How does consent apply to SMS, WhatsApp, or push channels?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've got a subscriber who opted into your email list. Does that mean you can text them too? Or send them a WhatsApp message? Or fire off a push notification? The short answer is no. Each channel needs its own consent, and in most cases that consent has to be explicit and documented.

Here's why: email, SMS, WhatsApp, and push notifications are treated as separate communication channels under most privacy and consumer protection laws. Consent for one does not carry over to another. If you assume it does, you're likely breaking rules.

SMS

SMS is the most tightly regulated of the three. In the US, the Telephone Consumer Protection Act (TCPA) requires prior express written consent before sending any marketing text. That means a checkbox specifically for SMS, not buried in your general terms, not implied from a purchase, not borrowed from your email opt-in. The consent language must clearly state that the person agrees to receive recurring automated text messages from you. Violations carry fines of $500 to $1,500 per text, so this one's worth getting right.

TCPA also applies to automated calls and ringless voicemails, but SMS is where most brands trip up. If you're using a platform like Twilio or a dedicated SMS tool, they'll often prompt you to capture compliant consent. Don't skip those steps.

WhatsApp

WhatsApp Business has its own consent requirements on top of any local laws. Meta requires that you get explicit opt-in before messaging anyone on the platform, and that opt-in must be obtained outside of WhatsApp itself (on your website, at checkout, etc.). You also have to clearly identify yourself as the sender and tell people what kind of messages they'll receive. WhatsApp can suspend your Business account if you violate this, and they do enforce it.

If you're in the EU, GDPR applies on top of WhatsApp's rules. That means the opt-in needs to be freely given, specific, informed, and unambiguous. A pre-ticked box won't cut it.

Push Notifications

Browser and app push notifications are opt-in by nature since the operating system or browser prompts the user before any messages can be sent. That prompt is your consent mechanism. The key issue is timing and framing. Asking for push permission the second someone lands on your site almost always gets declined. Asking after they've had a reason to say yes (they just completed a purchase, they bookmarked something, they signed up) works much better.

Even with a yes at the OS level, some privacy laws (especially GDPR) require that you document what the user consented to and when. Keep records. And always make it easy to turn notifications off, not just at the OS level but within your own settings too.

The rule across all three channels

Consent must be channel-specific, clearly described, and easy to withdraw. If you're running a multi-channel setup, a single "stay in touch" checkbox doesn't cover you for SMS, WhatsApp, and push all at once. Each channel needs its own opt-in with its own clear description of what the person is agreeing to receive.

And if you're not sure whether your current consent flow covers all the channels you use, our SOS hotline is free and we're happy to take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get channel-specific consent advice

I read this on the Email Almanac about consent for SMS, WhatsApp, and push notification channels. Help me audit my current consent setup across these channels: 1. What consent language or checkboxes do I need for each channel I use? 2. Which regulations apply to my audience locations (TCPA, GDPR, CASL, etc.)? 3. What records do I need to keep to prove consent if challenged? 4. What should I do if I've already been messaging people without proper per-channel consent? --- My details (fill in what applies): - Channels in use: email / SMS / WhatsApp / push / other - SMS or messaging platform: e.g. Twilio, Klaviyo, HubSpot, other - Audience locations: US only / EU / global / specific countries - How consent is currently captured: checkbox at signup / purchase flow / general terms / other - Business type: B2C / B2B / both - Consent records stored: yes / no / partially - Any specific concern or incident: describe

Edit the yellow boxes, then send to the AI of your choice.