How to Make WhatsApp GDPR Compliant When Talking to Customers

November 21, 2022

The popularity of WhatsApp has surged in recent years, with the number of users reaching 2.78 billion in 2024.

But although WhatsApp is one of the world’s most popular messaging apps, it isn’t always the best option for businesses and customer communication.

Not straight out of the box, at least. 

In fact, while many companies have started to adopt WhatsApp as a customer contact channel, without the right precautions, you aren’t protected against GDPR regulations. 

This is because WhatsApp is not automatically GDPR compliant.

The good news is, making sure you are compliant doesn’t have to be a headache.

In this article, we'll provide everything you need to know to make your company’s WhatsApp compliant with the GDPR. We'll cover:

  • What is the GDPR?
  • The best ways to use WhatsApp for your business
  • How to ensure your business WhatsApp is GDPR compliant

What is the GDPR?

The General Data Protection Regulation (GDPR) is a set of rules and regulations that governs how organisations can collect and process personal information from citizens within the European Union (EU). 

These rules make sure that organisations gain legal consent from their customers to collect their data.

The rules also impose strict policies on how to safeguard and store that data too. 

What’s important to note here is that, when it comes to these regulations, it doesn’t matter where an organisation is based. 

For example, if your company is based in the US, you must still comply with the GDPR if you serve European or UK customers.

It’s the same whether you’re using WhatsApp or any other communication channel.

Does the GDPR apply to WhatsApp?

The short answer is yes. The longer answer is that it depends on which version of the app you use. 

Following Facebook’s takeover of WhatsApp in 2014, the company has taken many steps to safeguard its users' data. 

However, WhatsApp was initially intended for personal communication, not B2C communication. 

This means that while WhatsApp uses end-to-end encryption, and only processes a certain amount of data for advertising purposes, your business is still at risk of failing to meet GDPR standards. 

This is because of the way in which WhatsApp collects personal data.

Let’s take a look at what information they retain and why.


What personal data is WhatsApp collecting?

According to research into the way WhatsApp processes personal information, the company collects a number of data sets from all users on the application. These include: 

  • Phone number
  • Device ID
  • Location
  • Transaction data
  • Product interaction
  • User identifiers

WhatsApp owner Facebook hasn’t definitively stated that they use this information for targeted advertising. 

That said, personal data is used as an advertising tool to monetize Facebook itself, as well as the company's other businesses, such as Instagram.

Either way, to use the app, customers must agree to WhatsApp’s privacy policy information. 

Upon agreeing with their policy, these app users are declaring consent to the collection of the above details.

If customers don’t agree to this, they are unable to use the app. 

Is WhatsApp safe in 2021? 

While some users might find the type of personal information being gathered alarming, the same research linked above reports that the following information is protected by WhatsApp’s end-to-end encryption: 

  • Private chats
  • Private phone calls
  • Message or call logs
  • Contact information
  • Shared location
  • WhatsApp group information

It means that your private conversations are safe - even from WhatsApp and Facebook themselves. 

However, this doesn’t mean your company’s WhatsApp is GDPR compliant if you’re using the basic app to speak to customers. 


What is the best way to use WhatsApp for business?

With more and more businesses using WhatsApp as a customer service channel, the company has now developed new ways for businesses to communicate with their customers safely.

At the time of writing, there are three WhatsApp applications that are currently available for use by individuals and businesses.  

It means that, so long as you choose the right type of WhatsApp application for your business, you can rest assured that your WhatsApp is GDPR compliant.

Let’s take a look at each in turn. 

1. WhatsApp Messenger App

While WhatsApp advises that they’ve made each of their apps ‘GDPR compliant for their intended uses’, that doesn’t mean the standard WhatsApp Messenger App is a safe choice for your company. 

This is because the original WhatsApp application was designed for private and personal use only. 

As we’ve seen, when signing up to use this version of the app, all users must agree to hand over their personal details.

This version of WhatsApp also requests access to information regarding all of the other contacts in your phonebook too. 

In essence, WhatsApp gains data from your entire contact list - including the details of everyone you’ve ever contacted. 

It means that, if you’re using this version of the app as a customer contact channel, you are inadvertently sharing your customers' contact details with WhatsApp, as well as other customers. 

In terms of GDPR regulations, this isn’t an ideal scenario. 

To solve this problem, WhatsApp supplies users with a specific business version of the app. 

So, to make sure your business’s WhatsApp is GDPR compliant, stick to one of the following options.


2. WhatsApp Business App

This is the version of WhatsApp that’s marketed towards small to medium businesses, and for GDPR compliance, it’s a far safer option than the standard app. 

The reason is simple: unlike the standard version, the WhatsApp Business App does not request access to the users’ contact list. 

That said, there is some confusion over whether this option is truly GDPR compliant for small businesses.

While WhatsApp claims that this version is compliant with the GDPR, some legal experts still voice concern. 

Either way, on top of this uncertainty, this version of WhatsApp has some other problematic limitations that make it a less than ideal choice. 

