Can I message people who haven't messaged me first on WhatsApp?

Yes, but with conditions. Using the official WhatsApp Business API, you can send outbound messages (using approved message templates) to contacts who have opted in to receive messages from your business. You cannot send unsolicited messages to random numbers — this violates WhatsApp's Business Policy and risks account suspension.

Is cold WhatsApp messaging to consumers allowed?

No. WhatsApp's Business Policy prohibits sending unsolicited promotional messages to consumers who have not opted in. Cold messaging consumers is both a policy violation and potentially illegal under GDPR (EU), CCPA (California), and similar regulations. For B2B cold outreach to business contacts, the rules are more flexible but vary by jurisdiction.

How do I collect a WhatsApp opt-in legally?

A valid WhatsApp opt-in requires clear, specific consent. Acceptable methods include: a checkbox on your website clearly stating 'I agree to receive WhatsApp messages from [Business]', a WhatsApp opt-in landing page, a keyword opt-in (contact sends a keyword to your number), or a Click-to-WhatsApp ad with a clear consent statement. Implied consent (sharing your number in any context) is not sufficient.

What is WhatsApp's spam policy?

WhatsApp defines spam as any message sent without recipient consent, at excessive frequency, with misleading information, or with the purpose of deceiving or harassing recipients. Accounts that generate spam reports above WhatsApp's threshold receive quality rating drops, message sending restrictions, or permanent bans. WhatsApp's spam detection combines automated pattern analysis and user reporting.

Is WhatsApp Bulk Messaging Legal? Everything Businesses Need to Know

WhatsApp bulk messaging is entirely legal — when done correctly through the official WhatsApp Business API with proper opt-in consent. The legal risk comes not from the act of bulk messaging itself, but from how you send: without consent, using unofficial tools, or in violation of data protection laws.

Quick answer: Yes, WhatsApp bulk messaging is legal when you use the official Cloud API, message only opted-in contacts, use approved message templates for outbound campaigns, and comply with relevant data protection laws (GDPR, CCPA, etc.). It is illegal when messaging consumers without consent, using unofficial tools, or violating Meta's Business Policy.

WhatsApp's Official Business Policy on Bulk Messaging

Meta's WhatsApp Business Policy explicitly permits businesses to send bulk messages to customers — with conditions. The key rules are:

Consent is mandatory — contacts must have opted in to receive messages from your specific business
Approved templates required — all outbound business-initiated messages must use templates approved by Meta
Opt-out must be respected — when a contact asks to stop receiving messages, you must immediately honour that request
Content must be legitimate — no spam, misleading claims, phishing, or policy-violating content
Message relevance — messages must be relevant to the relationship you have with the contact

Businesses that follow these five rules have complete legal and policy cover for bulk messaging — even at very high volumes.

What Makes Bulk Messaging Legal vs Illegal

Legal Bulk Messaging ✅

Sending a promotional campaign to customers who opted in via your website
Sending order updates and shipping notifications to customers who purchased
Sending appointment reminders to patients/clients who booked with you
Sending renewal reminders to subscribers of your service
B2B outreach to business contacts in a professional context

Illegal or Policy-Violating Bulk Messaging ❌

Sending promotional messages to purchased or scraped contact lists
Using unofficial WhatsApp automation tools that violate Meta's Terms of Service
Sending without consent to consumers under GDPR jurisdiction
Continuing to message contacts who have asked to unsubscribe
Sending misleading, deceptive, or scam content

The General Data Protection Regulation (GDPR) applies to any business processing personal data of individuals in the EU — regardless of where the business is located. Phone numbers are personal data under GDPR.

Key GDPR requirements for WhatsApp marketing:

Lawful basis: The most appropriate lawful basis for marketing messages is explicit consent under Article 6(1)(a). This means collecting a clear, specific, and documented agreement from each contact to receive your WhatsApp messages.

Right to erasure: Contacts can request that you delete their data at any time. Your WhatsAble contact database allows you to delete individual contact records on request.

Data minimisation: Only collect and store the data you actually need for your messaging purposes.

Data processor agreements: When using a platform like WhatsAble to store and process contact data, ensure there is a Data Processing Agreement (DPA) in place. WhatsAble's Terms of Service include a DPA.

Cross-border data transfers: If your platform is headquartered outside the EU (e.g., US), the data transfer must comply with GDPR's cross-border transfer rules.

An opt-in for WhatsApp marketing must be:

Active — the contact must take a deliberate action (tick a box, send a keyword) — pre-ticked boxes are not valid
Specific — consent must be for WhatsApp messages specifically, not just general contact
Informed — the contact must know what they are consenting to (what messages, how often, from whom)
Documented — you must have a record of when and how consent was given

Compliant opt-in examples:

Website form with checkbox: "☐ I agree to receive WhatsApp marketing messages from Business Name. I understand I can unsubscribe at any time."
Click-to-WhatsApp ad with consent language in the ad copy
Keyword opt-in: Tell customers to send "JOIN" to your WhatsApp number to subscribe
In-person or phone opt-in with documented consent recorded

What Happens If You Violate WhatsApp's Policies

WhatsApp enforces its Business Policy with increasing severity:

Quality rating drop — early warning sign. Sending restrictions may be applied.
Message sending limit — WhatsApp restricts how many messages you can send per day
Template rejection — problematic templates are rejected or removed
Account restriction — you cannot send outbound messages, only respond to incoming
Account ban — permanent removal of your business number from WhatsApp

Account bans are difficult to reverse. Your best protection is prevention through policy compliance.

How Official Cloud API Keeps You Compliant

WhatsApp designed the Cloud API with compliance built in:

Template approval process — Meta reviews every template before it can be used for outbound messaging, ensuring content meets policy standards
Quality rating system — real-time feedback on your account health
Opt-out handling — the API supports official opt-out mechanisms
Messaging limits — rate limiting prevents accidental spam-level sending

Unofficial tools (QR-based automation that bypasses the API) have none of these safeguards. They can send any content to any number at any volume — which is precisely why they violate the Terms of Service and risk bans.

How WhatsAble's Compliance Features Work

WhatsAble is built for compliant bulk messaging:

Cloud API integration — all campaigns route through official Meta infrastructure
Template management — submit, track approval, and manage all templates from one dashboard
Opt-out automation — STOP keyword automatically tags contacts as unsubscribed and removes them from future campaigns
Consent tracking — record opt-in source and date for each contact
GDPR deletion tool — delete individual contact data on request
Quality rating monitoring — alerts when your account health changes

See WhatsAble's compliance features and pricing →

Start compliant WhatsApp campaigns with WhatsAble →