It all started with WhatsApp.
These guidelines, taken from Meta itself, were established for it.
But the fundamentals described here do not belong only to WhatsApp; from them also derive the other channels of the Meta ecosystem.
For just as consent builds trust, transparency sustains relationships and quality preserves communication, such principles must be observed in every operation carried out through WhatsApp, Instagram, Messenger, Threads and other platforms that share the same essence.
Therefore, although this document was conceived with a focus on WhatsApp Cloud API, its fundamentals should be interpreted as a reference for all Meta channels, whenever applicable.
Because channels may change, but principles remain.
This document establishes mandatory guidelines for operations carried out through WhatsApp Cloud API (Meta). Non-compliance with these rules significantly increases the risk of restrictions, quality reduction, blocks and account bans.
For leads captured by ads, it is mandatory to provide access to the following information:
Privacy Policy
Data Storage Policy
Data Deletion Policy
The policies can be in a single document, as long as they are organized in clearly identified sections.
It is mandatory to have prior consent from the lead obtained outside of WhatsApp.
This consent must be:
Clear
Traceable
Verifiable
⚠ In any audits or requests from Meta, the company must be able to prove that consent was obtained.
The use of databases provided by business partners presents high risk, even when there is:
Formal contracts
Data transfer agreements
Legal documentation between parties
Meta primarily evaluates the relationship between user consent and the company making the contact.
The lead authorized contact from company X
The contact is made by company Y
This scenario can be interpreted negatively by Meta's ecosystem.
⚠ The existence of a contract does not eliminate the risk of penalties.
⚠ It can help in the defense of the case, but does not prevent blocks or restrictions.
To maximize compliance and reduce operational risks, it is recommended to use granular consent by communication category, whether the lead comes from an advertisement or from another communication channel.
The user should be able to individually choose to receive:
Marketing (promotions, offers and campaigns)
Utility (status, updates and operational information)
All types of communication
Consent:
Cannot be pre-selected
Must be clear and specific
Must allow individual selection by category
Must record audit evidence:
Date and time of acceptance
Source of consent (website, form, CRM, landing page, WhatsApp_ctwa_id, etc.)
IP or equivalent identifier, when available
Version of accepted terms
This model allows:
Granular proof of consent
Greater ability to defend in audits
Reduced risk of spam classification
Better support in cases of complaints or review by Meta
⚠ Generic opt-ins, such as "I accept receiving messages", have low evidentiary value and may be insufficient in defense proceedings.
☐ I accept receiving offers, promotions, campaigns and commercial content from the company via WhatsApp.
By selecting this option, you may receive:
Promotions and discounts
Product or service launches
Commercial campaigns
Event invitations and promotional actions
You may request cancellation of these communications at any time.
☐ I accept receiving operational communications and information related to my service via WhatsApp.
By selecting this option, you may receive:
Updates on requests and services
Status of orders, contracts or services
Appointment reminders
Information necessary for the execution of contracted services
These messages are informational and operational in nature.
☐ I accept receiving all types of communication from the company through WhatsApp, including promotional, operational and informational messages.
By selecting this option, you may receive:
Offers and promotions
News and commercial campaigns
Service updates
Information about contracted services
Reminders, notifications and relevant communications
You may request to stop these communications at any time.
The recipient must have a simple and clear way to stop receiving communications.
Whenever possible:
Inform the user that they can stop receiving messages
Provide a simple unsubscribe mechanism
Immediately respect requests to stop contact
It is recommended to include an opt-out instruction in campaigns and promotional sends.
"To stop these communications, reply STOP."
"You are receiving this message because you authorized our contact. To stop receiving new messages, reply EXIT."
Whenever the content allows, include unsubscribe information in the body of the message or in subsequent messages.
"If you no longer wish to receive communications, reply EXIT."
During customer interaction, it is recommended to periodically reinforce that they can cancel communications.
"Remember that you can stop our messages at any time by replying EXIT."
Every marketing template must have an explicit opt-out option.
A person who wants to stop receiving messages tends to use unsubscribe when it is simple and visible. When this option does not exist, the likelihood of blocking or reporting increases significantly.
The adoption of clear unsubscribe mechanisms contributes to:
Reduction of complaints
Reduction of number blocks
Improvement of quality indicators
Demonstration of good faith before Meta audits
Greater compliance with privacy and consent practices
⚠ Ignoring unsubscribe requests or making cancellation difficult significantly increases the risk of complaints and penalties.
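An added example, not code from the original page or from Meta: a minimal consent ledger covering the granular-consent evidence fields and the STOP/EXIT opt-out handling described above. Class, method and field names are hypothetical; the hash chain linking events and the rule that an opt-out reply revokes every category are assumptions made for the example.

```python
import hashlib, json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

CATEGORIES = {"marketing", "utility"}  # the choice "all" expands to both
OPT_OUT_KEYWORDS = {"STOP", "EXIT"}    # reply keywords quoted on the page

@dataclass(frozen=True)
class ConsentEvent:
    phone: str
    category: str
    granted: bool        # False records a revocation
    timestamp: str       # date and time of acceptance, UTC ISO 8601
    source: str          # website, form, CRM, landing page, ...
    terms_version: str   # version of the accepted terms
    ip: str              # IP or equivalent identifier; "" when unavailable
    prev_hash: str       # digest of the previous event (added tamper evidence)

    def digest(self):
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.events = []

    def _append(self, phone, category, granted, source, terms_version, ip=""):
        prev = self.events[-1].digest() if self.events else "0" * 64
        now = datetime.now(timezone.utc).isoformat()
        self.events.append(ConsentEvent(phone, category, granted, now, source, terms_version, ip, prev))

    def record_opt_in(self, phone, choice, source, terms_version, ip=""):
        cats = CATEGORIES if choice == "all" else {choice}
        if not cats <= CATEGORIES:
            raise ValueError(f"unknown consent category: {choice!r}")
        for cat in sorted(cats):  # one event per category keeps the proof granular
            self._append(phone, cat, True, source, terms_version, ip)

    def handle_inbound(self, phone, text):
        stop = text.strip().upper() in OPT_OUT_KEYWORDS
        for cat in (sorted(CATEGORIES) if stop else ()):  # assumption: revoke all
            self._append(phone, cat, False, "whatsapp_reply", "n/a")
        return stop

    def may_send(self, phone, category):
        hits = [e for e in self.events if (e.phone, e.category) == (phone, category)]
        return bool(hits) and hits[-1].granted  # newest wins; no record = no consent

    def verify_chain(self):
        hashes = ["0" * 64] + [e.digest() for e in self.events]
        return all(e.prev_hash == h for e, h in zip(self.events, hashes))
```

Call `may_send` immediately before every template send so that an opt-out recorded seconds earlier is respected, and export the event list together with `verify_chain()` when evidence is requested.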
It is not recommended to request or share, through WhatsApp, personal data and sensitive data as defined by LGPD, especially when not strictly necessary for the purpose of the service.
Avoid requesting or sharing through:
Text messages
Audio
Videos
Full name of account holder when unnecessary
Full name of parents or guardians
CPF
RG
CNH
Passport
Official documents
Financial data
Biometric data
Sensitive laboratory tests
Racial or ethnic information
Religion
Health data
Any information that could have significant impact in case of a data breach
Data collection should occur in environments controlled by the company, preferably through:
WhatsApp native forms (when available)
Secure external services such as:
Typeform
Google Forms
Corporate forms (own)
Internal portals
⚠ If WhatsApp native forms are not used, it is recommended that the collection of personal data or sensitive data be carried out through adequately protected means that comply with LGPD requirements.
The following indicators directly impact the health of the operation and the reputation of the number:
Read rate
Response time
Response rate
Block rate
Report rate
The report rate is one of the main operational risk factors.
High report rates represent high operational risk and may result in automatic restrictions applied by Meta.
When a report occurs, Meta will analyze:
The recent conversation history (last 5 messages)
The context of the messages exchanged
Possible violations of platform policies
⚠ If violations of Meta's policies or an abnormal volume of negative feedback are identified, the platform may apply automatic restrictions to the operation even before template health degradation becomes visible in monitoring dashboards.
Template health and phone number reputation are continuously evaluated by Meta's systems.
The quality update displayed in administrative dashboards does not necessarily occur in real time, but the platform's protection mechanisms operate continuously.
Meta may consider various factors, including:
Reports
Blocks
Response rates
Read rates
Recipient behavior
Message content (when reports occur)
Possible violations of platform policies
The absence of immediate change in the quality displayed for a template does not mean there is no risk.
Even before the visible update of quality indicators, Meta may identify behaviors considered inappropriate or incompatible with its policies.
A template that sends few messages may not show immediate quality change after receiving negative feedback.
However, a high proportion of reports or blocks can trigger automatic analyses and preventive measures by the platform.
Depending on the severity of the case, Meta may:
Reduce sending capacity
Apply temporary limitations
Pause templates
Request operation review
Restrict account functionalities
Block numbers involved in activities considered abusive or in violation of policies
Meta's protection mechanisms may act before quality degradation becomes visible in administrative dashboards.
For this reason, every operation should prioritize adequate consent, message relevance, and constant monitoring of quality indicators.
These guidelines should not be treated merely as best practices.
They are essential requirements for sustainable operations using the WhatsApp Cloud API.
The operation must be structured to:
Ensure valid and verifiable consent
Provide simple opt-out mechanisms
Avoid any perception of spam
Protect personal and sensitive information
Maintain high quality and engagement rates
Non-compliance with these guidelines directly increases the risk of:
Sending restrictions
Quality reduction
Number blocking
Account ban
See how to get your WhatsApp Business Account display name approved on the first try, with the help of our helper → https://help.datacrazy.io/pt-br/articles/10670799-diretrizes-nome-de-exibicao-contas-waba
Following these guidelines makes your operation better protected, but it remains, always and forever, at the mercy of Meta, since Meta is the one that determines, judges and executes within the Meta universe. With this we minimize the risks so that our operation can flow with fewer, or none, of the problems presented above.
But it's never a guarantee.