WhatsApp broadcast lists: the grey zone keeping marketing managers awake
In 2026, Senegal's Personal Data Protection Commission (CDP) issued 14 sanctions against companies for unsolicited WhatsApp spam (source: CDP January 2026 report, amounts 1.2 to 18 M FCFA). On the GDPR side, equivalent fines hit Senegalese brands targeting EU diaspora.
The problem: most SME marketing managers confuse WhatsApp groups, broadcast lists, and WhatsApp Business API templates. Three mechanics, three legal regimes.
This guide synthesizes — for DPOs, marketing managers, and CMOs — what's legally allowed in Senegal in 2026, with compliant framework examples and ready-to-use opt-in clauses.
## Senegalese Law 2008-12 + GDPR = double compliance
Senegalese Law 2008-12 (Protection of Personal Data) requires:
- Free, specific, informed and prior consent (Art. 33).
- Right of access, rectification, opposition (Art. 62-65).
- Notification to CDP for automated processing (Art. 18).
- Penalties: 1 to 100 M FCFA + 1 to 7 years imprisonment (Art. 431-431-13).
GDPR (EU) applies as soon as a Senegalese SME processes EU resident data (diaspora, tourist customers):
- Legal basis: consent, contract, legitimate interest (Art. 6).
- Mandatory DPO if large-scale processing (Art. 37).
- Fines: 4% of global revenue or €20M max.
Legal conclusion: if you exclusively target Senegal residents, CDP compliance is enough. If you target EU diaspora or tourist customers, GDPR compliance is mandatory on top.
## 3 WhatsApp mechanics = 3 legal regimes
| Mechanic | Contact visibility | Consent required | Legal framework |
|---|---|---|---|
| WhatsApp group | Everyone sees everyone | Explicit join via invite link | CDP ok (contact knows) |
| Broadcast list (WA Business app) | Individual messages hidden | Prior opt-in mandatory | Strict CDP + GDPR |
| WhatsApp Business API templates (Cloud API) | Verified 1-to-1 messages | Explicit opt-in + Meta-approved template | Strictest framework |
Common trap. A broadcast list only delivers if the recipient has saved you as a contact. Many SMEs think they can sidestep opt-in this way — wrong: simply collecting a number during a purchase does not authorize marketing sends.
## The right 2026 opt-in
Legal form: written, dated, traceable, revocable. Best evidence = checkbox unchecked by default on a web form + timestamp + IP + archived consent text.
CDP + GDPR-compliant opt-in clause example:
```
[ ] I agree to receive commercial messages from [BRAND]
on WhatsApp at the number above. Maximum frequency:
2 messages / week. I can unsubscribe at any time
by replying "STOP" or emailing dpo@brand.com.
My data is processed under Law 2008-12 and GDPR.
See our privacy policy: [link].
```
Critical points:
- Checkbox unchecked by default (active consent, never passive).
- Explicit purpose ("commercial messages", not "news").
- Frequency cap announced.
- Withdrawal mechanism (STOP keyword + DPO email).
- Link to privacy policy.
Proof storage: UTC timestamp + IP + user-agent + exact text + privacy policy version at consent time. Retain 5 years after consent withdrawal (CNIL-aligned recommendation).
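A sketch of the proof storage and STOP withdrawal described above, as an added example that is not code from this guide or from any WhatsApp or CDP tooling. The function names, the in-memory list standing in for a database, and the hash chaining between records (added so that later edits to a stored proof are detectable) are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

RETENTION_YEARS = 5  # from the page: keep proof 5 years after withdrawal
# Constructed sample (not real data): test number, documentation-range IP.
SAMPLE = dict(phone="+221700000000", ip="203.0.113.7", user_agent="Mozilla/5.0",
              text="I agree to receive commercial messages ...", policy_version="v3")

def _digest(rec):  # SHA-256 over the canonical JSON of the record
    body = {k: v for k, v in rec.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _append(log, rec, now):
    rec["at"] = now.astimezone(timezone.utc).isoformat()  # always store UTC
    rec["prev"] = log[-1]["digest"] if log else ""  # chain to the previous proof
    rec["digest"] = _digest(rec)
    log.append(rec)
    return rec

def record_opt_in(log, now, checked, phone, ip, user_agent, text, policy_version):
    if not checked:  # box is unchecked by default: no tick means no consent
        raise ValueError("checkbox not ticked: no active consent")
    return _append(log, {"event": "opt_in", "phone": phone, "ip": ip,
                         "user_agent": user_agent, "consent_text": text,
                         "policy_version": policy_version}, now)

def handle_inbound(log, phone, message, now):  # reply "STOP" withdraws consent
    if message.strip().upper() != "STOP":
        return None
    return _append(log, {"event": "opt_out", "phone": phone}, now)

def may_send(log, phone):  # marketing only if the latest event is an opt-in
    events = [r["event"] for r in log if r["phone"] == phone]
    return bool(events) and events[-1] == "opt_in"

def purge_after(log, phone):  # earliest date the proof may be deleted
    events = [r for r in log if r["phone"] == phone]
    if not events or events[-1]["event"] != "opt_out":
        return None  # consent still active or number unknown
    d = datetime.fromisoformat(events[-1]["at"])
    try:
        return d.replace(year=d.year + RETENTION_YEARS)
    except ValueError:  # withdrawal dated 29 February
        return d.replace(year=d.year + RETENTION_YEARS, day=28)

def verify(log):  # False if a stored proof was edited or the chain order broken
    prevs = [""] + [r["digest"] for r in log]
    return all(r["prev"] == p and r["digest"] == _digest(r) for r, p in zip(log, prevs))
```

Call `may_send` before every marketing send and run `verify` before producing the log as evidence; timestamps passed in must be timezone-aware.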
## Segmentation and non-spam frequency
CDP doesn't define "non-spam frequency" — usage and common sense prevail. 2026 benchmarks observed across Senegalese SMEs:
| Message type | Acceptable frequency | Complaint risk |
|---|---|---|
| General promo | 1-2 / week | Low if < 2 |
| Personalized flash offer | 1 / week max | Medium |
| Content newsletter (no pushy CTA) | 1 / week | Very low |
| Birthday / personal event | 1 / year | Near zero |
| Order / shipping confirmation | Per transaction | None (transactional) |
Golden rule: if you send the same message to > 30 people the same day on a broadcast list without interest-based segmentation, you're in the CDP risk zone.
Minimum recommended segmentation: by city (Dakar / regions / diaspora), by purchase history (bought < 90d / inactive > 6 months), by interest category.
## Actual CDP sanctions 2024-2026
Public CDP Senegal cases:
- 2024 — local telecom operator: 12 M FCFA for unsolicited SMS (jurisprudence applicable to WhatsApp).
- 2025 — Dakar fashion boutique chain: 4.5 M FCFA + mandatory deletion of 18,000 numbers collected without opt-in.
- 2025 — fintech startup: 8 M FCFA for missing declared DPO + non-notified processing.
- 2026 (Jan-April): 14 sanctions, amounts 1.2-18 M FCFA, mostly WhatsApp spam + non-compliant cookies.
Average cost of a CDP complaint (Dakar law firm estimate): 3-8 M FCFA in legal fees + sanction + DPO time + reputation.
## Broadcast list compliance process
Step 1 — Audit (week 1). List: how many contacts, source of each, opt-in evidence.
Step 2 — Purge (week 2). All contacts without opt-in proof: send a single re-consent message, delete non-responders.
Step 3 — Framework (week 3). Privacy policy, processing register, internal or external DPO appointment.
Step 4 — CDP notification (week 4). Declaration if large-scale processing (> 5,000 contacts).
Step 5 — Tooling (month 2). Web form opt-in + automated "STOP" opt-out + consent dashboard.
FAQ
Can I import my iPhone contact list into a broadcast list?
Technically yes, legally no — unless each contact gave you explicit and traceable opt-in at collection time. "Address book" collection isn't a valid CDP/GDPR opt-in.
A customer who bought in-store: can they be added to a broadcast?
Not automatically. Their transaction creates a "legitimate interest" basis for transactional messages (confirmation, shipping, support). For marketing, a separate opt-in is required ("Would you like to receive our offers?" checkbox at purchase).
Is the STOP keyword mandatory?
Yes. CDP requires an easy withdrawal mechanism. STOP via WhatsApp = standard. Plus web unsubscribe form. Plus responsive DPO email < 72h.
Maximum broadcast list size in Senegal?
There is no legal limit. WhatsApp's technical limit is 256 recipients per broadcast. WhatsApp Business API: unlimited (Cloud API) but bound to Meta-approved templates.
Should I appoint a DPO if I'm an 8-employee SME?
Not mandatory for SMEs below GDPR thresholds (Art. 37), but strongly recommended in Senegal as soon as you exceed 1,000 marketing contacts. An external DPO costs 180-450 KFCFA / month.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
