Is WhatsApp GDPR-compliant? And what can you do to ensure your usage of WhatsApp for your business adheres to what’s been described as one of the toughest and strictest data privacy laws ever implemented?
If you’re a business owner who takes customers’ privacy seriously, then these questions will have crossed your mind at some point.
In this post, we’ll give you the lay of the land of WhatsApp and GDPR.
We’ll touch on all three branches of WhatsApp: the WhatsApp Messenger app, the WhatsApp Business app, and the WhatsApp Business API, and tell you what you can do to ensure your business’s WhatsApp communication is GDPR-compliant.
There’s much to cover, so buckle up.
Disclaimer: WhatsApp and GDPR is a massive topic with legal implications. We can only provide an overview of it and offer compliance suggestions and guidelines. If you have specific questions or need to understand the topic in depth, we recommend that you speak to an expert.
Before we dive into how to be GDPR-compliant with WhatsApp, we must first understand what GDPR is.
Now, there’s an 88-page official document detailing everything you need to know about the GDPR. But we’re guessing you’re not here for the legal jargon, so let us lay it out in simple terms for you.
(If you’re already familiar with GDPR, feel free to skip to the next section.)
Here’s a short overview:
Pay particular attention to the fourth point. It states that the GDPR covers anyone living in the EU. This means that as long as your business has dealings with anyone who lives in the EU, you are legally bound by GDPR.
This can be anything from someone living in the EU visiting your website to you sending a WhatsApp message to a customer or prospect who lives in the EU.
Important: This applies even if your business is registered outside the EU.
Even more important: Non-compliance can result in penalties of up to 4% of your global annual revenue or €20 million – whichever is higher.
Now that we have that out of the way, let’s look at whether WhatsApp is GDPR-compliant.
To start, we need to first establish that there are big differences between WhatsApp Messenger, the WhatsApp Business app, and the WhatsApp Business API.
WhatsApp recommends that if you’re using a WhatsApp app for business purposes, you should not be using WhatsApp Messenger but WhatsApp Business.
That’s because each app caters to different needs. As such, WhatsApp has developed each app according to its intended use.
Think about it.
GDPR was enacted to protect the privacy and data rights of customers. This means that data processing for WhatsApp Messenger, which is intended for private use, will look very different from that of WhatsApp Business.
Even WhatsApp themselves can’t make it any clearer:
So, is WhatsApp Messenger GDPR-compliant for business use? There’s no clear answer. But lawyers have voiced skepticism.
The prompt that shows up every time WhatsApp Messenger is installed asking if it can access your contact list is an indication that the WhatsApp Messenger app may not be GDPR-compliant from a business point of view.
In short: Avoid WhatsApp Messenger for business and use WhatsApp Business instead.
(Plus, let’s also not forget that there are just way more amazing WhatsApp marketing tools companies can leverage from their business app.)
Unlike the WhatsApp Messenger app, the WhatsApp Business API does not request access to users’ contact lists.
Messages received are also only stored for 30 days, after which they will be automatically deleted.
If you’re using WhatsApp Business API, you are able to implement a feature that allows you to obtain consent from customers regarding data use and collection before you begin communicating with them.
To better understand GDPR compliance with the WhatsApp Business API, please contact our team.
Ensure that you have an opt-in system in place for your business’s WhatsApp communications.
Users need to provide explicit consent to receiving messages from you and sharing their personal data with you via WhatsApp.
For example, if customers are required to provide their phone numbers when signing up for an account with you, they need to explicitly state that they’re open to receiving WhatsApp messages from you.
Not only is this a GDPR requirement, but even WhatsApp’s own business policy states so:
You may only contact people on WhatsApp if: (a) they have given you their mobile phone number; and (b) they have agreed to be contacted by you over WhatsApp. Do not confuse, deceive, defraud, mislead, spam, or surprise people with your communications.
Note that if customers take the initiative to message your business on WhatsApp, this can most likely be construed as consent.
Explain what sort of data you collect and what you intend to use it for.
Be as detailed as possible. Every single piece of information needs to be addressed, even if it may seem obvious to you.
Why do you need their names? And since we’re talking about WhatsApp, explain how you intend to use their phone numbers.
We recommend that you include this information right from the beginning, such as in your welcome messages, which you can automate regardless of whether you’re using the WhatsApp Business app or the WhatsApp Business API.
The GDPR states that customers have the right to “be forgotten.”
Already, they have the option to block businesses on the WhatsApp Business app. But this is not enough.
You will need to also provide an easy way for them to request to have their private data purged from your database.
For instance, this can be included in a link in your WhatsApp messages to them or on your website.
More importantly, this must be clearly communicated and any requests received to do so must be processed quickly.
All WhatsApp communication should be carried out over a secure network and device. This is to prevent hackers from breaching your connection and stealing your customers’ private information.
Consider hiring a network security engineer to secure your workplace’s internet connection.
If you have employees who are working from home, go the extra mile and invest some time and money in getting a network security engineer over to their homes to ensure a secure enough network is in place.
On that note, if you’re working with third-party providers that have access to your customers’ data, make sure they’re complying with these guidelines.
Not only do you need to make it clear to customers why and how you’re collecting and using their data, but you also need to keep a record of it for yourself.
These records should be detailed and include at least the following information:
This applies not only to your WhatsApp communication but all other channels like email, account signups, and more.
Though this may seem tedious, it’s definitely not unnecessary. And you’ll be grateful the day regulators show up at your door asking to see this information.
If you want a customer to join a WhatsApp group chat you’ve created, always send them a link to do so instead of just inviting them to the group.
That’s because WhatsApp group chat participants have access to the phone numbers of other participants, and simply adding them to the group would mean breaching GDPR guidelines.
By sending them a link, your customers can decide for themselves whether they’re willing to share their phone numbers with other chat participants.
As mentioned earlier, WhatsApp and GDPR compliance is a complex topic for businesses.
As an official WhatsApp Business Solution Provider (BSP), we can only provide basic guidelines and suggestions to help you safeguard your customers’ private data.
If you need more information, get in touch with a legal expert.