A contentious WhatsApp privacy update, first announced earlier this year, is continuing to cause problems for the Facebook-owned messaging giant. It has been hit with consumer complaints filed by watchdog groups, which say that users are being unfairly pressured into accepting the update with aggressive requests and confusing terms.
The privacy update stipulates that Facebook will now have access to certain types of WhatsApp user data in certain circumstances, a new development for the formerly independent messaging app. The consternation this caused among users earlier this year fueled a mass migration to alternatives with more of a privacy focus, chiefly Signal and Telegram.
WhatsApp privacy update creates multiple headaches for the company
The consumer complaints allege that WhatsApp messages users about accepting the privacy update far too often, and uses confusing and unclear terms to describe the changes to how data is shared with Facebook.
The consumer complaints have been organized by the Brussels-based European Consumer Organisation (BEUC). BEUC Director General Monique Goyens told the press that WhatsApp has been “bombarding” users with pop-up requests to accept the privacy update for months, and that it appears to be making threats of cutting off access to the app if the update is not accepted. When the privacy update rolled out in mid-May, WhatsApp did indicate that the update reminder would become persistent within “weeks” and at that time functionality would be limited (though this would not happen to “all users at the same time”). The functionality limits it listed included inability to access the chat list, to receive incoming calls or notifications, and eventual disabling of the phone number in the app. WhatsApp has pushed these actions back several times since the initial announcement earlier in 2021 due to negative public response.
Accepting the privacy update does cause some new data to be shared with parent company Facebook, but with limits on the circumstances. The BEUC consumer complaints also argue that the exact terms are not made clear to the end user. WhatsApp will not be sharing messages with Facebook, but it will be sharing several pieces of user information: phone number, usage time logs, device identifiers, IP addresses, and other device details that do not involve messages or contacts. WhatsApp originally promised that only businesses using Facebook hosted services (usually in tandem with a WhatsApp account for customer communication) would receive access to device details, and only when a WhatsApp user messages them first.
Consumer rights groups from eight EU countries have organized under the BEUC to file complaints with the EU’s executive Commission and the bloc’s network of consumer authorities.
Consumer complaints becoming more common for Facebook companies
Rather than asserting a General Data Protection Regulation (GDPR) violation, the BEUC is focusing on breach of the EU Directive on Unfair Commercial Practices. The consumer complaints establish that the privacy update reminders violate this directive by putting unfair pressure on users, impairing freedom of choice and failing to use “clear and intelligible language” to describe the changes being made (specifically violating Articles 5 and 6 of the Unfair Commercial Practices Directive).
This is not the first legal issue that the new privacy update has triggered in the EU. When it was first announced in January, WhatsApp received a formal warning from Italy’s data protection agency and a referral to the European Data Protection Board (EDPB) over the opaque language used in the update reminder. The Italian DPA said that it reserved the right to directly intervene “as a matter of urgency” but has not taken further action as of yet. Germany’s DPA followed through with a similar urgency intervention in May, banning Facebook from accessing WhatsApp user data for three months while the matter is reviewed. It is possible that the measure could be made permanent, but it would involve the Irish DPA given that Facebook’s EU headquarters are in Dublin.
Facebook was one of the first to be hit with consumer complaints as the GDPR went active in 2018. Noyb, which would eventually be known for forcing a major reform of EU-US data transfers by taking on Facebook, filed a complaint about the social media giant’s terms of service on the first possible day that is strongly reminiscent of the current WhatsApp case. The company has faced numerous other consumer complaints since, but not all have had unhappy endings. In May, a lawsuit brought by Euroconsumer representing 300,000 Facebook users was settled with Euroconsumer essentially being acquired by the company, leaving the class action members high and dry. There is also a public perception that Facebook benefits from favorable treatment in Ireland, as that country’s DPC has opened multiple probes against the company but takes inordinately long periods of time to investigate and has yet to bring any penalties. In late December Facebook set aside $366 million in anticipation of eventual fines from the Irish DPA, a relatively paltry amount of the $86 billion in revenue it made in 2020.