What Businesses Can Learn From WhatsApp’s Privacy Policy Uproar

In the few short days since its unveiling, WhatsApp’s updated Privacy Policy has provoked widespread backlash, including a request from the Indian government to withdraw the changes entirely.

In the few short days since its unveiling, WhatsApp’s updated Privacy Policy has provoked widespread backlash, including a request from the Indian government to withdraw the changes entirely.

In short, the change describes how users’ data – including device type, general location, and language – would be shared with Facebook, which acquired WhatsApp back in 2014 and appears keen to use the platform for future data-driven e-commerce initiatives.

A handful of in-depth recaps explain the changes in greater detail, like this overview from Gizmodo. However, one of the most concerning impacts of this development is not so much a particular policy change but rather the trend it illustrates: for users in the United States and other countries lacking strong privacy regulation, their data protection is left to individual companies’ policies. Without federal laws to guarantee a legal baseline for users’ privacy protection, companies must intentionally enact a long-run commitment to informing users of how the processing of their data could evolve over time. Later in this piece, we’ll share a few recommendations on how this can be done.

Privacy Policy Pitfalls & User Loyalty

Unpacking the fallout from the updated WhatsApp policy and charting more effective privacy initiatives require a commitment to delivering relevant information to users in an accessible way.  Maintaining user loyalty is hard. It becomes significantly harder when the data relationship between user and platform is modified without transparent communication, and ultimately, respect for the end-user’s position. From WhatsApp’s case, there are plenty of lessons to be gleaned on how that relationship should be managed. In short:  unclear communication creates confusion, which rapidly snowballs when there is no legal framework that guarantees users’ privacy protections.  In the absence of such laws, millions of WhatsApp users around the world are understandably concerned.

These concerns undercut trust in a business like WhatsApp. And trust in businesses is a massive factor in consumers’ behavior: 89% of consumers express concerns about the protection of their personal information, and 75% of shoppers will prioritize brand trust over price when purchasing a product

Privacy policies, never having been considered light reading, have actually become over 25% longer and measurably more difficult to read since the enactment of GDPR, in a survey of some of the largest tech platforms. Considering that these opaque policies also apply to those not afforded GDPR protections, businesses must do better to inform users of their privacy protections.

3 Steps to Gain Trust Through Respectful Privacy Policies

Trust in a brand is cumulative and gradual. In the absence of a federal privacy law (though one might be not far off in the United States), businesses must prioritize user privacy as a long-term commitment. Updates to privacy policies are often healthy and necessary. Following these three recommendations can reduce the risk that you catch users by surprise and help you grow your customers’ trust.

  1. Provide an opt-out function. A privacy policy, governing not only future customers’ data but also that of long-standing customers, should accommodate existing users’ concerns when updated. Ideally, the policy will allow for an opt-out function that restricts the data-collection practices to those outlined in the earlier policy. Crucially – and unlike WhatsApp’s short-lived opt-out function, trialled briefly in 2016 – such an option should remain available to users at any point in using the product.

  2. Offer a fair way out. WhatsApp has become an indispensable communications tool for millions, so the recent ultimatum of either agreeing to the concerning new Privacy Policy or losing access to a central piece of technology left users feeling betrayed. If an opt-out function is not tenable, guide users through the process of deleting their accounts and transitioning any assets out of the product.

  3. Make privacy a daily decision. When a user receives notice of a Privacy Policy update, they do not take the information in isolation; they remember how the company has valued their data protection throughout the customer’s involvement. Employing data mapping software to chart out what business functions process customers’ data helps customers better trust the company. They can quickly get a data subject request fulfilled, clearly understand why their data is being processed, and know their trust in this business is a worthwhile investment.
Strong password practices are essential for keeping your company's and users' data safe, in processing DSARs and in your general business practices. However, passwords are just one part of the equation. For next-level protection, here's the 411 on 2FA: two-factor authentication.

Ready to get started?

While it was just a TV show, that little speech at the beginning of the original Star Trek show really did do a good job of capturing our feelings about space. It is those feelings that drive our love of astronomy