How does consent apply to SMS, WhatsApp, or push channels?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've got a subscriber who opted into your email list. Does that mean you can text them too? Or send them a WhatsApp message? Or fire off a push notification? The short answer is no. Each channel needs its own consent, and in most cases that consent has to be explicit and documented.
Here's why: email, SMS, WhatsApp, and push notifications are treated as separate communication channels under most privacy and consumer protection laws. Consent for one does not carry over to another. If you assume it does, you're likely breaking rules.
SMS
SMS is the most tightly regulated of the three. In the US, the Telephone Consumer Protection Act (TCPA) requires prior express written consent before sending any marketing text. That means a checkbox specifically for SMS, not buried in your general terms, not implied from a purchase, not borrowed from your email opt-in. The consent language must clearly state that the person agrees to receive recurring automated text messages from you. Violations carry fines of $500 to $1,500 per text, so this one's worth getting right.
TCPA also applies to automated calls and ringless voicemails, but SMS is where most brands trip up. If you're using a platform like Twilio or a dedicated SMS tool, they'll often prompt you to capture compliant consent. Don't skip those steps.
WhatsApp Business has its own consent requirements on top of any local laws. Meta requires that you get explicit opt-in before messaging anyone on the platform, and that opt-in must be obtained outside of WhatsApp itself (on your website, at checkout, etc.). You also have to clearly identify yourself as the sender and tell people what kind of messages they'll receive. WhatsApp can suspend your Business account if you violate this, and they do enforce it.
If you're in the EU, GDPR applies on top of WhatsApp's rules. That means the opt-in needs to be freely given, specific, informed, and unambiguous. A pre-ticked box won't cut it.
Push Notifications
Browser and app push notifications are opt-in by nature since the operating system or browser prompts the user before any messages can be sent. That prompt is your consent mechanism. The key issue is timing and framing. Asking for push permission the second someone lands on your site almost always gets declined. Asking after they've had a reason to say yes (they just completed a purchase, they bookmarked something, they signed up) works much better.
Even with a yes at the OS level, some privacy laws (especially GDPR) require that you document what the user consented to and when. Keep records. And always make it easy to turn notifications off, not just at the OS level but within your own settings too.
The rule across all three channels
Consent must be channel-specific, clearly described, and easy to withdraw. If you're running a multi-channel setup, a single "stay in touch" checkbox doesn't cover you for SMS, WhatsApp, and push all at once. Each channel needs its own opt-in with its own clear description of what the person is agreeing to receive.
And if you're not sure whether your current consent flow covers all the channels you use, our SOS hotline is free and we're happy to take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.