FCCPC probe found WhatsApp threatened to delete user accounts, collected excessive data

On Friday, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) handed down a surprising $220 million fine to instant messaging app Whatsapp after a three-year investigation alleged that the company’s privacy policy was “foisted” on users. Meta rejected the regulator’s decision, and Nigerians, who view such actions as shakedowns, received it with skepticism.

The FCCPC has now shared a 116-page document detailing the charges against WhatsApp and Meta, the company’s rebuttals, and the investigative process. The core of the investigation is an updated WhatsApp privacy policy sent to users in May 2021.

The FCCPC argues that WhatsApp did not allow users to opt out of the policy and presented them with a different privacy policy from European users. Meta deleted previous versions of the policy and attempted to mislead in its submission, the commission claimed,

Crucially, an early version of the policy, which was later deleted, told users they could either accept or be kicked off the social media platform, FCCPC showed. The commission found WhatsApp’s “my way or the highway” stance anti-competitive.

While the commission cited WhatsApp’s market dominance—65% of Nigerian internet users are on WhatsApp, while 28% use Facebook, per an independent survey cited—it argued that even if it did not have such market power, WhatsApp’s actions violated customer rights.

Why the 2021 privacy policy is a big deal

The 2021 update was sent to users through frequent pop-ups asking them to accept the privacy policy. While there was an arrow that allowed users to dismiss the pop-up, they could not opt out or reject the update.

If users refused to update their apps, the pop-ups became more frequent, and many users lost the ability to read or respond to chats.

The 2021 update, which told users it would share their data with third parties and Meta for marketing and profiling purposes, had important implications. One key change was that the 2021 privacy policy did not require the third parties it shared user data with to seek permission from the users.

In Whatsapp’s 2019 and 2020 privacy policies, users were told their information would be shared with third-party providers who were required to “use your information in accordance with our instructions and terms or with express permission from you.”

FCCPC says Meta treated Nigerians differently from Europeans

“[The] Privacy Policy essentially compelled [users] to waive their right to self-determination and control processing and use of their personal data, and object to the sharing of such data with third parties, including Facebook companies,” the commission said in its report.

The commission found this particularly worrying because of the amount of data collected by the Meta-owned messaging app. “WhatsApp collects 44 metadata points, Signal collects 4, and Telegram collects 4.”

“Remarkably, Meta parties cannot establish there are any unique, or key features of the service that materially differentiates the services to a point where it is impracticable to provide the service offered without the collection of such additional data,” the FCCPC concludes.

While Nigeria’s data protection laws offer a similar level of data protection as European laws, Meta failed to offer users in both jurisdictions the same amount of privacy protection or information on the metadata that they requested, the use of the metadata, and how to use WhatsApp without accepting the policy. An excerpt from the privacy policy shows that consenting users agreed for their data to be used for profiling and marketing.

The commission found that in the European privacy policy, the word ‘consent’ is mentioned at least ten times, but only once in the Nigerian version. European users also had an entire section dedicated to their rights and consents, while Nigerian users did not have similar privileges.