WhatsApp Privacy Part III - Uncluttering the Misinformation

WhatsApp Privacy Policy Update Part III - Uncluttering the misinformation and an Unbiased View in what has changed

26 Jan, 2021

WhatsApp updated its terms of use and privacy policy, basically to notify its users that they have until February 8 to read and agree to the new terms. Failure to do so would lead to WhatsApp deleting the user’s account.

This move seems to have been misunderstood and even overhyped by commentators with limited expertise. Others with an axe to grind against WhatsApp / Facebook because of mistrust have shared somewhat biased views in view of alternative messaging apps citing them to be less intrusive.

In this article, we hope to give a balanced view from a layman’s perspective of what is happening and explain the specific context on how users will benefit besides sharing the privacy pitfalls to be wary of. Users can then decide the next steps.

In Part II we looked at what has NOT changed. Let’s look at what has changed.

What HAS Changed

As mentioned earlier, what has changed is how merchants using WhatsApp Business to chat with customers can share that data with Facebook. Spurred in no small part by the coronavirus pandemic, Facebook is bringing together all of the tools it has been building for companies to better leverage Facebook and its other companies, (Instagram and WhatsApp) both to advertise themselves, as well as, communicate with and sell to customers.

WhatsApp is offering businesses, especially SMEs, the option to use Facebook's new hosting services that allow them to manage their WhatsApp business account messages easily for their own in-house or customer communications. What this means is that it will be easier for small and medium-sized businesses to have their business pages or groups on Facebook to easily redirect their clients to their WhatsApp business account, and to keep their inventory updated while quickly responding to their clients’ messages. This includes marketing and promoting their services and conducting online transactions where there will be processing of personal information. 

This inter-company sharing of personal data opened up a can of worms where many have speculated about privacy issues arising from sharing such personal information - and no thanks to the mistrust of Facebook and their poor privacy record. In truth, from a functional perspective, this sharing of personal information with other third parties is no different from what is being done on Google or any shopping portals such as Amazon, Lazada, or Shopee.

Understand how WhatsApp is intended to be used in the actual business context instead of speculating

Let’s take a look at the specific context where WhatsApp collects and shares personal data in the business context of the WhatsApp Business app in terms of :

  • Enabling customer service
  • Interacting or discovering a business online
  • Shopping experiences including enabling transactions


Here is a random search of an example of a business promoting its products and services on Facebook:

It is not difficult to imagine that the “Message” button, which is currently using Messenger from Facebook, could have an additional option to WhatsApp the business. This could be useful for many people who don’t have Messenger as their main means of communications and therefore can now WhatsApp to a specific business separately for customer service.


Let’s take a look at another random example of a company that sells its products on Facebook. 

In this example, the same “Message” button is used to enable an e-commerce transaction. Using Facebook’s new hosting services, businesses or business service providers can use the WhatsApp Business API (application program interface) to conduct their e-commerce services. This means that users can easily transact with businesses via the WhatsApp engine.

This is where personal data could be shared with businesses in order to help fulfil the transaction. WhatsApp states that in this context, personal data can be used in targeted advertisements and recommendations. Yet, many people freaked out and self-proclaimed privacy experts suddenly gave their own views on why this is wrong and the many privacy issues arising from this.

For anyone who has done online shopping or bought products, how many times have you responded to recommendations associated with the product you have purchased? Do you recall seeing customised advertisements related to a purchase you made, a website you visited or a product you browsed? These custom messages would not have been possible if your data was not shared with third parties in the first place and your online behaviour being tracked with sophisticated analytics involved.

So, are the privacy concerns valid? Yes. But it's not just Facebook and its group of companies. Every online business and mobile developer are actually doing it with the good intentions of enhancing your customer online experience while monetizing your personal data! It just so happens that Facebook happens to be one of the biggest culprits.


Be Wary of Not Just Facebook but any company you are dealing with online

The fact is that online business entities whom you are communicating or transacting with via WhatsApp (or any mobile app for that matter) can also abuse your personal data. So WhatsApp users, who choose to use WhatsApp in the above business context should also read the privacy policies of the organisations they choose to do business with and do their due diligence.

