How to use WhatsApp in a 100% data-compliant way

  • Marco Endrich
  • 2/28/2024
  • 6 min reading time
WhatsApp data protection: Are companies allowed to use WhatsApp?

Good news first: WhatsApp Business can be used in compliance with various data protection laws, such as the GDPR in the EU. The prerequisite is that the WhatsApp Business API is used and that it is integrated in a data-compliant way into the respective messaging platform or internally developed tools. Using the classic WhatsApp app or the WhatsApp Business app, however, can be problematic in some countries. In the EU, for example, neither app is considered GDPR-compliant.

What is WhatsApp Business?

With over 2 billion users, WhatsApp is one of the three most popular apps worldwide. In some countries, such as India and Brazil, WhatsApp has a market share of more than 90% among messaging apps. In most countries its reach is almost as high as that of email, so it makes sense that businesses want to use it more for communication.

There are three ways to use the messenger.

  • The classic WhatsApp app
  • The WhatsApp Business app
  • The WhatsApp Business API (also known as the WhatsApp Business Platform)

However, only the WhatsApp Business API can be recommended for business users across the board, as the two ready-made apps are not considered compliant with all data protection laws. The reason is that WhatsApp also collects data in the Business app whose processing requires the user's explicit consent.

The WhatsApp Business API is an interface for programmers to access the WhatsApp Business platform. Alternatively, businesses can use messaging platforms such as Superchat that have already integrated the API.

The API allows you to send messages via WhatsApp without WhatsApp itself processing personal data or storing messages on its own servers. Responsibility for GDPR-compliant use therefore lies not with WhatsApp but with the company that integrates the API.

Why might the WhatsApp app and WhatsApp Business app not be data-compliant?

Despite end-to-end encryption, neither the classic WhatsApp app nor the WhatsApp Business app is GDPR-compliant, and neither should therefore be used for corporate communications.

There are four things that may conflict with data protection laws:

  1. WhatsApp processes metadata that may be relevant to GDPR.
  2. WhatsApp has access to contact data by default.
  3. WhatsApp stores backups unencrypted by default.
  4. WhatsApp caches messages that could not be delivered on its own servers.

The processing of metadata is particularly relevant from a GDPR perspective, as this cannot be prevented by companies. However, backups can be encrypted in the app settings.

Access to private contact data can be avoided either by denying the app access to your contacts altogether, or by using the Business app on a separate device that stores only business-related contacts.

What data does WhatsApp collect from its users?

Important: WhatsApp does not have direct access to the content of conversations. Since 2016, all chats have been end-to-end encrypted by default. This means that WhatsApp cannot read or process message content in any way, and consequently cannot share that content with other Meta companies such as Facebook or Instagram.

However, so-called metadata is collected and stored during the transmission of conversations. This applies to both the WhatsApp app and the WhatsApp Business app.

Simply put, metadata is data about data. It includes information such as

  • Location
  • Time of day
  • Profile pictures
  • Profile names
  • Profile descriptions
  • Device names
  • Contacts

While metadata may not at first glance reveal any clear information about the content of conversations, such information can be used to create a relatively clear profile of a user.

Under the GDPR, the processing of such personal (meta)data is only permitted with the explicit consent of the user.

In practice, such processing is governed by a data processing agreement (DPA). The DPA defines the relationship between the controller (your company) and the processor (here, WhatsApp).

Such an agreement restricts the processor, in this case WhatsApp, from using the data for its own commercial purposes or processing it unlawfully. Only on this basis can personal data be used within the framework of the GDPR.

However, the personal WhatsApp app does not offer the option to enter into a DPA.

In theory, you would therefore need to obtain a declaration of consent from each of your customers and prospects in order to use WhatsApp in a business context.

How to use WhatsApp Business in a data compliant way

Whether the WhatsApp app or the WhatsApp Business app can be used in a data-compliant way depends on the legal situation in each country. In the EU, their compliance with the GDPR is at least questionable, even if all the necessary precautions are taken.

This is mainly due to WhatsApp's processing of metadata. WhatsApp offers a data processing agreement for the WhatsApp Business app, [but this is currently considered insufficient](https://www.datenschutzkanzlei.de/ist-whatsapp-in-unternehmen-mit-der-dsgvo-vereinbar/).

However, if you are still considering using the Business app in the EU, you should ensure that:

  • [WhatsApp business contacts and personal contacts are kept separate](https://www.superchat.com/blog/manage-whatsapp-business-contacts).
  • End-to-end encryption is enabled for backups.
  • Where possible, consent is obtained from your contacts by other means.
The WhatsApp Business API - a data compliant alternative

The WhatsApp Business API is currently the only way to use WhatsApp in a GDPR compliant way. As the GDPR is considered to be particularly strict, GDPR compliant solutions are usually also data compliant in other countries.

When the API is used, data protection is no longer solely in the hands of WhatsApp and Meta. The legal responsibility lies with the API and messaging solution providers: the companies that connect to the API and, in the case of the WhatsApp Business API, the company that provides the API.

In order to take full advantage of the API and use WhatsApp in a 100% privacy compliant manner, specific software applications need to be developed on top of the API.

Solution providers build business messaging platforms on top of the WhatsApp Business API. In the case of GDPR, the use of the WhatsApp Business API can be compliant here, as the choice of server locations, software development and the design of legal provisions are the responsibility of the respective providers.

💡 Good to know

Superchat, for example, works with the Berlin-based company 360Dialog and offers:

  • Servers located in Germany.
  • Dedicated data processing agreements (AV contracts under German law).
  • No unauthorised access to contacts by the messaging apps.
  • Standard end-to-end encryption of all data, conversations and backups.

For more information, ask for our free data protection report on WhatsApp.

WhatsApp Business in marketing - opt-in only

To send marketing campaigns such as newsletters via WhatsApp, users need to opt-in. This is a basic requirement for using this feature at all.

An opt-in is not only required by data protection laws such as the GDPR; sending a newsletter via WhatsApp without one is also against WhatsApp's own policies. Violations may result in account suspension and, in the worst case, legal action.

In order for a contact's consent to meet WhatsApp's or Meta's requirements, the following conditions must be met:

  • It must be clear that the person agrees to receive messages from the company via WhatsApp.
  • The company name must be clearly visible.
  • The company must comply with applicable law (e.g. the GDPR).
  • There must be clear information on how to unsubscribe.

You can collect opt-ins in a number of ways, for example via links or buttons directly on your website, via flyers or QR codes, or in the WhatsApp chat itself.

💡 Good to know

If the WhatsApp conversation is not marketing-related, a standard privacy notice will suffice. For example, when a customer contacts the company via its website, the company refers to the applicable data protection rules and to its use of WhatsApp Business via a platform such as Superchat.

Superchat's messaging platform

Superchat is a messaging solution provider and supports over 3,000 customers. In addition to the GDPR-compliant use of WhatsApp, Superchat's messaging platform offers many additional features.

Try Superchat for free!
Would you like to discover Superchat for yourself? Create your free account now and explore Superchat's messaging platform.

Marco Endrich
SEO & Content Marketing Manager, Superchat
Marco Endrich is a marketing manager at Superchat. He specializes in SEO and content marketing.