WhatsApp Business & GDPR: UK Compliance Guide for Small Businesses (2026)
A practical guide to using WhatsApp Business in a GDPR-compliant way for UK SMBs. Covers lawful basis, consent, PECR, data retention, subject access requests, and a complete compliance checklist.
Simon
6 March 2026 · 17 min read
TL;DR — What you need to know
- Every WhatsApp Business conversation you have with a customer contains personal data — UK GDPR applies
- You need a lawful basis (usually consent or legitimate interest) before messaging anyone
- PECR (electronic marketing rules) also applies — marketing messages need explicit opt-in consent
- Your privacy policy must mention WhatsApp and explain how you use customer data
- You must be able to handle subject access requests and erasure requests for WhatsApp data
- Non-compliance risks ICO fines of up to £17.5 million — but for most SMBs, the real risk is complaints and reputational damage
WhatsApp Business is one of the most effective communication channels for UK small businesses. But the moment you start messaging customers, you are processing personal data — and that means UK GDPR applies.
Most small business owners know GDPR exists. Fewer understand how it applies to WhatsApp specifically. And almost nobody thinks about PECR, the electronic marketing regulation that catches out more businesses than any other.
This guide covers everything you need to know to use WhatsApp Business compliantly in the UK. No legal jargon, no unnecessary complexity — just practical steps for real small businesses.
If you are new to WhatsApp Business entirely, start with our complete WhatsApp Business guide for UK SMBs before diving into compliance.
Warning
This article is not legal advice. It is a practical guide based on current ICO guidance and UK GDPR requirements as of 2026. If you process sensitive personal data, operate in regulated industries, or have specific compliance concerns, consult a qualified data protection professional.
Why GDPR applies to WhatsApp Business
This is not a grey area. WhatsApp chat logs are personal data. Every conversation contains at least a phone number (personal data by definition), and most contain names, addresses, order details, preferences, and other identifiable information.
Under UK GDPR, you are the data controller for customer conversations you initiate or manage through WhatsApp Business. That means you are responsible for:
- Having a lawful basis for processing that data
- Being transparent about what you do with it
- Keeping it secure
- Respecting customers' rights (access, erasure, portability)
- Not keeping it longer than necessary
It does not matter whether you use the free WhatsApp Business App or the WhatsApp Business API. It does not matter if you are a sole trader or a limited company. If you message customers, GDPR applies.
UK GDPR vs EU GDPR — the key differences
Since Brexit, the UK has its own version of GDPR — the UK General Data Protection Regulation, which sits alongside the Data Protection Act 2018. For practical purposes, the rules are almost identical to the EU version.
The key differences that matter for UK SMBs:
- The regulator is the ICO (Information Commissioner's Office), not EU data protection authorities
- Maximum fines are up to £17.5 million or 4% of annual turnover, whichever is higher
- Adequacy decisions — the UK has its own arrangements for international data transfers
- Some exemptions are slightly different (e.g., around immigration data), but nothing that affects typical WhatsApp Business use
In practice, if you follow UK GDPR guidance from the ICO, you are compliant. You do not need to worry about EU-specific rules unless you are also serving EU customers directly.
Lawful basis for messaging customers on WhatsApp
Under UK GDPR, you cannot process personal data without a lawful basis. There are six available, but for WhatsApp Business messaging, three are relevant:
Consent
The customer has given you clear, affirmative permission to message them on WhatsApp. This is the safest basis for marketing messages and the one the ICO expects in most cases.
Legitimate interest
You have a genuine business reason to contact the customer, the messaging is proportionate, and it does not override their rights and expectations. This can work for transactional messages (appointment reminders, delivery updates) but is harder to justify for marketing.
Contract performance
The messaging is necessary to fulfil a contract with the customer. For example, sending a booking confirmation or providing support for a product they have purchased.
Which basis should you use?
For marketing messages (promotions, offers, newsletters): use consent. Always.
For transactional messages (order updates, appointment reminders): legitimate interest or contract performance usually works.
For customer support (replying to their enquiry): legitimate interest is typically appropriate — they contacted you and expect a response.
