WhatsApp has been warned by European regulators it has one more month to fix its confusing terms of service, the Commission said today.
"In particular, WhatsApp is asked to show how it plans to communicate any future updates to its terms of service, and to do so in a way that makes it easy for consumers to understand the implications of those updates and to freely decide whether they wish to continue using WhatsApp after those updates," the Commission wrote in a statement in French [translated with machine translation]. "The company is also asked to clarify whether it derives revenue from commercial policies related to user data," it added.
The EU's executive said WhatsApp responded to its earlier complaint letter by claiming it was providing users with "the necessary information" regarding the ToS updates, including through in-app notifications and its support center.
But the Commission's assessment is that WhatsApp's comms is still not compliant -- criticizing how the information is provided ("in an insistent manner") and also still assessing it as "insufficient and confusing for users."
"WhatsApp must ensure that users understand what they are agreeing to and how their personal data is being used for commercial purposes, in particular to offer services to business partners," added justice commissioner, Didier Reynders, in a statement. "I reiterate that I expect WhatsApp to fully comply with EU rules that protect consumers and their fundamental rights."
The Commission said WhatsApp has one month to demonstrate to consumer protection authorities across the bloc that its practices comply with EU consumer law.
It's not immediately clear what might happen if that deadline elapses without WhatsApp making the required changes but enforcement of consumer protection law is devolved to national agencies -- and the Commission is essentially taking on a co-ordinating role here because it's a cross border complaint. So the likely upshot of ongoing non-compliance is that WhatsApp risks receiving a series of enforcements at Member State level.
Historically, the level of penalties available to national agencies to levy for consumer protection breaches has varied and can be low.
However, in 2019, EU lawmakers backed a modernization of consumer protection rules to bring in more dissuasive penalties -- especially for issues which cut across borders and affect many EU consumers, agreeing back then that for widespread infringements (as this issue would surely be judged, given how extensively WhatsApp is used in Europe) national authorities should be able to issue fines of at least up to 4% of global annual turnover.
EU Member States were required to apply these new rules from May 28, 2022 -- so, since WhatsApp is still being warned over consumer protection non-compliance in June 2022, the issue should fall under the beefed up regime, putting the company on the hook for what could be a meaty fine if it doesn't clean up its act in time.
We reached out to WhatsApp for comment on the Commission's latest warning -- and it sent this statement, attributed to a spokesperson:
Our 2021 update did not change our commitment to user privacy or the way we operate our service, including how we process, use or share data with anyone, including Meta. We welcome the European Commission's acknowledgement that we have provided users with the necessary information about our updates, including through in-app notifications and our help center. We are reviewing the letter from the CPC and will respond in due course.
Data protection regulators have raised a number of similar concerns about WhatsApp's operations -- although the laws involved are distinct vs. consumer protection rules; and Ireland's data protection regulator has long been accused of failing to vigorously enforce them against tech giants like WhatsApp's parent, Meta.
Last summer, following an intervention by other concerned EU data protection agencies, the European Data Protection Board ordered the DPC to swiftly investigate WhatsApp-Facebook data sharing -- although it's not clear how/whether it acted on that specific order.
Additionally, a very long running complaint against WhatsApp in the EU (dating back to May 2018) -- which is focused on the crux issue of what is its legal basis for processing user data for ad targeting purposes -- has yet to be decided, although we understand the DPC previously sent a draft decision to other EU DPAs for review (and the chance to object) so, at the time of writing, that standard GDPR Article 60 process of seeking consensus remains ongoing.
A final decision on that four-year-old+ complaint could thus finally emerge later this year -- with the possibility of another big penalty headed WhatsApp's way. Or even an order to cease processing user data for ads which could have a far more damaging impact on Meta's adtech business.