
In January, WhatsApp users received a popup outlining that they’d need to agree to the new terms of service. If users refused, their accounts would be unceremoniously suspended on February 8. This has had some interesting fallout.

So, what’s up with WhatsApp’s privacy policy?
The change that has caused concern relates to WhatsApp sharing data with its parent company, Facebook. The policy notes that:
“WhatsApp currently shares certain categories of information with Facebook Companies. The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”
The type of information being shared with Facebook going forward is the major change – and the major cause for concern.
The policy notes that information like user browsing information (including frequency, duration, and interactions), language, mobile network, phone battery level, signal strength, internet service provider, and geographic information like your IP address and time zone may be shared.
You can read the privacy policy here.
There has been a flurry of activity from WhatsApp and Facebook executives on Twitter. They’ve been trying to assuage the concerns of angry users by sharing additional information about the actual impact of the changes.
It's important for us to be clear this update describes business communication and does not change WhatsApp’s data sharing practices with Facebook. It does not impact how people communicate privately with friends or family wherever they are in the world.
— Will Cathcart (@wcathcart) January 8, 2021
WhatsApp released an FAQ which details that this change only relates to messages users send to business accounts on WhatsApp. A distinction is made between user-to-business conversations and inter-user conversations, with the company noting that “the policy update does not affect the privacy of your messages with friends or family in any way.”
There’s also another webpage designed to frame the changes in a more meaningful way. It starts with the words “We want to be clear…” – phrasing that was used in the FAQ document too.
While WhatsApp is confident that its distinction between personal and business interactions is sufficient, it’s clear that users don’t feel the same way. European regulators don’t feel the same way either, having fined Facebook $122 million for misleading the EU about its intentions during their investigation of Facebook’s acquisition of WhatsApp. Facebook had previously stated that it “would be unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts.”
The crux is that privacy-focused users don’t trust Facebook, but Facebook needs to make money from WhatsApp. To do so, it has chosen to monetize business interactions, which necessitates the sharing of (and likely selling of) user data.
The reality is that, in doing so, they’ll lose some users but retain most. These changes are a calculated business decision.
WhatsApp needing to jump quickly on the offensive demonstrates that their privacy policy is far from clear. The updated policies are incredibly vague. Fallout is inevitable when a company with a poor track record of privacy (Facebook) embeds vague updates into the policy of a service that’s “committed to defending [end-to-end encryption] technology now and into the future”.
Businesses might be concerned that if WhatsApp – with all of Facebook’s resources behind it – can’t make users understand its privacy policies, then what hope is there? There is plenty you can do.
You need to provide a clear, concise description of the data you collect about customers. Use broad headers, like ‘location’, ‘device’ and ‘user information’, then delve into what related data is being collected. This should be readily available on the page users are directed to when they click on your privacy policy. Don’t bury this information on separate pages which require multiple clicks from the user.
WhatsApp’s updated policy did manage this quite well.
This is where WhatsApp’s policy failed.
This section of your policy needs to outline how you use the data, whether you share the data with any third parties, and whether you sell the data to any third parties.
Potentially the biggest mistake WhatsApp made was to require all users to consent to the vague terms within a short timeframe. An opt-out of the business services (and the consequent sharing of data) may have helped alleviate concerns for users. That said, it wouldn’t necessarily serve the business interests of the shareholders.
Whenever you make changes to your policy, let your users know in advance and give them time to digest the changes and ask questions. Be sure to build choice into your privacy culture, starting with making user rights very clear.
We previously published an article about Woolworth’s privacy policy update. In it, we critiqued the policy and outlined our recommendations. You can read the article here for some practical advice.
Privacy 108 is one of Australia’s leading privacy consultancies for businesses. We’re here to help if you need guidance or assistance developing clear privacy policies.
Our specialist areas include information security, privacy and data protection, telecommunications and technology issues.