Document your chosen basis for each type of message. The ICO may ask to see it.
Getting valid consent — what counts, what doesn't
If you are relying on consent as your lawful basis (which you should be for any marketing), the consent must meet UK GDPR standards. This is where many businesses get it wrong.
What counts as valid consent
- Explicit opt-in — the customer takes a clear, positive action (ticks an unticked box, sends you a specific message, fills in a form)
- Specific — they consent to WhatsApp messages specifically, not just "communications" in general
- Informed — they know what they are signing up for (what messages, how often, from whom)
- Freely given — they can say no without losing access to your service
- Documented — you have a record of when and how they consented
What does not count
- Pre-ticked boxes — never valid under UK GDPR
- "By using our service you agree to..." — too vague, not a positive action
- Having their number in your phone — just because someone gave you their number does not mean they consented to WhatsApp marketing
- They messaged you first — a customer enquiry is not consent to receive promotions
- Verbal agreement with no record — you cannot prove it, so it does not count
Opt-in best practices for UK SMBs
Add a WhatsApp opt-in to your booking or contact form
Include a separate, unticked checkbox that reads something like: "I'd like to receive updates and offers via WhatsApp from [Your Business Name]." Keep it separate from any terms and conditions checkbox.
Use a keyword opt-in for in-person customers
Ask customers to send a specific word (e.g., "JOIN") to your WhatsApp Business number. This creates a clear record of consent within the chat itself.
Confirm the opt-in with a welcome message
When someone opts in, send a confirmation message that explains what they will receive, how often, and how to opt out. This reinforces transparency and creates a documented record.
Make opting out easy and instant
Every marketing message should include a way to opt out (e.g., "Reply STOP to unsubscribe"). Process opt-outs immediately — do not send another message after someone unsubscribes.
PECR — the regulation most people forget
Here is the one that catches businesses out. PECR (Privacy and Electronic Communications Regulations 2003) is a separate set of rules that sits alongside GDPR and specifically governs electronic marketing messages.
PECR applies to:
- Emails sent for marketing purposes
- SMS messages sent for marketing purposes
- Any electronic messaging sent for marketing purposes — including WhatsApp
The key PECR rule is simple: you need prior opt-in consent before sending marketing messages via electronic channels. This applies to both individuals and sole traders. For limited companies, the rules are slightly more relaxed (you can sometimes use a "soft opt-in"), but for most SMB customer communication, you need consent.
Why this matters for WhatsApp: Many businesses think PECR only covers email and SMS. It does not. The ICO has made clear that messaging apps fall within scope. If you send promotional WhatsApp messages without opt-in consent, you are breaching PECR — even if you think you have a GDPR lawful basis like legitimate interest.
Warning
PECR overrides GDPR for marketing. Even if you believe legitimate interest justifies your WhatsApp marketing, PECR requires consent for electronic marketing messages. For promotional WhatsApp messages, consent is not optional — it is a legal requirement under PECR.
The soft opt-in exception
There is one narrow exception. If all of the following apply, you can send marketing messages without fresh consent:
- You obtained the customer's contact details in the course of a sale (or negotiations of a sale)
- The messages are about similar products or services to what they bought
- You gave them the opportunity to opt out at the time you collected their details
- You include an opt-out in every message
This "soft opt-in" can apply to WhatsApp, but only if every condition is met. When in doubt, get explicit consent.
Privacy policy requirements — what to include about WhatsApp
Your privacy policy must cover how you use customer data via WhatsApp. Most small business privacy policies say nothing about messaging apps — that is a gap you need to close.
At a minimum, your privacy policy should explain:
- That you use WhatsApp Business to communicate with customers
- What data you collect through WhatsApp (messages, phone numbers, names, any information shared in conversation)
- Your lawful basis for processing this data
- Who the data is shared with — this includes Meta/WhatsApp as a data processor
- Where the data is stored — WhatsApp stores data on servers outside the UK (important for international transfers)
- How long you keep WhatsApp messages
- How customers can exercise their rights (access, erasure, etc.)
