Here's What You Need to Know About WhatsApp's New Privacy Policy

Abey Koshy Itty
Published on
10 Jan 2021

WhatsApp’s older privacy policy used to start with the following sentence: “Respect for your privacy is coded into our DNA. Since we started WhatsApp, we’ve aspired to build our Services with a set of strong privacy principles in mind.”

For the record, these two sentences have vanished from the new privacy policy.

Ever since Facebook’s multi-billion dollar acquisition of WhatsApp back in 2014, the company has been gradually changing the way it accesses user data.

The new privacy policy update is delivered through an in-app notification, as you can see in the attached screenshot.

[Image: WhatsApp terms]

It covers three key updates: how WhatsApp processes your data, how businesses can use Facebook-hosted services to store and manage their WhatsApp chats, and how WhatsApp partners with Facebook to offer integrations across Facebook Company Products.

Now, let’s take a closer look at what has changed in the new privacy policy WhatsApp is rolling out.

Earlier, when there were privacy policy updates, users had the option to opt out if they didn’t want their data to be owned by Facebook, WhatsApp’s parent company. This option has been removed from the updated policy.

This means that starting February 8th, 2021, there is only going to be one option: if you want to continue using WhatsApp, you’ll have to consent to WhatsApp collecting your data and sharing it with Facebook.

For users in the European region, WhatsApp won’t share data with Facebook for ad-targeting purposes, thanks to stricter data protection law such as GDPR. Other users are left with no choice.

Apart from changes in how the app handles data, there are new sections including Transactions, Payment Data and Location Information. There’s also specific information on business interactions taking place on the app.

So, according to the changes in the new privacy policy, what user data will WhatsApp collect?

In terms of hardware data, WhatsApp will collect information such as battery level, signal strength, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).

And in terms of location information, the updated terms clearly state that “Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country).”

With WhatsApp rolling out its payment feature in certain countries, the update also talks about payments and transactions.

It says, “If you use our payments services, or use our Services meant for purchases or other financial transactions, we process additional information about you, including payment account and transaction information. Payment account and transaction information include information needed to complete the transaction (for example, information about your payment method, shipping details and transaction amount). If you use our payments services available in your country or territory, our privacy practices are described in the applicable payments privacy policy.”

The increased data sharing will allow Facebook to improve the ad experience across its other platforms, as it does not intend to start showing ads on WhatsApp yet.

Another change introduced is the way in which businesses can handle the data when you message them.

Businesses have the option to give third-party service providers (including Facebook) access to their communications to send, store, read, manage or otherwise process them for the business. With almost 50 million registered business accounts, WhatsApp is likely to explore a possible monetisation model in the near future.

People often fail to recognize how powerful metadata is: the data about your data. Facebook’s whole data mining structure is based on collecting all the data about you (things like who you message, when, how often and much more) and tying it to your user ID. That’s an area of concern as WhatsApp gets integrated with other Facebook products.

WhatsApp remains end-to-end encrypted, which means that the content of your messages is safe, but the policy clearly states that “Facebook may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.” As long as metadata remains unencrypted, it continues to be a grey area and a valuable body of information that keeps being added to.

Apple recently rolled out a privacy feature in iOS 14 which helps users understand how apps collect their data and whether that data is linked to them or used to track them. Apple users were in for quite a surprise as the data collection practices of App Store applications were heavily exposed.

TechCrunch editor Mike Butcher recently shared a screenshot on Twitter that clearly showed the differences in how Facebook-owned Messenger and WhatsApp use user data compared to alternatives like Telegram and Signal.

[Image: app privacy comparisons]

According to Apple, “data linked to you” means that “the data is collected in a way that is linked to your identity, such as to your account, your device or your details—to declare that data is collected but not linked to you, a developer must use privacy protections such as stripping any direct identifiers.”

From the above screenshot, it is clear that in the case of WhatsApp every piece of data collected links back to your identity. And in the case of Facebook Messenger, we’d rather not go into detail about the data being collected, because that’s a topic for a whole other article.

How you feel about WhatsApp’s new privacy policy and changing data collection practices totally depends on your personal views on privacy.

When your data is being collected and processed by a company that used to claim security and privacy are in its DNA but instead continues to use that data for its own monetary gain, it’s time to rethink whether you want to be part of this.

There are indeed viable alternatives that respect user privacy and are transparent so that users know what they’re signing up for. Signal, Telegram, Keybase, Element and Status are all privacy-focused messaging applications that are worth considering switching to.
