Opt-in & Consent - DigiFist Documentation

WhatsApp’s Business Platform is a permission-based channel. Meta’s Business Messaging Policy requires explicit opt-in before any marketing message reaches a customer: “You may only contact people on WhatsApp if (a) they have given you their mobile phone number; and (b) you have received opt-in permission.” Galantis enforces this at the platform level. Every campaign, automation, and Back-in-Stock notification validates consent before a send is queued — customers without SUBSCRIBED status are excluded automatically. You can’t accidentally message a non-opted-in customer through Galantis.

Sending marketing messages to non-opted-in customers is a Meta policy violation. It drives high block rates, damages your phone number’s quality rating, and can result in throttling or suspension. Manual imports of unconsented “customer lists” are the most common cause of this — see Manual import for the rules.

Galantis tracks consent per customer using the marketing_state field. Every customer has exactly one state at any time:

State	Meaning	Can receive marketing?
`SUBSCRIBED`	Customer has explicitly opted in	✅ Yes
`PENDING`	Consent captured, awaiting confirmation (e.g. double opt-in flow)	❌ No
`NOT_SUBSCRIBED`	No opt-in on record	❌ No
`UNSUBSCRIBED`	Previously opted in, now opted out	❌ No
`UNKNOWN`	No consent information available	❌ No
`INVALID`	Bad or unverifiable data	❌ No
`REDACTED`	GDPR / data deletion applied	❌ No (permanently excluded)

Only SUBSCRIBED customers are eligible for marketing-category sends. Campaigns and automations filter the audience automatically — there’s no manual override.

Utility, authentication, and service messages to existing customers don’t require marketing opt-in but still need the customer to have provided their phone number for a legitimate business reason (e.g. checkout, shipping confirmation). See Templates vs session messages for which message categories require what consent.

Galantis supports four collection methods. Each results in a SUBSCRIBED or PENDING state being recorded with a timestamp and source — the proof of consent you’ll want if Meta or a regulator ever asks.

Shopify checkout
Back-in-Stock widget
Storefront chat widget
Manual import

An opt-in checkbox at checkout. When the customer checks the box and the order completes, Shopify fires the customers/marketing_consent_updated webhook and Galantis records the consent with source: shopify_checkout, the timestamp, and the order ID.Most stores rely on this as their primary capture method. The checkbox text and position are configured in your Shopify checkout settings.

Use plain, specific opt-in language (“I want to receive WhatsApp messages about my orders and offers from [Store]”) rather than a generic “marketing updates.” Specific language drives lower block rates after the first send.

Customers can be imported manually into Galantis with explicit consent confirmation at the time of import — for example, consent that was collected through an in-store sign-up form, a printed flyer with QR code, or a third-party form.

Manual import as SUBSCRIBED requires verifiable proof of opt-in. Importing customers without a valid opt-in record (purchased lists, scraped numbers, “they bought from us so they must want marketing”) is a Meta policy violation and almost always results in phone-number quality damage within days.

Required fields on import: source description, opt-in date, and a brief reference to the consent record (form ID, location, etc.). These are stored alongside the customer for audit purposes.

If Meta investigates a quality issue, or a regulator asks under GDPR / LGPD / CCPA, you’ll need to show how each customer consented. Galantis retains:

Consent source (Shopify checkout, BIS widget, chat widget, manual import)
Timestamp of opt-in
Reference identifier (Shopify order ID, BIS subscription ID, chat thread ID, manual-import reference)
Opt-in language shown to the customer at the time (where applicable, captured automatically for Shopify checkout)

Access this per-customer in Audience → Contacts → [Customer Name] → Consent history. It’s exportable from the same screen for legal or audit responses. Consent validation runs automatically in three places:

Campaigns

The campaign send job filters the final audience to SUBSCRIBED only. Customers in any other state are excluded from the send, even if they appear in a selected list or segment.

Automations

Before an automation’s message action dispatches, Galantis validates the customer’s state. UNSUBSCRIBED and REDACTED customers are skipped and the skip is recorded in the automation’s activity log.

Back-in-Stock

Restock notifications are sent only to subscribers whose state is SUBSCRIBED (or who subscribed specifically via the BIS widget, even without broader marketing opt-in).

Opt-outs

When a customer replies STOP (or a localized equivalent like “PARE”, “ARRÊT”, “STOPPEN”) to any WhatsApp message, Meta and Galantis both immediately mark them as opted-out. Their marketing_state becomes UNSUBSCRIBED. From that moment:

They’re excluded from all campaign sends
They’re skipped in every automation message action
They don’t receive Back-in-Stock notifications, even on active subscriptions

Re-subscription requires a new explicit opt-in event from the customer — re-submitting through the BIS widget, completing checkout with the opt-in box again, or a clearly logged in-store sign-up. Galantis does not allow a manual override from UNSUBSCRIBED back to SUBSCRIBED — this is intentional, to prevent accidental re-engagement of opted-out customers.

Regional regulatory overlays

Meta’s opt-in rule is a global baseline. On top of that, regional regulations add specific requirements:

GDPR (European Union, EEA, UK)

LGPD (Brazil)

Lei Geral de Proteção de Dados follows GDPR closely. Explicit purpose, granular consent, easy withdrawal. Records of consent and purpose must be maintained.

CCPA / CPRA (California, US)

California’s framework focuses on the right to know, delete, and opt out of sale or sharing of personal information. While not strictly a consent regime for marketing in the way GDPR is, California residents can request deletion via Galantis’s standard GDPR flow — see GDPR & data privacy.

Other frameworks

Similar rules apply in many other jurisdictions: PDPA (Singapore, Thailand), POPIA (South Africa), PIPL (China — note WhatsApp itself is restricted there), KVKK (Turkey). When in doubt, the GDPR-aligned approach (explicit, specific, withdrawable opt-in with audit trail) covers most other regimes.

Best practices

Use specific language at the opt-in point — “Receive WhatsApp messages about orders and offers” beats “Receive marketing communications”
Capture separate opt-ins per category where possible (transactional updates vs promotional offers). Meta’s policy explicitly recommends this for lower block rates.
Stay close to the opt-in event: contacts who opt in and receive their first message within 24-48 hours engage at much higher rates than contacts who opt in then hear nothing for weeks
Honor STOP everywhere: never re-engage UNSUBSCRIBED customers through other channels or by re-importing them
Keep the consent log — export it before any major audit or Meta investigation

GDPR & data privacy

How the REDACTED state is applied and what other data rights customers have.

Quality & deliverability

How sending to non-opted-in contacts damages your phone number rating.

Audience — consent & opt-outs

Managing consent at the audience level — bulk export, audit, and consent history.

Meta Messaging Policy

The canonical rulebook.

​Consent states

​How consent is collected

​Proof of consent — keep your audit trail

​Where consent is enforced

Campaigns

Automations

Back-in-Stock

​Opt-outs

​Regional regulatory overlays

​Best practices

GDPR & data privacy

Quality & deliverability

Audience — consent & opt-outs

Meta Messaging Policy

Consent states

How consent is collected

Proof of consent — keep your audit trail

Where consent is enforced

Opt-outs

Regional regulatory overlays

Best practices