WhatsApp given a month to fix consumer ToS concerns in Europe

Image Credits: Justin Sullivan / Getty Images

WhatsApp has been warned by European regulators it has one more month to fix its confusing terms of service, the Commission said today.

The Meta-owned messaging platform has been under investigation by the bloc following a series of consumer protection complaints lodged against it by the Consumer Protection Cooperation (CPC) Network, led by Sweden’s national authority, back in July 2021, following complaints by BEUC and a number of its member organizations, after WhatsApp had sought to enforce a controversial privacy policy update — leading to a major user backlash earlier that same year.

Concern over WhatsApp’s updated ToS — separately — led a number of EU data protection agencies to issue their own earlier warnings.

There is some overlap in these respective regulatory concerns but the consumer protection complaints accuse WhatsApp of unfairly pressuring users to accept changes to its T&Cs and privacy policy, as well as objecting to a lack of clarity in its communiques to users — which watchdogs dub insufficient and confusing.

The Commission said today it’s followed up a letter sent to WhatsApp about the consumer protection complaints back in January with a second letter urging the company to take action to address remaining concerns with its ToS and privacy policy updates; and to “clearly inform” consumers about its business model.

“In particular, WhatsApp is asked to show how it plans to communicate any future updates to its terms of service, and to do so in a way that makes it easy for consumers to understand the implications of those updates and to freely decide whether they wish to continue using WhatsApp after those updates,” the Commission wrote in a statement in French [translated with machine translation]. “The company is also asked to clarify whether it derives revenue from commercial policies related to user data,” it added.

The EU’s executive said WhatsApp responded to its earlier complaint letter by claiming it was providing users with “the necessary information” regarding the ToS updates, including through in-app notifications and its support center.

But the Commission’s assessment is that WhatsApp’s comms is still not compliant — criticizing how the information is provided (“in an insistent manner”) and also still assessing it as “insufficient and confusing for users.”

“WhatsApp must ensure that users understand what they are agreeing to and how their personal data is being used for commercial purposes, in particular to offer services to business partners,” added justice commissioner, Didier Reynders, in a statement. “I reiterate that I expect WhatsApp to fully comply with EU rules that protect consumers and their fundamental rights.”

The Commission said WhatsApp has one month to demonstrate to consumer protection authorities across the bloc that its practices comply with EU consumer law.

It’s not immediately clear what might happen if that deadline elapses without WhatsApp making the required changes but enforcement of consumer protection law is devolved to national agencies — and the Commission is essentially taking on a co-ordinating role here because it’s a cross border complaint. So the likely upshot of ongoing non-compliance is that WhatsApp risks receiving a series of enforcements at Member State level.

Historically, the level of penalties available to national agencies to levy for consumer protection breaches has varied and can be low.

However, in 2019, EU lawmakers backed a modernization of consumer protection rules to bring in more dissuasive penalties — especially for issues which cut across borders and affect many EU consumers, agreeing back then that for widespread infringements (as this issue would surely be judged, given how extensively WhatsApp is used in Europe) national authorities should be able to issue fines of at least up to 4% of global annual turnover.

EU Member States were required to apply these new rules from May 28, 2022 — so, since WhatsApp is still being warned over consumer protection non-compliance in June 2022, the issue should fall under the beefed up regime, putting the company on the hook for what could be a meaty fine if it doesn’t clean up its act in time.

We reached out to WhatsApp for comment on the Commission’s latest warning — and it sent this statement, attributed to a spokesperson:

Our 2021 update did not change our commitment to user privacy or the way we operate our service, including how we process, use or share data with anyone, including Meta. We welcome the European Commission’s acknowledgement that we have provided users with the necessary information about our updates, including through in-app notifications and our help center. We are reviewing the letter from the CPC and will respond in due course.

The company also pointed to a reorganization of its regional Privacy Policy it undertook earlier this year, following a major EU data protection sanction — when it also said it had added extra detail for people in the European region at the direction of its lead EU data protection regulator, the Irish Data Protection Commission (DPC).

Data protection regulators have raised a number of similar concerns about WhatsApp’s operations — although the laws involved are distinct vs. consumer protection rules; and Ireland’s data protection regulator has long been accused of failing to vigorously enforce them against tech giants like WhatsApp’s parent, Meta.

Last summer, following an intervention by other concerned EU data protection agencies, the European Data Protection Board ordered the DPC to swiftly investigate WhatsApp-Facebook data sharing — although it’s not clear how/whether it acted on that specific order.

Last fall, the DPC did issue a $267 million fine against WhatsApp — for violations of the transparency principles of the EU’s General Data Protection Regulation (GDPR) — although that investigation dated back to December 2018, which long pre-dates the controversial privacy policy update that both consumer protection authorities and (other) EU data protection agencies have raised concerns about, even as Ireland has seemed content to accept Meta’s line that there’s been no meaningful change to its policies.

Additionally, a very long running complaint against WhatsApp in the EU (dating back to May 2018) — which is focused on the crux issue of what is its legal basis for processing user data for ad targeting purposes — has yet to be decided, although we understand the DPC previously sent a draft decision to other EU DPAs for review (and the chance to object) so, at the time of writing, that standard GDPR Article 60 process of seeking consensus remains ongoing.

A final decision on that four-year-old+ complaint could thus finally emerge later this year — with the possibility of another big penalty headed WhatsApp’s way. Or even an order to cease processing user data for ads which could have a far more damaging impact on Meta’s adtech business.

WhatsApp faces $267M fine for breaching Europe’s GDPR

Meta consolidates its privacy policy to appease regulators

Latest Stories