Many companies routinely send WhatsApp blasts to thousands of customers every week. The messages usually contain discount promotions, new product launches, event reminders, or partnership offers. Because the phone numbers come from their own customers, they often think it’s considered “safe.”
However, under personal data protection regimes such as Indonesia's PDP Law or the GDPR, the status of being a “customer” does not automatically give companies the right to send promotional messages at any time.
The core issue is not simply whether the company possesses the phone number, but how the number was obtained, for what purpose it was collected, whether there was clear consent, and whether customers were given the right to stop receiving messages.
In many cases, companies are not even aware that marketing activities they have long considered normal may actually violate personal data protection principles.
Is WhatsApp Blast Legal?
Not automatically. A WhatsApp blast is not illegal in itself. Many companies use WhatsApp to send promos, payment reminders, transaction notifications, and even customer service information.
However, its legality is not determined by the platform being used, but by how the company obtains and uses the customer data.
If the number is collected lawfully, the customer gives consent to receive communications, and the company provides an opt-out mechanism, then a WhatsApp blast can generally be carried out legally.
Conversely, if messages are sent to numbers obtained without permission, used outside the original purpose of data collection, or continue to be sent even though the recipient objects, such practices can pose a risk of violating personal data protection regulations.
What Regulations Are Relevant to WhatsApp Blast in Indonesia?
WhatsApp Blast, or broadcasting on WhatsApp in Indonesia, is not governed by a single regulation. There are several interrelated layers of rules, both from the perspective of personal data protection and the use of digital communication platforms.
1. Personal Data Protection Law (PDP Law)
The Personal Data Protection Law (Law No. 27 of 2022) is the primary legal framework that must be considered before conducting WhatsApp blasts. Articles related to consent, purpose limitation, and data subject rights are directly relevant to broadcast marketing activities.
- Article 20 on consent: any processing of personal data for marketing purposes must be based on explicit consent from the owner of the phone number.
- Article 16 on purpose limitation: a number collected for shipping purposes is not automatically lawful to use for promotions.
- Articles 9 and 40 on data subject rights: every message recipient has the right to withdraw consent at any time, and this right must be respected.
There are no special exemptions for WhatsApp. Whether the blast is conducted through the API or from a regular phone, the PDP Law still fully applies.
2. GDPR (General Data Protection Regulation)
Globally, WhatsApp blast practices without consent are also a major concern under data protection regulations such as the GDPR in the European Union. This regulation emphasizes that companies may not use personal data for marketing purposes without a clear legal basis, especially consent from the data owner.
In the context of marketing communication, GDPR requires companies to have specific, clear, and provable consent before sending promotional messages to users.
Example: a company sends weekly promotional blasts to customer numbers collected through a registration form, but never specifically asked for permission to send marketing materials. Under the GDPR framework, such practices may be considered personal data processing without a sufficient lawful basis.
Therefore, companies must ensure that customers genuinely consent to receiving promotional communications and are provided with an easy option to unsubscribe (opt-out).
3. WhatsApp’s Own Platform Policies
WhatsApp’s own policies are often overlooked, even though the consequences are immediate (such as getting banned). WhatsApp Business API requires users to:
- Document explicit consent from every recipient before sending marketing template messages.
- Provide a functioning opt-out mechanism.
- Avoid using numbers imported from sources without valid consent.
Violating these policies can result in business number blocking, suspension of WhatsApp Business accounts, or removal of API access. Many mid-sized businesses have lost access to WhatsApp Business API after being reported for sending blasts without clear consent.
These three regulatory layers work simultaneously. Complying with one does not automatically exempt a company from the other two.
Key Factors in Determining the Legality of WhatsApp Blast
The legality of WhatsApp blasts cannot be judged solely by the fact that promotional messages are sent to many numbers at once.
In practice, several aspects become the main determining factors, ranging from the source of customer data, the existence of consent, to whether the use of the data is still aligned with the original purpose of collection.
1. The Numbers: Where Did They Come From?
Under the PDP Law framework, the origin of phone numbers is the most important factor in determining whether a WhatsApp blast can be legally justified.
For example, phone numbers that appear to belong to “customers” may actually have very different legal statuses depending on how the data was obtained.
Numbers Obtained Through Transactions or Forms
Numbers provided by customers when purchasing products, filling out shipping forms, or registering for services generally have a stronger legal position if collected properly.
Customers provide their numbers because they are necessary to process the transaction. However, it is important to remember: consent for transaction purposes is not the same as consent for promotions.
If customers were not informed from the beginning that their numbers would be used for WhatsApp promotions, then using them for marketing blasts may be legally challenged.
Numbers Collected from Events or Trade Shows
At many business events, visitors are often asked to scan QR codes, fill out guest books, or leave business cards in order to receive catalogs or join giveaways.
Situations like these are often treated as “automatic permission” for long-term marketing follow-ups. In reality, that is not necessarily true.
If the form only states “for event registration purposes,” but the numbers are later used for months of product promotion blasts, there may be a mismatch between the original and actual purposes of data processing.
The less information provided during data collection, the higher the legal risk.
Numbers Purchased from Third Parties or Taken from WhatsApp Groups
This is among the highest-risk categories.
There is no direct relationship between the owner of the number and the company conducting the blast. PDP Law requires consent from the data subject for the initial collection of data. Without that consent, the entire chain of data processing is legally flawed from the start.
Under PDP Law, companies cannot defend themselves by claiming “the data was purchased from a vendor,” “the numbers were publicly available,” or “all competitors do the same thing.”
When companies use personal data for marketing purposes, responsibility still lies with the party processing the data.
Old Numbers Collected Before PDP Law Came Into Effect
Many companies possess databases collected years ago, even before stricter data protection regulations existed. This creates a gray area that frequently occurs in practice.
PDP Law does not apply retroactively, but the management of data collected before the law came into force still needs to be adjusted to comply with the new requirements. Companies were required to complete this adjustment no later than two years after the law was enacted (October 2024).
This means even old databases must be reevaluated:
- whether the old consent is still relevant,
- whether customers were ever given an opt-out option,
- and whether the data usage still aligns with the original collection context.
Old databases do not automatically mean unrestricted usage without reevaluation.
2. Consent: Is It There or Not?
Under PDP Law, consent is not merely an administrative formality. Consent determines whether a company has a lawful basis for using personal data for marketing activities.
The first question that must be answered is: were users informed from the beginning that their numbers would be used for WhatsApp promotions?
If the answer is unclear, then the legal basis for using the data is also weak. Consent must also be given through a clear action, such as ticking a checkbox that specifically states, “I agree to receive promotions via WhatsApp.”
What often happens is the practice of bundled consent. For example: “by registering, you agree to the applicable terms and conditions.”
Inside lengthy terms and conditions, there may be a hidden sentence about marketing. This is not valid consent for WhatsApp blasts. The data subject did not consciously and specifically grant permission for marketing activities.
PDP Law Article 20 paragraph 2 states that consent must be given through an explicit statement or action. This means hidden clauses inside legal documents do not meet this standard.
However, there are exceptions. There are situations where WhatsApp blasts may not require new consent if they meet the principle of compatibility of purpose, meaning the processing purpose still aligns with the original reason for data collection. However, this standard is very strict and rarely fulfilled for promotional activities.
3. Purpose of Processing: Is the Data Usage Still Appropriate?
PDP Law recognizes the principle of purpose limitation, meaning personal data may only be used according to the original purpose communicated at the time of collection. This principle prevents companies from using data beyond the purposes that were initially disclosed.
Example: a customer provides a phone number when purchasing shoes online. The purpose communicated during checkout is “shipping notifications and delivery updates.” Two weeks later, the company sends a WhatsApp blast promoting its latest shoe collection.
Technically, the number was lawfully collected with consent for transactional purposes. However, promotional blasts are marketing activities, which are fundamentally different. Without separate consent for marketing purposes, this action violates the principle of purpose limitation.
The situation would be different if the data collection form explicitly stated two purposes from the beginning: “your number will be used for shipping updates and promotional WhatsApp messages.” In that scenario, both purposes were clearly disclosed and consented to from the start.
Companies often assume that a customer relationship automatically includes permission for marketing. This assumption is incorrect and unsupported under PDP Law.
4. Opt-Out Rights and Company Obligations
Under PDP Law Article 9 regarding data subject rights, individuals have the right to withdraw consent and stop certain types of data processing, including for marketing purposes.
This means every WhatsApp blast must provide a clear and accessible unsubscribe mechanism.
An adequate opt-out mechanism means:
- Unsubscribe instructions written in clear and understandable language
- A process requiring no more than two steps (for example, replying with “STOP”)
- Confirmation that the request has been processed
- Removal of the number from the marketing database within a reasonable timeframe, no later than 14 days
Furthermore, if a data subject requests complete deletion from the database and the company continues storing the number for future blasts, this becomes a serious violation. PDP Law grants individuals the right to erase their personal data without burdensome conditions.
In practice, many companies ignore unsubscribe requests for technical reasons, such as numbers being stored across three different systems, lack of coordination between marketing and IT teams, or the absence of standard procedures. Operational difficulties do not eliminate these legal obligations.
WhatsApp Business API vs. Manual Blast: Is There a Legal Difference?
Operationally, WhatsApp Business API differs from manual blasting using a regular phone. Legally, however, this difference does not change personal data protection obligations. What changes is the chain of responsibility.
When companies use WhatsApp Business API through third-party providers (such as WATI, BSPs, or other official Meta providers), two entities are involved in data processing: the company as the data controller and the service provider as the data processor.
PDP Law requires a Data Processing Agreement (DPA) between the two parties.
Critical questions that must be answered include:
- Where is customer data stored by the provider?
- Does the data leave Indonesian jurisdiction?
- How does the provider handle data deletion requests?
- Does the provider have adequate data security certifications?
- Who is responsible if a data breach occurs?
Within the Business API ecosystem, companies are responsible not only for the messages being sent, but also for the entire data management chain behind them.
For manual blasting from regular phone numbers, the chain of responsibility is shorter, but the risks are different. WhatsApp may block accounts conducting mass broadcasts without consent, and all data remains entirely under the company’s control, including the risk of leakage from lost or stolen devices.
What remains unchanged in both scenarios is the obligation to obtain consent, provide opt-out options, and limit processing purposes. These responsibilities remain attached to the company as the data controller.
Examples of Safe vs. Risky WhatsApp Blast Usage
Below are three concrete scenarios commonly encountered in practice, along with their legal conclusions.
Safe Scenario: E-Commerce with Separate Opt-In
Store A collects customer numbers through two separate channels. During checkout, there is an unchecked checkbox stating: “Send me promotions and offers via WhatsApp.”
Customers must tick the box manually. Every WhatsApp blast includes the sentence: “Reply STOP to unsubscribe.” The database is separated between customers who agreed to receive promotions and those who did not.
Conclusion: LEGALLY SAFE. There is explicit consent given voluntarily, an opt-out mechanism exists, and the data is properly separated.
Gray Area Scenario: Using Numbers from Events
Store B collects 500 numbers from a culinary exhibition. Visitors leave their numbers to receive free recipes via email. Six months later, Store B starts sending WhatsApp blasts promoting new products without explaining where the numbers came from.
Conclusion: A GRAY AREA with high risk. The original purpose (receiving recipes) differs from marketing purposes. There was no consent for WhatsApp blasts. The risk of violating purpose limitation is very real if recipients object.
Problematic Scenario: Purchased Third-Party Database
Store C purchases a database of 10,000 numbers from a provider claiming the numbers are “ready for promotion.” There is no documentation proving consent from the owners of the numbers. The origins of the numbers are unclear. Store C immediately sends blasts without including a clear opt-out mechanism.
Conclusion: CLEARLY PROBLEMATIC. There is no consent, no documentation, and no direct relationship with the data subjects. This potentially violates multiple PDP Law provisions simultaneously and creates risks of administrative sanctions and fines.
What Should Your Business Do Now?
Many companies only start thinking about compliance after their numbers are blocked, customers complain, or legal threats arise.
In reality, there are several basic steps that can be implemented immediately without major system changes.
- Audit your database sources. Separate numbers based on their origins: transactional numbers with marketing consent, transactional numbers without marketing consent, event-based numbers, and third-party purchased databases. Databases from problematic sources should immediately stop being used for blasts.
- Review all number collection forms. Is there a checkbox for WhatsApp blast consent that is not pre-checked? Does the wording specifically mention “WhatsApp” and “promotions”? If not, the forms should be revised before further use.
- Add opt-out instructions to every blast template. The sentence “Reply STOP if you no longer wish to receive messages” should become mandatory. Ensure there is an internal procedure for processing STOP requests within a maximum of 14 days.
- Document all consent records. Store proof of when and how each number gave consent. This documentation will become the primary defense if questions arise from authorities or customer lawsuits.
- Reevaluate the use of third-party providers. If using WhatsApp Business API, ensure there is a signed Data Processing Agreement. Ask the provider about data storage locations and deletion procedures in accordance with user requests.
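The opt-out requirements described earlier (clear STOP handling, confirmation, removal within 14 days) and the audit and consent-documentation steps above all come down to one thing in practice: a consent ledger that every marketing send is checked against. The following is an added illustration, not code from the original article or from any provider; the `ConsentLedger` class, its method names, the `Source` buckets and the three sample records (built to mirror the Store A, B and C scenarios) are all constructed here.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

OPT_OUT_DEADLINE_DAYS = 14  # removal deadline after a STOP request, as stated in the article


class Source(Enum):
    TRANSACTION = "transaction"   # checkout, shipping or registration forms
    EVENT = "event"               # trade shows, QR sign-ups, guest books
    THIRD_PARTY = "third_party"   # purchased lists, numbers taken from groups


@dataclass
class ConsentRecord:
    number: str
    source: Source
    purposes: frozenset                # purposes disclosed at collection, e.g. {"shipping", "marketing"}
    consented_on: str                  # ISO date of the consent action
    evidence: str                      # hypothetical: form id and checkbox wording kept as proof
    opt_out_requested: Optional[str] = None   # ISO date the STOP request arrived
    opt_out_completed: Optional[str] = None   # ISO date the number left the marketing database


class ConsentLedger:
    """Hypothetical consent store that gates every marketing send (constructed example)."""

    def __init__(self) -> None:
        self._records: dict = {}

    def record(self, rec: ConsentRecord) -> None:
        self._records[rec.number] = rec

    def may_send_marketing(self, number: str) -> tuple:
        """Return (allowed, reason). Each refusal maps to one factor the article lists."""
        rec = self._records.get(number)
        if rec is None:
            return False, "no consent record"
        if rec.source is Source.THIRD_PARTY:
            return False, "purchased or scraped source: no direct consent chain"
        if "marketing" not in rec.purposes:
            return False, "purpose limitation: consent covers " + ", ".join(sorted(rec.purposes))
        if rec.opt_out_requested is not None:
            return False, "recipient opted out"
        return True, "explicit marketing consent on file"

    def handle_reply(self, number: str, text: str, today: str) -> Optional[str]:
        """Single-step opt-out: a reply of STOP is logged and confirmed immediately."""
        if text.strip().upper() != "STOP":
            return None
        rec = self._records.get(number)
        if rec is None:
            return None
        if rec.opt_out_requested is None:
            rec.opt_out_requested = today
        return "You have been unsubscribed from WhatsApp promotions."

    def complete_opt_out(self, number: str, today: str) -> None:
        """Record that the number was actually removed from the marketing database."""
        self._records[number].opt_out_completed = today

    def overdue_opt_outs(self, today: str) -> list:
        """Numbers whose STOP request is older than the deadline and still not removed."""
        now = date.fromisoformat(today)
        return sorted(
            n for n, r in self._records.items()
            if r.opt_out_requested is not None and r.opt_out_completed is None
            and (now - date.fromisoformat(r.opt_out_requested)).days > OPT_OUT_DEADLINE_DAYS
        )

    def audit_by_source(self) -> dict:
        """Bucket numbers the way the audit step suggests: origin plus marketing-consent status."""
        counts: dict = {}
        for r in self._records.values():
            key = r.source.value + ("/marketing-consent" if "marketing" in r.purposes else "/no-marketing-consent")
            counts[key] = counts.get(key, 0) + 1
        return counts


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample records mirroring the three store scenarios in the article."""
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("+62-SAMPLE-A", Source.TRANSACTION, frozenset({"shipping", "marketing"}),
                                "2025-01-10", "checkout form: unchecked box 'Send me promotions and offers via WhatsApp'"))
    ledger.record(ConsentRecord("+62-SAMPLE-B", Source.EVENT, frozenset({"recipes_by_email"}),
                                "2025-03-02", "culinary exhibition guest book: 'free recipes via email'"))
    ledger.record(ConsentRecord("+62-SAMPLE-C", Source.THIRD_PARTY, frozenset(),
                                "2025-06-01", "vendor list, no consent documentation"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for number in ("+62-SAMPLE-A", "+62-SAMPLE-B", "+62-SAMPLE-C"):
        print(number, ledger.may_send_marketing(number))
    print(ledger.handle_reply("+62-SAMPLE-A", "STOP", "2025-07-01"))
    print("overdue:", ledger.overdue_opt_outs("2025-07-20"))
    print(ledger.audit_by_source())
```

The point of the design is that the send decision is never made from a raw number list: the ledger refuses a third-party number outright, refuses a transactional or event number whose recorded purposes do not include marketing, and refuses anyone who has replied STOP, while `overdue_opt_outs` gives the marketing and IT teams a shared report of requests that have passed the 14-day deadline.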
Conclusion
WhatsApp blasts to customer databases do not automatically violate PDP Law, but the risk of violation becomes very high if the origins of the numbers are unclear, consent is not explicit, or the processing purpose deviates from the original reason for data collection.
The most common and serious mistake many companies make is assuming that a past transaction automatically grants unlimited permission for future promotions, while also ignoring opt-out rights for operational convenience.
Companies that want to continue WhatsApp blast practices legally should immediately take three minimum actions: audit database sources, improve consent mechanisms at every data collection point, and ensure every message provides a functioning unsubscribe option.
Without these measures, marketing activities that appear ordinary can become unnecessary legal exposure.
FAQ: WhatsApp Blast and Its Legality in Indonesia
Not always. WhatsApp blasts can be conducted legally as long as the company has a clear legal basis for using the data, especially customer consent to receive promotional communications.
No. If customers only provided their numbers for transaction or service purposes, companies should not directly use them for marketing without additional consent.
Buying customer databases carries high legal risk because companies are usually unable to prove that the owners of the numbers ever consented to receiving promotions.
It depends on the context. If the company still has a valid legal basis for using the data and the customers previously agreed to receive marketing communications, the practice is generally safer than contacting numbers with no consent history.
UU ITE does not specifically regulate WhatsApp blasts or promotional spam. The greater legal risk is related to personal data protection and the use of data without consent.