On July 16, the Federal Public Ministry of Brazil (Ministério Público Federal, hereinafter MPF) and the Brazilian Institute for Consumer Protection (Instituto Brasileiro de Defesa do Consumidor, hereinafter IDEC) filed a public interest lawsuit demanding that WhatsApp compensate for collective moral damages amounting to 1.734 billion reais (approximately 309 million USD) for the harm caused to Brazilian users due to its unlawful changes to its privacy policy, and bear other civil liabilities.
It is reported that WhatsApp updated its terms of service and privacy policy in January 2021. MPF and IDEC argue that the updated privacy policy of WhatsApp is vague, its interface is misleading, and it coerces users into consent. Furthermore, WhatsApp collects and processes data far beyond what is necessary for normal operations and shares it with other platforms under the Meta group, such as Facebook and Instagram, thus infringing on users' rights.
Case Background
WhatsApp, the largest messaging app globally, has 147 million active users in Brazil and covers 99% of smartphones. With its expansion into payments, social communities, and business communication, WhatsApp is ubiquitous in Brazilian daily life. Despite being a free app, its widespread use allows it to easily collect and process vast amounts of user data, which it can sell to related companies, thus posing significant risks to personal data and related rights. Although WhatsApp claims to use end-to-end encryption and that it does not pose risks to user data rights, MPF and IDEC believe that the platform's architecture still allows its operators to collect, process, and commercialize large amounts of personal data, with controllers still able to access user phone numbers, registration names, device models, IP addresses, and other information.
MPF and IDEC found that after WhatsApp updated its privacy policy in 2021, its actions violated Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, hereinafter “LGPD”) and Consumer Protection Law. Starting in January of that year, Brazilian users of WhatsApp saw a brief and vague notice about the privacy policy update, stating that from the following month, if users did not accept the new terms, they would not be able to access the app. Many users mistakenly believed this was required to continue using the platform and clicked "Agree." The updated privacy policy is vague, confusing, and scattered. For example, to understand the terms of data sharing between WhatsApp and its parent company, Meta, users must visit three different links. WhatsApp also did not specify what data would be collected or the purpose of collecting it.
Moreover, the privacy policy does not mention the legal basis for data processing. Although WhatsApp was previously penalized by the EU for this, it only corrected the behavior within the EU and did not extend the same respect to Brazilian users. Additionally, the updated privacy policy allows WhatsApp to collect and share information far beyond what is necessary for normal operations, such as profile photos and location information.
Given these actions by WhatsApp, MPF and IDEC sued in court due to the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, hereinafter ANPD) failing to fulfill its regulatory duties. They demanded that WhatsApp stop sharing data used for Meta group's purposes, provide an in-app opt-out feature for Brazilian users to exercise their right to object to unnecessary data processing and withdraw consent, and pay at least 1.734 billion reais as compensation for collective moral damages.
Legal Analysis
The LGPD, Brazil's fundamental regulation for personal data protection, shares many similarities with the EU GDPR, such as principles of transparency, necessity, purpose limitation, and accuracy. The LGPD also provides legal bases for data processing, including data subject consent, fulfilling legal obligations, and legitimate interests of the controller or third parties, as well as rights for data subjects such as access, correction, and deletion.
MPF and IDEC believe WhatsApp's conduct has violated the following regulations:
1. Violation of the Transparency Principle and Infringement of User Access Rights
Article 6, Item VI of the LGPD requires ensuring that data subjects can easily obtain clear and accurate information about data processing and processors. Article 9 establishes the data subject’s right to access information about data processing, including purposes, forms, durations, controllers' information, data sharing, and data subject rights. This information should be provided in a clear, appropriate, and visible manner and be easily accessible.
In this case, WhatsApp did not meet these requirements.
Firstly, the wording used by WhatsApp in the pop-up notification of privacy policy changes was vague and general, making it difficult for users to understand. The pop-up only mentioned changes related to “WhatsApp services and how we handle your data,” “how businesses use Facebook’s hosting services to store and manage conversations on WhatsApp,” and “how our relationship with Facebook promotes integration between Facebook’s products,” without specifying the types of data collected, purposes of data processing, legal basis for processing data, or data sharing details, violating the transparency principle.
Secondly, WhatsApp designed the pop-up to guide users to click “Agree.” On one hand, while the pop-up did not contain specific details about privacy policy changes, it featured a prominent “Agree” button. On the other hand, users had to click an “Important Update” link and leave the application to access the updated privacy policy on WhatsApp’s website. This design led many Brazilian users to agree to the privacy policy changes without understanding the details.
Thirdly, the “Important Update” links provided by WhatsApp were scattered and unclear. Even if users accessed these links, obtaining specific information about privacy policy changes was challenging. The links contained numerous hyperlinks and did not clearly describe all aspects of data processing, such as whether user data would be used for targeted advertising on Meta group platforms.
2. Lack of Legal Basis
Article 7 of the LGPD specifies the legal bases for processing general personal data. A legal basis is required for processing personal data.
In this case, WhatsApp did not explain to users on what legal basis its data processing was conducted. Although the LGPD does not explicitly require this, it is reflected in various provisions, such as Article 9, which mandates that information should be provided clearly for data subjects to access, including the specific purposes of data processing. Without knowledge of the legal basis for processing personal data, data subjects cannot understand the purposes of processing.