For instance, unlike the WhatsApp Business API discussed below, you aren’t able to plug this version of the app into your existing contact channels. 

So, with the WhatsApp Business App, you’ll always have to talk to your customers over your mobile device.

This greatly limits your ability to offer a true omnichannel experience. 

Without linking WhatsApp to your other engagement channels, customers are at risk of longer wait times and being bounced around between contact agents.

These issues are two easily avoided digital customer service mistakes.

3. WhatsApp Business API 

When aiming to communicate with your customers, this version of the app is by far the most secure way to ensure WhatsApp GDPR compliance. 

This is because WhatsApp’s Business Application Programming Interface (API) is only available to third-party WhatsApp Business Solution Providers. 

It means WhatsApp has specifically partnered with these companies to ensure a safe and secure use of their app for your business. 

It’s how Talkative can provide WhatsApp as part of our customer engagement platform - providing privacy, security, and GDPR compliance whenever you’re talking with your customers online. 

The WhatsApp Business API has other advantages too.

Firstly, using a third party solution means you are able to use the application within desktop systems, as opposed to only mobile devices. 

With this option, multiple users are also able to access one central account too. It means this solution is far more scalable. 

Whatever solution you use to implement the WhatsApp Business API, this option also allows you to explicitly obtain consent from your customers before you begin communicating with them. 

Like the business app, this version of WhatsApp does not read the other contact information in your address book. 

Coupling this with the consent gained from your customers, it means you’re in complete control of your contact list.

It also means you’re able to prove that your customers are happy to have their details processed by you as a business. 

Ultimately, this proves that you have a legal basis to use and process your customers' data, as set out by WhatsApp’s guidelines.

It makes this version of the app your easiest step towards ensuring your WhatsApp’s GDPR compliance.


WhatsApp Business API FAQs

Before continuing, let's take a look at some of the most frequently asked questions regarding the GDPR compliant use of WhatsApp through their Business API. 

Can I speak to customers who get in touch via WhatsApp?

You can - any customer that initiates a conversation with you is demonstrating the equivalent of consent, under the framework of the GDPR. 

This is discussed in more depth in the below section: How to make sure your company’s WhatsApp is GDPR compliant. 

Can I send messages to my customers via WhatsApp?

You can - so long as you get their permission in the form of explicit consent.

This can be done using an opt-in message. Again, this is covered in more detail below. 

When gathering consent from your customers, just remember that consent must be purpose specific.

To stay in line with the GDPR, you need to be able to prove that you’re only keeping necessary data. 

Can any business use the WhatsApp Business API? 

Unfortunately not - WhatsApp’s messaging services are prohibited for a number of sectors and industries.

Below is a non-exhaustive list of restricted products and services, with the full list available within WhatsApp’s terms and conditions:

  • Alcohol
  • Tobacco products and accessories
  • Drugs/medicines
  • Weapons, ammunition, explosives
  • Animals
  • Adult products and services
  • Dating Services
  • Gambling services
  • Cryptocurrencies
  • Digital subscription services, etc.  

Does WhatsApp comply with the GDPR? 

At this point in the discussion, you might be wondering what WhatsApp’s own position is in terms of their company’s GDPR compliance. 

As the app has access to your contact details, surely they must be GDPR compliant themselves? 

This is where some legal finesse comes into play on the company’s part. 

Essentially, by making users consent to their data being collected upon their first use of the app, WhatsApp covers themselves from any legal issues.

It’s all available in their privacy policy.

Simply put, WhatsApp gets around the issue of GDPR compliance by positioning themselves as a ‘data processor’, rather than a ‘data controller’. 

Let’s break these terms down with help from the European Commission’s definitions:

  • A data controller is the person/organisation that determines ‘the purposes for which and the means by which personal data is processed. So if your company/organisation decides “why” and “how” the personal data should be processed, it is the data controller.’ 
  • A data processor is the person/organisation that ‘processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.’

In essence, if your company wants to use WhatsApp as a communication channel, you become the data controller.

WhatsApp and any business that helps you integrate the application are data processors. 

It means the responsibility is on you and your company to make sure that data is ultimately kept safe and secure. 


How to make sure your company’s WhatsApp is GDPR compliant

Depending on how you use WhatsApp for business, there are a number of ways you can make sure that your WhatsApp is GDPR compliant - whether you use the WhatsApp Business App or their API. 

What’s most important to remember is your role when using WhatsApp to speak to customers.

As a data controller, you need to make sure you’re following a specific set of GDPR guidelines. 

As an introduction to these guidelines, take a look below and consider what steps you’d need to take once you’ve partnered with a WhatsApp Business Solution Provider.

1. Gain customer consent 

When it comes to WhatsApp and GDPR compliance, you as a data controller need to gain customer consent from each individual you speak with.

Customer consent can usually be granted in two ways: 

  1. Opt-in Systems
  2. Customer Contact

With opt-in systems, you can implement a purpose specific opt-in prompt that users must agree to before communicating with you.

This option is certainly worth considering if you intend to offer outbound messaging via this channel. 

