A combination of general negative public sentiment and a legal challenge in the Indian court system has prompted popular messaging app WhatsApp to delay the rollout of its new privacy and data sharing terms. An early January privacy policy update revealed that the app was planning to increase its sharing of user data with parent company Facebook, and that users who did not opt in by February 8 would lose their accounts.
While the plan remains on track, WhatsApp has pushed the rollout date back to May 15. The company announced in a blog post that this was done to give users more time to review the privacy policy update terms.
WhatsApp privacy policy update prompts pushback, mass migration to other apps
WhatsApp users were surprised with a privacy policy update in early January that asked them to opt in to new terms by February 8. Those new terms specified that the app would be sharing more data with Facebook’s advertising network; users that were uncomfortable with the development were essentially told they would have to hit the road as of the deadline.
While the data being shared with Facebook’s targeted advertising system is limited to messages exchanged with merchants that use Facebook’s WhatsApp Business API to manage their customer service portals, the privacy policy announcement was a case study in poor communication with the public and the cumulative effects of breaking promises to users. Already stung by a previous reversal of privacy and data sharing terms in 2016, many WhatsApp users simply heard “more data is being shared with Facebook” and assumed the worst. Millions of users jumped ship for the more privacy-focused Signal and Telegram apps, in part boosted by Twitter endorsements from Elon Musk and Jack Dorsey.
WhatsApp went into full damage control mode, reassuring users that personal messages would continue to be private and encrypted and that Facebook would not be scanning them. The blog post included the following statement: “We’ve heard from so many people how much confusion there is around our recent update. There’s been a lot of misinformation causing concern and we want to help everyone understand our principles and the facts. WhatsApp was built on a simple idea: what you share with your friends and family stays between you. This means we will always protect your personal conversations with end-to-end encryption, so that neither WhatsApp nor Facebook can see these private messages. It’s why we don’t keep logs of who everyone’s messaging or calling. We also can’t see your shared location and we don’t share your contacts with Facebook. With these updates, none of that is changing. Instead, the update includes new options people will have to message a business on WhatsApp, and provides further transparency about how we collect and use data. While not everyone shops with a business on WhatsApp today, we think that more people will choose to do so in the future and it’s important people are aware of these services. This update does not expand our ability to share data with Facebook.”
Facebook will, however, make use of the messages (including any attachment files such as receipt scans or pictures) sent to the businesses on WhatsApp that use its API (estimated to be somewhere north of a thousand worldwide). Users would be notified before messaging one of these businesses. While that is not a major privacy concern on its own, WhatsApp buried the details behind several click-throughs to other pages in its initial announcement.
One factor in the three month delay of the privacy policy update appears to be creating more time to craft a better PR strategy. WhatsApp is also dealing with the fallout of Apple’s new iOS “privacy labels,” which reveal that the app (which built its original reputation on strong user privacy before being acquired by Facebook) may be collecting more personal information than users realize. In the background, Facebook is also contending with a legal challenge headed by the Federal Trade Commission (and supported by the vast majority of the individual state attorneys general) that is threatening to unwind all of its mergers dating back to 2010; WhatsApp might once again become an independent operation should this come to pass, and would likely be restricted in coordinating sharing of personal data with Facebook.
First legal challenge arises in India
While WhatsApp may be able to woo back some of the users it lost with three months of better messaging, not all of its problems related to the privacy policy update are a matter of PR. The company now faces a legal challenge filed in India, its largest individual market, which claims that it breaks the country’s laws regarding surveillance of app users and that it threatens national security.
The national security component of the legal challenge centers on the fact that WhatsApp handles and stores data using Facebook’s data centers and IBM Cloud storage located in California and Washington DC. The legal challenge, which is currently being considered by the Delhi High Court, gained some high-profile support from major figures in business such as Paytm founder Vijay Shekhar Sharma. Sharma tweeted that WhatsApp was enjoying the benefit of a double standard, as users in Europe would not be subject to the terms of the new privacy policy update due to conflict with the General Data Protection Regulation (GDPR).
The legal challenge was filed by the Confederation of All India Traders (CAIT), which represents about 40,000 trade associations located throughout the country. The agency regularly advocates at the highest levels of the Indian government, and made news in 2020 by calling for a boycott of Chinese products in response to the ongoing border tensions between the two countries.
Legal challenges may also be brewing in Turkey, where the app has an 88% penetration level among mobile internet users aged 16-64. The country’s Competition Board has launched an investigation into the app based on the terms of the privacy policy update.