As businesses can now have access to such personal information, the onus is now on them (and not only Facebook or WhatsApp as they have their own privacy policies) to safeguard the personal data in their possession and put in proper transparent practices to ensure the data is used responsibly and according to their declared purposes.

This is where local data protection laws and the EU General Data Protection Regulation (GDPR) keep such companies in check by ensuring they follow specific rules when collecting, using, disclosing or storing personal data.

As part of our analysis of data protection trends in 2021, we expect to see more privacy breaches along with the usual data breaches. While WhatsApp is secure, there will inevitably be user ignorance where they attach unsecured documents containing personal data in chat groups or sharing such information with the wrong recipient.

The point here is that when it comes to these businesses operating online, the issue is not just only about WhatsApp or Facebook’s privacy practices, but also their own privacy policies as well. And sadly, in Singapore many SMEs are currently not PDPA compliant and therefore, are susceptible to data/privacy breaches. There are now stricter PDPA requirements where businesses must inform the Personal Data Protection Commission (PDPC) within three days if there is a data breach.

So do you move or not move from WhatsApp?

The previous scenarios gave you an objective view of what could happen if you continue to choose WhatsApp after their updated privacy policy kicks in.

Userbase is probably one of the key factors to consider when moving to another platform where there is currently no alternative to WhatsApp.

While the younger generation (who also don’t use Facebook) might migrate to another platform, they may not necessarily delete their WhatsApp account. There is a strong possibility that they would keep it only to maintain communication with their family members.

Again, it is important to point out that many users moved to another platform as a knee jerk reaction to the initial announcements and the lack of information. WhatsApp has already clarified many of the initial privacy concerns and we hope that our examples have better clarified the misunderstanding and misinformation.

Ask the following questions If you are still undecided on whether to move to other platforms:

a) Audience

  • Who are your audience? Friends, family, colleagues, customers, etc.

b) Purpose

  • What is your purpose for using a messaging platform? Connect with friends and family. For work related communications. For customer queries, etc.

c) Features

  • What are the features on each of the platforms that allow me to reach out to my audience type for the purposes I want to?

d) Control

  • How much control do I have as an admin in groups?
  • How much control do I have as a user in groups?
  • How much control do I have as a user?

e) Risks

  • What are the risks when using each of these platforms?
    E.g., if you have a group of 200,000 vs 200, sending something wrongly or something sensitive can have a bigger impact in a bigger group.

f) Other important questions

  • How are each of the platforms financing the free app?
  • How long can they finance the free app?
  • What happens if they sell the platform? To my metadata, etc.
  • Who has an interest in using the app?
  • Who has an interest in hacking the app?

These are but some of the factors to consider in the WhatsApp controversy debate and the follow-up actions.

In case you missed Part I where the controversy was outlined, do click here.

Please click here for Part II outlining What HAS NOT changed.

Article by Kevin Shepherdson - Fellow of Information Privacy, CIPM, CIPP/A, CIPP/E, CIPT, Exin (GDPR, Infosec), GRCP

Based on webinar panel discussion with:

Celine Chew - Fellow of Information Privacy, CIPM, CIPP/A, CIPT, Exin (GDPR, Infosec), GRCP

Dr Prapanpong Khumon - Associate Dean at School of Law, University of the Thai Chamber of Commerce, Thailand. Advisor to Secretary-General of the Personal Data Protection Commission in Thailand.

Lyn Boxall - Fellow of Information Privacy, CIPP/E, CIPP/A, CIPM

Andrew Fam - CIPT, Chief Technology Officer (CTO)

PS (as of 18 January 2021): Due to widespread criticism, WhatsApp has announced that the change in privacy policy will be delayed to 15 May 2021.  Do visit the forum and share your comments or ask any other questions you may have! 

Become a DPEX Community member to access
data protection resouces and discussions on pertinent topics now.

Access online / in-person courses and view past training records

Join lively discussions on pertinent data protection topics

Gain access to data protection research and video resources

Receive value-added data protection updates from the region

  Related Articles
Heightened Demand for Data Protection expertise

Well, this was going to happen at some point in time in the world - with the ex…

Compliance Trends you better leave behind in 2019

Now that we are starting a new year, we can reflect on a few compliance trends …

7 impending Data Protection Trends in the region …

The initial years of computerisation and digitisation has enabled businesses to…