As per WhatsApp’s guidelines, any opt-ins must ‘(a) clearly state that the person is opting in to receive messages from you over WhatsApp and (b) clearly state your business’ name.’ 

As these messages need to be purpose specific, you should also tell your customers what types of notifications they will be receiving.

This will help you ensure your WhatsApp is GDPR compliant.

The customer contact option is more applicable in an inbound customer service setting.

Simply put, when a customer gets in touch with you via WhatsApp, the act of initiating the exchange can be construed as consent. 

WhatsApp highlights this by allowing two types of messages between businesses and customers:

  1. Customer initiated ‘session messages’
  2. Company initiated ‘template messages’

If a customer gets in touch with a session message, you have 24 hours to respond, and an opt-in message isn’t required. 

That said, even though customer contact can be understood as a sign of consent, you might want to offer an opt-in system anyway. Doing so is one of the easiest ways to ensure WhatsApp GDPR compliance. 

Either way, always make sure that you reference your privacy and data processing policies too. 


2. Display privacy & processing policies

However you gain your customers’ consent, the next step in ensuring your WhatsApp is GDPR compliant is creating a privacy policy that’s easy for your customers to access. 

This is crucial as a data controller. Not only will it prove your compliance, but it will also make sure your customers are fully up to speed with how you process their data. 

This can even be included in your company’s WhatsApp bio, or linked to within your first opt-in message.

Whatever option you choose, always make sure any links to your policies are clearly named as such.

Furthermore, you should always update your users on newer versions of your policy too. 

By providing clarity around these privacy policies, you’ll be offering your customers a stronger sense of security, as well as ensuring your own WhatsApp GDPR compliance. 


3. Allow customers to opt-out 

Whether you have one-off conversations with your customers, or whether they plan to communicate with you many times in the future, some customers will want to opt-out of your WhatsApp messages for good. 

Clearly allowing customers to do this is another easy step towards GDPR compliance for WhatsApp. It’s also incredibly easy to put in place. 

In fact, you might even want to include this information in your initial opt-in message, as well as in your privacy policy and bio. 

For example, when a customer receives their initial opt-in message, you can inform them that the keyword ‘STOP’ will cease any further communications. 

Don’t forget to include these details in your policies too. It’s another way to save yourself any worries over your company’s WhatsApp GDPR compliance. 

4. Provide security 

WhatsApp’s end-to-end encryption means that private conversations should remain that way. 

However, if your company’s network and devices aren’t secure, your customers’ personal information can still be compromised. 

As a data controller, this could prove extremely troublesome. In the event of a breach, you might face a hefty fine. 

To make sure that you don’t fall foul of this GDPR risk when using WhatsApp, it’s a good idea to revisit and test your network’s security policies.

You might even want to contract or hire a security specialist. 

Another good practice is to seriously consider how long you need to keep your customers’ data.

If you keep it longer than necessary, it’s another way to breach GDPR regulations.


5. Secure WhatsApp Business group chats 

Another important point to consider for WhatsApp GDPR compliance is your company’s use of group chats or conversations. 

While you might be communicating with customers through the WhatsApp Business App or API, your customers will still be using the commercial version of the application. 

It means that, should you invite a customer to a group chat, they’ll be able to see the phone numbers of other participants. 

This is an example of how easy it is to break GDPR regulations on WhatsApp.

So, to avoid unwittingly sharing anyone’s information, aim to keep customer communications one on one. 

If a group chat is necessary, share a link with your participants instead, allowing them to opt in or out of the conversation.

That way, they’ll be able to decide whether they want to share their data or not. 

6. Keep track of your records

As a company using WhatsApp as a contact channel, you have a huge responsibility as a data controller. 

In short, it’s up to you to make sure that your customers’ data is stored safely and securely. 

To prove that you’re doing so, you need to make records of the following: 

  1. What data you’re collecting and why. 
  2. The names and positions of the employees who have access to customer data. 
  3. Details of any third parties or data processors that have access to such data.
  4. How long you keep data for and your process for securing and deleting it. 

Depending on the size and age of your business, the above processes will vary greatly. 

By making sure you’ve got a handle on these processes in the way of organised records, you can make sure you’re covered should any data breaches occur.

You can prove you’ve done your utmost to protect yourself and your customers’ data. 


The takeaway

If your business is looking to adopt WhatsApp as a customer-facing contact channel, you can make sure you’re GDPR compliant by taking note of the following four points: 

  1. Make sure you’re using the right application to speak with your customers - whether it’s the WhatsApp Business App or a WhatsApp Business API solution like Talkative. 
  2. Make sure you obtain consent from your customers when engaging them. 
  3. As a data controller, make sure you protect your customers’ data as you would with any other data collected from other contact channels. 
  4. Make sure you keep records of how you’re keeping this data safe. 

Doing all of the above will not only keep your customers' data safe, it’ll also make sure your WhatsApp is GDPR compliant. 

From there, your customers can contact you safely on one of their favourite channels. It’s a win for everyone involved. 
