WhatsApp is currently notifying its users of a new privacy policy. Personal data is also collected for direct marketing, among other things. Anyone who wants to make use of their right to object therefore embarks on an odyssey of many individual steps and deterrent formulations.
Meta and the issue of privacy share a long, conflicted history. Via Facebook, WhatsApp and Instagram, the parent company has access to a large amount of user data, the handling of which actually has to be GDPR-compliant. Actually. Because there were always deficiencies here, WhatsApp recently had to revise its data protection guidelines. This happened on July 17th and since then, users have been gradually informed about it. Anyone who does not want to agree to WhatsApp’s new guidelines can now appeal. But that turns out to be more complicated than expected. TECHBOOK reveals what needs to be considered when applying for an objection – and why it is still worthwhile.
WhatsApp versus GDPR
The General Data Protection Regulation (GDPR) is part of EU law and regulates, among other things, how companies handle the personal data of their users. TECHBOOK has already classified the latest adjustment of WhatsApp’s data protection guidelines in conversation with the media law expert Christian Solmecke. Solmecke has expressed concerns about the current guideline, as it requires users to actively object (opt-out instead of active permission (opt-in) to data processing.
Specifically, with the new guidelines, WhatsApp wants to obtain users’ permission to use their data within the framework of a “legitimate interest”. This results in two pitfalls: Users give their permission passively by doing nothing. This seems convenient at first, but the result is that many users are not aware of the rights they are giving WhatsApp. The other problem lies in the vague formulation of “legitimate interests”. In his help area WhatsApp specifies the purposes of using the personal data as follows:
- Business intelligence and analytics.
- Storing and sharing information with others, including law enforcement, and to respond to legal requests.
- Retaining and sharing information when we seek legal advice or need to protect ourselves in the context of legal proceedings or other disputes.
- To promote safety and integrity outside of the performance of our contract with you.
- To improve WhatsApp Customer Support.
- To improve the WhatsApp service by developing new features or updating existing features.
That doesn’t sound too unusual at first. But the actually interesting part is somewhat hidden in a paragraph below this listicle: “You also have the option at any time to object to the processing of your personal data for the purpose of direct marketing – regardless of the legal basis on which the processing is based .” If you do not object to this aspect, Meta collects your data in order to be able to place personalized advertising.
Opt-out method for data processing not legal
In relation to TECHBOOK, Solmecke refers to a ruling by the European Court of Justice (ECJ) of July 4, 2023 that “the personalization of advertising is not considered a legitimate interest [für] the data processing”. (Ref. C‑252/21). “Instead, Meta will have to obtain voluntary and active consent from its users,” says the media law expert. It is therefore probably only a matter of time before WhatsApp has to adapt its current data protection guidelines again to the GDPR. Until then, users can object to the policy.
The long road to contradiction
To opt out of WhatsApp’s privacy policy, one must either click the notification banner or the FAQ website call from whatsapp. From here you can get to one Form – after allowing or disabling the mandatory cookies. Here you can now choose from various options, including: “How can I delete my information?” or “How can I object to the processing of my information?”
If you click on the latter, a tab opens in which the various areas of data processing are listed again. And here, too, the problematic aspect – the data processing for personalized advertising – is hidden and separated from the other lists.
Before you finally click on “I would like to object”, WhatsApp tries to redirect you to the original FAQ page again. Here you can find out more about the individual steps to object. WhatsApp also announces at this point that you should state exactly which data processing you object to. According to its own statements, WhatsApp can always reject the objection if it does not relate to direct marketing, but to one of the other aspects mentioned.
In addition, according to the guidelines, you should justify your objection and explain “how the processing affects you (which rights and freedoms you think are affected by the processing and why).” WhatsApp has therefore made great efforts to explain the instructions to make it as complex and daunting as possible. Anyone who objects to data processing for direct advertising must do so Art. 21 Para. 2 GDPR not justify at all.
Don’t be put off
If you finally click on “I would like to object”, you have to enter an e-mail address and the cell phone number of the WhatsApp account in a form. You will then receive an e-mail with the same request as on the website: you should state which data processing you would like to object to and justify the objection. Theoretically, it should be possible to object to data processing for direct marketing without justification. If you want to be on the safe side with the wording, you can sample letter the consumer protection agency.
Once the email has been sent, you have to wait. In the next step, WhatsApp checks the objection that has been filed, but reserves the right to refrain from checking if the user has not provided “sufficient information”. Don’t be put off by this wording either. If the objection to data processing for direct marketing is upheld, WhatsApp will stop data processing.
TECHBOOK means
“While it doesn’t surprise me that Meta and GDPR aren’t best friends, WhatsApp’s latest prank is just plain cheeky. Not only do experts fundamentally doubt the GDPR compliance of the new directive – no, even the path to objection is made unnecessarily difficult for users. What is actually a statutory right degenerates into a fig leaf of data protection in this directive, which can only adequately hide the data collection frenzy of WhatsApp and parent company Meta. All users who are less stubborn, dogged or simply conscientious about the protection of their data will throw their smartphones in the corner after the second forwarding link at the latest. Maybe personalized direct mail isn’t so bad after all…? But even those who stoically work their way through WhatsApp’s extra deterrent instructions can suddenly face unexpected hurdles. This is how I – a user with a German cell phone number – received the e-mail from WhatsApp in French. Not a big problem thanks to DeepL, but what is that supposed to mean? Do you really have to subject your users to such an odyssey so that they get at least a touch of data protection?” – Natalie Wetzel, editor