Written by Ritika Puri

December 11, 2020

WhatsApp is one of the most popular messaging platforms in the world and has an extensive global reach. But if you’re using it for business purposes, you need to make sure that you’re compliant with international laws and regulations.

As a business, one of the challenges in using WhatsApp, and remaining compliant, is that there isn’t a clear set of rules or best practices to follow. That’s because laws around the world are either new or still being defined. Despite this ambiguity, your business will still be on the hook if a law gets broken.

It’s your responsibility as a marketer or business owner to cover your bases, which also means determining whether the benefits of maintaining a clear line of communication with your audience are worth the potential legal risks of using WhatsApp.

The value of WhatsApp to humanity — and why laws are confusing

WhatsApp Messenger, more commonly known as WhatsApp, has transformed the way people everywhere communicate — and the app is still at the beginning of its product development journey. It offers a unified platform to make phone calls, send messages, and transfer funds, and it’s also evolving beyond its core messaging capabilities to be used as a commercial hub, especially in mobile-first digital economies.

For these reasons, many businesses consider the platform to be an invaluable marketing staple for reaching audiences, even if the policies for commercial platform use are sometimes unclear.

What began as an alternative to SMS has now become an economic force all of its own, transforming into something that even WhatsApp’s creators might not have imagined after they sold the technology to Facebook. 

In India, for instance, the messaging app works with multiple banking partners to better connect the nation’s small business backbone to customers. This is revolutionary from a use case perspective because banking around the world is so highly regulated.

And around the globe, WhatsApp is used as a communications platform for the World Health Organization (WHO) to keep communities informed during the pandemic. 

The power of WhatsApp, from a human interest standpoint, is immense. (There’s a reason why Facebook purchased the platform for $19B when the company was still in its infancy.) To put it simply, WhatsApp is an invaluable way to reach people in everyday moments.

Addressing compliance challenges

If you’re looking to use WhatsApp commercially, the biggest challenges you’ll face are the ill-defined compliance landscapes and precedents. 

If you communicate with WhatsApp users in 180 different countries, then your marketing and legal teams need to be mindful of what regulations apply to each of these regions. Being unaware of each country’s policy will not protect your business from potential consequences, which include fines.

Ultimately, your WhatsApp compliance program depends on considerations unique to your business, as well as the type of personal data you collect. The following step-by-step framework will simplify the process, making the WhatsApp compliance maze a bit easier to navigate for your specific business.

Keep in mind that these steps offer guidance only — not prescriptive advice.

Step 1: Define the Terms and Conditions for your WhatsApp chat use case

One of the first steps to take is to ensure that you’re in compliance with WhatsApp’s terms and conditions. These policies exist for your protection — think of a company’s Ts and Cs (aka terms and conditions) as sort of bowling alley bumpers for your business. 

You never know what challenges might arise in the future, especially if one of your customers initiates a lawsuit. If you’re not compliant for your business use case, you run the risk of increasing your chances for otherwise avoidable problems.

An easy action item is to read through the WhatsApp security and privacy help center.

It’s especially common for individuals on the platform to make mistakes with respect to WhatsApp’s official policies. A February 2020 report found, for instance, “that almost half (41%) of UK workers admit to using WhatsApp for work purposes despite it being against WhatsApp’s legal terms of service to use it in ways that involve any non-personal use.”

In other words, WhatsApp users are using their personal accounts to communicate with coworkers about work things without realizing that this isn’t compliant. Even though individual WhatsApp users are making the mistake, their employers may still be liable. That’s because the European General Data Protection Regulation (GDPR) establishes provisions for employers of European citizens.

In an interview with PrivSec Report, Ashley Friedlein, CEO and founder of the Guild messaging app, acknowledged that “WhatsApp users are unlikely to be aware the platform isn’t for business use.

“However, businesses cannot hide behind ignorance or turn a blind eye. They need to educate their employees around the importance of using platforms designed for professional use that provide the necessary levels of control and regulatory compliance.”

For this reason, an essential step for businesses to take is to define and articulate their own WhatsApp policies and communication best practices, which usually involves re-articulating terms and conditions to your audiences within your brand’s language. 

This process may involve creating an opt-in framework, hosting an education session, or making it easy for your messaging app audiences to access official terms and conditions through your WhatsApp chat interface.

Step 2: Know which compliance laws apply to your business

Right off the bat, there are several regulatory, privacy, and compliance frameworks that apply to every business. Keep in mind that technology is moving faster than governments can keep up, and it’s often advantageous for businesses to err on the side of the highest protection. The first area of privacy regulation that you’ll want to consider is GDPR.

1. European General Data Protection Regulation (GDPR)

Implemented in May 2018, this European Union law applies to all companies that conduct business with European citizens. That means that if your company is based in the United States and you collect data from audiences in Croatia, then you need to adhere to the GDPR. If you don’t, your company may be subject to sanctions and fines. (Learn more about the GDPR here.)

When you collect data from audience members, subscribers, and customers, you are likely the data controller — aka the decision maker for how data gets used. (Learn more about this legal term here.) Wherever the GDPR is applicable, WhatsApp is known as a data processor and acts on behalf of the controller. So if your business uses WhatsApp, it’s important to understand how each data subject’s information is managed. (WhatsApp’s data protection practices are accessible here.) There is also third-party software available for archiving customer data, and software to help you stay on top of rules for record keeping.

