TheSocial WhatsApp Business API Policy
A comprehensive guide on compliance, messaging standards, opt-in procedures, and technical requirements for integrations on TheSocial dashboard.
WhatsApp API Compliance & Core Guidelines
Welcome to TheSocial WhatsApp Business API Policy resource center. WhatsApp operates a highly protected, opt-in ecosystem to guard its users against marketing fatigue, fraud, and spam. Businesses utilizing TheSocial to interact with users must comply with these guidelines.
By integrating with the TheSocial WhatsApp Business console or using its webhook endpoints, you agree to adhere to the core policies described below. Compliance violations are monitored automatically by both Meta's review algorithms and TheSocial's proactive gateway safeguards.
Meta Account Verification
Prior to launching broadcasting campaigns, your business must complete Meta Business Manager Verification and possess a verified billing method.
1. User Opt-In & Explicit Consent
Under Meta policies, you must obtain explicit user consent before initiating chats outside the 24-hour customer support window.
Sending outbound messages on WhatsApp requires clear and unambiguous consent (opt-in) from the recipient. This is a core requirement of Meta's WhatsApp Business Policy. Without verified opt-in, your phone number faces high report rates and immediate suspension.
Compliance Criteria for Opt-In
- Must explicitly state that the user is agreeing to receive messages from your business on WhatsApp.
- Must clearly state the business name that the user is opting into.
- Cannot combine WhatsApp consent with general Terms of Service or email newsletter signups (must be a separate checkbox or button).
- You must keep records of the opt-in (such as timestamp, IP address, or written form) for audit requests.
Approved Opt-In Channels
You can gather opt-in through your website (checkbox in forms), a QR code, an interactive voice response (IVR) system, a direct WhatsApp message initiated by the customer, or in-person physical sign-ups.
2. Prohibited Industries & Content
WhatsApp enforces zero-tolerance restrictions on specific industries. Operating in these verticals will lead to API termination.
Meta's WhatsApp Commerce Policy governs what products and services can be traded or promoted. Many business sectors are entirely banned from using the WhatsApp Business API.
Banned Verticals (Zero-Tolerance)
Businesses offering the following cannot use the WhatsApp Business API under any circumstances:
- Weapons, firearms, and ammunition
- Adult services, pornography, and dating apps
- Tobacco, e-cigarettes, and related paraphernalia
- Illegal drugs, prescription medication, and unsafe supplements
- Real-money gambling, sports books, and betting services
- Alcohol sales and manufacturing
Restricted Verticals (Pre-Approval)
The following sectors are subject to strict regulations and require supplementary compliance documentation:
- Cryptocurrency & Web3: Prohibited from running direct token promotion; allowed only for transactional updates with strict pre-approvals.
- Financial Services: Must be licensed and undergo additional verification checks.
- Healthcare & Pharmacy: Banned from selling clinical drugs; patient notifications are allowed for licensed healthcare clinics.
3. Message Template Regulations
Outbound business-initiated chats must use templates pre-approved by Meta. Formatting errors or spam-like phrasing trigger rejections.
All proactive outreach messages must be formatted as **Message Templates** and approved by Meta's automated screening system before execution. Templates are categorized into three distinct buckets:
Transaction Updates
For sending order receipts, account alerts, shipping tracking, or service updates. High approval rates.
One-Time Passcodes
For secure login verification codes (OTPs) and account recoveries. Strict structural templates required.
Promotional Messages
Offers, news, cart reminders, or feedback forms. Audited strictly for spam. Subject to higher pricing.
Example of a correctly formatted template:
"Hi {{1}}, your reservation at {{2}} is confirmed for {{3}}. To cancel or reschedule, tap below."
4. Opt-Out & User Controls
Users must be given an immediate, frictionless method to stop receiving your messages directly from the WhatsApp UI.
Unlike SMS or email, WhatsApp users can block or report a business with a single click. To protect your phone number's health rating, you must provide explicit opt-out pathways.
Required Opt-Out Implementation
We strongly recommend attaching a "Stop Outreach" or "Opt-Out" quick-reply button at the bottom of all marketing templates. Giving users this path makes it far less likely that they will choose "Report Spam" to stop messages.
Your webhooks must capture incoming keywords like STOP, UNSUBSCRIBE, or CANCEL. TheSocial handles keyword-triggered suppression lists automatically to ensure instant compliance.
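As an added illustration of the opt-in records from section 1 and the keyword-driven suppression described above (example code, not TheSocial's gateway logic), this hypothetical in-memory ledger stores the audit evidence, suppresses a number on STOP/UNSUBSCRIBE/CANCEL, and gates business-initiated sends against the 24-hour support window:

```python
import re
from dataclasses import dataclass, field

# Opt-out keywords named in the policy; matched as the whole message.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL"}
SUPPORT_WINDOW_SECONDS = 24 * 3600  # Meta's customer support window


@dataclass
class ConsentLedger:
    """Hypothetical in-memory consent store (a real integration persists it).
    Times are Unix epoch seconds so the logic is independent of time zones."""
    opt_ins: dict = field(default_factory=dict)       # phone -> evidence record
    suppressed: set = field(default_factory=set)      # phones that opted out
    last_inbound: dict = field(default_factory=dict)  # phone -> last customer message

    def record_opt_in(self, phone, channel, ip, consented_at):
        # Keep the audit evidence the policy asks for: source, IP and timestamp.
        self.opt_ins[phone] = {"channel": channel, "ip": ip, "at": consented_at}
        self.suppressed.discard(phone)  # a new opt-in supersedes an earlier opt-out

    def handle_inbound(self, phone, text, received_at):
        """Webhook hook for every customer message. Returns True on opt-out."""
        self.last_inbound[phone] = received_at  # opens or refreshes the 24h window
        normalized = re.sub(r"[^A-Z]", "", text.upper())  # "Stop!" -> "STOP"
        if normalized in OPT_OUT_KEYWORDS:
            self.suppressed.add(phone)
            return True
        return False

    def can_send(self, phone, now, marketing=False):
        """Gate every business-initiated send:
        - marketing templates never reach a suppressed number;
        - inside the 24h window a support reply is always allowed;
        - outside it, only numbers with recorded opt-in (and no opt-out) qualify."""
        if marketing and phone in self.suppressed:
            return False
        last = self.last_inbound.get(phone)
        if last is not None and 0 <= now - last <= SUPPORT_WINDOW_SECONDS:
            return True
        return phone in self.opt_ins and phone not in self.suppressed
```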
5. Quality Ratings & Messaging Tiers
Your daily messaging capacity escalates or decreases automatically based on user engagement metrics and reports.
Meta limits the number of unique user conversations a business phone number can initiate per day. Your tier level dynamically scales based on message volume and quality scores.
| Tier | Daily Limit | Escalation Requirements |
|---|---|---|
| Tier 1 (Sandbox) | 1,000 unique customers | Auto-upgrade when sending 2x the limit within 7 days with Green quality. |
| Tier 2 | 10,000 unique customers | Achieved after consistent high-quality volume over Tier 1. |
| Tier 3 | 100,000 unique customers | Designed for massive, high-compliance enterprise broadcasting. |
| Tier 4 | Unlimited customers | Subject to continuous audits and enterprise partner review. |
Understanding Quality Ratings
Meta tracks reports and flags. Ratings are color-coded:
6. Data Privacy & Technical Security
Guidelines on API key storage, webhook token rotation, and end-to-end encryption standards.
TheSocial routes traffic over SSL and complies with global customer data protection laws. As an API integrator, you must adhere to strict security protocols to prevent token hijacking and data leakage.
All messages traveling from TheSocial to the WhatsApp servers are encrypted. Never log or store raw payloads containing credit card numbers or medical details in unencrypted databases.
Verify signature payloads on incoming webhooks to ensure they originate from TheSocial. Always rotate application tokens every 90 days or immediately upon key disclosure.
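The signature check, the 90-day rotation rule and the logging rule above, as an added example that is not TheSocial's own code. The header name X-TheSocial-Signature and the HMAC-SHA256-over-raw-body scheme are assumptions made for illustration; confirm the real header and algorithm in the integration reference before relying on this.

```python
import hashlib
import hmac
import re

# Assumed scheme (hypothetical): TheSocial signs the raw request body with
# HMAC-SHA256 under the shared app secret and sends "sha256=<hex>" in this header.
SIGNATURE_HEADER = "X-TheSocial-Signature"
TOKEN_MAX_AGE_SECONDS = 90 * 24 * 3600  # the 90-day rotation limit from the policy


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the body carries a valid signature.
    Sign the raw bytes as received (never a re-serialized JSON object) and
    compare with a constant-time function to avoid a timing side channel."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("ascii"))


def redact_for_log(raw_body: bytes) -> str:
    """Mask card-number-shaped digit runs (13 to 19 digits) before logging."""
    text = raw_body.decode("utf-8", "replace")
    return re.sub(r"\b\d{13,19}\b", "[REDACTED]", text)


def token_needs_rotation(issued_at: float, now: float, disclosed: bool = False) -> bool:
    """Rotate at 90 days, or immediately when the token is known to be exposed."""
    return disclosed or (now - issued_at) >= TOKEN_MAX_AGE_SECONDS
```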