You do not need a separate WhatsApp privacy policy. Add a section to your existing one. Make sure it is accessible — include a link in your WhatsApp Business profile description and in your automated greeting message.
Data storage and retention — where WhatsApp stores data
Understanding where your WhatsApp data lives is important for compliance.
Where WhatsApp stores data
WhatsApp Business App: Messages are stored on your device and backed up to iCloud (iPhone) or Google Drive (Android). WhatsApp's servers temporarily store undelivered messages but do not retain them permanently. End-to-end encryption means WhatsApp cannot read message content.
WhatsApp Business API: Messages pass through Meta's servers and through your Business Solution Provider (BSP). If you use a platform like Line, your messages are stored in your shared team inbox on the provider's servers — typically cloud-hosted in the UK or EU.
The international transfer issue
Meta is a US company. WhatsApp's infrastructure involves data processing outside the UK. Under UK GDPR, international data transfers need appropriate safeguards — usually Standard Contractual Clauses (SCCs) or reliance on an adequacy decision.
WhatsApp's terms of service include SCCs, which provide a legal mechanism for these transfers. You should note this in your privacy policy and, if asked by a customer, be able to explain the safeguards in place.
How long to keep messages
UK GDPR does not specify exact retention periods — it says you must not keep personal data longer than necessary for the purpose. You need to decide on retention periods and document them.
Practical guidance for UK SMBs:
- Customer service conversations: 12-24 months after the last interaction
- Sales and contract-related messages: Up to 6 years (to align with the Limitation Act for contractual disputes)
- Marketing opt-in records: Keep for as long as you are sending them messages, plus 12 months after they unsubscribe (to prove you had consent)
- Casual enquiries that went nowhere: Delete after 6-12 months
Set a reminder to review and delete old conversations regularly. If you use the WhatsApp Business API through a provider like Line, check whether your provider offers automated data retention policies.
Subject access requests — when a customer asks for their data
Under UK GDPR, any individual has the right to request a copy of all personal data you hold about them. This is called a Subject Access Request (SAR), and you must respond within one calendar month.
What you need to provide
If a customer makes a SAR, you must give them:
- A copy of all WhatsApp messages you have exchanged with them
- Any notes or labels you have applied to their conversation
- Details of who in your team has accessed their messages
- Information about how long you will keep their data
- Their right to complain to the ICO if they are unhappy
The practical challenge
With the WhatsApp Business App, there is no easy export function. You would need to scroll through conversations and manually compile the data — time-consuming and error-prone.
With the WhatsApp Business API through a provider like Line, your messages are stored in a searchable inbox. You can search by contact, export conversation histories, and respond to SARs much more efficiently.
Prepare before you receive a SAR
Do not wait until a customer makes a request. Work out your SAR process now — who handles it, how you search for data, how you compile and deliver it. A one-month deadline sounds generous until you are trying to export data from three different systems.
Right to erasure — deleting WhatsApp conversations on request
Customers also have the right to erasure (the "right to be forgotten"). If a customer asks you to delete their WhatsApp data, you must do so unless you have a legal obligation to retain it.
When you must delete
- The customer withdraws consent and you have no other lawful basis
- The data is no longer necessary for its original purpose
- The customer objects to processing based on legitimate interest, and you have no overriding grounds
When you can refuse
- You are legally required to keep the records (e.g., financial regulations)
- The data is needed for establishing, exercising, or defending legal claims
- There is an overriding public interest
How to delete WhatsApp messages
On the WhatsApp Business App, you can delete individual messages or entire conversations. Remember to also delete any backups (iCloud or Google Drive) that contain the data.
On the WhatsApp Business API, contact your provider to understand how deletion works in their system. Ensure that deleted data is also removed from any backups or linked systems (CRM, helpdesk, etc.).
Always confirm deletion in writing. Send the customer a brief message or email confirming that their data has been erased and from which systems.
What Meta does with your business data
This is the question every business owner should ask: what does Meta (WhatsApp's parent company) do with the data from your business conversations?
