It's taken rather longer than a month for Meta-owned WhatsApp to commit to addressing complaints swirling around how it imposes terms of service on users, but the European Commission has just announced that the messaging platform has agreed to improve how it communicates to users and presents future ToS updates.
Early in 2021, WhatsApp triggered a major user backlash after it pushed out an aggressive and confusingly worded update to its ToS that required users to accept the update in order to continue using the platform, without making it clear what exactly was changing. The episode caused widespread confusion and drove some users to ditch the platform altogether -- with rivals like Signal and Telegram reporting a surge in adoption.
In July 2021 the European consumer protection association umbrella group, the BEUC, along with eight of its member organizations, lodged a complaint about WhatsApp's confusing ToS with the EU's executive, the Commission, and with the European network of consumer authorities. This led on to warnings from the bloc to WhatsApp that it needed to fix a variety of issues -- including a letter last summer when the Commission gave the end-to-end encrypted (E2EE) messaging platform a month to straighten out its messaging to users.
At the same time, the Commission asked WhatsApp to confirm whether or not it derives any revenue from commercial policies related to user data.
While message content on WhatsApp is E2EE, user metadata is not protected so it has remained unclear how Meta might use this information, given an earlier decision the tech giant took -- in August 2016 -- abandoning a privacy pledge by the WhatsApp founders by saying it would link their accounts to others on public social services it operates, such as Facebook, potentially giving the adtech giant the ability to enhance its profiling of WhatsApp users by cross-linking their digital activity with other social services it owns.
Today, the Commission said WhatsApp has confirmed that users' personal data is not shared with third parties or other Meta companies -- including Facebook -- for advertising purposes. It is unclear, though, whether the EU is simply taking Meta at its word on this -- and whether or not it intends to audit the claim. We've asked if it will be taking any follow-on steps and will update this report with any response.
Update: The Commission has confirmed it will not be auditing WhatsApp's claims -- a spokeswoman told us it is for competent data protection authorities to assess whether the platform's processing of user data is in line with EU law:
“According to EU consumer law, consumers have to be well informed upfront on how a company might use their personal data, and in particular whether users’ data is shared with other companies for commercial purposes, such as targeted advertising.
“WhatsApp confirmed that it does not share users’ personal data with third-parties and other Meta companies, including Facebook. It would be for the competent data protection authorities to assess whether WhatsApp’s processing of personal data is in line with data protection legislation.”
The question of whether WhatsApp uses user data for marketing was an issue that Ireland's Data Protection Commission declined to look into, after it announced its final decision this January on a separate, multi-year data protection-related investigation of the platform, despite the European Data Protection Board instructing it to do so. So this aspect of WhatsApp's operation remains under-scrutinized by regulators.
"In June 2022, the CPC Network sent a second letter to WhatsApp reiterating their request that consumers must be clearly informed about WhatsApp's business model and, in particular, whether WhatsApp derives revenues from commercial policies relating to users' personal data. Following discussions among the CPC Network, the Commission and WhatsApp, the company confirmed that it does not share users' personal data for advertising purposes," the Commission said in its press release today.
"Following a dialogue with EU consumer protection authorities and the European Commission (CPC network), WhatsApp committed to being more transparent on changes to its terms of service. Moreover, the company will make it easier for users to reject updates when they disagree with them, and will clearly explain when such rejection leads the user to no longer be able to use WhatsApp's services," the EU's executive added.
Commenting in a statement, the EU's justice commissioner, Didier Reynders, also said: “I welcome WhatsApp's commitments to changing its practices to comply with EU rules, actively informing users of any changes to their contract, and respecting their choices instead of asking them each time they open the app. Consumers have a right to understand what they agree to and what that choice entails concretely, so that they can decide whether they want to continue using the platform.”
In an overview of the commitments made by WhatsApp, the EU said that -- for any future policy updates -- the messaging platform will:
explain what changes it intends to make to the users' contracts and how they could affect their rights;
include the possibility to reject updated terms of service as prominently as the possibility to accept them;
ensure that the notifications informing about the updates can be dismissed or the review of the updates can be delayed, as well as respect users' choices and refrain from sending recurring notifications.
So the EU appears to have extracted a commitment from Meta not to resort to any more dark pattern designs to try to force WhatsApp users to swallow self-serving ToS updates -- such as the deceptive choices it pushed out, back in 2016, when it tried to force WhatsApp users to agree to share their mobile phone number and last seen status on the app with the parent company (what was then known as Facebook and is now called Meta) and with any other companies it owned.
Of course the devil will be in the detail of how Meta interprets these ToS commitments -- and how effectively the bloc's regulators (which could include the Commission itself) monitor its design choices and enforce against any breaches.
That said, Meta has more reason not to ignore rules in this area than previously.
First up, a 2019 modernization of EU consumer protection law, which began to apply last May, brought in more dissuasive penalties -- especially for widespread infringement issues which cut across borders and affect many EU consumers -- allowing national authorities to issue fines of at least up to 4% of global annual turnover for confirmed breaches.
Additionally, the EU's Digital Services Act (DSA) -- which is set to apply for a subset of larger platforms (most likely including Meta) later this year -- foresees what the Commission describes as "an obligation for services to have clear terms and conditions, explaining to the user in comprehensible language when their content or their account can be affected by certain restrictions, and an obligation to apply such restrictions in a diligent, objective and proportionate manner".
Penalties for infringements of the DSA can be as high as 6% of global annual turnover -- and, for larger platforms, aka VLOPs, the Commission itself will take on a centralized oversight and enforcement role. So the days of multi-year 'dialogues' that let tech giants kick the can down the road for ages before -- eventually -- offering up some incremental correction or tidbit of information should be on the way out in the EU.
We contacted WhatsApp about today's announcement but a spokesperson told us it is not commenting.
We understand BEUC will be publishing a response later today.
Update: BEUC has described the outcome of the long-running investigation into its complaints as "weak" and a disappointment for consumers.
In a statement, its Director General, Ursula Pachl, said:
“Our complaint into the company has now been closed after more than one and a half years but the outcome is disappointing. More transparency and easy options to reject policy changes in the future are simply not enough. This will not offer a remedy to the millions of WhatsApp users who were forced to accept the changes due to the aggressive behaviour of the company back in 2021. Unfortunately, with this weak reaction, consumer authorities are sending a very worrying signal accepting that a tech giant like WhatsApp can breach consumer rights and then get away with just a promise to do better in the future. This illustrates the lack of deterrence from the current way to enforce consumer law and the need for an urgent reform to ensure more effective enforcement particularly in cases of EU-wide infringements.”