WhatsApp opt-in and opt-out
Why opt-in matters
Three reasons opt-in is mandatory:
- Meta policy. WhatsApp Business rules require opt-in before any business sends a message. Violators lose the WhatsApp Business account.
- TRAI rules in India. India's telecom regulator requires consent for any commercial message. Penalties scale by violation count.
- GDPR and similar. Most data-protection laws treat WhatsApp messaging as electronic communication requiring consent.
A single complaint can trigger a 24-hour quality-rating drop or full WhatsApp Business account suspension. Capture opt-in cleanly to avoid this.
Four opt-in patterns
Pick the one matching your funnel:
Pattern 1: Checkbox at signup.
[x] Yes, I want to receive WhatsApp updates about my orders and account.
Standard checkout or account-creation flow. About 60 to 75% of B2C users opt in when the checkbox is unchecked by default and clearly labeled.
Pattern 2: Inline consent during chat.
Bot: "Want order updates on WhatsApp? Reply YES to opt in."
Customer: "YES"
Bot: "Got it. We'll send updates to +91 8012345678."
Conversational and natural. Opt-in rates run about 40 to 60% in mid-funnel chats.
Pattern 3: Email confirmation flow.
- Customer enters phone in a form.
- Email arrives: "Click here to confirm WhatsApp updates."
- Click captures opt-in.
Slowest but highest-quality opt-in. About 25 to 40% conversion from form to confirmed opt-in.
Pattern 4: Customer-initiated inbound.
When a customer messages your WhatsApp number first, that's implicit opt-in for a 24-hour reply window. Outside the window still requires explicit opt-in for template-based outreach.
How AskVault stores opt-in
Each opt-in event records:
- Phone number (E.164 format).
- Channel that captured consent (widget, web form, inbound message).
- Timestamp.
- Wording shown to the customer.
- IP address and user agent (for web-based opt-in).
Stored in the contact record under Contacts > [contact] > WhatsApp Consent. Retained 365 days standard, 6 years on Enterprise.
Useful for proving consent during a Meta audit or a customer complaint.
How AskVault captures opt-in
Three implementations:
Via the collect_lead skill. When the bot collects a phone number, it appends a consent question:
Bot: "Got your number. Want WhatsApp updates? Reply YES or NO."
If YES, the opt-in is recorded automatically. If NO or no reply, no opt-in is recorded.
Via API. For your own opt-in surfaces (your signup form, your checkout):
curl -X POST https://api.askvault.co/v1/contacts/opt-in \
  -H "Authorization: Bearer ak_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+918012345678",
    "channel": "whatsapp",
    "source": "signup_form",
    "wording": "Yes, I want WhatsApp updates about my orders",
    "ip": "203.0.113.45"
  }'
Returns the consent record ID.
Via webhook from your system. Configure your auth/signup system to fire a webhook on opt-in events. AskVault subscribes and records.
Opt-out handling
When a customer wants out:
- STOP, UNSUBSCRIBE, STOPALL, CANCEL, QUIT, END keywords (case-insensitive) trigger auto-opt-out.
- A confirmation reply is sent within 30 seconds: "You've been unsubscribed from WhatsApp updates. Reply START to opt back in."
- All future outbound to that phone blocked.
- Inbound messages still allowed (customer can still ask you something; you can reply within the 24-hour window).
Auto-handling is on by default. Disable under Deploy Hub > WhatsApp > Opt-Out Keywords if you have a custom flow, though we discourage this.
Opt-in revival
If an opted-out customer wants back in:
- START or SUBSCRIBE keywords re-enable outbound.
- Confirmation message: "Welcome back. We'll send WhatsApp updates again."
- A new consent record is created with the re-opt-in timestamp.
About 5 to 10% of opted-out customers eventually re-opt-in.
Compliance audit reports
Export consent records for compliance audits:
- Dashboard > Contacts > WhatsApp Consent > Export.
- Pick date range.
- Download CSV. Includes phone, opt-in timestamp, channel, wording, IP.
Useful when Meta or a regulator requests proof of consent.
Per-region rules
Specifics by jurisdiction:
India (TRAI).
- Consent must be verifiable.
- Wording must be clear ("commercial messages on WhatsApp").
- Opt-out must be honored within 24 hours.
- Penalty: ₹500 per unsolicited message.
EU (GDPR).
- Consent must be freely given, specific, informed, unambiguous.
- Easy withdrawal mechanism (STOP keyword).
- Records are retained for the length of the relationship plus a buffer for evidence.
US.
- TCPA applies to SMS but also some WhatsApp use cases.
- Opt-in via a clear and conspicuous statement.
- Some states (California, Florida) have stricter rules.
Other markets. Australia (Spam Act), UK (PECR), Canada (CASL), Brazil (LGPD) all have similar consent requirements.
Configure jurisdiction-specific consent wording under Workspace Settings > WhatsApp Consent.
Sample customer journey
End-to-end opt-in flow:
- Customer chats with widget asking about delivery. Bot answers.
- Customer asks: "Can you update me when my order ships?"
- Bot triggers collect_lead to capture phone.
- Customer provides phone.
- Bot asks: "Want WhatsApp updates on your order? Reply YES or NO."
- Customer: YES.
- AskVault records opt-in with phone, timestamp, wording.
- Order ships next day. Outbound WhatsApp template fires.
- Two weeks later, customer texts STOP.
- Auto-opt-out within 30 seconds. Confirmation message sent.
Fully customer-controlled, with a complete audit trail.
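The consent record fields, the opt-out and revival keyword rules, and the sample journey above, modelled in one place. This is an added example, not AskVault's code: the ConsentRecord and ConsentLedger names, the run_journey helper and the timestamps are assumptions; the keywords, auto-replies, record fields and 24-hour window are taken from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Keywords, replies and the 24-hour window are from the page; class and method names are assumptions.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "STOPALL", "CANCEL", "QUIT", "END"}
REVIVAL_KEYWORDS = {"START", "SUBSCRIBE"}
REPLY_WINDOW = timedelta(hours=24)
@dataclass
class ConsentRecord:            # the fields the page says each consent event stores
    phone: str                  # E.164
    status: str                 # "opt_in" or "opt_out"
    channel: str                # widget, web form, inbound message
    timestamp: datetime
    wording: str                # text shown to, or sent by, the customer
    ip: str = ""                # web-based opt-in only (user agent would sit beside it)

class ConsentLedger:
    def __init__(self):
        self.history = {}       # phone -> [ConsentRecord], append-only audit trail
        self.state = {}         # phone -> current status
        self.last_inbound = {}  # phone -> time of the customer's last message
    def add(self, phone, status, channel, wording, now, ip=""):
        self.history.setdefault(phone, []).append(ConsentRecord(phone, status, channel, now, wording, ip))
        self.state[phone] = status
    def handle_inbound(self, phone, text, now):
        """Apply the keyword rules to one inbound message; returns the auto-reply or None."""
        self.last_inbound[phone] = now
        word = text.strip().upper()  # keywords are case-insensitive
        if word in OPT_OUT_KEYWORDS:
            self.add(phone, "opt_out", "inbound message", text, now)
            return "You've been unsubscribed from WhatsApp updates. Reply START to opt back in."
        if word in REVIVAL_KEYWORDS and self.state.get(phone) == "opt_out":
            self.add(phone, "opt_in", "inbound message", text, now)  # new record, re-opt-in timestamp
            return "Welcome back. We'll send WhatsApp updates again."
        return None
    def may_send(self, phone, now, template=True):
        """Templates need an active opt-in; free-form replies only need a customer message in the last 24h, even after STOP."""
        if not template:
            last = self.last_inbound.get(phone)
            return last is not None and now - last <= REPLY_WINDOW
        return self.state.get(phone) == "opt_in"

def run_journey():  # the page's sample customer journey, with constructed timestamps
    t0, phone, ledger = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc), "+918012345678", ConsentLedger()
    ledger.add(phone, "opt_in", "widget", "Want WhatsApp updates on your order? Reply YES or NO.", t0)
    ship_ok = ledger.may_send(phone, t0 + timedelta(days=1))           # order ships, template fires
    stop_at = t0 + timedelta(days=14)
    reply = ledger.handle_inbound(phone, "stop", stop_at)              # lowercase keyword still counts
    blocked = not ledger.may_send(phone, stop_at + timedelta(days=1))  # outbound templates now blocked
    in_window = ledger.may_send(phone, stop_at + timedelta(hours=1), template=False)
    revived = ledger.handle_inbound(phone, "START", stop_at + timedelta(days=30))
    return ship_ok, reply, blocked, in_window, revived, len(ledger.history[phone])
```

The history list is never rewritten, only appended to, so every status change keeps its own timestamp and wording for an audit export.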
Webhook events
Subscribe to:
- whatsapp.opt_in. Customer opted in.
- whatsapp.opt_out. Customer opted out (STOP keyword or manual revocation).
- whatsapp.opt_in_revived. Previously opted-out customer rejoined.
Useful for syncing consent state to your CRM.
Planned features (on the roadmap)
Documented for accuracy:
- Granular opt-in. Today, opt-in is global per channel. Planned: per-message-category opt-in (transactional yes, marketing no).
- Double opt-in. Today, single-step. Planned: configurable double-opt-in (initial YES plus a confirmation click).
- Cross-channel opt-in. Today, per-channel. Planned: unified consent across WhatsApp, SMS, email with per-channel toggles.
- Auto-renewal of consent. Today, consent doesn't expire. Planned: re-confirmation flow at configurable intervals (e.g., every 24 months) for GDPR strict mode.
Limits
- Consent records per workspace. No hard cap.
- Auto-handled opt-out keywords. 6 (STOP, UNSUBSCRIBE, STOPALL, CANCEL, QUIT, END).
- Opt-out propagation time. Under 30 seconds.
- Consent retention. 365 days standard, 6 years Enterprise.
Common pitfalls
Sending templates to opted-out numbers. AskVault blocks these automatically; if you bypass via direct Twilio calls, you risk account suspension. Always route through AskVault.
Opt-in wording too vague. "Get updates" without specifying the channel is insufficient for GDPR. Always say "WhatsApp messages" explicitly.
Pre-checked opt-in checkboxes. Some jurisdictions reject pre-checked consent. Default to unchecked.
Forgetting to capture opt-in source. If audited, "we had consent somewhere" isn't enough. Record the source (form name, page URL).
FAQ
Is implicit opt-in valid when a customer messages first?
For a 24-hour reply window, yes. Outside the window, you need explicit opt-in for template-based outreach.
Can I send a one-off message without opt-in?
No. WhatsApp policy applies to every outbound message. Inbound replies within 24 hours of a customer message are free-form: no template, no opt-in needed.
What happens if Meta flags my account?
WhatsApp issues a quality-rating drop or full suspension. Resolution requires demonstrating consent records. Save opt-in evidence rigorously.
Can I migrate opt-in state from another platform?
Yes, via bulk CSV upload under Contacts > Bulk Import. Include the original opt-in timestamp and source.
Does opt-in transfer if I change my Twilio number?
Yes. Opt-in is keyed to phone-number pair (yours + theirs). Changing your number requires either re-opt-in (cleanest) or a documented migration notice (acceptable in some jurisdictions).