WhatsApp has agreed not to share UK user data with owner Facebook, which ostensibly wanted to use it to improve the ads that show up in people’s Facebook feeds.
But an investigation by the Information Commissioner’s Office (ICO) found that WhatsApp failed to properly inform users how their data would be used by Facebook when the changes were announced in 2016.
WhatsApp also gave users in the UK only 30 days to opt out of this data sharing, which the ICO found to be inadequate.
No WhatsApp user data has been shared with Facebook yet for the purposes of improving “Facebook ads and products experiences.” The only instances where data was shared between the two companies were when Facebook was providing technical support to WhatsApp, and even then, on a “controller-to-processor” basis.
Had WhatsApp given Facebook user data to “improve” users’ Facebook feeds with more relevant ads, then it would have broken the Data Protection Act and may have been fined up to £500,000 ($697,500).
“I am pleased to state that WhatsApp has now signed an ‘undertaking’ wherein they have given a public commitment not to share personal data with Facebook until they can do so in compliance with the upcoming General Data Protection Regulation (GDPR), which comes into force in May this year,” Information Commissioner Elizabeth Denham said in a statement. “I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case.”
The GDPR, which kicks in on May 25, will require all companies holding data on citizens in EU states to take a firmer stance on data protection; any customer data lost as the result of a hack, made possible by negligent practices, will result in fines of up to €20 million ($24.7 million, £17.7m) or 4 percent of a company’s annual revenue, whichever is higher.
The ICO currently has the power to issue fines of up to half a million pounds for preventable breaches, but to date, the biggest fines issued have been £400,000 ($558,000), to budget ISP TalkTalk and Carphone Warehouse.
Under GDPR, companies also need to tell users what they plan to do with their data and there needs to be a way for customers to opt out without that service being unusable. There are exceptions for things like bank card details and postal addresses, though. It would be pretty hard for Amazon to deliver all those sweet Black Friday bargains if it didn’t have your credit card number and address.