Key points from WhatsApp's business terms:
- End-to-end encryption means Meta cannot read the content of messages on the standard WhatsApp Business App
- For the Business API, messages are decrypted at the BSP level — Meta processes message metadata but content is handled by your provider
- Meta uses some business data for improving and supporting WhatsApp's services
- Meta's privacy policy allows data use for advertising across its platforms — though business message content is not used for ad targeting
- WhatsApp shares certain data with other Meta companies (Facebook, Instagram)
You cannot control what Meta does with data on its own platform. What you can control is how transparent you are with your customers about it. Mention in your privacy policy that WhatsApp is operated by Meta and link to WhatsApp's own privacy policy for full details.
Practical GDPR checklist for UK SMBs using WhatsApp
Here is your compliance checklist. Work through each point and document your answers:
- Identify your lawful basis for each type of WhatsApp message (marketing, transactional, support) and record it
- Get valid opt-in consent before sending any marketing messages — use unticked checkboxes, keyword opt-ins, or signup forms
- Update your privacy policy to include a section on WhatsApp Business — cover data collected, lawful basis, storage, retention, and rights
- Add a privacy policy link to your WhatsApp Business profile description
- Set up an opt-out mechanism — include "Reply STOP" or similar in every marketing message and process opt-outs immediately
- Define data retention periods for different types of WhatsApp conversations and review regularly
- Create a SAR process — know how you will search, compile, and deliver WhatsApp data if a customer requests it
- Create an erasure process — know how to delete a customer's WhatsApp data from all systems including backups
- Keep a record of consent — store when, how, and what each customer consented to, in a way you can retrieve later
- Review WhatsApp's own terms — read WhatsApp's business terms of service and privacy policy so you understand what Meta does with data
- Train your team — if anyone else sends WhatsApp messages on your behalf, make sure they understand these rules
- Audit annually — review your WhatsApp compliance at least once a year, or whenever WhatsApp changes its terms
Common mistakes that lead to ICO complaints
These are the errors the ICO sees most often — and the ones most likely to result in a customer complaint:
Sending marketing messages without consent
The single most common complaint. A customer gives you their number for a booking, and you start sending them WhatsApp promotions. That is not consent. That is a PECR breach.
No opt-out mechanism
Every marketing message must include a way to unsubscribe. If a customer has to argue with you to stop receiving messages, expect a complaint.
Ignoring subject access requests
You have one month. If you ignore a SAR or tell the customer "we don't have that data" when you clearly do, the ICO will take it seriously.
Using WhatsApp groups carelessly
If you add customers to a WhatsApp group, every member can see every other member's phone number. That is disclosing personal data without consent — a clear GDPR breach. Use broadcast lists instead, which send messages individually.
No privacy policy — or one that does not mention WhatsApp
The ICO expects businesses to be transparent. If your privacy policy says nothing about WhatsApp, you are not meeting your transparency obligations.
Keeping messages indefinitely
"We might need it someday" is not a valid retention justification. If you cannot explain why you are keeping a two-year-old WhatsApp conversation, delete it.
Warning
WhatsApp groups expose phone numbers. Never add customers to a WhatsApp group unless every member has consented to their number being shared with the others. For marketing and announcements, always use broadcast lists — they send messages individually and recipients cannot see each other.
Using WhatsApp compliantly with Line
If this all feels overwhelming, the good news is that using WhatsApp through a proper business platform makes compliance significantly easier.
With Line, your WhatsApp messages go through the Business API and are stored in a shared team inbox with full message history. That gives you:
- Searchable message archives — respond to subject access requests quickly
- Centralised data management — delete customer data from one place, not scattered across personal devices
- Consent tracking — manage opt-ins and opt-outs systematically
- Team access controls — audit who accessed which conversations
- A dedicated UK business number — keep your personal number and personal WhatsApp completely separate
You still need to do the compliance work — writing your privacy policy, defining retention periods, training your team. But the underlying infrastructure makes it far more manageable than trying to stay compliant on the free WhatsApp Business App alone.
WhatsApp Business, done compliantly
Get a dedicated UK business number with WhatsApp, SMS, and voice — all in one GDPR-friendly inbox. From £1.70/mo.