Consent & GDPR Requirements for Imports
What “GDPR-compliant collection” means (for an import)
For Coco to import existing contacts into WhatsApp marketing, your list must be collected and stored in a way that meets GDPR consent standards (and equivalent privacy standards where applicable). In practice, this means you can show:
Lawful basis: the person gave explicit consent to receive marketing messages on WhatsApp (not just SMS or email).
Transparency at sign-up: the sign-up text clearly explained what they were opting into (marketing), on which channel (WhatsApp), and from which brand.
Proof is retained: you can provide evidence showing who opted in, when, how, and what exactly they saw when consenting.
Consent is unbundled: WhatsApp marketing consent wasn’t hidden inside unrelated terms (e.g., “By signing up you agree to our Terms”). It must be a clear, separate affirmative action.
Easy to withdraw: your process supports opting out (e.g., “STOP”, “unsubscribe”, WhatsApp-native controls). This is especially important post-import, but you should have had a mechanism available at collection time as well. All of these features come out of the box with Coco AI.
GDPR compliance is about your collection process and your audit trail. For imports, Coco’s review focuses on whether the list was collected with clear, explicit WhatsApp marketing permission and whether you can document it.
What proof Coco requires
For imported subscribers, Coco typically needs enough evidence to confirm that each contact (or the segment you’re importing) explicitly opted into WhatsApp marketing. The strongest submissions include both system records and what the user saw at the moment of opt-in.
Minimum proof (what you should be ready to provide)
Opt-in source: where the consent was collected (e.g., website form, checkout, pop-up, landing page, in-store QR, support flow, etc.).
Consent language: the exact copy shown to users that mentions WhatsApp and marketing/promotional messaging.
Timestamp + identifier: a record that ties consent to a specific person (phone number) and the date/time of opt-in.
Region context: whether the list includes EU/UK (GDPR) or mixed regions, and whether the same consent language was used.
Strong proof (recommended for fastest approval)
Screenshot(s) of the opt-in UI: the form/checkout/popup with the full consent text visible.
Provider audit trail export: an export or report showing consent status + opt-in method + timestamp (from your prior provider, forms tool, or CRM).
Double opt-in evidence: logs showing confirmation action (e.g., “confirmed via reply”, “clicked confirm link”, “started chat via click-to-WhatsApp”).
Link to the live sign-up page (or a staging page) so the consent language can be verified.
If your proof only shows “subscribed to SMS” or “marketing consent = true” without explicitly stating WhatsApp, Coco may not be able to approve the import for WhatsApp marketing.
What counts as valid explicit WhatsApp opt-in (marketing)
“Explicit opt-in” means the person took a clear, affirmative action to receive marketing messages on WhatsApp. The opt-in must be specific to WhatsApp—not implied from another channel.
Valid examples
Unchecked checkbox + clear text: “I agree to receive promotional messages on WhatsApp from [Brand].” The user actively checks it.
Dedicated WhatsApp sign-up form: The form clearly states WhatsApp marketing and the user submits it.
Click-to-WhatsApp entry: User clicks a link/ad that opens WhatsApp and starts a conversation, paired with clear disclosure that they’ll receive marketing messages.
QR to WhatsApp with disclosure: The QR landing page states WhatsApp marketing consent before starting the chat.
Confirming message/reply (double opt-in): After initial sign-up, the user confirms via a second step (details below).
Not valid (common reasons imports fail)
Consent for SMS or email only: “Text me offers” or “Subscribe to SMS” does not equal WhatsApp marketing consent.
Pre-checked boxes or consent hidden in Terms & Conditions.
Soft opt-in assumptions: “They’re customers” or “They messaged us once” without explicit marketing permission.
Ambiguous channel wording: “Receive messages” without naming WhatsApp.
Third-party list purchases or “lead lists” where you can’t show the original consent language and audit trail.
If your historical list doesn’t meet the bar for WhatsApp marketing consent, use Coco’s opt-in tools (like shareable links and on-site capture) to rebuild the list with clean proof. This usually protects deliverability and reduces complaint risk.
Double opt-in: what Coco expects (and why)
Double opt-in means there are two separate actions from the user:
Initial opt-in (they submit/agree to WhatsApp marketing).
Confirmation step that verifies intent (they confirm in WhatsApp or via an explicit confirmation action).
Double opt-in isn’t always a legal requirement in every region, but it is a strong best practice for WhatsApp marketing because it:
reduces accidental sign-ups and wrong-number submissions,
improves message engagement and lowers complaint rates,
creates stronger proof if your list is audited or questioned.
What counts as a valid double opt-in confirmation
User replies with a confirmation keyword after being prompted (e.g., “YES”).
User clicks a clear “Confirm” action that is tied to the WhatsApp number and records a timestamp.
User starts a WhatsApp conversation from a clearly disclosed opt-in source (e.g., a link/ad that explicitly states they’re opting into WhatsApp marketing) and then performs a second affirmative step when prompted.
What does not count as double opt-in
A single form submit with no follow-up confirmation.
“Delivered” or “read” message status (that’s not consent).
Auto-enrolling users because they purchased or contacted support.
If you collected consent historically with a single opt-in, Coco may still require additional confirmation (or recommend re-confirmation) depending on list quality, region mix, and the clarity of your original consent language.
Consent language checklist (use this to self-audit)
Your opt-in language should include all of the following:
Channel: it explicitly says “WhatsApp”.
Purpose: marketing/promotional messages (not just “updates”).
Brand identity: the business name the user will recognize.
Frequency/expectations: a reasonable indication (e.g., “recurring messages” or a frequency range if you use one).
Opt-out: instructions or a clear statement that they can opt out any time.
Example (checkbox text):
“I agree to receive recurring promotional messages on WhatsApp from [Brand]. Consent is not a condition of purchase. Reply STOP to opt out.”
Notes: Make sure the checkbox is unchecked by default and that users must take an affirmative action.
Screenshot of the opt-in form/checkout showing the WhatsApp consent language
Export/report showing phone number, opt-in status, and timestamp
Confirmation logs if double opt-in was used (timestamp + method)
Link to the live page (or archived version) where the consent was collected
How Coco reviews compliance (high level)
Coco reviews imports to protect your WhatsApp account quality and reduce the risk of complaints, blocks, and enforcement. The review typically looks for:
Explicit WhatsApp marketing consent (not implied or cross-channel).
Clear, consistent proof that matches the list segment being imported.
Reasonable list quality signals (e.g., recent opt-ins, clear source, confirmation where applicable).
If you cannot produce credible proof of explicit WhatsApp marketing opt-in for the contacts you want to import, do not attempt repeated import retries with the same list. This can increase risk to WhatsApp account quality. Use compliant re-opt-in methods instead.
Related pages in this section
Common compliance failures and remediation steps.
What fields to include and how to format your file.
Capture clean opt-ins and support double opt-in.