WhatsApp and GDPR: the basics for businesses

GDPR. We all know it's important for email and web. But it also applies to businesses talking with customers on WhatsApp. Here's what it is and what it means for your WhatsApp channel.

"Is WhatsApp GDPR compliant?"

...a common Google search term in 2024, and for good reason.

Yes, your WhatsApp channel can be GDPR compliant if approached in the right way. Essentially, brands need to get the right opt-ins, ensure easy opt-outs, and handle and store people's information in the right way. 

This article explains the basics of WhatsApp and GPR:

• What is GDPR?

• Who needs to comply with GDPR?

• What businesses do businesses need to do to comply with GDPR?

• What GDPR looks like in practice

• GDPR and WhatsApp marketing: why is it relevant to businesses?

• GDPR and WhatsApp Business app vs WhatsApp Business Platform (API) 

• Can enterprises stay GDPR compliant in WhatsApp Business? 

• WhatsApp and GDPR: a summary

What is GDPR?

The General Data Protection Regulation (GDPR, or "DSVGO" in Germany) is a law that ensures businesses operating in the EU protect consumer data. Even if a business is based outside the EU, they still have a responsibility to comply to GDPR when processing data in the EU.

Introduced in 2018, GDPR aims to ensure that "EU citizens have the right to protection of their personal data" as promised in the the EU Charter of Fundamental Rights.

Official wording by the European Commission: "Regulation (EU) 2016/679 of the European Parliament and of the Council¹, the European Union’s ('EU') new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU."

Who needs to comply to GDPR?

The European Commission states:

"The GDPR applies if:

• Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
• Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU

Non-EU based businesses processing EU citizen's data have to appoint a representative in the EU."

What businesses need to do to comply to GDPR

GDPR states that companies should use these principles when creating their data privacy policy:

• Be lawful, fair and transparent – use data lawfully and be transparent with people and the businesses you work alongside
• State a clear purpose – be clear about how and why your business collects personal data
• Minimize data – only collect data if you intend to use it for a specific purpose
• Be accurate – ensure the data your business processes is accurate and stored appropriately
• Limit storage – don’t keep data forever, set a period when it’ll be deleted
• Have integrity and confidentiality – store data securely to prevent “accidental loss, destruction or damage”
• Be accountable – establish, record and communicate data protection policies

There are also some concrete requirements, like you may need to hire a "data protection officer," while others are more about correctly wording and designing your communications, data handling and message flows.

For your full responsibilities as a business, see this article on europa.eu.

What GDPR looks like in practice

GDPR – together with the EU ePrivacy Directive and its respective member state laws – is the reason that:

• You're asked to click on cookie popups before entering a website for the first time.
• You tick the "yes I want to receive marketing communications" box when giving your email address to a business (this shouldn't be preticked).
• There's an "Unsubscribe" button in emails  

It's also the reason when you ask a company to view, delete or correct your data, they're legally obliged to do so.

GDPR is there to keep our data safe, businesses operating responsibly and our inboxes safe from spam.

GDPR is an EU law but it's often used by businesses communicating with customers everywhere in the world as good practice. It seen by some as the global gold standard in data protection law.

GDPR is not the same as preventing spam

GDPR is part of preventing spam, but it doesn't stop spam entirely.

It's there to protect customers' personal data and control how you as a businesses contact them. It states that businesses needs to ask for permission clearly first, let people unsubscribe easily and manage customer information safely, responsibly and transparently. Ultimately, it's the business' responsibility to carry out the proper methodology and and put the right controls in place.

For more on WhatsApp and spam, see this article.

GDPR and WhatsApp: why is it relevant to businesses doing WhatsApp marketing?

When businesses open a WhatsApp marketing channel, they start collecting information about customers: phone numbers, names, perhaps information like address, location, purchasing history, names of pets, clothing size and more.

This means that GDPR data protection rules apply here too, just as they do in other communication channels like email and SMS.

Same rules, new channel.

WhatsApp Business app vs platform (API): different approach to GDPR? 

Quick definition first: The WhatsApp Business app is a free app for small business or individuals. The WhatsApp Business API (now WhatsApp Business Platform) is a tech platform for medium to large businesses sending messages to thousands of customers. See more details about both here. The charles software solution sits on top of the API, as a browser-based user interface (UI) enabling businesses to use the functionality of the API, plus analytics and extra features.

Do you approach GDPR compliance differently when using the app or the API?

• The principles remain the same for both: businesses should handle consent in the right way and treat people's data safely and responsibly.
• You can automate more easily in the API: with the WhatsApp Business app you may have to quite a bit of manual work. With the API (WhatsApp Business Platform), you can set up automatic flows that help keep your WhatsApp communications GDPR compliant, store consent information automatically and make data easily available (using a feature like charles' Journeys).

At charles, our WhatsApp marketing platform is built on the WhatsApp Business Platform (API) and we partner with medium to large businesses. As part of our support, we offer advice to companies to operate WhatsApp in a GDPR-compliant way. For more on GDPR compliance in the WhatsApp Business app, see this article from WhatsApp.

Can enterprises stay GDPR compliant in WhatsApp Business? 

Yes, enterprises can be GDPR compliant in WhatsApp if they carry out the right practices. Global enterprises will often have the same GDPR obligations as small to medium businesses (SMBs) when it comes to dealing with EU citizens.

There may of course be extra levels of complexity with a large business, for example with teams in different countries, different people managing different aspects of a channel (marketing, customer service, sales, brand...) and non-EU headquarters.

Enterprises have different and unique needs. Please speak with our Enterprise Sales team to discuss best practices.

WhatsApp and GDPR: a summary

EU businesses need to comply to GDPR data privacy rules by law. If not, they risk big penalties. Businesses outside the EU should also comply to GDPR if processing people's data in the EU.

WhatsApp can be GDPR compliant for businesses if they operate it in the right way (e.g. in the way they seek permissions and handle and store data).

charles offers GDPR advice to help businesses operate a GDPR-compliant WhatsApp channel. 

We hope this was useful for helping you understand the how WhatsApp and GDPR are connected. If you have specific questions, just book a call with us.

Disclaimer: the information in this article is based on our experience and expertise and is not offered as legal or data privacy advice. For full information on your legal obligations under GDPR, please visit the European Commission's official GDPR site.