WhatsApp and GDPR: the basics for businesses

GDPR. We all know it's important for email and web. But it also applies to businesses talking with customers on WhatsApp. Here's what it is and what it means for your WhatsApp channel.

"Is WhatsApp GDPR compliant?"

...a common Google search term in 2024, and for good reason.

We can tell you that your WhatsApp channel will be GDPR compliant if approached in the right way. To help you with that, we'll publish some more info soon. But essentially, brands need to get the right opt-ins, ensure easy opt-outs, and handle and store people's information in the right way. 

For now, we start with the basics of GDPR and WhatsApp. This article will explain:

• What GDPR is
• What your GDPR and data privacy responsibilities are as a company
• How GDPR is relevant for businesses operating a WhatsApp channel
• How it differs between the free WhatsApp Business app and the WhatsApp Business Platform (API) 
• That enterprises can be GDPR compliant in a WhatsApp channel

What is GDPR?

The General Data Protection Regulation (GDPR, or "DSVGO" in Germany) is a law that ensures businesses in the EU protect consumer data. Introduced in 2018, it aims to ensure that "EU citizens have the right to protection of their personal data" as promised in the the EU Charter of Fundamental Rights.

Official wording by the European Commission: "Regulation (EU) 2016/679 of the European Parliament and of the Council¹, the European Union’s ('EU') new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU."

Who needs to comply to GDPR?

The European Commission states that "the GDPR applies if:

• Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
• Your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU

Non-EU based businesses processing EU citizen's data have to appoint a representative in the EU."

What businesses need to do to comply to GDPR

GDPR states that companies should use these principles when creating their data privacy policy:

• Be lawful, fair and transparent – use data lawfully and be transparent with people and the businesses you work alongside
• State a clear purpose – be clear about how and why your business collects personal data
• Minimize data – only collect data if you intend to use it for a specific purpose
• Be accurate – ensure the data your business processes is accurate and stored appropriately
• Limit storage – don’t keep data forever, set a period when it’ll be deleted
• Have integrity and confidentiality – store data securely to prevent “accidental loss, destruction or damage”
• Be accountable – establish, record and communicate data protection policies

There are also some concrete requirements, like you may need to hire a "data protection officer," while others are more about correctly wording and designing your communications, data handling and message flows.

For your full responsibilities as a business, see this article on europa.eu.

What GDPR looks like IRL

🍪 GDPR is the reason that you have to click on cookie popups before entering a website for the first time.

🟩 It's the reason you need to tick the "yes I want to receive marketing communications" box when giving your email address to a business (and this shouldn't be preticked).

✋ And it's the reason there's an "Unsubscribe" button at the bottom of emails.  

It's also the reason when you ask a company to view, delete or correct your data, they're legally obliged to do so.

It may be annoying at times, but GDPR is there to keep our data safe, businesses in check and our inboxes safe from spam.

GDPR is an EU law but it's often used by conscientious businesses communicating with customers outside the EU – and enterprises generally follow it as good practice. This is because it's accepted to be the global gold standard data protection law.

Increasingly, customers across the world expect to be treated with the same respect GDPR ensures by law in the EU.

GDPR is not the same as preventing spam

GDPR is part of preventing spam, but it doesn't stop spam entirely.

It's there to protect your personal data and control how businesses contact you. It states that businesses needs to ask for permission clearly first, let people unsubscribe easily and manage customer information safely, responsibly and transparently.

Once someone has agreed to receiving communications from you, you could theoretically email them every minute of the day. You could send them endless discount offers ALL IN CAPITAL LETTERS. And you could send endless direct mail letters with bad Clipart pictures on them to their homes. (Until they report you or block you.)

It's unlikely you would do this 😅 But that part of preventing spam is up to you as a business.  

For more on WhatsApp and spam, see this article.

Why is GDPR relevant for businesses using WhatsApp?

When businesses open a WhatsApp marketing channel, they start collecting information about customers: phone numbers, names, perhaps information like address, location, purchasing history, names of pets, clothing size and more.

So naturally, GDPR data protection rules are going to apply here too, just as they do in other communication channels like email and SMS.

Same rules, new channel.

WhatsApp Business app vs platform (API): different approach to GDPR? 

Quick definition first: The WhatsApp Business app is a free app for small business or individuals messaging small numbers of people. The WhatsApp Business API (now WhatsApp Business Platform) is a rich-featured tech platform for larger businesses sending messages to 100,000s of people. See more details about both here. The charles software solution sits on top of the API, as an easy-to-use, browser-based user interface (UI) enabling you to use the functionality of the API, plus analytics and extra features.

Do you approach GDPR compliance differently when using the app or the API?

• The principles remain the same for both: you need to handle consent in the right way and treat people's data safely and responsibly.
• You can automate more easily in the API: with the WhatsApp Business app you will have to do a lot of manual work. With the API (WhatsApp Business Platform), you can set up automatic flows that keep your WhatsApp communications GDPR compliant, store consent information automatically and make data easily available (using a feature like charles' Journeys).
• Data storage is safer in the API: customer data should ideally be stored in EU servers to be 100% sure it's been held in a GDPR compliant way. With the API/WhatsApp Business Platform delivered through a solution provider that stores data in the EU, you know you're safe  (unless you use the "on-premises" API and you store your data yourself, outside the EU). At charles, we store all customer data in the EU, in Frankfurt, Germany, so our clients have peace of mind that it's being held in a GDPR compliant way.

At charles, our WhatsApp marketing platform is built on the WhatsApp Business Platform (API) and we partner with medium to large businesses use. For more on GDPR compliance in the WhatsApp Business app, see this article from WhatsApp.

Can enterprises stay GDPR compliant in WhatsApp Business? 

Yes, enterprises can be GDPR compliant in WhatsApp. Global enterprises have the same GDPR obligations as small to medium businesses (SMBs) when it comes to dealing with EU citizens.

But there may be extra levels of complexity, for example with teams in different countries, different people managing different aspects of a channel (marketing, customer service, sales, brand...) and non-EU headquarters.

Enterprises have different and unique needs. We can advise on how to deal with GDPR and WhatsApp in your enterprise in a call, please speak with our Matthias or Pascal from our Enterprise Sales team.

WhatsApp and GDPR: a summary

EU businesses need to comply to GDPR data privacy rules by law. If not, they risk big penalties. As best practice and to build customer trust, businesses outside the EU should also comply to GDPR as the global gold standard data privacy law.

WhatsApp is GDPR compliant for businesses – whether small, medium or enterprise – if they approach it in the right way in terms of the way they seek permissions and handle and store data. 

charles is an EU-based WhatsApp marketing platform provider that pays great attention to GDPR. It has built in GDPR compliance into its software and advises businesses on how to stay GDPR compliant.

It's easier to stay GDPR compliant if you base your WhatsApp channel on the WhatsApp Business Platform (API) – managed by a WhatsApp Business Solution Provider (BSP)/Meta Business Partner in the EU.  

One last thing

Disclaimer: the information in this article is based on our experience and expertise and is not offered as legal or data privacy advice. For full information on your legal obligations under GDPR, please go to the European Commission's official GDPR site.

We hope this was useful for helping you understand the how WhatsApp and GDPR are connected. For more on how to be GDPR compliant, watch this space, we're preparing something with our legal team. If you have specific questions in the meantime, just book a call with us.