WhatsApp Business Privacy Policy: What to Include
A working privacy policy template for WhatsApp Business, the disclosures required under GDPR, DPDP and CCPA, the opt-in language Meta requires, and when you need a Data Protection Officer
If your business sends or receives messages through WhatsApp Business, you need a privacy policy that specifically covers WhatsApp-related data handling. Most off-the-shelf privacy policy templates do not. This guide is the practical legal framework: what GDPR (Europe), the Indian DPDP Act of 2023, California's CCPA, and similar laws require for businesses processing personal data via WhatsApp; the specific opt-in language Meta requires before you send any outbound business message; a copy-paste whatsapp business privacy policy template you can adapt; the seven-step Data Subject Request workflow that processes deletion and access requests; and the threshold at which you need a Data Protection Officer (under GDPR, 250+ employees or systematic large-scale processing; under DPDP, the still-being-finalized Significant Data Fiduciary designation). This is not legal advice — for production deployment talk to a lawyer in your jurisdiction. But it is the practical starting point that will keep most small and mid-sized businesses out of trouble while a lawyer reviews specifics.
Disclaimer first because this is a legal topic: I am a founder, not a lawyer. This guide reflects what I have done at Mursa with input from a privacy lawyer in India and a GDPR consultant in Germany. It is intended as a practical starting point, not as a substitute for legal advice in your jurisdiction. The specific obligations depend on what data you process, where your customers are, where you are located, and your business's industry — get a lawyer to review before you ship anything binding.
With that out of the way: the reason this guide exists is that most small businesses that use WhatsApp Business have a generic privacy policy on their website (often copy-pasted from a template years ago) that mentions email forms and cookies but says nothing about WhatsApp. A proper whatsapp business privacy policy is different — it specifically addresses message data, consent, and Meta's role as a sub-processor. From a regulatory perspective, the omission is a gap. WhatsApp messages are personal data. Sending and receiving them creates obligations. The policy needs to disclose those obligations specifically.
By the end of this guide you will know what to disclose in your whatsapp business privacy policy, how to ask for opt-in correctly, how to handle a customer who emails saying delete my WhatsApp data, and roughly when you cross the threshold that requires more advanced compliance infrastructure. This covers most consumer-facing businesses; if you are in regulated industries (healthcare, financial services, legal) you have additional obligations not covered here.
What GDPR Requires for WhatsApp Business Processing
Under GDPR (the EU's General Data Protection Regulation, enforced since 2018 and applicable to any business that processes data about EU residents regardless of where the business is located), you have to identify a lawful basis for processing personal data. For WhatsApp Business, the most common lawful bases are: consent (the customer explicitly opted in), legitimate interests (you have a business need that does not override the customer's privacy interests), or contract (the messaging is necessary to fulfill a contract with the customer).
Practically, for outbound business messaging (promotions, marketing, notifications customers did not request), you need explicit consent — opt-in language that the customer must affirmatively accept. For inbound messaging (customer messages you first and you respond), you can typically rely on legitimate interests or contract. Your privacy policy must disclose which basis you rely on for which type of processing, and you must keep records of the consent obtained for outbound.
GDPR also requires disclosure of: what categories of personal data you collect (phone numbers, message content, attached media, time of contact, conversation history), what you use it for (customer support, marketing, order updates, etc.), who you share it with (Meta as the messaging platform, any CRM or task tool that ingests messages, any Business Solution Provider if using the API), how long you retain it, the customer's rights (access, deletion, portability, objection), and how they can exercise those rights. Your whatsapp business privacy policy has to cover all of these specifically.
A common misunderstanding: legitimate interests cannot be used as the basis for sending unsolicited marketing messages via WhatsApp. Meta's own Business Messaging policy requires explicit opt-in before any business-initiated message, and the EU ePrivacy Directive (implemented as PECR in the UK), which applies alongside GDPR, further restricts marketing by electronic communication to opt-in only. If you want to message customers proactively, get explicit consent and document it.
India's DPDP Act and WhatsApp Business Compliance
India's Digital Personal Data Protection Act of 2023 came into force in stages through 2024-2025 and is now actively enforced as of 2026. It is structurally similar to GDPR but with India-specific differences: it covers processing of personal data of individuals in India (or by data fiduciaries located in India), uses the term Data Fiduciary (similar to GDPR's controller) and Data Principal (similar to data subject), and requires explicit consent for most processing with a few narrow exceptions.
For WhatsApp Business in India, the DPDP requires: a published privacy notice in clear language (Hindi or English at minimum, ideally the customer's preferred language), explicit consent collected through an unambiguous affirmative action (a tick-box that is unchecked by default, not a passive sentence in a footer), a Consent Manager registration if you operate at significant scale (the threshold is being finalized but signals from the Data Protection Board point to consent volume in the millions), and a process for customers to withdraw consent that is as easy as the process for giving it.
If you are classified as a Significant Data Fiduciary (the DPDP equivalent of GDPR's threshold for additional obligations), you must appoint a Data Protection Officer (DPO) based in India, conduct annual data protection impact assessments, and undergo periodic audits. The Significant Data Fiduciary classification depends on volume of data processed, sensitivity of data, risk to data principals, and other factors — most small businesses do not cross this threshold, but it is worth understanding because the criteria are evolving.
INR maximum penalty per consent violation under India's DPDP Act, with aggregate fines up to 250 crore INR (about 30 million USD) for systemic non-compliance — a real risk for businesses with sloppy WhatsApp consent practices
US State Laws: California's CCPA and the Wider Patchwork
The US has no federal privacy law as of May 2026 (the proposed American Privacy Rights Act remains stalled in Congress). What exists is a patchwork of state laws led by California's CCPA (effective 2020) and its 2023 expansion the CPRA. Twelve other US states have passed similar laws by 2026, including Virginia, Colorado, Connecticut, Utah, Texas, Florida, Washington, Oregon, Montana, Iowa, Delaware, and New Jersey. If you message customers in any of these states, you have obligations.
CCPA specifically requires businesses to disclose what personal information they collect (phone numbers, conversation content, etc.), what they do with it, who they share it with, the customer's right to know what is collected, the right to delete, the right to opt out of sale (a right specific to CCPA), and the right to non-discrimination for exercising privacy rights. For WhatsApp messaging this means your privacy policy needs a section that covers WhatsApp-specific data in clear language.
Practical advice: write one privacy policy that satisfies GDPR (the strictest of these regimes) and you will automatically satisfy DPDP, CCPA, and most state-level US laws. The cost of writing one global policy versus multiple regional policies is lower for almost every small business. The exception is if you have specific business reasons to operate differently in different regions (e.g., a marketing strategy that depends on legitimate-interest processing in the US that GDPR would not allow in Europe).
Copy-Paste WhatsApp Privacy Policy Template
Here is the WhatsApp-specific section I include in Mursa's privacy policy. Adapt the bracketed terms, then have a lawyer review before publishing.
WhatsApp Business Messaging
When you message us through WhatsApp Business at [+COUNTRY-CODE-NUMBER], we receive your phone number, profile photo (if public), message content, attached media, and timestamps. This information is processed by us to respond to your inquiry and provide the services you request.
We rely on the following lawful bases for processing your WhatsApp data: (a) your consent, when you have explicitly opted in to receive messages from us (e.g., by submitting our contact form with the WhatsApp consent checkbox); (b) legitimate interests, when you contact us first and we respond; (c) contract, when messaging is necessary to deliver a service you have purchased. You can withdraw consent at any time by messaging us STOP through the same WhatsApp number.
We share your WhatsApp data with: Meta Platforms (as the operator of WhatsApp, see Meta's privacy policy at facebook.com/privacy/policy), [name of any CRM or task tool that receives WhatsApp data — e.g., Mursa], and [any Business Solution Provider if you use the API — e.g., Twilio]. We do not sell your WhatsApp data to any third party. We retain WhatsApp message content for up to 90 days, after which messages auto-delete; we retain phone numbers and consent records for as long as you remain a customer or as required by law.
You have the right to (a) request access to the WhatsApp data we hold about you, (b) request deletion of your WhatsApp data, (c) request a copy of your data in a portable format, (d) object to specific processing activities, and (e) lodge a complaint with your local data protection authority. To exercise these rights, email privacy@[YOUR-DOMAIN].com. We respond within 30 days (GDPR/DPDP standard) or 45 days (CCPA standard, may extend to 90 days for complex requests).
A WhatsApp privacy policy section is not optional in 2026. Regulators globally have shifted from rare-enforcement to active-enforcement on messenger-based data processing. Five hundred words of policy now is much cheaper than a regulatory inquiry later.
The Opt-In Language Meta Specifically Requires
Beyond regulatory requirements, Meta itself has rules for business-initiated WhatsApp messages. If you want to message a customer first (rather than responding to their inquiry), you need their explicit opt-in collected outside WhatsApp, with specific language. Meta's WhatsApp Business Messaging policy requires the consent to: (a) identify your business by name, (b) describe what kind of messages you will send, (c) include the customer's WhatsApp phone number, and (d) be an affirmative action (a tick-box that is unchecked by default; neither a passive statement nor a pre-checked box counts).
Sample consent language that meets Meta's requirements: I agree to receive WhatsApp messages from [BUSINESS NAME] at [PHONE NUMBER FIELD] for [order updates / appointment reminders / promotional offers]. Message and data rates may apply. I can opt out at any time by replying STOP. The customer must actively check the box to consent; the box cannot be pre-checked. Save a record of the consent (timestamp, IP address, form version, exact language shown) for at least 24 months as evidence.
Without proper opt-in, sending business-initiated WhatsApp messages is both a Meta policy violation (your number can be banned) and a regulatory violation (you can be fined). I have seen multiple small businesses get their WhatsApp numbers banned within a week of starting outbound marketing without proper opt-in. The consequences are immediate, the recovery is hard (Meta is not appeal-friendly), and the cost of doing it right is small.
For inbound customer service (customer messages you first), Meta allows free-form responses for 24 hours after the customer's last message. After 24 hours of customer inactivity, you can only send pre-approved template messages. This 24-hour service window is a Meta operational concept distinct from regulatory consent — even with proper consent, after 24 hours of customer silence you must use templates. Build your operations around this window.
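To make the opt-in and service-window rules above concrete, here is an added Python example written for this guide (not Mursa's code and not Meta's API): it captures a consent record with the evidence fields listed earlier, withdraws it on an inbound STOP, and decides whether a message may be sent free-form, as a template only, or not at all. The business name, phone number, IP address and timestamps are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

SERVICE_WINDOW = timedelta(hours=24)   # Meta's free-form reply window after the customer's last message
T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample timestamp

@dataclass(frozen=True)
class ConsentRecord:
    """The evidence to keep for at least 24 months: exact text shown, when, from where."""
    business: str
    phone: str
    purposes: tuple
    shown_text: str
    form_version: str
    ip: str
    captured_at: datetime
    withdrawn_at: Optional[datetime] = None

def consent_text(business: str, phone: str, purposes: tuple) -> str:
    # Names the business, the customer's number and the message types, as Meta requires
    return (f"I agree to receive WhatsApp messages from {business} at {phone} for "
            f"{' / '.join(purposes)}. Message and data rates may apply. "
            "I can opt out at any time by replying STOP.")

def capture_opt_in(business: str, phone: str, purposes: tuple, box_checked: bool,
                   box_default_checked: bool, ip: str, form_version: str,
                   now: datetime) -> ConsentRecord:
    """Run on form submit. Rejects anything that is not an affirmative tick of an
    unchecked-by-default box with the customer's WhatsApp number attached."""
    if box_default_checked:
        raise ValueError("consent checkbox must be unchecked by default")
    if not box_checked:
        raise ValueError("no affirmative opt-in; business-initiated messages not allowed")
    if not phone.strip():
        raise ValueError("consent must include the customer's WhatsApp number")
    return ConsentRecord(business, phone, tuple(purposes),
                         consent_text(business, phone, purposes), form_version, ip, now)

def handle_inbound(record: Optional[ConsentRecord], text: str,
                   now: datetime) -> Optional[ConsentRecord]:
    """An inbound STOP withdraws consent (the record is kept, with the withdrawal time, as evidence)."""
    if record is not None and text.strip().upper() == "STOP":
        return replace(record, withdrawn_at=now)
    return record

def message_mode(record: Optional[ConsentRecord], last_customer_msg_at: Optional[datetime],
                 now: datetime) -> str:
    """'free_form' inside the 24-hour service window. Outside it every message is
    business-initiated: 'template' only with consent that has not been withdrawn,
    otherwise 'blocked'."""
    if last_customer_msg_at is not None and now - last_customer_msg_at <= SERVICE_WINDOW:
        return "free_form"
    if record is not None and record.withdrawn_at is None:
        return "template"
    return "blocked"
```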
Data Subject Request Workflow: Handling Delete My Data
When a customer emails saying delete my WhatsApp data, you have a regulatory clock starting (30 days under GDPR/DPDP, 45 days under CCPA). You need a process. Here is the seven-step workflow I use at Mursa.
Step 1: receive the request in a tracked inbox (we use a privacy@ email address that flags into our task system).
Step 2: verify the requester's identity — they must prove they are who they say they are, typically by matching the phone number they want deleted against a known prior message.
Step 3: locate all data. Search your CRM, task tool, internal docs, and any other place where WhatsApp data may have been copied. Do not forget backups and archives — they count.
Step 4: delete or anonymize all instances. For WhatsApp itself, you cannot delete the customer's local message history on their phone (that is theirs), but you can delete the conversation from your WhatsApp Business app and from any system that synced it.
Step 5: confirm completion in writing to the requester within the regulatory window.
Step 6: log the request and your response in a permanent record (the regulator may ask for this if there is ever a complaint).
Step 7: improve your process based on what was hard about this request. If a particular system was missed in step 3, fix it for next time.
The first DSR you handle will be slow; the tenth will take ten minutes. Build the muscle before you need it under regulatory pressure.
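The workflow as an added Python example (written for this guide, not Mursa's actual tooling): it computes the statutory deadline from the receipt time, verifies identity by matching the phone number against prior inbound messages, locates and erases copies across every store including backups, and appends the permanent log entry. The store names, messages, phone numbers and timestamps are constructed samples, not a real schema.

```python
from datetime import datetime, timedelta, timezone

# Statutory response clocks named in the text; the clock starts at receipt
RESPONSE_WINDOW = {"GDPR": timedelta(days=30), "DPDP": timedelta(days=30),
                   "CCPA": timedelta(days=45)}
CCPA_EXTENDED_WINDOW = timedelta(days=90)      # complex CCPA requests only
T0 = datetime(2026, 5, 4, 10, 0, tzinfo=timezone.utc)   # constructed receipt time

def sample_systems() -> dict:
    """Constructed copies of the stores a WhatsApp conversation leaks into.
    Store names are placeholders, not a real schema."""
    return {
        "whatsapp_business_app": [{"phone": "+91 90000 00001", "text": "hi, is my order shipped?"},
                                  {"phone": "+91 90000 00002", "text": "price list please"}],
        "crm": [{"phone": "+91 90000 00001", "name": "customer A"}],
        "backups": [{"phone": "+91 90000 00001", "text": "hi, is my order shipped?"}],
    }

def sample_prior_inbound() -> list:
    return [{"from": "+91 90000 00001", "text": "hi, is my order shipped?"},
            {"from": "+91 90000 00002", "text": "price list please"}]

def response_deadline(regime: str, received_at: datetime, complex_request: bool = False) -> datetime:
    if regime == "CCPA" and complex_request:
        return received_at + CCPA_EXTENDED_WINDOW
    return received_at + RESPONSE_WINDOW[regime]

def verify_identity(phone: str, prior_inbound: list) -> bool:
    """Step 2: the number to be deleted must match a message we already received from it."""
    return any(m["from"] == phone for m in prior_inbound)

def locate(phone: str, systems: dict) -> dict:
    """Step 3: look in every store, backups and archives included."""
    return {name: [r for r in rows if r.get("phone") == phone] for name, rows in systems.items()}

def erase(phone: str, systems: dict) -> dict:
    """Step 4: remove the subject's rows from each store in place; return counts removed."""
    removed = {}
    for name, rows in systems.items():
        kept = [r for r in rows if r.get("phone") != phone]
        removed[name] = len(rows) - len(kept)
        rows[:] = kept
    return removed

def process_deletion(phone: str, regime: str, received_at: datetime, prior_inbound: list,
                     systems: dict, dsr_log: list, now: datetime,
                     complex_request: bool = False) -> dict:
    """Steps 1-6 as one unit of work; returns the entry appended to the permanent log."""
    entry = {"phone": phone, "regime": regime, "received_at": received_at,
             "deadline": response_deadline(regime, received_at, complex_request)}
    if not verify_identity(phone, prior_inbound):
        entry.update(status="rejected", reason="identity not verified")   # never erase on an unverified request
    else:
        entry["found"] = {k: len(v) for k, v in locate(phone, systems).items()}
        entry["removed"] = erase(phone, systems)
        entry["completed_at"] = now            # step 5: confirm to the requester at this point
        entry["status"] = "completed" if now <= entry["deadline"] else "completed_late"
    dsr_log.append(entry)                      # step 6: the log itself is never erased
    return entry
```

Step 7 is not code: compare each entry's "found" counts against what you expected to find and fix any store the search missed.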
When You Need a Data Protection Officer
Most small businesses do not need a formal Data Protection Officer (DPO). Under GDPR, a DPO is required if you are (a) a public authority, (b) a business whose core activities involve systematic large-scale monitoring of individuals, or (c) processing special categories of data (health, biometrics, criminal records) at scale. A small business using WhatsApp for customer service typically does not cross these thresholds.
Under India's DPDP, a DPO is required if you are classified as a Significant Data Fiduciary, with criteria that include volume of data processed, sensitivity, risk to data principals, and economic impact. Most small and mid-sized businesses are not Significant Data Fiduciaries, but the criteria are evolving — check your jurisdiction's current rules. CCPA does not have a DPO requirement but does require similar accountability roles for businesses processing large volumes of personal data.
If you are not required to have a DPO, you should still have a named privacy contact internally — someone on your team who owns the privacy@ inbox, handles DSRs, reviews the privacy policy annually, and is the go-to person for vendor due diligence. At Mursa this is me. As we grow, it will transition to a dedicated role. The point is that privacy obligations need an owner; otherwise they fall through the cracks until a regulator notices.
Where Mursa Fits: Privacy Policy as Operational Reality
A privacy policy that says messages auto-delete after 90 days needs the operational reality of messages actually being deleted after 90 days. This is where most policies and reality drift apart — the policy says one thing, but messages pile up in WhatsApp, in your CRM, in your team's task system, indefinitely. Mursa makes WhatsApp message data part of a structured workflow with explicit retention controls. When you [forward a WhatsApp message](/solutions/stop-losing-tasks-in-slack) into Mursa as a task, you can set the task to auto-archive after a defined period, matching what your privacy policy promises customers.
This alignment between policy and reality is what regulators look for if they ever investigate. A policy that says 90 days plus actual auto-deletion at 90 days is defensible. A policy that says 90 days plus messages found in archives from three years ago is a fine waiting to happen. Build the tools to match your policy, not the other way around.
Privacy policies are promises to customers and regulators. The hard part is not writing the policy. It is building the operational reality that the policy describes. Tools that enforce your stated practices are how policies stay honest.
A real whatsapp business privacy policy is not a marketing exercise. It is a regulatory obligation, a customer trust signal, and an operational discipline that compounds over time. Get the policy written (with a lawyer's review), the opt-in collected correctly, the DSR workflow operational, and the tools aligned with what you promise. The combined effort is one full week of work spread over a quarter. The avoided risk — fines, customer complaints, regulatory inquiries, reputational damage — is many times that. Most small businesses are operating with privacy practices that worked in 2019. Update to 2026 standards and sleep better.
Frequently Asked Questions
Do I need a separate privacy policy for WhatsApp Business?
Not a separate document — but your existing privacy policy needs a section specifically covering WhatsApp Business data handling. This section must disclose what data you collect via WhatsApp, your lawful basis for processing, who you share it with (including Meta), retention period, and the customer's rights. Generic privacy policies copied from templates years ago typically do not cover this.
What opt-in language does Meta require for WhatsApp Business outbound messages?
Meta requires explicit, unambiguous opt-in collected outside WhatsApp before you send any business-initiated message. The consent must identify your business by name, describe what kind of messages you will send, include the customer's WhatsApp phone number, and be an affirmative tick-box (unchecked by default). Sample language: I agree to receive WhatsApp messages from [BUSINESS] at [NUMBER] for [PURPOSE]. Save consent records for at least 24 months.
How quickly must I respond to a customer asking me to delete their WhatsApp data?
Under GDPR and India's DPDP, within 30 days. Under CCPA, within 45 days, extendable to 90 days for complex requests. The clock starts when the request is received. Build a workflow: verify identity, locate all data across CRM/task tool/backups, delete or anonymize, confirm completion in writing, and log the request permanently for regulatory audit purposes.
Does a small business need a Data Protection Officer for WhatsApp Business?
Usually no. GDPR requires a DPO only for public authorities, businesses doing systematic large-scale monitoring, or processing of special category data at scale. India's DPDP requires one for Significant Data Fiduciaries (large-scale or high-risk processing). Most small businesses do not cross these thresholds, but should still have a named internal privacy contact who owns the privacy inbox, handles DSRs, and reviews policy annually.
What is the 24-hour customer service window in WhatsApp Business?
When a customer messages your business, Meta allows you to respond freely for 24 hours after their last message. After 24 hours of customer inactivity, you can only send pre-approved template messages to that customer. This is a Meta operational rule separate from regulatory consent — even with proper opt-in, you must use templates after the 24-hour service window expires.