WhatsApp Operators Daily · The Blueticks Dispatch · Tuesday, June 23, 2026
Industry News

WhatsApp Opt-In Compliance Requirements: Meta's Rules for Collecting Consent Without Getting Flagged

Most WhatsApp bans don't come from sending too much. They come from sending to people who never properly opted in. Here's exactly what Meta requires, the disclosure copy to use, and how to keep your number off the block list.

By Maya Cohen · June 23, 2026 · 11 min read

If your WhatsApp number gets blocked or your quality rating drops to red, the usual diagnosis is "you sent too many messages." That's rarely the real cause. The real cause is sending to people who never gave you clean, provable consent in the first place, then getting blocked and reported by enough of them that Meta's systems throttle you.

Meta's opt-in rules are not vague. They're written down, they're specific, and they put the entire burden of proof on you, the sender. This is the compliance and policy angle: not how to build an opt-in form (we cover that in our opt-in collection guide) or which widget to use (see the opt-in widget walkthrough), but what actually makes consent valid in Meta's eyes and what gets numbers flagged.

The WhatsApp Business Messaging Policy is blunt about the baseline. You may only contact people on WhatsApp if two things are true: they have given you their mobile phone number, and you have received opt-in permission confirming they wish to receive subsequent messages or calls from you. Meta makes you "solely responsible for determining the method of opt-in" and for obtaining it in a way that complies with the laws that apply to your communications.

Read that twice. Meta is not going to validate your consent for you. If a complaint lands, the question is whether you can show the person actively agreed.

That word "active" matters. An opt-in has to be an affirmative action the person takes. The following do not count as valid consent:

  • A pre-checked checkbox the user has to uncheck to decline.
  • "We already have your number from your order, so we'll message you."
  • Consent buried in a Terms of Service acceptance with no mention of WhatsApp.
  • A phone number scraped, purchased, or imported from another platform.

Two more requirements sit on top of "active." The opt-in must clearly state the name of the business the person is opting in to hear from, and it must make clear the person is opting in to receive communication from that business. Generic language like "subscribe for updates" without naming you fails this.

One point that trips people up: the opt-in does not have to happen inside WhatsApp. You can collect it on any third-party channel — your website, your app, a checkout page, an in-store tablet, an SMS reply, a QR code. Meta dropped the old requirement that opt-in flow through a specific platform. What can't change is the substance: active action, your business name, clear statement that they'll get WhatsApp messages from you.

Single vs. double opt-in: what each is, and when double is worth it

Single opt-in is one affirmative action. The person ticks a box, taps a button, or sends a keyword, and they're on your list.

Double opt-in adds a confirmation step. After the first action, you send a message asking them to confirm (reply YES, tap a button), and only confirmed contacts get added. The classic example: they tick the box on your form, then receive a WhatsApp message saying "Reply YES to confirm you want updates from [Business]."

Here's the part to get right, because it's a common myth. Double opt-in is a best practice, not a Meta requirement. Meta's policy requires valid opt-in. It does not mandate a second confirmation step. Double opt-in is also widely treated as the gold standard for GDPR, but even GDPR doesn't strictly require it — it's the cleanest way to prove consent, not a legal mandate.

So when is double opt-in actually worth the friction it adds?

  • You're collecting at scale or from cold-ish sources (lead-gen forms, contests, gated downloads). The extra step filters out fat-fingered numbers and people who didn't realize they were signing up for WhatsApp. That directly protects your block/report rate.
  • You operate in the EU/EEA or other strict-consent jurisdictions. The confirmation message is your timestamped proof.
  • Your opt-in point is ambiguous — e.g., a single checkbox covering email, SMS, and WhatsApp at once.

When is single opt-in fine? High-intent, low-ambiguity moments: a checkout box that explicitly says "Send my order updates via WhatsApp from [Business]," or a click-to-chat where the person is clearly initiating. If the consent moment is unmistakable and you're logging it properly, single opt-in is compliant.

Decision framework: the more doubt there'd be about whether this specific person knowingly agreed to WhatsApp from you, the more you want double opt-in.

Required disclosure language: the three things every opt-in must state

Every opt-in moment needs to answer three questions for the user, in plain language, before they act:

  1. Who is messaging them — your actual business name, not a vague brand-adjacent phrase.
  2. What they'll receive and roughly how often — message type (order updates, promotions, both) and a frequency sense.
  3. How to opt out — that they can stop anytime, and how.

Copy-paste starting point for a website form checkbox:

☐ Yes, send me order updates and occasional offers from Acme Footwear on WhatsApp (a few messages a month). Reply STOP anytime to unsubscribe.

For a higher-frequency marketing list, be honest about cadence:

☐ I want Acme Footwear to message me on WhatsApp with weekly deals and new drops. Standard message rates may apply. Reply STOP to opt out.

For a double opt-in confirmation message sent in WhatsApp:

Hi! This is Acme Footwear. You asked to get updates from us here. Reply YES to confirm, or ignore this message and we won't message you again. You can reply STOP anytime to unsubscribe.

Notice what each version does: names the business, sets expectations on content and frequency, and states the opt-out. If you'd be embarrassed to show a Meta reviewer the exact words next to your opt-in button, rewrite them.

Collecting per channel: the right mechanic for each, and where each goes wrong

The opt-in moment differs by channel, and each has a specific failure mode.

Website / landing-page form. Mechanic: an unchecked checkbox with the disclosure language above, next to a phone field. Goes wrong when the box is pre-checked, when WhatsApp isn't named (just "updates"), or when the consent text is a link nobody reads. Fix: inline, unchecked, business named, WhatsApp named.

Click-to-WhatsApp (CTWA) ads. This is the biggest misunderstanding in the whole policy. When someone taps your Facebook or Instagram ad and lands in a WhatsApp chat, that tap opens a 24-hour customer-service window and signals consent for that conversation session. It is not ongoing marketing opt-in. You cannot start blasting promotional template messages to that person days later on the strength of the ad click alone. Goes wrong when businesses treat every ad-click as a permanent marketing subscriber. Fix: use the welcome message to explicitly ask for marketing opt-in — "Want deals and updates from us here? Tap Subscribe." — and only then add them to your promotional list.

Click-to-chat links (wa.me). When a person initiates by messaging you first via a wa.me link or QR code, that opens the conversation, but a customer messaging you first is not marketing consent. Inbound contact lets you reply within the service window; it doesn't license future promos. Goes wrong when a "Message us on WhatsApp" button gets treated as list signup. Fix: collect a separate explicit marketing opt-in in the chat before adding them to campaigns.

Checkout. Mechanic: a clearly worded, unchecked WhatsApp consent option at the point of purchase. The strongest moment you have, because intent is high. Goes wrong when the box is bundled into "I agree to the terms" or pre-checked to boost numbers. Fix: a standalone, explicit checkbox naming WhatsApp and your business.

The through-line: a transaction or an inbound message is not marketing consent. Someone buying from you or messaging you first does not equal permission to send promotional broadcasts. Marketing consent is always obtained separately and explicitly.

Because Meta puts the burden of proof on you, an opt-in you can't evidence is an opt-in you don't have. For every contact, log:

  • Timestamp — exact date and time of the opt-in action.
  • Source / channel — where it happened (checkout page, /signup form, CTWA welcome flow, in-store QR).
  • Consent text shown — the exact disclosure wording the person saw and agreed to. If you change your form copy, version it, so you know which wording each contact accepted.
  • Identifier — the phone number (and any account/customer ID) the consent attaches to.

A minimal record looks like this:

{
  "phone": "+15551234567",
  "opted_in_at": "2026-06-12T14:31:08Z",
  "source": "checkout_page_v3",
  "consent_text": "Yes, send me order updates and occasional offers from Acme Footwear on WhatsApp...",
  "consent_type": "single",
  "ip": "203.0.113.42"
}

Keep these records for as long as the contact is on your list, plus a retention buffer afterward to cover late complaints (your legal counsel should set the exact window based on your jurisdiction; many businesses keep consent logs for several years). When someone opts out, log that too, with its own timestamp.
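The logging rules above, as an added example (not code from the article or from Blueticks): an append-only ledger that versions the consent wording by hash, logs opt-outs as their own events, and derives marketing eligibility by replaying a contact's history. The class, method and event-kind names are hypothetical, and the substring check on the consent wording is an assumed minimal check, not Meta's validation.

```python
import hashlib
from datetime import datetime, timezone
# Contact that opens a service session but never grants marketing consent.
SESSION_ONLY = {"ctwa_click", "inbound_message"}

class ConsentLedger:
    """Append-only consent log; eligibility is derived by replaying events."""

    def __init__(self):
        self.events = []   # appended only, never edited or deleted
        self.texts = {}    # sha256 of consent text -> exact wording shown

    def _append(self, phone, kind, source, text=None):
        text_id = None
        if text is not None:
            # Version wording by content hash: ties each contact to the copy shown.
            text_id = hashlib.sha256(text.encode("utf-8")).hexdigest()
            self.texts.setdefault(text_id, text)
        event = {"phone": phone, "kind": kind, "source": source,
                 "consent_text_id": text_id,
                 "at": datetime.now(timezone.utc).isoformat()}
        self.events.append(event)
        return event

    def opt_in(self, phone, source, text, business, double=False):
        # Assumed minimal check: the wording must name the business and WhatsApp.
        if not all(s in text.lower() for s in (business.lower(), "whatsapp")):
            raise ValueError("consent text must name the business and WhatsApp")
        return self._append(phone, "opt_in_pending" if double else "opt_in", source, text)

    def record(self, phone, kind, source):
        """Log a reply-YES confirmation, a STOP opt-out, or session-only contact."""
        if kind not in SESSION_ONLY | {"opt_in_confirmed", "opt_out"}:
            raise ValueError(f"unknown event kind: {kind}")
        return self._append(phone, kind, source)

    def marketing_proof(self, phone):
        """Return (opt-in event, consent text) backing current consent, else None."""
        proof = pending = None
        for e in (e for e in self.events if e["phone"] == phone):
            if e["kind"] == "opt_in":
                proof, pending = e, None
            elif e["kind"] == "opt_in_pending":
                pending = e
            elif e["kind"] == "opt_in_confirmed" and pending:
                proof, pending = dict(pending, confirmed_at=e["at"]), None
            elif e["kind"] == "opt_out":
                proof = pending = None   # STOP takes effect immediately
        return (proof, self.texts[proof["consent_text_id"]]) if proof else None
```

An opt-out leaves the earlier opt-in event in `events`, so the history stays available for late complaints while `marketing_proof` returns `None` for that contact.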

Quality rating, opt-out handling, and staying off the throttle list

Meta scores each WhatsApp Business number with a quality rating, surfaced as green (high), yellow (medium), or red (low). The rating is driven largely by how recipients react: blocks and reports push it down, and they're the signals Meta cares about most. A handful of "this is spam" reports from people who don't recognize you does real damage.

The mechanics changed recently and the terminology with it, so be precise. As of late 2025, Meta removed the old "Flagged" status, and a quality drop no longer triggers an automatic, immediate downgrade of your sending limit. Instead a low rating gives you a correction window and, critically, blocks you from scaling up to higher tiers. The policy also states plainly that Meta's systems will limit how much a business can send if its quality tier stays low for a sustained period.

It helps to know the tiers your sending limit moves through. New portfolios typically start around 250 customer-initiated conversations per day, then step up to 1,000, 10,000, 100,000, and ultimately unlimited as you send quality volume to engaged recipients. Note that these limits are now managed at the business portfolio level, so all numbers in your portfolio share the allowance — one bad number can drag the rest.

To stay healthy:

  • Honor STOP and blocks immediately, on or off WhatsApp. The policy requires you to respect every request to opt out, block, or discontinue, including removing the person from your contact list. If someone replies STOP, they come off the list that moment — not next batch.
  • Keep frequency disciplined. The fastest way to earn blocks is over-messaging. Match the cadence you promised at opt-in.
  • Send to engaged people. Recipients who expect your messages don't report them. Pruning dead contacts protects the live ones.

Common mistakes that get numbers flagged or banned

  • Importing a list you didn't opt in. Buying numbers, scraping them, or migrating an email list to WhatsApp without fresh consent. This is the number-one cause of mass blocks.
  • Treating a CTWA ad click or an inbound message as a marketing subscription. Session consent is not list consent.
  • Pre-checked boxes and bundled consent. "I agree to the terms" cannot carry your WhatsApp opt-in.
  • No business name in the opt-in. "Subscribe for updates" with no named sender fails the policy.
  • Ignoring STOP. Continuing to message someone who opted out is both a policy violation and a guaranteed report.
  • Blasting the whole list at once on day one. Sudden high volume from a new number with no engagement history reads as spam to Meta's systems.
  • No consent records. When a complaint comes and you can't show the opt-in, you have no defense.

FAQ

Does Meta require double opt-in for WhatsApp? No. Meta requires valid opt-in — an active, affirmative action that names your business and confirms the person wants WhatsApp messages from you. Double opt-in is a best practice that strengthens your proof of consent, especially under GDPR, but it is not a Meta requirement.

Can I collect WhatsApp opt-in on my website instead of inside WhatsApp? Yes. Opt-in can be collected on any third-party channel — website, app, checkout, in-store, SMS, QR code. It no longer has to happen inside WhatsApp. The requirements (active action, business name, clear statement they'll receive WhatsApp messages from you) stay the same wherever you collect it.

A customer messaged me first. Can I send them marketing messages? Not automatically. An inbound message or a CTWA ad click opens a conversation session, but it is not marketing consent. To send promotional broadcasts later you must obtain a separate, explicit marketing opt-in.

Is the "Flagged" status still a thing? Meta removed the "Flagged" status in late 2025, and a quality-rating drop no longer auto-downgrades your sending limit. But a low (red) quality rating still blocks you from scaling to higher messaging tiers, and sustained low quality will get your sending throttled.

What drives my quality rating down? Mainly recipient blocks and "report spam" actions. The fix is upstream: clean opt-in, honest frequency, and sending only to people who actually expect to hear from you.

How long should I keep opt-in records? For as long as the contact is active, plus a retention buffer for late complaints. Set the exact period with your legal counsel based on your jurisdiction; many businesses retain consent logs for several years.

Collecting and managing opted-in subscribers in Blueticks

Once you have a clean, opted-in list, Blueticks is where you run the campaigns to it. You collect consent on your own channels using the mechanics above, log the proof, and then use Blueticks to message the people who already said yes.

Blueticks doesn't make you compliant or "ban-proof" — that responsibility stays with you as the sender, and no tool can manufacture consent you didn't collect. What it does is let you organize opted-in contacts into audiences and run scheduled or bulk campaigns to them cleanly, so you're not pasting numbers one by one or sending faster than you promised.

The Free plan can run bulk campaigns (the one-message limit applies only to single scheduled messages, not campaigns) and adds a "Powered by blueticks.co" footer to messages. Pro removes the branding and is built for higher-volume, recurring campaigns. Either way, the rule that keeps you safe is the same one Meta cares about: only send to people who actively opted in, honor every STOP, and keep your consent records.

Get started by installing the Blueticks extension, then build the opt-in flow itself with our opt-in collection guide and the opt-in widget walkthrough.
