The GDPR-Proof WhatsApp Marketing Playbook for European Shopify Brands (2026 Edition)


Written by
Selo A.

24 February 2026

If you sell to European customers and use WhatsApp to market to them, the legal surface you operate on is larger and more complex than for email or SMS marketing. WhatsApp is owned by Meta, runs on infrastructure that processes data across jurisdictions, and has been the subject of significant GDPR enforcement actions, including a €225 million fine from the Irish Data Protection Commission in 2021 against WhatsApp itself.

This is not a reason to avoid WhatsApp. WhatsApp marketing is fully compatible with GDPR when done correctly, and brands like Takko Fashion, KLM, and SNOCKS have run sophisticated WhatsApp programmes in the EU for years without legal incident. But "done correctly" requires more than the casual opt-in that passes muster for SMS. This post walks through what GDPR actually requires for WhatsApp marketing, what changed in 2026 with the Digital Services Act and the Digital Markets Act, and how to build a programme that survives an audit.

A standard disclaimer: this is not legal advice. For binding counsel on your specific situation, consult a data protection lawyer in your jurisdiction. What follows is a practical, plain-English summary of where the rules sit as of May 2026.

The three-layer compliance stack

WhatsApp marketing in the EU sits inside a three-layer regulatory stack, and you need to satisfy all three.

The first layer is the General Data Protection Regulation (GDPR), which governs the processing of personal data of EU residents regardless of where your business is located. For WhatsApp, the relevant articles cover lawful basis for processing (Article 6), specific consent requirements (Article 7), data subject rights (Articles 15 to 22), and the duty to put a Data Processing Agreement in place with any processor handling EU data on your behalf (Article 28).

The second layer is the ePrivacy Directive, which adds messaging-specific requirements on top of GDPR. ePrivacy generally requires explicit prior consent for unsolicited electronic communications, with a narrow soft opt-in carve-out for existing customer relationships. National implementations vary significantly between member states.

The third layer, sharpened in 2024 and 2026, is the Digital Services Act (DSA) and Digital Markets Act (DMA). The DMA designated WhatsApp as a "gatekeeper" platform in 2023, which triggered interoperability requirements and content moderation obligations. The DSA added risk assessment and transparency requirements for very large online platforms. For most Shopify merchants, the practical impact of the DSA and DMA in 2026 is limited, but the direction of travel is more compliance, not less.

Which version of WhatsApp is GDPR-compliant for business use

Not all three flavours of WhatsApp are equally compliant. Knowing which one you are using is the first compliance question.

The personal WhatsApp app is not GDPR-compliant for business communication. It uploads contact lists to Meta automatically, processes metadata in ways that have repeatedly drawn regulatory action, and offers no Data Processing Agreement. If your sales team uses personal WhatsApp on their phone to talk to customers about orders, you are exposed.

The free WhatsApp Business app is in a grey area. It does not auto-upload contact lists, but it shares the same underlying infrastructure as personal WhatsApp and lacks meaningful access controls. Some legal experts consider it broadly acceptable for very small businesses; others flag it as risky for any business processing meaningful customer data. The safer reading is that the free Business app is not appropriate for businesses regulated by GDPR if any meaningful customer data flows through it.

The WhatsApp Business Platform (Cloud API), when accessed through a Business Solution Provider that signs a DPA with you, is the version that can be operated GDPR-compliantly. This is the only version with the audit trail, opt-in management, data deletion mechanics, and contractual framework that GDPR requires.

So the foundational answer to "is my WhatsApp marketing GDPR-compliant?" is: only if you are on the Cloud API, only if your BSP gives you a DPA, and only if your opt-in flow and data handling are correctly built.

What counts as valid GDPR consent for WhatsApp

GDPR Article 7 sets a high bar for consent. It must be freely given, specific, informed, and unambiguous. Consent obtained through a pre-ticked box, a bundled agreement, or a vague reference does not meet the standard. For WhatsApp specifically, the consent must be tied to the channel: a customer who consented to receive your email newsletter has not thereby consented to receive WhatsApp marketing.

The consent collection moment must include three elements. First, an explicit statement of what the user is opting into ("receive marketing messages from [Brand] on WhatsApp"). Second, the identity of the data controller (your brand name, not just "us"). Third, a description of the message types and approximate frequency ("product launches, sale announcements, and re-stocks, roughly two to four messages per month").

Pre-ticked boxes are not allowed. Bundling WhatsApp opt-in with terms of service acceptance is not allowed. A general SMS opt-in does not transfer to WhatsApp. A vague claim that "by submitting this form you agree to receive marketing communications" is not specific enough.

The consent must be documented. You need to be able to prove, for any given subscriber, when they consented, what they consented to, what wording they saw, and from which collection point. If your BSP does not store this metadata, you cannot prove consent in an audit, and an undocumented opt-in is treated as no opt-in.

Single opt-in vs double opt-in: what the law actually says

There is significant confusion about whether double opt-in is mandatory under GDPR. The strict legal answer is that double opt-in is not explicitly required by GDPR, but it is widely treated as best practice because it provides documented evidence of consent that single opt-in does not.

A single opt-in flow looks like this: customer ticks an explicit, unbundled WhatsApp marketing consent checkbox at checkout, you log the consent, you can now message them.

A double opt-in flow looks like this: customer ticks the consent checkbox, you send a single confirmation message to their WhatsApp number asking them to reply YES to confirm, only after they reply do you add them to the marketing list.

Double opt-in is the safer path for two reasons. First, it independently verifies the phone number belongs to the person who consented. Without verification, anyone could enter another person's phone number into your form and that person would start receiving marketing messages without ever having consented. Second, double opt-in produces an audit trail that includes the user's affirmative action on WhatsApp itself, which is the strongest possible evidence of channel-specific consent.

The brands we see operating cleanly in the EU all use double opt-in. The brands we see receiving complaints and warnings are usually those that imported a phone list and asked for forgiveness later.
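The consent record described in the previous section and the single versus double opt-in transitions above (plus the opt-out removal from the checklist further down), as an added Python example that is not from the post or from any BSP; the ledger, its field names and the 48-hour confirmation window are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    phone: str
    channel: str                 # consent is channel-specific: "whatsapp" does not follow from "email"
    wording: str                 # exact text shown at the collection point
    source: str                  # collection point, e.g. "checkout_checkbox"
    ip: str                      # IP address or equivalent, as in the checklist
    requested_at: datetime       # when the checkbox was ticked (the single opt-in step)
    confirmed_at: Optional[datetime] = None   # when the subscriber replied YES on WhatsApp
    confirmation_reply: Optional[str] = None  # raw reply text, kept as evidence
    withdrawn_at: Optional[datetime] = None   # opt-out; the record is kept to prove history

class ConsentLedger:
    # Hypothetical ledger keyed by (phone, channel); not any BSP's API. 48h window is assumed.
    CONFIRM_WINDOW = timedelta(hours=48)

    def __init__(self):
        self._records = {}

    def record_opt_in(self, phone, channel, wording, source, ip, now):
        # A fresh tick replaces any earlier state for this phone+channel pair.
        self._records[(phone, channel)] = ConsentRecord(phone, channel, wording, source, ip, now)

    def record_confirmation(self, phone, reply, now):
        """Close the WhatsApp double opt-in loop: True only for a pending, unexpired request and a YES reply."""
        rec = self._records.get((phone, "whatsapp"))
        if rec is None or rec.confirmed_at or rec.withdrawn_at:
            return False
        if now - rec.requested_at > self.CONFIRM_WINDOW or reply.strip().upper() != "YES":
            return False
        rec.confirmed_at, rec.confirmation_reply = now, reply
        return True

    def withdraw(self, phone, channel, now):
        rec = self._records.get((phone, channel))
        if rec is not None:
            rec.withdrawn_at = now   # may_message() turns False at once: removed, not paused

    def may_message(self, phone, channel):
        # Only a confirmed, non-withdrawn record on this exact channel permits a send.
        rec = self._records.get((phone, channel))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def audit_proof(self, phone, channel):
        rec = self._records.get((phone, channel))   # when, what wording, from where, and the reply
        return None if rec is None else asdict(rec)
```

A phone number whose checkbox tick was never confirmed on WhatsApp, or whose request lapsed, never becomes sendable, which is the property the double opt-in argument above relies on.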

The soft opt-in for existing customers

ePrivacy provides a narrow soft opt-in carve-out: a business may market to an existing customer about similar products to those previously purchased, without explicit prior consent, provided the customer was given a clear opportunity to opt out at the point of collection and in every subsequent message.

The soft opt-in is more limited than people assume. It only applies to existing customers. It only covers similar products. It still requires an opt-out mechanism. And national implementations vary: Germany interprets it narrowly, the UK and Netherlands more liberally.

For WhatsApp, our practical advice is to not rely on the soft opt-in unless your legal counsel has specifically blessed it for your context. The marginal cost of running a proper double opt-in is small. The downside of being wrong about a soft opt-in interpretation is large.

Data Processing Agreements with your BSP

Article 28 of the GDPR requires a Data Processing Agreement in place with any third party processing personal data on your behalf. Your WhatsApp BSP is one of those third parties. If you do not have a DPA with them, you are non-compliant regardless of how good your opt-in flow is.

A DPA must specify the purpose and duration of the processing, the categories of data and data subjects, the security measures the processor will apply, the sub-processors they may use, the geographic locations where data may be processed, and the assistance the processor will provide for data subject rights requests and security incidents.

Three things to specifically check in a BSP DPA:

  1. Where is the data physically processed and stored? EU-hosted data is the simplest case. Data hosted in third countries (Hong Kong, India, the United States outside Privacy Shield successor frameworks) requires Standard Contractual Clauses and may require a Transfer Impact Assessment.

  2. Who are the sub-processors? Meta itself is a sub-processor for any WhatsApp BSP, and that should be disclosed. Other sub-processors (cloud hosts, analytics providers) should also be listed.

  3. What is the data deletion commitment when you terminate the contract? You need explicit assurance that data will be returned or destroyed within a defined period.

EU data residency: why it matters and where the providers actually sit

The location where your WhatsApp data is processed is a meaningful compliance question that most merchants never ask their provider.

WATI is headquartered in Hong Kong. Hong Kong is a third country under GDPR. Data transfers to WATI's infrastructure require Standard Contractual Clauses and arguably a Transfer Impact Assessment that considers Hong Kong's legal regime. Zoko is headquartered in India. Same third-country considerations apply. Dondy is global with no specific EU residency commitment in their public materials. 360dialog is headquartered in Berlin and offers EU data hosting. This is the cleanest story among the major BSPs from a residency standpoint, with the caveat that 360dialog only provides API infrastructure and not a merchant-facing platform.

The safest setup for a regulated EU merchant is a BSP with EU data residency, an EU-resident data protection officer, and a DPA that does not rely on Standard Contractual Clauses to a third country.

The 2026 changes you need to know about

A few specific developments tightened compliance expectations in 2026.

In January 2026, Meta updated the WhatsApp Business Solution Terms to ban general-purpose AI chatbots on the Platform. This has GDPR implications because AI processing of personal data without explicit consent for AI-specific use can constitute additional processing requiring additional consent. Task-bound bots scoped to your business context are easier to defend. Open-ended LLM wrappers are not.

Under the Digital Services Act, WhatsApp is now subject to content moderation transparency requirements, and businesses operating on the platform must implement risk management procedures if they qualify as participants on a Very Large Online Platform.

Under the Digital Markets Act, WhatsApp interoperability obligations have rolled out gradually since 2024. Customers may message you through third-party messengers under DMA-compliant interoperability provisions. End-to-end encryption is preserved for personal-to-personal messaging, but the encryption handoff to third-party apps introduces threat models that your data protection policy may need to acknowledge.

The April 2025 US marketing pause also has a GDPR-adjacent implication for EU brands selling to US customers. If you have ever messaged a US +1 number, those interactions are now subject to a different policy regime than your EU sends.

A 12-point GDPR checklist for your WhatsApp programme

Use this as a pre-launch and quarterly audit checklist for your WhatsApp marketing setup.

  1. You operate on the WhatsApp Business Platform (Cloud API) through a BSP, not on the personal app or the free Business app, for any meaningful customer communication.

  2. You have signed a DPA with your BSP that names sub-processors, specifies data location, and commits to a deletion timeline.

  3. Every WhatsApp marketing opt-in is collected through an explicit, unbundled, channel-specific consent action with documented wording.

  4. Every consent is logged with timestamp, source, wording shown, and IP address (or equivalent), and the log is exportable.

  5. You use double opt-in for new subscribers, with the confirmation message and reply stored as part of the consent record.

  6. Every WhatsApp marketing message includes a clear, easy opt-out mechanism in language the recipient understands.

  7. Opt-out requests are honoured within 24 hours and the contact is removed from all marketing segments, not just paused.

  8. Your privacy policy explicitly references WhatsApp as a marketing channel, names your BSP, and describes data flows.

  9. Data subject access requests can be answered for WhatsApp data within 30 days and your BSP supports this.

  10. Data subject deletion requests result in actual deletion across your CRM, your BSP platform, and your message archives.

  11. Your AI assistant on WhatsApp is task-bound to your business context, has explicit refusal behaviour for off-topic prompts, and does not constitute additional AI processing requiring separate consent.

  12. You retain WhatsApp message data only for as long as required by your stated retention policy, which is documented and shorter than indefinite.

If you cannot answer yes to all twelve, you have specific work to do. The most common gaps we see in the EU market are missing DPAs, undocumented opt-in trails, and personal WhatsApp use by sales teams.

Frequently asked questions

Do I need separate consent for WhatsApp marketing if I already have email consent?

Yes. ePrivacy and GDPR treat consent as channel-specific. A user who agreed to your email newsletter has not consented to receive WhatsApp messages.

Can I use a customer's phone number from a Shopify order to send them WhatsApp marketing?

No, not without explicit WhatsApp marketing consent. The phone number was provided for order fulfilment under a different legal basis (contract performance, Article 6(1)(b)).

What is the maximum fine for a WhatsApp GDPR violation?

The general GDPR maximum is the higher of €20 million or 4 percent of global annual turnover. In practice, fines for WhatsApp-related issues for a Shopify-scale business have been in the €5,000 to €500,000 range.

Is WhatsApp end-to-end encryption enough for GDPR?

Encryption helps but does not satisfy GDPR by itself. GDPR requires lawful basis, consent management, data subject rights, audit trails, and DPAs in addition to security measures like encryption.

Can I send WhatsApp marketing to customers in the US under GDPR?

GDPR applies to EU residents. If a customer is in the US, GDPR does not directly apply, but US state laws (CCPA in California, similar laws in Virginia, Colorado, Connecticut, Utah) may apply. Also note that since 1 April 2025, marketing template messages to +1 phone numbers are paused by Meta and do not deliver.

My BSP says they are GDPR-compliant. Does that mean I am compliant?

No. Your BSP being compliant is necessary but not sufficient. You are the data controller and you are responsible for the lawful basis, consent collection, opt-out mechanisms, and data subject rights handling on your end.

Do I need a Data Protection Officer for my Shopify WhatsApp programme?

A DPO is required under GDPR Article 37 if your core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Most Shopify stores do not meet this threshold for their WhatsApp programme alone.
