Your client asks for a WhatsApp campaign. You prepare the contact list, write the message, upload everything. The next day the account is blocked. Or you get a request from the Data Protection Authority. This happens every day. WhatsApp is not an email newsletter: the rules are stricter, platforms are more attentive, fines are higher.
At Meteora Web, we have been managing bulk WhatsApp campaigns since 2017 — and before hitting send we always check three things: valid consent, correct legal basis, compliance with Meta's policies. Skip even one of these and your marketing investment becomes a compliance cost.
This guide tells you exactly what you need to send WhatsApp compliantly: not abstract legal theory, but concrete actions you can implement now. Let's start with the real problem: you are about to send messages to contacts who may never have authorised you.
What Are the Legal Requirements for Bulk WhatsApp Sending?
The regulatory framework rests on three pillars: GDPR (Regulation EU 2016/679), ePrivacy (Directive 2002/58/EC), and WhatsApp Business Platform Policies. Anyone sending commercial messages via WhatsApp must comply with all of them.
Explicit and Documented Consent
Having a phone number is not enough. You must prove the contact actively chose to receive communications via WhatsApp. Consent must be: freely given, specific, informed, unambiguous. A checkbox on a contact form is only valid if the purpose is clear and separated from others (e.g., “I agree to receive promotions via WhatsApp”).
Sponsored Protocol
Common mistake: collecting numbers from trade fairs or purchased databases and sending messages without ever asking for WhatsApp consent. This is almost always illegal.
Action now: check every contact in your list and verify there is an opt-in record with date, time, channel (e.g., web form, app, SMS reply). If not, do not send.
Legal Basis: Consent or Legitimate Interest?
GDPR offers two paths for direct marketing: consent (Art. 6.1.a) or legitimate interest (Art. 6.1.f). However, ePrivacy requires prior consent for electronic communications with natural persons. In practice, for B2C you must have consent. For B2B, legitimate interest can apply if you demonstrate the business contact expects communications from your sector and you have a genuine connection (e.g., existing customer, quote request). But WhatsApp is stricter than email. Even in B2B, explicit consent is safer.
Right to Object and Erasure
Every message must include an opt-out mechanism. On WhatsApp, the most common solution is replying “STOP” or clicking a link. You must process the request within 24 hours and never send again.
Sponsored Protocol
Operational tip: use the WhatsApp Business API to automatically handle opt-out messages and block future sends. Do not do it manually.
How to Manage Consent in Practice on WhatsApp?
The technical part: how to collect and store proof of consent so it is admissible in court or before the DPA.
Checklist of Valid Consent
- The contact performed a clear action: checked a box, sent a message with “YES”, filled a dedicated form.
- The purpose is specified: “You will receive exclusive offers via WhatsApp”, not just “I accept the privacy policy”.
- We keep a record: database with timestamp, IP (if web), copy of the submitted form.
- The contact's name is linked to the consent (e.g., “John Doe accepted on 10/03/2026 at 14:32 from contact form”).
Technical Implementation (example with WordPress + database)
// Example of recording consent in WordPress
$user_phone = sanitize_text_field( $_POST['phone'] );
$timestamp = current_time( 'mysql' );
$ip = $_SERVER['REMOTE_ADDR'];
global $wpdb;
$wpdb->insert(
$wpdb->prefix . 'wa_consents',
array(
'phone' => $user_phone,
'consent_date' => $timestamp,
'ip' => $ip,
'source' => 'contact-form'
)
);
Session vs Template — Which One Keeps You Compliant?
WhatsApp Business API distinguishes two communication channels: sessions (messages sent within 24h of a user message) and templates (pre-approved messages for marketing, even outside the 24h window).
Sponsored Protocol
Sessions: Safe but Limited
If a user contacts you first (e.g., “I'd like info about...”), you can reply freely within 24 hours. This falls under customer service and doesn't require additional consent if a business relationship already exists. But if no one writes to you, sessions cannot be used to initiate a conversation.
Templates: Marketing at Scale
To send promotional messages to a list of contacts who haven't recently messaged you, you must use templates (models approved by Meta). Every template must be submitted and approved. Moreover, the contact must have given explicit consent to receive marketing messages via WhatsApp (not just generic “accept communications”).
Common mistake: sending promotional messages through sessions pretending the user wrote to you. Meta detects this pattern and blocks the account.
What Do WhatsApp Business Platform Policies Say?
Beyond GDPR, you must follow WhatsApp Business Platform Policy, which prohibits:
- Spam, unsolicited bulk messages.
- Deceptive, offensive, or illegal content.
- Use of unverified or purchased numbers.
- Excessive sending speed (rate limiting).
Violating policies can lead to suspension of your WABA account and all associated numbers. Recovery is difficult.
Sponsored Protocol
Practical recommendation: use a provider like Twilio (which we have integrated in our projects) or MessageBird that handles compliance with Meta and provides well-documented APIs. But remember: the responsibility for consent remains yours.
How to Document Compliance for a Potential Audit?
The Data Protection Authority may ask you to prove how you collected consent, who sent messages, what data you processed. Prepare as follows:
Record of Processing Activities (ROPA)
You must have a register that includes: purpose (WhatsApp marketing), legal basis (consent), data categories (phone number, name), retention periods, security measures.
Proof of Consent
Store in a protected database (not scattered Excel sheets) all consent records: timestamp, source, IP, screenshot of the form or WhatsApp conversation. We use a JSON model in a MySQL database with encrypted backups.
Retention Policy
Keep consent data for the duration of the business relationship plus 12 months after revocation. Then delete or anonymise.
What to Do Now — Your Action Checklist
- Audit your contact list: for every number, check if explicit WhatsApp consent exists. If not, do not send. If uncertain, ask again (e.g., re-opt-in SMS).
- Implement a consent recording system: even a simple database with timestamp, phone, source. If using WordPress, create a custom table (e.g.,
wa_consents) and log every opt-in. - Choose the correct mode (session vs template): for outbound marketing always use approved templates. Never send promotional messages as replies to unsolicited messages.
- Include opt-out in every message: “Reply STOP to unsubscribe” or a link to a landing page. Handle it automatically via API.
- Document everything: keep an up-to-date ROPA and store proof of consent securely.
- Read Meta's policies: check the WhatsApp Business Platform documentation at least monthly — they change.
If all this sounds complex, don't worry. We do this every day for Italian businesses, small and large. We can set up the entire flow — from consent collection to compliant sending — so you focus on the message, not the compliance.
Sponsored Protocol
Zenith ZenApp is the all-in-one platform to run your business — clients, scheduling, deadlines, invoicing and WhatsApp reminders, all from your browser. No installation required.
Discover Zenith ZenApp →