Whatsapp’s Privacy Policy Update: Tracing the Harm to Consumers

By: Ankita Biswas and Lavanya Jha


The latest update to WhatsApp’s Privacy Policy was introduced in January, 2021, creating headlines as users expressed concerns about loss of their privacy. Following this WhatsApp clarified that with its feature of end-to-end encryption still intact, there will be no breach of user privacy and the changes were only with respect to WhatsApp’s business accounts.  However, the wording of the policy is exclusionary as although WhatsApp lists what it cannot see, it leaves out a vast amount of metadata which it can share with Facebook, a phenomenon which has been going on since the 2016 privacy policy update, the scope of which will only increase with the new update.

Technological advancements and the increasing access to the internet has ascribed value to information and thereby, the value of profits. There has been an increase in a mode of advertising known as targeted advertising. Services employing targeted advertising offer customised user campaigns by firstsending a ‘notice and consent’ form and secondtracking and profiling the user data.

Facebook generates a large chunk of its revenue from advertisement alone, and this increased invasion of user data will help Facebook improve its targeted advertisements visible on its platforms – Facebook and Instagram.

The debate around the legitimacy of this form of advertising has been largely contentious. This is because traditional legal principles have failed to evolve at the same pace as the growth of digital markets. Therefore, while most popular businesses have adopted this model of advertising, its legality is still unclear.

Without conflating the two, at the outset it is clarified that targeted advertisements work on the user information gathered by the AI-based services. WhatsApp offers a platform for mining user information, which is then used for tailoring the targeted advertisements on other social media platforms owned by Facebook.


1. Notice and consent

Over the years, ‘notice and consent’ has become one of the dominant mechanisms for processing personal data lawfully. Notice and consent usually operates with the binary choice of either consenting to the notice, or abandoning the desired service. A similar position was re-iterated by the Delhi High Court in the challenge to WhatsApp’s Privacy Policy. This binary choice is neither a conducive nor a sustainable option in face of privacy concerns. This is because this firstly, leads to an unsuitable burden on the consenting individual to understand the issues, make an informed choice and engage in its oversight and enforcement.

This is aggravated by the fact that in India, a large number of people might not be in a position to understand and comprehend the vague and technical terms used in these notices and consent to it.

Secondly, it can be argued that in the event of breach of privacy in order to claim damages under S.43 of the Information Technology Act, the burden of proof which lies upon the afflicted individuals is unjust. This is primarily because practically the organization having a greater proof of record and information in comparison to the individual should be the one to bear the burden of proof.

2. Collection of user data

Upon obtaining the consent from the user, user data is collected in two ways, by means of ‘tracking cookies’ and by hardware-based collection systems. In the first model, when the user visits a particular website, few lines of code are dropped on the user’s browser, known as ‘tracing cookies’. These cookies record the user’s activities and report it to the targeting software. The second model employed tracks the user’s activities on their phone/computer. Every activity for example – the items searched, websites accessed, information about places visited, etc. is stored. The combined metadata is used to estimate the behavioural and demographic attributes of each user.

The information collected by publishers and the cookies are sent to ‘supply side platforms’ (SSP), who operate parallel to the ad exchanges to connect the users/consumers with the advertisers. The information is incorporated by SSPs into what is known as a bid request – which is broadcast to the advertisers who compete with each other to land ‘impressions’ on the targeted individuals in an almost instantaneous auction mechanism where every individual user’s information is sold to these advertisers.

For an advertiser looking for an ideal ‘target’, the more information they have about a user, the greater the price they are willing to pay to an ad exchange for placing an ad, or an ‘impression’ on the user. Thus, the supply side of the advertising ecosystem therefore has an incentive to collect as much information about individuals and ultimately profile them for the purposes of selling to advertisers.


A. Lack of healthy competition

The European Commission clearly defined the objective of the Competition Act in the case of Intel Corp v European Commission, where it said that in order to prove anti-competitive practice by a dominant firm two criteria needs to be proved – whether the firm is capable of excluding rivals and whether it is liable to reduce consumer welfare.

This accumulation of user data brings to fore the concern that individuals lose the right to their own data identities. It also highlights the concern that the more data a dominant form accumulates the more it entrenches its dominant position in the market. This creates a vicious cycle where the more data a firm collects and analyses, the better its products are and more users are attracted to it, leading to more collection of their data.

In a 2016 paper titled Privacy and Competitiveness, it was understood that there is a close link between the dominance of the company, its data collection processes and the competition from relevant markets which could justify the consideration of privacy policies and the regulations in competition proceedings.

