- WhatsApp marketing is legal in SA with explicit, documented consent per Section 69 of POPIA and Regulation 6(a).
- Consent must be informed, voluntary, specific, and express. Pre-ticked boxes and bundled T&Cs do not qualify.
- The Information Regulator is actively enforcing. Administrative fines reach R10 million per violation.
- Template messages require pre-approved WhatsApp templates and existing opt-in. Session messages (within 24 hours of inbound contact) have more flexibility.
- Every marketing message needs a functioning opt-out, honoured within one business day.
WhatsApp and POPIA look like they pull in opposite directions. WhatsApp is instant and informal. POPIA is formal and consent-driven. Most SA marketing managers assume the two can only coexist if WhatsApp stays outside the compliance perimeter.
That assumption is wrong, and it is expensive. POPIA became fully operational on 1 July 2021. The Information Regulator has issued enforcement notices and imposed fines. WhatsApp is an electronic communication channel covered by Section 69. There is no grey area.
The good news: compliance is straightforward. A consent process, a records system, an opt-out mechanism. Most businesses already have the infrastructure. They just have not connected it to WhatsApp yet.
What POPIA says about direct marketing
Section 69(1) prohibits processing personal information for direct marketing via electronic communication (including WhatsApp) without the data subject's consent. Consent cannot be implied, purchased, or assumed from a number given for a different purpose.
Section 69(2) creates a narrow exception for existing customers: you may market similar products to someone who bought from you. A dealership can send service reminders to a buyer. They cannot pivot to financial products on the same consent.
Regulation 6(a) defines the operational standard. Consent must be informed, voluntary, specific, and express.
Meta's WhatsApp Business Policy sits on top of POPIA: explicit opt-in required before any template message. The two frameworks align. Build once to satisfy both.
Session vs template messages
WhatsApp Business API splits messages into two categories.
A session message is any message sent within 24 hours of the contact messaging you first. POPIA Section 69 still applies (no unrelated promotions), but you have flexibility for a real sales conversation.
A template message is an outbound message you initiate. These require Meta pre-approval, fit into marketing, utility, or authentication categories, and can only go to explicitly opted-in contacts.
Buying a phone number list and loading it into WhatsApp Business API for a broadcast is a Section 69 violation and a direct breach of WhatsApp Business Policy. Meta monitors for this. Your number will be suspended.
The compliant consent flow
Your CRM should capture at minimum: popia_consent_given, whatsapp_opted_in, consent_method, consent_timestamp, and consent_version. Conversio captures all five natively.
Consent language does not need to be a legal document. It needs to be specific, clear, and honest. "I agree to receive sales updates on WhatsApp from Conversio, including pricing and booking reminders" is compliant. "I agree to receive communications" is not.
Opt-out: every message, every time
Section 69(3) requires an opt-out mechanism in every direct marketing communication. "Reply STOP to unsubscribe" is the accepted formulation. Your system must act on it within one business day.
Acting on opt-out means three things: stop sending marketing templates to the number, add it to a permanent suppression list, and log the opt-out with a timestamp. The suppression list is usually the missing piece. Businesses honour the immediate opt-out but do not check the list six months later when a new campaign goes out.
Extend your keyword triggers beyond STOP: UNSUBSCRIBE, OPT OUT, REMOVE ME, plus Afrikaans and isiZulu equivalents. An AI agent handling inbound must be trained to recognise these intents even without the exact keyword.
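The consent record and opt-out handling described above can be enforced as a single gate in front of every template send. The sketch below is an added example, not Conversio's code or part of the original article: the five field names come from the list above, while the class and function names, the sample phone numbers, and the rule that a missing field blocks the send are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Keywords named in the article; Afrikaans and isiZulu equivalents go in this set too.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "OPT OUT", "REMOVE ME"}
CONSENT_FIELDS = ("popia_consent_given", "whatsapp_opted_in", "consent_method",
                  "consent_timestamp", "consent_version")

@dataclass
class Contact:  # hypothetical CRM record carrying the five consent fields
    msisdn: str
    popia_consent_given: bool = False
    whatsapp_opted_in: bool = False
    consent_method: Optional[str] = None
    consent_timestamp: Optional[datetime] = None
    consent_version: Optional[str] = None

class SuppressionList:
    """Permanent opt-out record, keyed by number and kept apart from the lead record."""
    def __init__(self):
        self._opted_out = {}  # msisdn -> timestamp of first opt-out
    def add(self, msisdn, when):
        self._opted_out.setdefault(msisdn, when)
    def __contains__(self, msisdn):
        return msisdn in self._opted_out

def is_opt_out(text):
    # Exact match after normalising case and punctuation: "opt-out." -> "OPT OUT".
    normalised = " ".join(re.sub(r"[^A-Za-z]+", " ", text).upper().split())
    return normalised in OPT_OUT_KEYWORDS

def handle_inbound(contact, text, suppression, now):
    """Apply the three opt-out actions; returns True if the message was an opt-out."""
    if not is_opt_out(text):
        return False
    contact.whatsapp_opted_in = False     # stop marketing templates
    suppression.add(contact.msisdn, now)  # suppress permanently, with timestamp
    return True

def may_send_template(contact, suppression):
    """Gate run before every template send. Suppression wins over consent flags."""
    if contact.msisdn in suppression:
        return (False, "suppressed")
    missing = [f for f in CONSENT_FIELDS if not getattr(contact, f)]
    if missing:
        return (False, "missing: " + ", ".join(missing))
    return (True, "ok")
```

Because the suppression check runs first and is keyed on the number rather than the lead record, a contact re-imported months later with fresh consent flags is still blocked. The keyword match is deliberately exact; free-text intent such as "please take me off this list" is left to the inbound agent.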
Data retention
POPIA's purpose limitation: keep personal information only as long as necessary for the purpose for which it was collected.
Practical retention for WhatsApp marketing leads: active leads are retained in full during the sales process. Cold leads (no engagement in 90 days) are soft-deleted from active lists. After a further 30 days, hard purge personal identifiers. Suppression list records are retained indefinitely.
Contacts can request their data or ask for it to be deleted (a data access request). Respond within 30 days, either confirming deletion or explaining legal retention (e.g. FICA).
Document retention in your Privacy Notice and be specific. "We retain lead contact information for 90 days of inactivity, after which it is deleted" is defensible. "We retain data as long as necessary" will not satisfy a regulator.
Enforcement in 2026
The Information Regulator has been operational since 2021 and is past its setup phase. It has issued enforcement notices, demanded Information Officer appointments, and pursued complaints. Direct marketing cases form a growing share of its caseload.
Maximum administrative fine: R10M per violation. The reputational cost of a public enforcement notice usually exceeds the financial cost. SMBs are disproportionately exposed because they often lack documented consent practices. A single complaint can reveal systemic non-compliance.
The 10-point audit
- Information Officer registered with the Regulator.
- All opt-in collection points have specific, unticked checkboxes.
- Pull 20 contacts from your marketing list. Verify timestamped consent for each.
- Test opt-out end-to-end. Confirm suppression within 24 hours.
- Suppression list consulted before every send.
- Existing customer exemptions actually meet the narrow criteria.
- Retention policy documented in Privacy Notice and enforced in CRM.
- Data access request process documented and tested.
- All template messages include working opt-out instructions.
- Information Officer has reviewed WhatsApp marketing in the last 12 months.
For the channel case, see why WhatsApp beats email for SA sales. For dealer groups, the car dealership playbook. For AI qualification, the BANT replacement guide. For voice, why AI voice beats IVR.
Frequently asked questions
- Do I need to register as a responsible party for WhatsApp marketing?
Yes. If you process personal information in the ordinary course of business (which WhatsApp marketing is), you are a responsible party under POPIA and must register with the Information Regulator. You must also appoint and register an Information Officer.
- Can I import my existing customer phone list into WhatsApp Business API?
Only with explicit documented consent. Existing customer status under Section 69(2) gives narrow rights, but WhatsApp Business API requires its own opt-in layer. Send a permission-request template to existing customers before importing them into any workflow.
- Is POPIA consent automatic if a customer messages me first?
No. An inbound message opens a 24-hour session for responding to that specific enquiry. It is not consent for ongoing marketing. To add them to a broadcast list, collect explicit opt-in during or after that session.
- What must my opt-out message contain?
A clear instruction, typically "Reply STOP to unsubscribe". When triggered, send one confirmation of removal. Log the opt-out with a timestamp. Do not send further marketing to that number.
- How long can I retain lead data under POPIA?
Only as long as necessary. A defensible policy: active retention during the sales process, 90-day inactivity window, then hard purge of personally identifiable information. Suppression list records retained indefinitely.
- What is the penalty for a POPIA violation in 2026?
Section 107 provides for administrative fines up to R10 million per violation. Criminal liability with imprisonment up to 10 years is available for intentional or negligent breach. The Regulator typically issues enforcement notices first, with fines reserved for systemic non-compliance.
About the author: Murali Naidu is the founder of AmbitX.ai and builder of Conversio, a WhatsApp-native CRM for SA sales teams. He writes about WhatsApp compliance, AI-led lead qualification, and the mechanics of building customer pipelines on South African communication infrastructure.
This article is an accurate summary of POPIA requirements as understood in April 2026. It is not legal advice.