Sharing personal information

WhatsApp groups and POPIA: the 2021 panic, answered

Purely personal or household activity falls outside the Act entirely — your family group needs no consent message.

Published Last reviewed 6 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
WhatsApp group admins do not need members’ consent for personal groups. Section 6(1)(a) of POPIA excludes processing in the course of a purely personal or household activity — family groups, friends’ groups and social circles fall outside the Act entirely. A business running a customer WhatsApp channel is different: that is commercial processing, and if it involves marketing, section 69’s opt-in regime applies.

On this page

The 2021 panic and the provision that answers it

As POPIA’s grace period ended in mid-2021, a chain message swept South African group chats: admins must get every member’s consent or delete the group. Stokvels drafted “POPIA notices”; family groups voted on consent. All of it answered by one subsection:

The myth

WhatsApp group admins need every member’s consent under POPIA.

What the law actually allows

POPIA does not apply at all to purely personal or household activity. Family, friend and neighbourhood groups fall outside the Act — there is nothing to consent to.

What the Act actually says

“(1) This Act does not apply to the processing of personal information— (a) in the course of a purely personal or household activity;”

Protection of Personal Information Act 4 of 2013, s 6(1)(a)Read it on Dept of JusticePDF

Where the personal/business line runs

The test is the activity, not the app. The braai-planning group, the lift club, the cousins’ group — personal, excluded. The moment the group serves a commercial or organisational activity, the exclusion falls away: a business’s customer-service channel, an estate agency’s buyer list, a body corporate’s official residents’ channel (see body corporates) — all ordinary POPIA processing, needing a ground and the conditions. That is rarely hard: communicating with your own customers or members about the thing they signed up for is contract or legitimate interest. The line that actually bites is marketing.

Business WhatsApp channels and marketing

WhatsApp messages are electronic communication, so marketing through them lives under section 69: consent or the existing-customer exception, identify yourself, and offer an opt-out in every message. The amended Regulations (April 2025) cut both ways here: consent may now be requested via WhatsApp in the prescribed form — once, per section 69(2) — and objections may arrive by WhatsApp too, and must be honoured. Broadcasting specials to a group built from saved customer numbers is exactly the conduct the Regulator’s direct-marketing enforcement now targets.

Frequently asked questions

Do WhatsApp group admins need to send a POPIA consent message?

Not for personal groups. The chain message demanding consent from every member had no statutory basis — purely personal or household activity is excluded from POPIA by section 6(1)(a).

May I add someone to a personal group without asking?

POPIA does not regulate it — the household exclusion applies. Courtesy is another matter, and WhatsApp’s own settings let people control who may add them.

What about school class groups or church groups?

A parents’ social group is personal activity. A group the school itself runs as an official channel is the school’s processing — lawful for school communications on ordinary grounds, but not a marketing list, and children’s information carries its own protections (ss 34–35).

Can my business send marketing on WhatsApp?

WhatsApp marketing is electronic communication under section 69: consent or the existing-customer exception, sender identification, and an opt-out in every message. Since April 2025, consent may itself be requested via WhatsApp — once, in the prescribed form.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Sharing personal information

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub