code must present a form with a non-pre-ticked checkbox, clearly explain what the user will receive, and allow sign-up only after an explicit action.
How to manage opt-out in WhatsApp campaigns
Managing opt-out is just as important as managing opt-in. The GDPR guarantees users the right to withdraw consent at any time and as easily as it was given. For WhatsApp campaigns, this translates into an obligation to include in every promotional message a clear instruction on how to unsubscribe, typically a keyword such as 'STOP', 'CANCEL' or 'UNSUBSCRIBE'.
When a user sends the opt-out keyword, the system must process the request immediately and automatically. It is not acceptable — legally or ethically — to continue sending messages even for just 24 to 48 hours after a cancellation request. Professional WhatsApp Business API platforms like Kuba Labs handle this process automatically, updating the contact's profile in real time and preventing further promotional communications from being sent.
An often overlooked aspect is the distinction between transactional and marketing messages. Even after an opt-out from promotional communications, a business can and must continue to send strictly transactional messages, such as order confirmations, shipping updates or responses to support requests. It is important that consent management systems track this distinction, so that essential communications are not blocked alongside promotional ones.
- Always include an opt-out keyword in every promotional message
- Process cancellation requests in real time, without delays
- Maintain the distinction between marketing opt-out and full opt-out
- Update the CRM and the API platform simultaneously with the opt-out
- Do not contact opted-out users even to 'confirm the cancellation'
Consent storage and traceability: technical requirements
Collecting consent is not enough — it must be stored in a structured and accessible way so it can be demonstrated during audits or disputes. The storage system must record at minimum: the user's unique identifier (phone number in hashed or pseudonymised form), the exact date and time of consent, the channel through which it was collected (web form, QR code, click-to-WhatsApp), the exact text of the information notice present at the time of consent, and the action performed by the user.
From a technical perspective, these data must be retained for the entire duration of the relationship with the customer and for a reasonable period afterwards — generally five years, in line with GDPR sanction limitation periods. The consent database must be protected with the same security standards applied to personal data: encryption at rest and in transit, access limited to authorised users, access logs and regular backup procedures.
Professional WhatsApp Business API platforms integrate consent management systems that automate many of these technical requirements. Kuba Labs, for example, maintains a complete log of opt-ins and opt-outs for every contact, exportable in CSV format for audits or integrations with corporate DMPs and CRMs. This automation reduces the risk of human error and ensures compliance even as interaction volumes grow rapidly.
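The record fields listed in this section, together with the opt-out handling described earlier, can be sketched as a small append-only consent log. This is an added example, not code from the article or from any platform it names; `ConsentLog`, `pseudonymise`, the field names and the demo key are hypothetical, and the phone number is pseudonymised with a keyed HMAC because a plain hash of a phone number is easy to reverse by enumeration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Assumption: constructed demo key; a real deployment loads it from a secrets manager.
PSEUDONYM_KEY = b"constructed-demo-key"
OPT_OUT_KEYWORDS = {"STOP", "CANCEL", "UNSUBSCRIBE"}  # keywords named in the article

def pseudonymise(phone):
    """Keyed HMAC-SHA256 over the digits of the number (simple normalisation)."""
    digits = re.sub(r"\D", "", phone)
    return hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256).hexdigest()

class ConsentLog:
    """Append-only log: status is derived from the latest event, never overwritten."""
    def __init__(self):
        self._events = []

    def record(self, phone, action, channel, notice_text, when=None):
        event = {
            "subject": pseudonymise(phone),   # no raw phone number is stored
            "action": action,                 # "opt_in" or "opt_out"
            "channel": channel,               # e.g. web_form, qr_code, click_to_whatsapp
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "notice_text": notice_text,       # exact wording shown to the user
            "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
        }
        self._events.append(event)
        return event

    def history(self, phone):
        subject = pseudonymise(phone)
        return [e for e in self._events if e["subject"] == subject]

    def handle_inbound(self, phone, body):
        # An opt-out keyword is recorded at once, so the next send check already sees it.
        if body.strip().upper() in OPT_OUT_KEYWORDS:
            self.record(phone, "opt_out", "whatsapp_keyword", body.strip())
            return True
        return False

    def may_send(self, phone, message_type):
        # Only strictly transactional messages bypass consent; mixed counts as marketing.
        if message_type == "transactional":
            return True
        events = self.history(phone)
        return bool(events) and events[-1]["action"] == "opt_in"
```

Calling `may_send` immediately before every dispatch, rather than when a campaign segment is built, is what makes an opt-out effective without delay. The sketch models only the marketing opt-out; a full opt-out would need its own action value.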
Compliant message templates for consent collection
The first message sent to a new WhatsApp contact — often called a welcome message or onboarding message — is the most critical moment for compliance. It must identify the sender, explain why the contact received that message (i.e. what action they took to subscribe), describe the types of communications they will receive and the expected frequency, and offer an immediate way out. An effective template might read: 'Hi [Name], welcome to [Brand]'s WhatsApp communications. You requested to receive updates on exclusive offers and news. Reply STOP to unsubscribe at any time. Privacy policy: [link]'.
For subsequent promotional communications, every message must contain a clear identification of the sender, a reference to the purpose of the communication and an opt-out reminder. It is not necessary to repeat the full information notice in every message, but the footer with 'Reply STOP to unsubscribe' must always be present. Meta verifies this requirement during the approval process for HSM (Highly Structured Messages) templates and may reject templates that do not include it.
A common mistake is conflating service messages with promotional ones. A message informing a customer that their parcel has arrived is transactional and does not require an opt-out footer; the same message including a discount code for the next purchase becomes a mixed message and must comply with all rules for promotional messages. When using hybrid templates, it is always safer to apply the more restrictive rules to avoid disputes.
Managing consent at scale: automation and CRM integration
When WhatsApp campaigns scale to thousands or tens of thousands of contacts, manual consent management becomes both impossible and risky. Automation is the only viable answer: opt-in and opt-out flows must be handled by systems that update in real time and synchronise across all business platforms — CRM, ecommerce platform, email marketing, customer service systems. A contact who opts out on WhatsApp should be updated in the central CRM as well, so that no other channel can erroneously trigger a WhatsApp communication in the future.
API integrations between the WhatsApp Business platform and the corporate CRM allow the creation of dynamic segments that account for consent status. For example, it is possible to set up automations that send campaigns only to contacts with active consent, automatically exclude anyone who opted out in the past 24 hours, and send a re-engagement message after a period of inactivity — only if consent is still valid and has not lapsed due to prolonged inactivity.
Kuba Labs offers a consent management system natively integrated into the platform, allowing businesses to monitor the status of every contact in real time, view the complete history of opt-ins and opt-outs, export data for compliance reporting and configure automations based on consent status. This approach reduces legal risk, improves list quality and increases the ROI of WhatsApp campaigns by eliminating waste on unresponsive or non-consenting contacts.
- Sync consent status across WhatsApp API, CRM and ecommerce platform
- Use dynamic segments that automatically exclude contacts without active consent
- Set alerts for expiring consents or unusual spikes in opt-outs
- Regularly export consent logs for compliance reporting
- Integrate consent management into new customer onboarding flows