According to ANPD investigation documents, it can be inferred that WhatsApp indicated to ANPD that its processing activities were based on contract execution (Article 7, Item V of LGPD) and legitimate interests (Article 7, Item IX of LGPD), but neither applies. Firstly, Article 7, Item V of LGPD allows data processing if necessary for contract performance or preliminary procedures related to the contract, but many of WhatsApp's data processing activities, especially those related to personalized recommendations and targeted advertising, are not necessary for fulfilling its contract with users, as WhatsApp only provides instant messaging services. Secondly, Article 7, Item IX of LGPD permits data processing if necessary for achieving legitimate interests of the controller or a third party, unless it impairs data subjects' fundamental rights and freedoms. Article 10 further defines legitimate interests but does not support processing of sensitive personal data, and many of WhatsApp's data processing activities, such as sharing user data with other Meta group companies, are unnecessary and show a significant imbalance between the controller's interests and the data subject's reasonable expectations.
Additionally, WhatsApp cannot use data subject consent as a legal basis for processing because the consent provided by users was flawed. According to Article 7, Item I of LGPD, consent obtained in a knowledgeable and voluntary manner is required for data processing. LGPD defines consent as “an explicit expression made by the data subject, indicating their agreement to process personal data for specific purposes” (Article 5, Item XII of LGPD). Article 8 further specifies that consent must be clearly highlighted and for specific purposes, and flawed consent cannot be used as a legal basis. WhatsApp’s collection of user consent had two flaws. Firstly, WhatsApp provided vague and general information, which could not be considered informed consent and did not specify the purposes. Secondly, WhatsApp’s notification pop-up stated that users would not be able to continue using WhatsApp if they did not click “Agree” before the start of the following month, during the global COVID-19 pandemic when many users relied on messaging apps to stay in touch with friends and family, communicate with vendors, and obtain health updates, effectively coercing users into consenting to the updated privacy policy.
3. Necessity Principle
Article 6, Item III of LGPD mandates that data processing must adhere to principles of necessity and minimization, meaning the collection and processing of personal data should be limited to what is minimally necessary to achieve the processing purpose, and the data must be relevant and appropriate.
In this case, even though WhatsApp describes its data processing and purposes only vaguely, the range of data collected, processed, and shared is evidently far beyond what is necessary for normal operations.
The privacy policy document lists data used, including account status data and payment data provided by users, as well as automatically collected data such as user avatars, usernames, device models, sleep time, phone usage duration, location information, etc. The document does not provide a comprehensive list of data shared with Meta group companies but mentions types such as account registration information, transaction data, service-related information, interactions with WhatsApp, mobile device data, and IP addresses, stating that some other information “may also be shared.” The privacy policy uses terms like “including” that create significant scope for WhatsApp to collect and share user data.
The purposes for data collection, processing, and sharing are described vaguely, making it difficult for data subjects to understand. Moreover, the Portuguese version of the privacy policy for Brazilian users narrows the purpose of data sharing compared to the English version, which acknowledges the purpose of displaying ads through Meta group platforms. This results in Brazilian users' data being overused without adequate communication.
4. Consumer Rights
Article 39 of Brazil's Consumer Protection Law prohibits abusive practices by suppliers, including Item IV, which involves exploiting consumer vulnerability or ignorance to forcefully sell products or services, and Item V, which involves demanding excessive benefits from consumers. Article 51 renders contract terms invalid, including, under Item IV, terms that place consumers at a clear disadvantage or violate principles of good faith and fairness.
WhatsApp's actions clearly violate these provisions: the updated privacy policy is vague and scattered, depriving consumers of their right to be informed and coercing them into accepting the service; the updated privacy policy allows WhatsApp to excessively collect user data and share it with other Meta group companies, resulting in undue profit; during the COVID-19 pandemic, WhatsApp's requirement for consumers to accept privacy policy changes within a certain period to continue using the app places consumers at a disadvantage and does not align with principles of fairness and good faith.
5. Differentiated Treatment of Brazilian Users Compared to European Users
Brazil’s personal data protection legislation is similar to that of the EU, but WhatsApp treats Brazilian and European users differently.
Following a series of sanctions by EU data protection authorities, WhatsApp only made corresponding adjustments to the privacy policy applicable to European users. For example, the privacy policy texts for Europe have been updated three times, each update clarifying data processing descriptions. The privacy policy for Europe also specifies the legal bases for data processing and explicitly prohibits Meta from using WhatsApp-shared data for its own purposes. In contrast, WhatsApp has not provided the same level of protection to Brazilian users.
Compliance Insights
Currently, the rigor of enforcement and judicial scrutiny in personal data protection is increasing globally, raising the bar for privacy compliance. International companies must pay attention to this trend and actively implement measures to ensure their practices comply with legal regulations.
When formulating and executing privacy compliance measures, international companies need to focus on adhering to data processing principles, protecting data subject rights, and meeting cross-border data transfer requirements. As global data protection legislation converges, addressing core common issues of privacy compliance typically meets the regulatory requirements of most countries.
Common issues reflected in this case include:
- Transparency: Companies must provide specific, clear, and understandable information about data processing to protect data subjects' right to be informed. Particular attention should be given to the readability of texts. If information is scattered across nested hyperlinks, regulators may consider that this raises the cost of understanding for users and fails to meet transparency requirements.
- Necessity: Data collection and processing must be limited to the minimum necessary to achieve the processing purpose.
- Validity of Consent: Only informed and voluntary consent that is explicit and specific can serve as the legal basis for data processing.
- Legitimate Interests: Legitimate interests are a common legal basis for data processing, but the scope of "legitimate interests" recognized by regulatory authorities is generally narrow. Companies must provide sufficient reasons if relying on this basis.
- Data Sharing: Sharing user data within corporate groups must strictly meet legal basis requirements. For cross-border data transfers, relevant regulations must be satisfied.
- Equal Treatment: Companies operating in multiple countries and regions need to ensure their data processing practices comply with local regulatory requirements. Where similar personal data protection regulations exist across countries or regions, companies should ensure that data subjects are treated equally to avoid multiple penalties for the same behavior. It is particularly important for companies to align compliance measures across different regions and offer consistent privacy protection, while accounting for regional differences where applicable.