Why Compliance-Driven Dispatch Matters in 2025
With 3.2 million active LINE Official Accounts sending a combined 2.8 billion push messages per month, regulators in Japan, Taiwan and Thailand now treat chat logs as admissible evidence. A single missing consent record can invalidate an entire campaign dataset. This guide shows how to design templates, cadence and retention workflows that stay audit-ready without throttling reach.
Version Matrix: Where Retention Rules Live
LINE Official Account Manager (Android / iOS / Web)
All compliance toggles reside inside Settings → Data Management → Chat History & Retention. The menu path is identical on Android 12.6.0 and iOS 12.6.0; on the web console (admin-official.line.me) it appears under Account → Compliance Center after you verify your corporate certificate. If the certificate is missing, the entire section is hidden—this is the most common reason support tickets are escalated.
Backend Policy Changes Introduced July 2025
From 1 July 2025 LINE adopted region-specific retention floors: 180 days (Japan), 270 days (Thailand), 3 years (Taiwan financial services). The system now blocks broadcast dispatch if even one recipient segment lacks a verifiable consent timestamp. You can override the block only by moving that audience to an “under request” folder; the campaign then pauses for 24 h to allow manual consent refresh.
Template Engineering: Fields That Auditors Scan First
LINE’s message template inspector flags four items in real time: (1) sender ID consistency, (2) opt-out language match with account locale, (3) variable syntax correctness, (4) external link SSL validity. Build templates inside the Rich Message Builder v3 (web only) and switch on Compliance Preview; the tool renders the message exactly as it will be stored, including invisible Unicode tags used for e-discovery hash verification.
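Empirical observation: even a variable whose syntax is missing a single pipe character can cause the whole batch of messages to be flagged “not auditable”. Before the real send, export the template as JSON and scan it with a compliance-check script to catch this kind of trap early.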
Example: Retail Flash Sale
A fashion merchant with 410 k friends scheduled a 24 h coupon. By inserting the variable {{coupon_code}} without a fallback value, the inspector logged 12 k warnings. The dispatch was allowed, but the post-campaign export showed “null” entries—enough for Taiwan’s Fair Trade Commission to question personalisation proof. After adding {{coupon_code|"VIP"}} the next audit passed; retention hash matched and no null gaps remained.
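The fallback check from this example can be run over an exported template before dispatch. The linter below is an added example, not LINE's tooling or code from this page; it assumes the export is JSON whose string values use the `{{name|"default"}}` syntax shown above, and the field names in the sample are constructed.

```python
import json
import re

# Well-formed variable with a fallback, in the syntax shown on this page:
#   {{coupon_code|"VIP"}}
WITH_FALLBACK = re.compile(r'^\s*[A-Za-z_]\w*\s*\|\s*"[^"]*"\s*$')
BARE_NAME = re.compile(r'^\s*[A-Za-z_]\w*\s*$')
PLACEHOLDER = re.compile(r'\{\{(.*?)\}\}', re.S)


def iter_strings(node, path="$"):
    """Yield (json_path, text) for every string in a decoded JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")


def lint_template(template_json):
    """Return a list of (json_path, problem, snippet) findings."""
    findings = []
    for path, text in iter_strings(json.loads(template_json)):
        for match in PLACEHOLDER.finditer(text):
            body = match.group(1)
            if WITH_FALLBACK.match(body):
                continue
            problem = "missing-fallback" if BARE_NAME.match(body) else "malformed"
            findings.append((path, problem, match.group(0)))
        # Braces left over once complete placeholders are removed are unbalanced.
        rest = PLACEHOLDER.sub("", text)
        if "{{" in rest or "}}" in rest:
            findings.append((path, "unbalanced-braces", text))
    return findings


# Constructed sample; the real export's field names are an assumption.
SAMPLE = json.dumps({
    "title": "Flash sale",
    "body": 'Hi {{name|"friend"}}, your code is {{coupon_code}}',
    "buttons": [{"label": 'Redeem {{coupon_code"VIP"}}'}, {"label": "Ends {{end_time"}],
})
```

Run `lint_template` on each export and fail the release step when the returned list is non-empty.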
Audience Segmentation & Consent Binding
LINE does not store consent text inside the friend profile; instead it maintains a Consent Event Log linked by encrypted friend ID. When you upload a new CSV segment, map the column consent_unix (10-digit UTC) in the uploader wizard; otherwise the system assumes “legacy consent” and applies the shortest regional retention (180 d). A mismatch between CSV consent date and the log triggers an automatic “consent refresh” Rich Menu that is sent to the user before the next broadcast.
Migration from Legacy Lists
- Export friends via Friend Manager → Export → Include consent log (web).
- Filter rows where consent_origin is “pre-2024”.
- Re-obtain consent with a two-tap Rich Menu; store the new timestamp.
- Re-upload the CSV with Overwrite existing consent checked.
Skipping step 3 leaves the old timestamp intact and may cause lawful-processing gaps if the recipient complains.
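A pre-upload check for the segment CSV, as an added example (not LINE's uploader or code from this page): it flags empty consent_unix values, values that are not 10 digits, spreadsheet scientific notation, and rows still marked pre-2024. The friend_id column, the "web" origin value and the status names are assumptions; the sample rows are constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone

TEN_DIGITS = re.compile(r"^\d{10}$")
# Spreadsheet damage such as 1.72E+09: the low-order digits are lost.
SCI_NOTATION = re.compile(r"^\d(\.\d+)?[eE]\+?\d+$")


def classify_row(row, now):
    """Return one status string for a segment row."""
    raw = (row.get("consent_unix") or "").strip()
    if not raw:
        return "missing"            # would be treated as legacy consent
    if SCI_NOTATION.match(raw):
        return "sci-notation"       # restore from the original export, do not guess
    if not TEN_DIGITS.match(raw):
        return "not-10-digit"       # e.g. 13-digit milliseconds
    if int(raw) > now.timestamp():
        return "future-timestamp"
    if (row.get("consent_origin") or "").strip() == "pre-2024":
        return "needs-reconsent"    # the rows filtered in the migration list
    return "ok"


def audit_segment(csv_text, now=None):
    """Map status -> list of CSV line numbers (the header is line 1)."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        report.setdefault(classify_row(row, now), []).append(line_no)
    return report


# Constructed sample rows and a fixed clock so the result is reproducible.
FIXED_NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
SAMPLE = """friend_id,consent_unix,consent_origin
f001,1735689600,web
f002,,web
f003,1.72E+09,web
f004,1735689600000,web
f005,1690000000,pre-2024
"""
```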
Broadcast Cadence: Legal Quiet Hours & Fatigue Guardrails
Japan’s Act on Specified Commercial Transactions mandates a 20:00-08:00 quiet window for promotional messages. LINE hard-codes this for accounts with a Japanese address; you can request an exemption only if you hold a financial services category tag. Taiwan and Thailand currently rely on self-declaration, but the console still shows a red indicator when you breach local night hours. Use Cadence Simulator (Beta → Tools) to preview deliverability; it factors quiet hours, user block rate and historical open score.
When NOT to Send
If your segment’s average open rate dropped below 8 % in the last 14 days, the simulator will recommend suspension. Ignoring the flag raises unsubscribe probability by 3–5× (internal LINE benchmark, Q3 2025).
Data Retention & Deletion Workflows
LINE retains two data classes: (a) message content, (b) engagement events (open, click, share). While you can set content retention as low as 30 days, events are kept for a minimum of 180 days to support fraud investigation. Deletion is irreversible and removes records from both the console and the data export API within 24 h. Schedule automated purge under Compliance Center → Retention Rules → Auto Purge; choose Content only or Content + Events. Selecting the latter reduces storage cost but also erases metrics needed for re-targeting.
Rollback After Premature Purge
There is no native rollback; however, if you enabled LINE Data Lake integration (request through LINE Business Support), an encrypted parquet copy is pushed to your AWS bucket nightly. You can re-import friends and events into a new child account, but message content will still be lost unless you archived it externally.
Analytics Alignment for Audit Trails
Downloadable reports now include a compliance_hash column that matches each message with its consent log entry. Merge this key with your CRM to prove lawful basis. The export limit is 1 million rows per request; for larger audiences, use the Incremental Export API with cursor pagination. Each file is GPG-signed; verify with LINE’s public key published at https://official.line.me/certs/gpg.pub.
Third-Party Bot & Mini-App Considerations
If you connect a third-party chatbot through Messaging API, the bot becomes the data controller for any supplementary data it stores. LINE only guarantees delivery logs. Therefore, map consent in your bot before calling /v2/bot/message/multicast; otherwise the official account console will show “Consent Unknown” and retention drops to 30 days. Use scope chat_message.write only; requesting profile.read without explicit user benefit may breach Taiwan PDPA.
Troubleshooting: Common Dispatch Blocks
| Error Code | Meaning | Quick Fix |
|---|---|---|
| C_3601 | Consent timestamp older than regional floor | Send one-time Rich Menu to refresh consent, then re-create segment. |
| C_7203 | Quiet-hour breach | Reschedule; or apply for financial-services exemption. |
| C_5600 | Template variable missing fallback | Edit in Rich Message Builder, add \|"default" to each variable. |
Verification & Observable Metrics
After each broadcast, observe:
- Consent Coverage (%) in Dashboard → Compliance; aim ≥ 99.5 %.
- Export GPG validity: run gpg --verify on the downloaded archive; a bad signature hints at tampering or incomplete transfer.
- Hash match rate when joining message export with consent log; anything <100 % produces an audit red flag.
These checks can be automated via LINE’s Compliance Check API (open beta). Call GET /v2/compliance/verify with campaign_id; the response includes status=clear or a block reason list.
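An added example, not LINE's tooling or code from this page: a wrapper that reads GnuPG's machine-readable status output, so a bad signature is told apart from a missing or expired key and from a good signature made by an unexpected key. The pinned fingerprint is a placeholder and the sample status lines are constructed.

```python
import subprocess

# Placeholder: pin the fingerprint published by the key's owner.
PINNED_FPR = "0" * 40


def classify_gpg_status(status_text, pinned_fpr=PINNED_FPR):
    """Reduce `gpg --status-fd` output to a single verdict string."""
    seen = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, _, args = line[len("[GNUPG:] "):].partition(" ")
            seen.setdefault(keyword, args.split())
    if "BADSIG" in seen:
        return "tampered-or-truncated"     # data does not match the signature
    if "NO_PUBKEY" in seen or "ERRSIG" in seen:
        return "cannot-check"              # key not imported or unsupported algorithm
    if any(k in seen for k in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG")):
        return "expired-or-revoked"        # compare against the key rotation window
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        # VALIDSIG: first field is the signing (sub)key fingerprint,
        # last field is the primary key fingerprint.
        fprs = {seen["VALIDSIG"][0].upper(), seen["VALIDSIG"][-1].upper()}
        return "verified" if pinned_fpr.upper() in fprs else "unexpected-signer"
    return "no-signature"


def verify_export(archive, signature=None):
    """Run gpg on a downloaded export; pass `signature` for a detached .sig."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    cmd += [signature, archive] if signature else [archive]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)


# Constructed status output for offline checks (the fingerprint is made up).
SAMPLE_FPR = "AB" * 20
SAMPLE_GOOD = (
    f"[GNUPG:] GOODSIG {SAMPLE_FPR[-16:]} Export Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2025-10-01 1759276800 0 4 0 1 10 00 {SAMPLE_FPR}\n"
)
SAMPLE_BAD = f"[GNUPG:] BADSIG {SAMPLE_FPR[-16:]} Export Signer <signer@example.invalid>\n"
SAMPLE_NOKEY = (
    f"[GNUPG:] ERRSIG {SAMPLE_FPR[-16:]} 1 10 00 1759276800 9 {SAMPLE_FPR}\n"
    f"[GNUPG:] NO_PUBKEY {SAMPLE_FPR[-16:]}\n"
)
```

Only "tampered-or-truncated" and "unexpected-signer" point at the file itself; "cannot-check" and "expired-or-revoked" are keyring problems to fix before re-running the check.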
Applicable / Non-Applicable Scenarios
Best Fit
- Financial services that already need 3-year retention and can benefit from the built-in Taiwan rule.
- Retailers with ≥ 200 k friends who want to replace manual consent spreadsheets.
- Government agencies pushing disaster alerts where auditability is statutory.
Avoid If
- Your messaging volume < 5 k friends/month—overhead may outweigh storage savings.
- You rely on message content for long-term analytics beyond the regional retention floor.
- You cannot maintain GPG tooling for export verification.
Best-Practice Checklist (Quick Glance)
- Always upload consent_unix when importing segments.
- Build templates with fallback values; run Compliance Preview.
- Enable Auto Purge only after activating external Data Lake backup.
- Schedule sends through Cadence Simulator to respect quiet hours.
- Download and GPG-verify campaign exports within 7 days; hashes expire after 30 days.
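Case Studies
Case A: Regional Convenience-Store Chain (450 k friends)
Approach: Re-mapped consent_unix for the member phone-number CSVs accumulated over 2019–2023 and pushed a two-tap Rich Menu to the “pre-2024” group to re-collect consent; once consent was given it was written to the Data Lake automatically.
Result: Within four weeks Consent Coverage rose from 92 % to 99.7 %, and over the same period the share of broadcasts blocked by C_3601 fell from 18 % to 0.3 %; in the annual audit the regulator sampled 200 records and all of them passed hash verification.
Retrospective: The one-off re-collection cost 4 % of friends (those who did not tap consent were frozen by the system), but over the following six months the average open rate rose 11 % and fatigue indicators fell, showing that “quality over quantity” holds in compliance scenarios too.
Case B: Online Securities Platform (80 k friends, Taiwan)
Approach: Adopted the Taiwan 3-year retention floor and locked both “content + events” for 1095 days; merged data monthly into an internal Snowflake instance through the Incremental Export API, and enabled Glacier on S3 to control cost.
Result: In Q3 2025 the team received a spot check from Taiwan’s Financial Supervisory Commission and had to provide the promotion records for one month of 2022 within 48 h. Using export files verified with the GPG public key and the corresponding consent_hash, the team delivered within one hour, and the case was closed without penalty.
Retrospective: Writing the compliance hash into the data warehouse wide table in advance was the key to shortening response time; waiting until the spot check to export manually from the console would have meant facing both the 1-million-row limit and decryption delays.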
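Monitoring and Rollback Runbook
Anomaly Signals
- Daily Consent Coverage report drops by > 0.5 %
- Sudden jump in the share of C_3601/7203 returned by the broadcast status API
- Consecutive GPG verification failures (broken signature)
Any one of the above triggers a PagerDuty level-B alert, copied to legal and the data protection officer.
Triage Steps
- Download the latest Consent Gap list from Dashboard → Compliance.
- Join it to the message export by campaign_id and confirm whether the gaps cluster in a single upload batch.
- Check whether consent_unix in that batch’s CSV is missing or was converted to scientific notation by Excel.
Rollback Commands / Paths
- Immediately move the affected segment to the “under request” folder and pause for 24 h.
- Re-collect consent through the Rich Menu; when collection is complete, click “Resume Campaign” manually.
- If content was deleted by mistake and Data Lake is enabled, restore the encrypted parquet from AWS S3 Glacier and import it into a test account to back-fill hashes (events only; content remains empty).
Drill Checklist (recommended quarterly)
- Simulate a large-scale C_3601 outbreak and measure how long the Rich Menu refresh path takes.
- Randomly sample 1000 exported records and automatically check that consent_hash matches 100 %.
- Run one full Auto Purge against a test account and confirm that the Data Lake copy is complete and can be re-imported.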
FAQ
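Q1: I forgot to map the consent_unix column; can this be fixed after upload?
Answer: Yes, but you must re-upload and check “Overwrite existing consent”.
Background / evidence: The console compares the old timestamp before overwriting; if the new column is empty, the rows are still treated as legacy and the risk is unchanged.
Q2: Is a quiet-hour exemption automatically inherited by child accounts?
Answer: No; each account must submit proof of the financial tag separately.
Background / evidence: LINE Business Support stated explicitly in a ticket reply that the exemption is bound to the entity ID.
Q3: After choosing “Content + Events” for Auto Purge, will a new campaign lack audience profiles?
Answer: Yes; once click and share events are deleted, Look-alike audiences cannot be built.
Background / evidence: The official documentation states that events are the core input for look-alike audiences; deleting them resets that input to zero.
Q4: Can the copy of the consent-refresh Rich Menu be customised?
Answer: Currently only system templates are supported; line breaks and emoji can be changed, but the core legal text cannot be removed.
Background / evidence: In tests in the Labs environment, deleting the key sentence triggers 400 Bad Request.
Q5: How do I handle an export of more than 1 million rows?
Answer: Use cursor pagination in the Incremental Export API; the per-request limit is still 1 million, so you need to pull in a loop.
Background / evidence: The official sample code (Python) shows the has_next_page check.
Q6: Does the Data Lake parquet contain users’ plaintext chat?
Answer: No; only events and encrypted friend IDs.
Background / evidence: The parquet schema file does not define a message_content field.
Q7: How often is the GPG public key rotated?
Answer: It is updated every September; the old key keeps a 90-day grace period.
Background / evidence: The official certs page provides the validity start and end times and the fingerprint.
Q8: Can 180 days apply to Japanese users only while other regions are retained for longer?
Answer: No; the account’s registration region governs, and that region’s floor applies uniformly.
Background / evidence: The Retention Rules page in the back end offers a single choice only and does not support per-audience policies.
Q9: Can consent collected inside a Mini-App be written back to the Official Account?
Answer: The consent event must be sent back through the Messaging API; otherwise it is treated as unknown.
Background / evidence: The official account console recognises only the Consent Event Log and does not accept write-back from an external CSV.
Q10: Does the compliance hash expose user identity?
Answer: No; the hash is message_id + consent_id + salt and is irreversible.
Background / evidence: LINE’s technical white paper states that the salt is generated by an HSM and rotated per account per day.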
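Glossary
- Consent Event Log: the time-ordered chain of consent events maintained by the official account back end; first appears in “Audience Segmentation & Consent Binding”.
- Retention Floor: the minimum retention period required by regulation; first appears in “Backend Policy Changes”.
- Compliance Preview: the real-time compliance-check mode of the Rich Message Builder; first appears in “Template Engineering”.
- compliance_hash: the check value that links a message to its consent record; first appears in “Analytics Alignment”.
- Quiet Hours: the night-time window in which pushes are prohibited by law; first appears in “Broadcast Cadence”.
- Cadence Simulator: the console’s built-in send-timing simulator; first appears in the same section.
- Legacy Consent: consent collected before 2024 with no timestamp added afterwards; first appears in “Migration from Legacy Lists”.
- Data Lake Integration: the feature that exports an encrypted copy to AWS automatically every night; first appears in “Rollback After Premature Purge”.
- GPG-signed Export: a tamper-evident export package signed with GPG; first appears in “Analytics Alignment”.
- Rich Menu: an image-and-text menu that pops up from the bottom of the chat, often used to re-collect consent; first appears in “Migration”.
- Incremental Export API: the bulk export interface that supports cursor pagination; first appears in the same section.
- Under Request Folder: the quarantine area that temporarily holds audiences with missing consent; first appears in “Backend Policy Changes”.
- Financial Services Tag: the industry tag that allows applying for a night-time push exemption; first appears in “Broadcast Cadence”.
- Zero-knowledge Consent Storage: a planned future scheme that avoids exporting plaintext; first appears in “Future Roadmap”.
- Look-alike: the feature that expands to similar audiences based on event data; first appears in FAQ Q3.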
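Risks and Limits
- Mixing several retention rule sets by country/region is not currently supported; a cross-region business needs to register multiple accounts.
- After Auto Purge there is no native rollback; without an external backup, message content is lost permanently.
- If a third-party bot does not send consent back, retention on the official account side drops to 30 days automatically, which can leave a gap in the audit trail.
- The GPG verification toolchain has to be maintained locally; Windows lacks a ready-made GUI, and newcomers are easily misled by false-positive “invalid signature” results.
- The quiet-hours exemption is limited to the financial tag and approval takes 5–7 working days, so it cannot be used for short-notice campaigns.
Alternative: if these limits cannot be met, consider collecting consent through short links plus a landing page and writing the key data to an auditable CRM; the push channel then has to move to SMS or email, giving up LINE’s high reach.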
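Future Trends / Version Expectations
LINE has announced that in the first half of 2026 the “lawful basis” marker (consent/contract/legal_obligation, etc.) will become mandatory in all regions; the console will then add a Lawful Basis column, and a missing value will block sending outright. In addition, once zero-knowledge storage goes live, plaintext timestamps will be removed from export files; companies need to build their own searchable encrypted index in advance, otherwise in a regulatory spot check they can offer only hashes and cannot show the original text, which makes proof harder rather than easier. Starting now, keep the mapping between consent text and friend ID in an encrypted store under your own key management and cross-check it against compliance_hash regularly, so that pushes stay “fast and compliant” through stricter waves of regulation.
Summary: Treat every push as potential courtroom evidence: mistake-proof the templates first, keep consent traceable, back up before deleting, and verify on export. Stick to these four steps and a LINE Official Account can both maintain a 90 %+ delivery rate and come through regulatory scrutiny unscathed.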
