The new WhatsApp privacy policy released this week raised several key questions for data protection experts everywhere (and everyone else really). The new privacy policy sets out the information that WhatsApp shares with Facebook, and makes it clear that this policy is non-negotiable – if you don’t like WhatsApp sharing your data with Facebook, your only option is to close your WhatsApp account and delete your app (making sure to delete your personal information first). 

In effect, the new WhatsApp privacy policy brings WhatsApp’s two billion users under more of Facebook’s control, and opens them up to more of Facebook’s services. The question is whether this will be a steep price for people to pay to continue to keep in touch with family and friends on their favourite chat app.

What does the new WhatsApp privacy policy say?

The section of the new WhatsApp privacy policy that concerns us is “How we partner with Facebook to offer integrations across the Facebook Company Products”.

What this section of the new WhatsApp privacy policy means is that Facebook are now covering themselves for collecting huge amounts of personal data about users from WhatsApp (which they were probably already collecting). The information that is shared between WhatsApp and Facebook includes your WhatsApp account registration and WhatsApp phone number, the phone numbers in your address book, the WhatsApp groups you have joined, transaction data, mobile device information, and the IP address of your phone.

In other words, nearly all the information you provide to WhatsApp in order to use their services (and some more too) will be passed through to Facebook. The new WhatsApp privacy policy also reserves the right to ask for (or demand) more information in the future as it becomes useful for them.

In turn, Facebook will use this information to “understand how services are used”, “improve services”, “make suggestions for you”, “personalise features and content”, and “show relevant offers and ads across the Facebook Company Products”. In short, find other Facebook services to sell to you based on your information, for example connecting Facebook Pay to pay for transactions on WhatsApp, or chatting with your WhatsApp contacts on Portal (yet another Facebook product).

The concern: Facebook and data protection are not mutually compatible

The data mentioned in the new WhatsApp privacy policy is PII, or personally identifiable information. This means that if someone gets hold of that information they can work out who you are pretty quickly, and Facebook’s data protection record makes some interesting reading.

Just some of the recent Facebook and data protection stories include:

In 2019 they were fined $5bn by the Federal Trade Commission (FTC) and an additional £500,000 in the UK under the old Data Protection Act (pre-GDPR) for their part in the Cambridge Analytica scandal. 

The FTC said in their settlement statement that the fine was levied on Facebook because despite promising users that they have control over how their personal information is shared with third parties, they facilitated the harvesting of information from Facebook to Cambridge Analytica. In this case, a Facebook quiz was used to collect information not just about the people who took the test, but their Facebook friends as well. The way that this information was collected was part of a flaw in Facebook’s infrastructure, which allowed developers to access information without authorisation (and many did). 

In 2018 it was revealed that between 2011 and 2018 Facebook used phone numbers registered by users for two-factor authentication to target them for ads. In addition to these phone numbers, the researchers discovered that Facebook was also mining other information about users available on the internet (and not provided directly to Facebook), and using it to target ads.

At the same time as the FTC gave their ruling on Facebook’s involvement with Cambridge Analytica, the US Securities and Exchange Commission (SEC) claimed $100 million in charges against Facebook for making misleading disclosures regarding how it handled user data. And in 2018, a report by the New York Times revealed that Facebook shared access to user data with other large tech firms, including Amazon, Microsoft, Sony, Huawei, Yandex, and more, affecting users all over the world.

The list goes on, showing how Facebook’s quest for user information that can be used to make a profit is constantly evolving and finding new ways to violate users’ privacy.

Facebook and information protection responsibilities

Under regulations such as the GDPR, the California Consumer Privacy Act (CCPA), and those of other nation states (for example the newly non-EU UK), companies of all sizes have responsibilities towards their users when it comes to collecting, storing, transferring, or using their personal information. Failure to take these responsibilities seriously will result in fines of up to €10m, or 2% of global turnover (whichever is higher). While fines don’t seem to stop Facebook, they are a serious deterrent to other companies.

The new WhatsApp privacy policy shows that once again, Facebook is pushing the boundaries on data privacy, and could well find itself catching the attention of one or more of these regulators. But for now, WhatsApp is one step closer to dying. Long live Facebook.