The Bundeskartellamt, in the Facebook Case had held that when a privacy policy is implemented where access to personal data is essential for keeping the market position of the company, then the question becomes relevant for both data protection as well as antitrust authorities.

Applying this to the WhatsApp Privacy Case, it can be seen that the new privacy policy can prove to be a way for Facebook to further entrench itself in the market. By presenting a scheme of either accepting the entire policy or leaving the service – it can be contended that the action leads to the creation of ‘data monopolies’. A clear link can be inferred between Facebook’s acquisition of WhatsApp and Instagram which signals the huge pool of user data, and its revenue collection from targeted advertising. This concentration of user data and its monopolisation precludes competition from other services providing better privacy safeguards. Strategic acquisitions and monopolistic exclusion have also aided in lowering the standard of consumer protection levied upon these services, that would have otherwise been a result of healthy market competition.

B. Harm to consumer welfare

With reference to the second criteria, it can be argued that WhatsApp’s privacy policy harms consumer welfare. It is thus argued that Facebook, being a dominant firm, reinstates its position in the market by excluding its competitors from collecting personal data, The problem with this is the smaller firms who might have better user data privacy safeguards in place, will be slowly eliminated . This can also be attributed to the costing structures of the numerous stages of data processing makes it difficult for rival firms that have recently entered the market to extract personal information at par with the dominant firm. This strengthens the point that the users are ultimately coerced into providing consent for using the dominant firm’s service in lieu of lack of suitable alternatives.

In India specifically, the Competition Commission of India (‘CCI’), has not relied on these aspects of consumer harm to hold such social media giants responsible for abuse of dominance under Section 4(1) of the Competition Act, 2002. In this regard, the approach of CCI should be that a tech giant which is in a dominant position has special responsibility to protect the consumer from harm as it has previously observed in the Google ‘Search Bias’ case. Further, as per CCI’s report, abuse of dominance can take the form of lowering privacy protections. This consequently would pose a harm to consumer welfare, as lower standard of privacy falls under the ambit of antitrust.


The direct comparison with the current WhatsApp privacy controversy in India can be made with that of the European Union, where WhatsApp has not imposed its new privacy policy. This is attributed to EU’s data privacy legislation – General Data Protection Regulation (hereafter, ‘GDPR’). GDPR provides a criterion of ‘tests’ which the data controller must follow before processing user data. The new privacy policy not being introduced in the EU, can be understood to be a prototype for Indian lawmakers as the Personal Data Protection Bill, 2019 (hereafter, ‘the Bill’) lies pending.

The Bill has been drafted in similar lines to the GDPR. It identifies the users as ‘data principals; and ‘data fiduciaries’ (which includes social media intermediaries). The Bill introduces an element of consent which the data fiduciaries are bound to obtain from the principals while they move to store their information, and for processing it. While seeking this consent it is imperative that the principal knows what purpose the data will be used for as well with whom the data will be shared. For the latter – the fiduciary will need to acquire explicit consent of the data principal.

While this does not explicitly denote an impact on the phenomenon of targeted advertisements- it has an effect on the two major user data gathering processes the process of attaching cookies as well as gathering of demographic data. Upon implementation of the Bill, the principals will be informed of their said data being, stored and processed (the option for this is available in multiple languages) – and the users will have to consent to both these processes. This would serve to solve the two problems outlined above by lucidly explaining the diverse population in India about what they are consenting to. It will also help ease the burden of proving breach of privacy as individuals will now have information available to them in greater transparency.

It is natural that upon seeing the information (majority of which will be sensitive user data) the principal will choose not to consent to it. This could eventually lead to falling out of this phenomenon as observed from the judicial pronouncements in the EU, US and Norway on non-compliance with GDPR in reference to programmatic advertising – which have categorically targeted advertisements violate the European and national data protection law and that courts and governments should adhere to it.


The preceding paragraphs serve to demonstrate that there are multiple perils of targeted advertising. In this light we require special emphasis on a privacy policy which allows consumers to make an informed choice and at the same time we need a uniform regulatory mechanism which can be enforced by the relevant authorities in cases of harm caused to the consumers due to the breach of privacy. It is only when an integrated approach is adopted that user data protection can be maximised.

(Ankita and Lavanya are current law undergraduates at West Bengal National University of Juridical Sciences, Kolkata. They may be contacted via mail at lavanya218024@nujs.edu)

Cite as: Ankita Biswas and Lavanya Jha, ‘Whatsapp’s Privacy Policy Update: Tracing the Harm to Consumers’ (The RMLNLU Law Review Blog, 26 February 2021) <https://rmlnlulawreview.wordpress.com/2021/02/28/whatsapps-privacy-policy-update-tracing-the-harm-to-consumers/> date of access.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s