If your brand is exploring business messaging – think RBM, WhatsApp Business, or any rich business messaging platform that lets you engage with customers via rich, branded messages – here’s something that can make or break your onboarding experience:

Your Privacy Policy.

Yep, that seemingly dusty document in your website footer might be the one thing standing between you and a smooth rich business messaging campaign launch.

Let’s unpack why.

Why Phone Number Collection Isn’t Just a Footnote

If you’re collecting phone numbers to send business messages like order updates, appointment reminders or marketing campaigns, you’re processing personal data. That brings data privacy laws like POPIA (in South Africa), GDPR (in the EU), CCPA (in California, USA) and Google or Meta platform-specific terms into play.

For business messaging using mobile phone numbers you’re required to be transparent about:

• what data you collect,
• why you collect it,
• how it will be used and stored and,
• who it may be shared with.

Wait, but I’ve already Included SMS in my Privacy Policy?

That is not good enough. You need to explicitly mention SMS and RCS or WhatsApp as the mobile channels you want to communicate with your customers.

Most companies do mention they collect personal information, including phone numbers, in their privacy policy or terms of service. But when it comes to RCS Business Messaging and WhatsApp for Business, vague doesn’t cut it. Upstream provider, like Google – who, FYI, are key players in the RCS Business Messaging ecosystem, will review your privacy policy before they approve the setup of your brand agent. Meta will similarly check your terms of service and privacy policy when verifying your business to use WhatsApp for business communications. If it’s unclear about how you collect and use mobile phone numbers, or if explicit, informed, written consent isn’t clearly spelled out, then your application will get delayed, or even denied.

RCS Business Messaging isn’t just SMS with a new label – it’s an entirely different channel with stricter compliance standards.

So, what exactly are they looking for?

Your privacy policy needs to clearly state that you collect mobile phone numbers, that are to be used specifically for business messaging (not just general “communications”), and that users have given written, informed, explicit consent.

It should also explain how users can opt-out (for example, by replying “STOP” or adjusting their preferences) and confirm that you keep records of all opt-ins and opt-outs. These records could be required for audits.

Even if you collect consent through a website or at a physical point of sale, each collection point must be transparent. People should know exactly what they’re signing up for when they give you their mobile phone number, with no confusing small print or pre-checked boxes.

Yes, it might feel like a bit of legal housekeeping – but it’s also about building customer trust. People want to know how their data is used these days, and so do the messaging channel providers that enable you to engage with your customers.

The bottom line?

Your privacy policy needs to do more than exist as a compliance requirement. It should clearly align with your business messaging strategy. If you’re serious about RCS Business Messaging or using the WhatsApp Business API service, then your privacy policy must reflect how, why and for what business purposes you are collecting a customer’s mobile phone number.

Take a moment to review your privacy policy, update the language where needed, and make sure it’s clear, compliant, and campaign-ready. A few small tweaks now can save you a lot of time (and frustration) as your business gets verified for rich business messaging.

Need help with fine-tuning your privacy policy to meet the required compliance standard? Chat with one of our agents – they’ll walk you through exactly what needs to be in there, no legalese required.

For more information visit our Kero Rich Business Messaging page.