Young adults on the couch using smartphones showing privacy policy update for WhatsApp

WhatsApp Clarifies New Privacy Policy Update, Says That Data Sharing With Facebook Will Be Limited To Communication With Businesses

A recent privacy policy update from WhatsApp appeared to be forcing users to either agree to sharing of personal data with Facebook and its various other subsidiary companies, or stop using the messaging app by February 8. In response to a storm of criticism, WhatsApp has issued a clarification specifying exactly what types of user data will be shared.

The company also appeared to be responding indirectly to the new privacy “nutrition labels” that are required by Apple, breaking down its specific levels of access to personal data in an attempt to reassure a userbase that bought into it as the “security-focused” alternative to Facebook Messenger.

WhatsApp privacy policy update indicates data sharing is limited to business messaging

A new “privacy and security” FAQ on WhatsApp’s website addressed the privacy policy update, opening by stressing that neither it nor Facebook scans messages or anything shared in groups. The new page also claims that user contacts will not be shared with Facebook, and that neither company can see user locations. WhatsApp is also not logging call and message contacts, and will continue to allow users to set messages to disappear and to download personal data.

The company issued the following statement on Twitter: “We want to address some rumors and be 100% clear we continue to protect your private messages with end-to-end encryption … We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data.”

Most of this was already known to the public, and seemed to be reiterated to calm concerns created by the tandem of the new iOS privacy labels and the announcement of the privacy policy update together in the past week. What is new to this FAQ is the statement that WhatsApp will only be sharing user data related to business messaging with Facebook.

WhatsApp says that this data sharing will only apply to businesses on the app that are using hosting services provided by Facebook, and that it will provide users with a notification of this prior to messaging the business. Users that engage in WhatsApp conversations with these businesses may have the contents of their chats, including uploaded files such as purchase receipts, shared with Facebook for use in its personalized advertising services.

This new aspect of the privacy policy update applies to businesses using the WhatsApp Business API hosted by Facebook, which is a customer service system used to handle questions about products and matters such as product returns. WhatsApp Business API is not heavily used at present, with only about 1,000 businesses worldwide signed up for it at the end of 2019. These messages are end-to-end encrypted as are all other messages sent through WhatsApp, but Facebook (and possibly its other subsidiaries such as Instagram) will be able to access the contents.

This sharing of data ultimately seems to be aimed at feeding the personalized advertising ecosystem already present on Instagram and Facebook. Businesses that purchase personalized ads do not get access to any of the personal information or identities of users, but instead place bids on certain demographics that they would like the ads delivered to.

Poor communications and PR of privacy policy update

Assuming that WhatsApp holds to the clarifications it has just made, it would seem the privacy policy update was a case of very poor communications and PR. The vague wording made many believe that personal data was going to be shared freely with Facebook, prompting a mass exodus of users to Signal and Telegram (both of which have onboarded millions of new users since the announcement was made). It would appear that nothing will change for WhatsApp users in terms of data sharing after February 8, save communications they have with businesses that are marked as using Facebook’s business API service for the app. However, the new iOS privacy labels reveal that WhatsApp has been collecting a wider range of data than users may have been expecting given that the company’s branding has always been about privacy first and foremost.

Though this information has been available via WhatsApp’s website long prior to the new privacy policy update, the iOS privacy label provides an at-a-glance summary of what the app collects that may have surprised some users. WhatsApp presently collects user phone numbers, data about transactions with businesses using the WhatsApp Business API, IP addresses, mobile device identifiers and diagnostic information among other items. This information could be shared with Facebook via business partners going forward.

Facebook Messenger and WhatsApp dominate the instant messaging market in the Western world, but the mishandling of this privacy policy update may have opened up the playing field for competitors that are better able to trade on their privacy track record. Both Signal and Telegram are independent companies; Signal was formed by the team that developed messaging encryption for Facebook (before an acrimonious split), while Telegram is primarily funded by a Russian social media billionaire who is thus far keeping it detached from any other services. Both services have stated that they plan to rely on donations as a funding model going forward, and Signal is additionally registered as a non-profit organization making it eligible for grant money.