Depending on your business model, you may need to maintain communication records while also adhering to the “right to be forgotten,” which applies when an individual requests to have their personal data erased. (Learn more about this right here.)

Depending on your industry, countries of operation, use case, and other criteria, you may benefit from undergoing a data protection impact assessment (DPIA), which is a process for minimizing the data protection risks of a project.

For some projects, a DPIA is mandatory. The United Kingdom’s Information Commissioner’s Office recommends conducting a DPIA if your organization is processing personal data. (Learn more about DPIAs here.)

For additional information, refer to the resource, “Using WhatsApp in Compliance with GDPR.” When in doubt, though, work with an attorney.

Despite what’s been previously mentioned, there’s still some debate as to whether it’s possible to be fully GDPR compliant while using WhatsApp. It’s also important to remember that the GDPR is in the beginning stages of developing a proper evaluation for its legal systems. Not to mention, Facebook — WhatsApp’s parent company — devotes extensive legal resources to navigating GDPR compliance.

2. California Consumer Privacy Act (CCPA)

In 2018, California passed legislation that gives people more control over their personal data, resulting in one of the most advanced privacy frameworks to exist in the United States. While it is not as extensive or thorough as the GDPR, it establishes the following rights:

(Learn more about the CCPA from the California Attorney General here.)

WhatsApp has also published a California Privacy Notice for California residents as a supplement to its main Privacy Policy.

Similar to the GDPR, the California Consumer Privacy Act will likely undergo an evolution to become more robust in its protections for California residents. Subscribing to updates or working with an attorney will help you stay on top of these changes.

3. Health Insurance Portability and Accountability Act (HIPAA)

Although WhatsApp data is encrypted, it is not HIPAA compliant. That means if you operate a health care practice in the United States, you cannot share personal health information (PHI) over WhatsApp.

Learn more about WhatsApp’s encryption policies here, especially if your organization is health care adjacent — which includes supporting natural disaster relief efforts or working with at-risk populations where WhatsApp is the preferred chat app.

Every business is subject to different privacy, legal, and regulatory considerations. This is a good time to loop in your company’s legal counsel for an information digest if you haven’t done so already. Anticipating issues before they have a chance to happen can save your business from costly problems down the road.

Step 3: Ensure safety, stability, and moderation

Despite the value that WhatsApp chats bring to people’s lives, there are also major problems. For one, your audiences may be vulnerable to security breaches. Another problem is fake news, especially with regard to conspiracy theories and disinformation.

As a brand or business owner, you may be liable for any harm that occurs or is instigated on platforms you host. Now more than ever, problems in the digital world are spilling over into real life — in some cases resulting in real world violence. Therefore, it’s important to create community moderation guidelines to ensure communication does not devolve into negative messaging that could get your company (or customers) in trouble. For instance, Canada has strict hate speech laws that apply protections to at-risk or vulnerable groups.

Step 4: Take precautionary steps

There’s currently no timeframe for well-defined WhatsApp compliance protocols, but there are certain tactical best practices you should consider incorporating into your business in the immediate term.

  • Before you use WhatsApp to message customers, double check that there are no legal exclusions for your industry or business type. For instance, if your business deals with personally identifiable information (PII), you may not be able to use WhatsApp to communicate with your audiences. 
  • Make sure that your WhatsApp messaging policies are clearly defined on your website in your terms and conditions. This information should communicate exactly how you plan to reach your subscribers through different marketing and outreach channels.
  • Ensure that your opt-in and data management practices are outlined and defined. At the point of opt-in, your subscribers need to give clear, documented consent to be contacted through the chat app. And just because they’ve consented to be contacted does not mean that they want to be communicated with through WhatsApp.
  • Avoid using WhatsApp group chats unless you have express permission from every participant. For privacy reasons, some individuals may not want to have their contact information exposed in a message with potential strangers. That said, WhatsApp group chat may be ideal for group projects, like personal training.
  • Keep records of all WhatsApp conversations related to your brand and business. Social media is a platform that tends to attract harassment and bad behavior. One way that your business can get ahead of this problem is to maintain backups and records, which should include all text messages, files, chats, and deletions. Records can also be helpful in the event of an audit.
  • Carefully vet any third-party service you integrate with your WhatsApp outreach strategy. Evaluate their privacy, security, and data retention policies to ensure compliance.
  • Follow Facebook’s 24-hour rule. If a subscriber hasn’t interacted with your business in a meaningful way in the past 24 hours, you are NOT allowed to message them — though there are three exceptions to this rule.
  • Keep in mind that WhatsApp is still a legal gray area for businesses, and the responsibility is on you to ensure that you are up to date with relevant and applicable laws.

Final thoughts

WhatsApp is a powerful tool that can help you communicate with people around the world. Before you use it for your business, however, make sure that you don’t open the door to risk. Getting ahead of compliance challenges, even when the law isn’t well-defined, means understanding why these laws exist in the first place — to protect the privacy and dignity of people.

The most important rule of thumb to remember is that compliance laws around the world are changing faster than our minds can comprehend. Understanding the human intent behind these laws, to protect individual privacy, is a valuable first step to covering your WhatsApp compliance bases.


Disclaimer
This information is provided for educational purposes only and should not be relied upon as legal advice. Please always consult your own attorney before engaging in WhatsApp marketing.