Key Takeaways
The General Data Protection Law (LGPD) is the Brazilian privacy law in effect since 2020, enforced by the ANPD (National Data Protection Authority). In 2025, the ANPD entered an active enforcement phase, with real fines applied against Brazilian businesses using WhatsApp for customer communication without an adequate legal basis. In 2026, LGPD compliance for WhatsApp Business is no longer optional: it is a documented technical obligation with penalties of up to R$50 million per infraction.
This guide covers what every Brazilian business must do: legal basis, opt-in, data retention, data-subject rights, and the minimum technical stack.
What LGPD requires regarding WhatsApp Business
LGPD treats personal data (including WhatsApp number, conversation content, and usage patterns) under six legal bases. For WhatsApp Business use with customers, the two most common are:
- Consent (art. 7, I). Data subject explicitly agrees with processing. Preferred basis for marketing and promotional communications.
- Contract execution (art. 7, V). Processing necessary to fulfill contract with data subject. Basis for order confirmations, shipping updates, authentication OTPs.
ANPD published specific guidance in 2024-2025 making clear that email consent does not cover WhatsApp. They are different channels and require separate consents.
Five minimum obligations for WhatsApp + LGPD compliance in 2026:
- Documented legal basis for each purpose (support, marketing, transactional).
- Specific privacy policy mentioning WhatsApp as channel.
- Clear opt-in mechanism with auditable record (timestamp, IP, exact consent text).
- Clear opt-out mechanism (STOP keyword, cancellation link, manual removal process).
- Limited retention and scheduled data disposal.
Legal basis: how to choose
Businesses using WhatsApp communication in Brazil should carefully choose the appropriate legal basis under LGPD depending on the purpose of each message type. Authentication OTPs, account verification, order confirmations, shipping updates, and delivery notifications are typically processed under contract execution because they are necessary for service delivery, account security, and purchase fulfillment. Receipts and payment confirmations may additionally rely on legal obligation due to tax and financial recordkeeping requirements.
For customer satisfaction surveys, businesses may rely on legitimate interest or explicit consent, although using legitimate interest often requires a documented Legitimate Interest Assessment (RIPD) to justify the processing activity. Marketing campaigns, promotional messages, abandoned cart recovery, and customer reactivation campaigns generally require explicit customer consent under LGPD because Brazilian regulators increasingly classify these workflows as direct marketing activities. Maintaining consent records, opt-in logs, and clear unsubscribe mechanisms is essential for reducing compliance risk and operating scalable WhatsApp communication workflows in Brazil.
Opt-in that satisfies LGPD
Valid consent under LGPD must be free, informed, unambiguous and specific.
Free
Cannot be a condition for obtaining the product or service.
Informed
Text must mention: what will be sent, approximate frequency, how to cancel, link to policy.
Unambiguous
Positive and clear action. Checkbox not pre-checked.
Specific
One consent per purpose. Purposes cannot be bundled.
Example of valid opt-in
[ ] I want to receive offers and news via WhatsApp
(we can send up to 2 messages per week, you can cancel by replying STOP)
Example of invalid opt-in
[x] I accept terms of use, privacy policy and authorize marketing by email and WhatsApp.
Fails because it is pre-checked and bundles multiple purposes. The ANPD considers such consent invalid.
Consent record
For each opt-in, document:
- Complete timestamp (date, time, timezone).
- Origin IP.
- User-agent.
- Exact consent text.
- Privacy policy version at the time.
- Collection channel (web form, app, QR code).
- Specific authorized purposes.
During enforcement, the ANPD can request a consolidated report within 15-30 days. A WhatsApp Business API platform in Brazil maintains an LGPD-compatible log for each opt-in.
Opt-out: the mandatory mechanism
Every WhatsApp marketing communication must offer clear cancellation mechanism:
- Keyword in free text. Customer replies STOP, END, CANCEL. System recognizes, removes, confirms.
- Quick-reply button. Template with a "No longer receive" button.
- Management link. Link opens panel where customer manages preferences.
Five rules:
- Opt-out in EVERY marketing message. Not just initial.
- Processing within 24 hours. Customer cannot receive more after 24h.
- Clear confirmation. Customer needs to receive confirmation message.
- Do not make it difficult. Double confirmation and complex login requirements are prohibited.
- Keep opt-out record. Save opt-out timestamp for minimum 5 years.
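The consent record and opt-out rules above map directly onto a small piece of code. The following is an added example, not code from the original article or from any BSP: an in-memory consent log that stores every field the record list asks for (timezone-aware timestamp, IP, user-agent, exact text, policy version, channel, one purpose per row), an opt-in form check for the pre-checked and bundled failures shown earlier, and an inbound handler that recognizes a cancellation keyword, revokes consent, keeps the row with its revocation time for the audit trail, and returns the confirmation message. Class and function names are this example's own; the Portuguese keywords beyond STOP, END and CANCEL are assumed.

```python
# Added example (not from the original article): consent log plus opt-out
# handler. Names are this example's own; PARAR/SAIR/CANCELAR are assumed
# additions to the STOP/END/CANCEL keywords the article names.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OPT_OUT_KEYWORDS = {"STOP", "END", "CANCEL", "PARAR", "SAIR", "CANCELAR"}
CONFIRMATION = "You will no longer receive messages from us on WhatsApp."


@dataclass
class ConsentRecord:
    """One opt-in, carrying every field the LGPD audit trail needs."""
    phone: str
    purpose: str              # exactly one purpose per record: no bundling
    timestamp: datetime       # must be timezone-aware (date, time, timezone)
    ip: str
    user_agent: str
    consent_text: str         # the exact wording the customer saw
    policy_version: str
    channel: str              # "web_form", "app", "qr_code", ...
    revoked_at: Optional[datetime] = None   # kept after opt-out, never deleted


def validate_opt_in_form(prechecked: bool, purposes: list) -> list:
    """Return the reasons a form fails the unambiguous/specific tests (empty if valid)."""
    problems = []
    if prechecked:
        problems.append("checkbox is pre-checked (consent not unambiguous)")
    if len(purposes) != 1:
        problems.append("multiple purposes bundled into one consent (not specific)")
    return problems


class ConsentStore:
    def __init__(self) -> None:
        self.records: list = []

    def record_opt_in(self, rec: ConsentRecord) -> None:
        if rec.timestamp.tzinfo is None:
            raise ValueError("consent timestamp must carry a timezone")
        self.records.append(rec)

    def has_consent(self, phone: str, purpose: str) -> bool:
        return any(r.phone == phone and r.purpose == purpose and r.revoked_at is None
                   for r in self.records)

    def record_opt_out(self, phone: str, when: datetime) -> int:
        """Revoke every consent-based purpose for the number; rows stay for 5 years.
        Transactional messages rest on contract execution, not on these rows."""
        revoked = 0
        for r in self.records:
            if r.phone == phone and r.revoked_at is None:
                r.revoked_at = when
                revoked += 1
        return revoked


def handle_inbound(store: ConsentStore, phone: str, text: str, now: datetime) -> Optional[str]:
    """Free-text reply: on a cancellation keyword, revoke immediately and confirm."""
    if text.strip().upper() in OPT_OUT_KEYWORDS:
        store.record_opt_out(phone, now)
        return CONFIRMATION
    return None


def may_send_marketing(store: ConsentStore, phone: str) -> bool:
    return store.has_consent(phone, "marketing")


def run_demo() -> dict:
    """Constructed walk-through: opt-in, a normal reply, then 'stop' an hour later."""
    store = ConsentStore()
    phone = "+5511999990000"                       # constructed sample number
    t0 = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
    store.record_opt_in(ConsentRecord(
        phone, "marketing", t0, "203.0.113.5", "Mozilla/5.0 (constructed)",
        "I want to receive offers and news via WhatsApp (up to 2 per week, reply STOP to cancel)",
        "2026-01", "web_form"))
    before = may_send_marketing(store, phone)
    ignored = handle_inbound(store, phone, "hello", t0)
    reply = handle_inbound(store, phone, " stop ", t0 + timedelta(hours=1))
    return {"before": before, "ignored": ignored, "reply": reply,
            "after": may_send_marketing(store, phone),
            "revoked_at": store.records[0].revoked_at.isoformat()}


if __name__ == "__main__":
    print(run_demo())
```

The revocation is applied the moment the keyword arrives, which satisfies the 24-hour rule with margin; the row is never deleted, so the opt-out timestamp remains available for the five-year record.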
Data retention
Businesses using WhatsApp Business API in Brazil should implement structured data retention policies to remain compliant with LGPD and maintain defensible audit records.
Marketing message records are typically recommended to be stored for up to two years after the customer’s last interaction to preserve proof of communication and campaign activity. Transactional messages, including order confirmations, receipts, and account notifications, are commonly retained for five years to align with Brazil’s Consumer Defense Code (CDC) limitation period. Customer consent records should also be maintained for up to five years after consent revocation to provide legal and compliance evidence if disputes arise. Operational send logs are generally retained for around two years to support internal audits, delivery investigations, and platform monitoring. Inactive customer records are often stored for up to three years to support potential customer reactivation campaigns and account recovery workflows while maintaining compliant data management practices.
After the retention period, data must be anonymized or discarded. Anonymization must be irreversible; reversible encryption does not qualify.
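The retention periods listed above, as an added example that is not part of the original article: a schedule keyed by data type, each entry naming the event that starts its clock (last interaction, creation, or consent revocation), and a purge routine that replaces identifiers in expired rows with a one-way token. The token is derived from a random salt that exists only for the duration of the run and is never stored, so the result cannot be reversed, which is the property that separates anonymization from encryption. The record shape, field names and the `anon:` prefix are this example's own assumptions.

```python
# Added example (not from the original article): retention schedule and
# irreversible anonymization. Record fields and function names are assumptions.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods from the article; the anchor names the field that starts the clock.
RETENTION = {
    "marketing_message": (timedelta(days=2 * 365), "last_interaction"),
    "transactional":     (timedelta(days=5 * 365), "created"),
    "consent":           (timedelta(days=5 * 365), "revoked_at"),
    "send_log":          (timedelta(days=2 * 365), "created"),
    "inactive_customer": (timedelta(days=3 * 365), "last_interaction"),
}


@dataclass
class Record:
    kind: str
    phone: Optional[str]
    content: Optional[str]
    created: datetime
    last_interaction: datetime
    revoked_at: Optional[datetime] = None
    anonymized: bool = False


def retention_deadline(rec: Record) -> Optional[datetime]:
    period, anchor = RETENTION[rec.kind]
    start = getattr(rec, anchor)
    if start is None:          # e.g. consent not yet revoked: clock has not started
        return None
    return start + period


def is_expired(rec: Record, now: datetime) -> bool:
    deadline = retention_deadline(rec)
    return deadline is not None and deadline <= now


def anonymize(rec: Record, salt: bytes) -> None:
    """Replace identifiers with a salted one-way token and drop the content.
    The salt is discarded after the purge run, so no key exists that could
    map the token back to the number (unlike encryption)."""
    token = hashlib.sha256(salt + rec.phone.encode()).hexdigest()[:16]
    rec.phone = "anon:" + token
    rec.content = None
    rec.anonymized = True


def purge(records: list, now: datetime) -> tuple:
    """Anonymize expired rows in place; return (anonymized now, still identifiable)."""
    salt = secrets.token_bytes(16)    # per-run, never persisted
    done = 0
    for rec in records:
        if not rec.anonymized and is_expired(rec, now):
            anonymize(rec, salt)
            done += 1
    return done, sum(1 for r in records if not r.anonymized)


def run_demo() -> dict:
    """Constructed sample set evaluated on 2026-03-01."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
    records = [
        Record("marketing_message", "+5511999990001", "offer", d(2023, 1, 1), d(2023, 1, 1)),
        Record("transactional", "+5511999990002", "order #1", d(2022, 1, 1), d(2022, 1, 1)),
        Record("consent", "+5511999990003", "opt-in text", d(2019, 6, 1), d(2019, 6, 1), d(2020, 1, 1)),
        Record("consent", "+5511999990004", "opt-in text", d(2025, 6, 1), d(2025, 6, 1), None),
        Record("send_log", "+5511999990005", "delivered", d(2025, 1, 1), d(2025, 1, 1)),
    ]
    done, kept = purge(records, now)
    return {"done": done, "kept": kept,
            "phones": [r.phone for r in records],
            "contents": [r.content for r in records]}


if __name__ == "__main__":
    print(run_demo())
```

Running the purge a second time with a fresh salt produces different tokens for the same number, which is exactly the point: nothing links an anonymized row back to a person, while counts per data type and per period survive for audits.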
Data-subject rights
LGPD guarantees nine rights (art. 18):
Confirmation of processing
Response in 15 days.
Access to data
Electronic copy in 15 days.
Data correction
No cost.
Anonymization, blocking, or elimination
In 15 days, except legal obligation.
Portability
Structured file for transfer.
Information about sharing
List of data receivers.
Information about non-consent
Consequences explained beforehand.
Consent revocation
Within 24 hours.
Automated decision review
Human review of algorithm.
International transfer
Meta's WhatsApp servers are outside Brazil. LGPD allows international transfer subject to requirements (art. 33). For operational WhatsApp Business use, the transfer is generally covered by contract execution with the data subject.
Brazilian BSPs (or WhatsApp Marketing Platforms) operate own servers in national territory for storage of logs, consents, and management data. Only message transmission passes through Meta.
Operators and controllers
- You are the controller. Your company decides what to send, to whom, and for what purpose. Primarily responsible before the ANPD.
- The BSP is the operator. It processes data on your behalf under contract. You need an operator contract.
- Meta is sub-operator. Processes data on behalf of BSP.
Minimum clauses in BSP contract: specific processing purposes, technical security measures, authorized sub-operators, assistance with data-subject rights, incident notification within 24 hours, data elimination or return at contract end.
Security incident
Obligations in case of incident:
- Notify ANPD in reasonable time. Up to 72 hours typical; 24 hours in serious cases.
- Notify affected data subjects. Clear communication, no technical jargon.
- Document internally. Report kept minimum 5 years.
- Implement corrections. Audit after 6 months.
The five most common incident vectors: an agent forgot to log out, a misconfigured integration exposed an API key, a bot sent to the wrong recipient, an ex-employee retained panel access, phishing against the BSP admin.
Penalties
ANPD can apply graduated penalties (art. 52):
- Warning.
- Simple fine of up to 2 percent of revenue in Brazil, limited to R$50 million per infraction.
- Daily fine.
- Publicization of infraction.
- Blocking or elimination of data.
- Suspension of database operation.
- Prohibition of processing activities.
LGPD WhatsApp Business compliance checklist
- Privacy policy published mentions WhatsApp as channel?
- Legal basis defined for each purpose?
- WhatsApp opt-in separate from other consents?
- Each opt-in has record with timestamp, IP, text, policy version?
- Every marketing message has opt-out mechanism?
- Opt-out processed within 24 hours?
- DPO designated and public contact?
- Retention policy defined with deadline per data type?
- Automatic disposal of expired data implemented?
- Documented channel for exercising rights?
- Operator contract signed with BSP, with minimum clauses?
- Incident response plan documented and tested?
- Team training program on LGPD?
- RIPD for high-risk processing?
- Annual internal LGPD compliance audit?
Businesses answering yes to all 15 have a solid defensive posture. Fewer than 10 indicates material exposure.
How WhatsAppNow Brazil supports LGPD compliance
WhatsAppNow was designed with LGPD in mind: LGPD-compatible consent log, automated opt-out processing, Brazilian servers, standard operator contract, incident response plan, DPO support.
Frequently asked questions
Can I use WhatsApp for customers who already gave me email?
Not automatically. Email consent is separate from WhatsApp consent. Request specific opt-in before starting WhatsApp communication.
What happens if I receive ANPD notification?
Respond within the deadline (typically 15 days) with documented evidence. Designate a DPO or specialized lawyer. If there was a real violation, self-regularization typically reduces the penalty.
Can customer request history of everything I sent them?
Yes. Access right allows customer to request copy of all personal data processed. Provide within 15 days in structured electronic format.
Do I need DPO if I am small business?
Yes. LGPD requires the designation regardless of size. For a small business, it can be an employee who accumulates the function or an outsourced DPO. The contact must be published on the site.
Can I use WhatsApp data to train AI/chatbot?
Only with a specific legal basis. Model training is a different purpose and requires specific consent or legitimate interest with an RIPD.
What to do if employee shares customer conversations?
Treat as security incident. Investigate, contain, notify ANPD and data subjects if necessary, apply disciplinary measure, implement technical control.
Next steps
Do the 15-item checklist above. Start with three biggest: opt-in with auditable record, automated opt-out, retention policy. Designate DPO formally and publish contact. Review BSP contract. Train marketing and support team. Conduct annual internal audit.
For LGPD-compatible technical infrastructure, our WhatsApp Business API for Brazil Businesses delivers consent log, automated opt-out, Brazilian servers, and standard contract.