There are three layers of compliance when using WhatsApp Business in LATAM, and it pays to understand them as separate layers that stack: Meta's policies (global, defined by the platform), your country's data protection law (local, defined by the regulator) and the industry standard (unwritten, defined by custom and common sense). This post walks through them in practical language, not as a substitute for legal counsel but to orient the operations owner.
The reason compliance matters isn't just legal. An operation that doesn't comply ends up with the account limited or blocked by Meta, complaints from the local regulator, or customers reporting spam and damaging the brand. Any of the three consequences halts the business. Compliance done right is what enables scale; done wrong it's what breaks scale the moment you try.
Layer 1 — Meta policies (global)
Meta's rules are published in the WhatsApp Business commercial policy and in its messaging policies. What matters operationally:
Approved HSM templates for messages outside the 24-hour window. Starting a conversation with a customer requires an approved template. Without one, you can't make first contact. Details on how to write them and how they get approved are in the post on official WhatsApp Business templates.
Explicit opt-in before the first message. Meta is clear: the customer must have agreed to receive WhatsApp communications before the company initiates contact. Opt-in can be captured on the website, during checkout, at a physical counter or in a signup form, but it must exist and be retrievable.
No buying databases. Any send to contacts without opt-in is a direct violation. Meta penalizes with limits or blocks when it detects the pattern — and detects it fast, because the opt-out ratio is disproportionate.
No mass sends without segmentation. Sending the same message to 5,000 contacts without differentiation is a spam signal for Meta. Segmentation reduces opt-out, improves account quality and enables scaling.
Clear opt-out mechanisms. The customer must be able to stop receiving messages at any time, with explicit instructions. "Reply STOP to stop receiving messages" is the standard. Opt-out must be processed immediately.
Respect template categories. Marketing doesn't masquerade as Utility. Each template declares its real intent. Consequences of mixing are covered in the templates post.
Layer 2 — Per-country data protection laws
Each LATAM country has its framework. The table summarizes the critical points. It doesn't replace consulting local legal counsel, but it shows what to check first.

| Country | Key law | Authority | Critical operational point |
| --- | --- | --- | --- |
| Ecuador | LOPDP | Superintendencia de Protección de Datos | Informed consent and limited retention. |
| Colombia | Ley 1581 (Habeas Data) | Superintendencia de Industria y Comercio | National Database Registry. |
| Chile | Ley 19.628 | Consejo para la Transparencia | Explicit consent and ARCO rights. |
| Peru | Ley 29733 | ANPD (MINJUSDH) | Database registration with ANPD. |
| Mexico | LFPDPPP | INAI | Mandatory privacy notice. |
| Argentina | Ley 25.326 | AAIP | Registration in the National Database Registry. |

Three common principles that appear in almost every law:
Consent. The customer must give explicit authorization for their data to be used for the declared purpose. Consent must be informed: the customer knows what they'll receive, how often, from which company.
Limited purpose. Data collected for one purpose (collections) cannot be used for another (marketing) without new consent.
ARCO rights (Access, Rectification, Cancellation, Opposition). The customer can request to see what data you hold, correct it, delete it, or oppose its use. The company must respond within deadlines defined by each law.
Limited retention. Data isn't kept forever. Each law sets maximum periods based on purpose.
Layer 3 — Industry standard
It's not in any law, but every regulator and every customer expects it.
Business hours. No collections messages at 22:00. The typical LATAM convention is between 8:00 and 20:00 local time. Some operations are more conservative (9:00 to 19:00).
No messages on national holidays. Collecting on December 25 generates spam reports and terrible brand perception. Each country has its calendar; the agent respects it.
Maximum contacts per customer per month. The usual standard is 2-3 messages per month per customer, unless the customer replies and a conversation stays open. Beyond that, it feels like harassment.
Clear language without aggressive tone. Professional collections doesn't use threats, doesn't hint at legal consequences without basis, doesn't pressure emotionally. The right tone is firm but respectful.
Clear sender identification. The customer must know which company is writing. Without identification at the start of the message, it feels like spam and the report comes fast.
Pause after a promise. If the customer promises to pay Friday, no pushing on Wednesday. Respect the deadline and pick up if the payment doesn't come in.
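The Layer 3 rules above, together with the opt-in and opt-out requirements from Layer 1, can be enforced as a single pre-send gate. This is an added example, not Pacunex's or Meta's code; the `Contact` fields, reason strings, fixed UTC offset and holiday entry are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

OPEN, CLOSE = time(8, 0), time(20, 0)    # send window from the post, local time
MONTHLY_CAP = 3                          # upper end of the 2-3 messages per month
HOLIDAYS = {"EC": {date(2025, 12, 25)}}  # constructed sample calendar
UTC_OFFSET = {"EC": -5}                  # assumption: fixed offset, no DST

@dataclass
class Contact:
    country: str
    opted_in_at: datetime | None = None  # consent registry: when
    opt_in_source: str | None = None     # consent registry: how
    opted_out: bool = False
    sent_this_month: int = 0
    conversation_open: bool = False
    promise_due: date | None = None      # date the customer promised to pay

def handle_inbound(contact: Contact, text: str) -> None:
    """Process the opt-out keyword as soon as the reply arrives."""
    if text.strip().upper() == "STOP":
        contact.opted_out = True

def blockers(contact: Contact, now_utc: datetime) -> list[str]:
    """Return every reason a proactive send must be held; empty list means send."""
    tz = timezone(timedelta(hours=UTC_OFFSET[contact.country]))
    local = now_utc.astimezone(tz)       # rules apply to the customer's clock
    reasons = []
    if contact.opted_in_at is None or not contact.opt_in_source:
        reasons.append("no_opt_in")
    if contact.opted_out:
        reasons.append("opted_out")
    if not (OPEN <= local.time() < CLOSE):
        reasons.append("outside_hours")
    if local.date() in HOLIDAYS.get(contact.country, set()):
        reasons.append("holiday")
    if contact.sent_this_month >= MONTHLY_CAP and not contact.conversation_open:
        reasons.append("monthly_cap")
    if contact.promise_due and local.date() <= contact.promise_due:
        reasons.append("promise_pending")
    return reasons
```

Returning all reasons rather than the first one gives the audit log a full record of why a send was held, and evaluating the holiday on the local date avoids the case where the UTC date has already rolled over.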
How Pacunex applies the three layers
The AI agent's operation respects all three layers by design.
Layer 1 (Meta). Approved HSM templates before launch. Opt-in recorded for each contact with how and when. Automatic opt-out via keyword response. Mandatory segmentation — the agent doesn't send the same message to the whole base.
Layer 2 (local law). Country-specific rules (Colombia, Chile, Ecuador, Mexico, etc.) are configured at project start. The customer decides their retention policy. ARCO requests are processed with a defined flow.
Layer 3 (industry). Hours and holidays configured per country and respected without exception. Contact cap per customer per month. Tone adjusted to the profile. Automatic pause after promises.
The customer's legal team reviews the configuration before launch. For complex cases (multi-country operation, regulated industry), it's tuned case by case.
Common mistakes that lead to blocking
Purchased databases. The number-one cause. Meta detects the pattern in days. The account is limited or blocked before sending 1,000 messages.
Generic message to every customer without differentiation. If the whole base receives the same text on the same day at the same time, the opt-out ratio spikes and Meta flags the account.
Messages at 21:30 or on Sundays. The customer reports them as spam, and Meta penalizes with template quality drops.
Templates with promotional language miscategorized as Utility. When Meta reclassifies, the account ends up with templates that can no longer be used as before.
Ignoring opt-out. If a customer wrote "don't contact me anymore" and receives a message again the next week, they'll report and the account accumulates negative signals.
Failure to respond to ARCO requests. If a customer asks to delete their data and the company doesn't respond, the customer can complain to the local regulator. Sanctions vary by country but are significant.
How to measure compliance
Four metrics every serious operation reviews at least weekly.
Opt-out rate per campaign. If it crosses 2-3%, there's a problem with message, segment or timing. Pause and review.
Spam reports received by the account. Meta reports them in Business Manager. Any rise requires immediate analysis.
Template rejection rate. If new templates get rejected repeatedly, review Meta's updated policies or rewrite with a better pattern.
WhatsApp Business account quality. Meta scores the account as High, Medium or Low. A drop to Medium or Low is an early warning of a serious problem.
What to do if the account is limited
Identify the cause. Meta usually states the reason in the notification. Typical causes: high opt-out, reported content, degraded template.
Pause the affected operation. Don't push the same template or the same campaign. That only worsens the situation.
Reach out to the BSP. The WhatsApp Business API provider (authorized official provider) has a direct channel with Meta and can accelerate resolution.
Adjust and resume gradually. Once the cause is identified and fixed, resume with low volume and ramp progressively.
Recommended internal documentation
Every serious WhatsApp Business operation should keep four internal documents accessible to the team and to the regulator if needed.
Published privacy policy. A document detailing what data is collected, for what purpose, how long it's kept, with whom it's shared, how to exercise ARCO rights. Must be accessible from the company's public website.
Database registry. Registration of the base with the local regulator where required (Colombia, Peru, Argentina require it). The registry details purpose, processors, security measures.
ARCO request response procedure. How the company responds when a customer requests access, rectification, cancellation or opposition. Who is responsible, within what deadline, with what evidence the case closes.
Consent registry. A base where, for each contact, you store how and when opt-in was given. If a request comes in, it must be retrievable in minutes per contact.
Without these four documents, when a regulator request arrives, the company improvises. With them, it responds calmly.
Next steps
If you're setting up your first serious WhatsApp Business operation, let's talk on WhatsApp. We'll share the exact list of what to review before launching, with focus on your country. For the practical aspects of avoiding blocks in campaigns, it's also worth reviewing how to avoid blocks in WhatsApp campaigns and, if your operation is collections, how to automate WhatsApp collections.