WhatsApp Will Disable Your Account If You Don’t Agree Sharing Data With Facebook

“Respect for your privacy is coded into our DNA,” opens
WhatsApp’s privacy policy^[1]. “Since we started
WhatsApp, we’ve aspired to build our Services with a set of strong
privacy principles in mind.”

But come February 8, 2021, this opening statement will no longer
find a place in the policy.

The Facebook-owned messaging service is alerting users in India
of an update to its terms of service^[2]
and privacy policy^[3]
that’s expected to go into effect next month.

The “key updates” concern how it processes user data, “how
businesses can use Facebook hosted services to store and manage
their WhatsApp chats,” and “how we partner with Facebook to offer
integrations across the Facebook Company Products.”

The mandatory changes allow WhatsApp to share^[4]
more user data with other Facebook companies, including account
registration information, phone numbers, transaction data,
service-related information, interactions on the platform, mobile
device information, IP address, and other data collected based on
users’ consent.

Unsurprisingly, this data sharing policy with Facebook and its
other services doesn’t apply to EU states^[5]
that are part of the European Economic Area (EEA), which are
governed by the GDPR data protection regulations.

The updates to WhatsApp terms and privacy policy come on the
heels of Facebook’s “privacy-focused vision^[6]” to integrate WhatsApp,
Instagram, and Messenger together and provide a more coherent
experience to users across its services.

Users failing to agree to the revised terms by the cut-off date
will have their accounts rendered inaccessible, the company said in
the notification. This effectively means that, while the profiles
will remain inactive, WhatsApp will eventually end up deleting the accounts after 120 days of
inactivity^[7] (i.e. not connected to
the app) as part of its efforts to “maintain security, limit data
retention, and protect the privacy of our users.”

WhatsApp’s Terms of Service was last updated on January 28,
2020, while its current Privacy Policy was enforced on July 20,
2020.

Facebook Company Products refers^[8]
to the social media giant’s family of services^[9], including its flagship
Facebook app, Messenger, Instagram, Boomerang, Threads,
Portal-branded devices, Oculus VR headsets (when using a Facebook
account), Facebook Shops, Spark AR Studio, Audience Network, and
NPE Team^[10] apps.

It, however, doesn’t include Workplace, Free Basics, Messenger
Kids, and Oculus Products that are tied to Oculus accounts.

What’s Changed in its Privacy Policy?

In its updated policy, the company expands on the “Information
You Provide” section with specifics about payment account and
transaction information collected during purchases made via the app
and has replaced the “Affiliated Companies” section with a new “How
We Work With Other Facebook Companies” that goes into detail about
how it uses and shares the information gathered from WhatsApp with
other Facebook products or third-parties.

This encompasses promoting safety, security, and integrity,
providing Portal and Facebook Pay integrations, and last but not
least, “improving their services and your experiences using them,
such as making suggestions for you (for example, of friends or
group connections, or of interesting content), personalizing
features and content, helping you complete purchases and
transactions, and showing relevant offers and ads across the
Facebook Company Products.”

One section that’s received a major rewrite is “Automatically
Collected Information,” which covers “Usage and log Information,”
“Device And Connection Information,” and “Location
Information.”

WhatsApp’s revised policy also spells out the kind of
information it gathers from users’ devices: hardware model,
operating system information, battery level, signal strength, app
version, browser information, mobile network, connection
information (including phone number, mobile operator or ISP),
language and time zone, IP address, device operations information,
and identifiers (including identifiers unique to Facebook Company
Products associated with the same device or account).

“Even if you do not use our location-related features, we use IP
addresses and other information like phone number area codes to
estimate your general location (e.g., city and country),” WhatsApp
updated policy reads.

Concerns About Metadata Collection

While WhatsApp is end-to-end encrypted, its privacy policy
offers an insight into the scale and wealth of metadata that’s
amassed in the name of improving and supporting the service. Even
worse, all of this data is linked to a user’s identity.

Apple’s response to this unchecked metadata collection is
privacy labels^[11], now live for first-
and third-party apps distributed via the App Store, that aim to
help users better understand an app’s privacy practices and “learn
about some of the data types an app may collect, and whether that
data is linked to them or used to track them.”

The rollout forced WhatsApp to issue a statement^[12] last month. “We must
collect some information to provide a reliable global
communications service,” it said, adding “we minimize the
categories of data that we collect” and “we take measures to
restrict access to that information.”

In stark contrast, Signal collects no metadata, whereas Apple’s
iMessage^[13] makes use of only email
address (or phone number), search history, and a device ID to
attribute a user uniquely.

There’s no denying that privacy policies and terms of service
agreements are often long, boring, and mired in obtuse legalese as
if deliberately designed with an intention to confuse users. But
updates like this are the reason it’s essential to read them
instead of blindly consenting without really knowing what you are
signing up for. After all, it is your data.