What’s Up With WhatsApp’s Privacy Policy?
In January, WhatsApp users received a popup outlining that they’d need to agree to the new terms of service. If users refused, their accounts would be unceremoniously suspended on February 8. This has had some interesting fallout:
- Downloads of Signal, the messaging app approved by Elon Musk and Edward Snowden, have skyrocketed.
- Telegram gained more than 25 million new users in just 72 hours.
- WhatsApp postponed the new privacy policy to May 2021.
- Issues stemming from user mistrust in global corporate giants’ handling of their data jumped into the spotlight.
So, what’s up with WhatsApp’s privacy policy?
WhatsApp’s Privacy Policy Update
The change that has caused concern relates to WhatsApp sharing data with its parent company, Facebook. The policy notes that:
“WhatsApp currently shares certain categories of information with Facebook Companies. The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”
The type of information being shared with Facebook going forward is the major change – and the major cause for concern.
The policy notes that information like user browsing information (including frequency, duration, and interactions), language, mobile network, phone battery level, signal strength, internet service provider, and geographic information like your IP address and time zone may be shared.
You can read the privacy policy here.
WhatsApp’s Response to the Outcry
There has been a flurry of activity from WhatsApp and Facebook executives on Twitter. They’ve been trying to assuage the concerns of angry users by sharing additional information about the actual impact of the changes.
“It's important for us to be clear this update describes business communication and does not change WhatsApp’s data sharing practices with Facebook. It does not impact how people communicate privately with friends or family wherever they are in the world.”
— Will Cathcart (@wcathcart) January 8, 2021
WhatsApp released an FAQ which details that this change only relates to messages users send to business accounts on WhatsApp. A distinction is made between user-to-business conversations and inter-user conversations, with the company noting that “the policy update does not affect the privacy of your messages with friends or family in any way.”
There’s also another webpage designed to frame the changes in a more meaningful way. It starts with the words “We want to be clear…” – phrasing that was used in the FAQ document too.
One Key Issue: The Erosion of Trust
While WhatsApp is confident that its distinction between personal and business interactions is sufficient, it’s clear that users don’t feel the same way. European regulators don’t feel the same way either, having fined Facebook $122 million for misleading the EU about its intentions during their investigation of Facebook’s acquisition of WhatsApp. Facebook had previously stated that it “would be unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.”
The crux is that privacy-focused users don’t trust Facebook but Facebook needs to make money from WhatsApp. To do so, it has chosen to monetize business interactions which necessitates the sharing of (and likely selling of) user data.
The reality is that, in doing so, they’ll lose some users but retain most. These changes are a calculated business decision.
Another Key Issue: Unclear Privacy Policies
WhatsApp needing to jump quickly on the offensive demonstrates that their privacy policy is far from clear. The updated policies are incredibly vague. Fallout is inevitable when a company with a poor track record of privacy (Facebook) embeds vague updates into the policy of a service that’s “committed to defending [end-to-end encryption] technology now and into the future”.
Takeaways for Businesses from WhatsApp’s Ill-Conceived Update
Businesses might be concerned that if WhatsApp – with all of Facebook’s resources behind it – can’t make users understand its privacy policies, then what hope is there? There is plenty you can do.
Make it very clear what data you are collecting.
You need to provide a clear, concise description of the data you collect about customers. Use broad headers, like ‘location’, ‘device’ and ‘user information’, then delve into what related data is being collected. This should be readily available on the page users are directed to when they click on your privacy policy. Don’t bury this information on separate pages which require multiple clicks from the user.
WhatsApp’s updated policy did manage this quite well.
Make it very clear how the data is used.
This is where WhatsApp’s policy failed.
This section of your policy needs to outline how you use the data, whether you share the data with any third parties, and whether you sell the data to any third parties.
Give your users choices.
Potentially the biggest mistake WhatsApp made was to require all users to consent to the vague terms within a short timeframe. An opt-out of the business services (and the consequent sharing of data) may have helped alleviate concerns for users. That said, it wouldn’t necessarily serve the business interests of the shareholders.
Whenever you make changes to your policy, let your users know in advance and give them time to digest the changes and ask questions. Be sure to build choice into your privacy culture, starting with making user rights very clear.
We previously published an article about Woolworth’s privacy policy update. In it, we critiqued the policy and outlined our recommendations. You can read the article here for some practical advice.
Reach Out For Help With Your Privacy Policy
Privacy108 is one of Australia’s leading privacy consultancies for businesses. We’re here to help if you need guidance or assistance developing clear privacy policies.
Our specialist areas include information security, privacy and data protection, telecommunications and technology issues.
Our services include:
- Privacy impact assessments;
- Development and implementation of privacy management programs;
- Privacy compliance programs including GDPR readiness;
- Data breach response and notification;
- Advice on the use of the cloud and other third party service providers;
- Developing an organisational security culture; and
- Training and awareness programs.