How businesses can use WhatsApp and ensure data protection (yes, it’s possible!)

Can you use WhatsApp in your customer communication and still ensure data protection? Yes! However, there are some things you need to consider. We explain the requirements of using WhatsApp as a business, and show you which WhatsApp Business solution offers the best data protection. 

WhatsApp is one of the most popular messaging apps in the world. People not only use it to send text messages, videos, or memes to friends, they also increasingly use it to reach out to businesses. In fact, about 175 million people message a business account on WhatsApp each day.

At the same time, this presents a challenge for businesses because they have to make sure that the users’ data is protected.

Depending on your business’ location, data laws will vary. However, from Europe’s GDPR to India’s “IT Act” to California’s Consumer Privacy Act, protecting personal user information is becoming a legal requirement for companies around the world. So, can you even combine using WhatsApp and protecting user data?

Absolutely! If you keep certain things in mind. Here’s how it works!


Why is data protection important for your business

The main goal of data protection laws is to protect the consumers’ personal data, and allow them to decide for themselves who can handle their personal information and in what way. Personal data refers to information, such as someone’s name, address, date of birth, e-mail address, IP address, license plate, location, and bank information. While data protection might seem like a recent trend in legislation, regulations that protect a citizen’s privacy are nothing new.

For example, the Supreme Court of India has recognized a fundamental right to privacy under the Indian Constitution. What’s new is that data protection laws have been expanded to cover personal data that is collected digitally. This could be information gathered by tracking cookies on an e-commerce website like Amazon, or user data stored by social media companies, such as Facebook or WhatsApp.

On the one hand, this personal data can help companies offer better products and services and improve the customer experience. On the other hand, there’s potential for abuse, as this digital data footprint holds sensitive information about a person. That’s where data protection laws like the IT Act in India or the GDPR in the European Union come in. They aim to protect the users’ right to privacy, and companies that violate them face hefty fines.

At the same time, as a company, you also don’t want to abuse the information that customers entrust you with because, even if this happens by accident or through ignorance, it can damage the image of your company. Companies that can show their customers that they use their data with care, will gain more trust. And that includes your customer communication on WhatsApp!

Depending on the location of your business and of your customers, different data privacy laws might come into play.




India: IT Act and SPDI rules

In India, there are several acts that regulate data protection like the Consumer Protection Act, rules from the Telecom Regulatory Authority of India or the Reserve Bank, and the Health Data Management Policies. Currently, the government is also working on a new draft of the telecommunication act that could include a special “Light Touch” regulation for OTT-based messaging services like WhatsApp, Signal, or Telegram.

Currently, businesses in India are mainly impacted by the IT Act and its SPDI Rules.

The IT Act states in general terms that if companies cause any loss by being negligent in implementing and maintaining security rules for handling personal data, they are liable to pay damages, and, in some cases, prison sentences up to three years. The basic guideline is that in order to gather, process, and store personal data, explicit consent is required.

In turn, the SPDI rules define more specific requirements and standards for how companies are to handle personal data. These include the following personal rights (data subject rights).

  • Right to be informed: Companies that collect, store, process, or handle personal information must disclose to users in a privacy policy what type of data they collect, for what purpose, and what security practices they have in place.
  • Right to access: Users have the right to see the information collected on them.
  • Right to rectification: individuals have the right to amend or change incorrect information that a company has about them.
  • Right to erasure: currently, individuals don’t have the right to have information erased, but they can withdraw their consent to process their data (right to object or opt-out).

EU: GDPR regulations

Since 2018, the GDPR regulates the usage of personal data in the European Union. Companies that handle personal data have to comply with the following principles (Article 5 GDPR).

  • Lawfulness, fairness and transparency: every processing operation needs a lawful basis, and users must be told about it in plain language.
  • Purpose limitation: companies need a defined, clear, and legitimate reason to handle personal data, and may not reuse it for unrelated purposes.
  • Data minimization: never process more data than necessary for that purpose.
  • Accuracy: personal data must be accurate and kept up to date; inaccurate data must be corrected or erased.
  • Storage limitation: personal data can’t be stored for longer than is necessary for the purposes for which it is processed.
  • Integrity and confidentiality: personal data must be protected against unauthorized access, loss, or destruction by appropriate technical and organizational measures.
  • Accountability: companies are responsible for making sure that handling user data is GDPR-compliant, and for being able to demonstrate it.

UK: Data Protection and Digital Information Bill

The UK is currently in the process of reviewing and ratifying the Data Protection and Digital Information Bill 2022-23.

The Bill amends the UK GDPR rather than replacing it. Under the UK GDPR, “personal data can only be processed if there is a lawful basis for doing so.” There are six such bases.

  1. Consent: an individual has given clear consent for their personal data to be processed for a specific purpose.
  2. Contract: personal data can be processed if it’s necessary for the performance of a contract that the individual has agreed to.
  3. Legal obligation: processing is necessary to comply with a legal obligation that the party controlling the data is subject to.
  4. Vital interest: it’s necessary in order to protect someone’s life.
  5. Public task: it’s necessary in order to perform a task that’s in the public interest.
  6. Legitimate interest: the party controlling the data has a legitimate interest in processing the information.

If companies handle personal data in the UK, they must follow seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Under the UK GDPR and the Data Protection Act 2018, the Information Commissioner’s Office can fine infringements with up to 17.5 million British pounds or 4% of annual worldwide turnover, whichever is higher. (The often-quoted cap of 500,000 pounds belonged to the pre-2018 Data Protection Act 1998.)

USA: CCPA

The California Consumer Privacy Act, in force since January 2020, protects the data privacy rights of California residents. Any for-profit business that does business in the state of California and meets any of the following criteria has to comply with the CCPA.

  • an annual gross revenue higher than $25 million
  • buys, sells, or shares the personal information of 100,000 or more consumers or households (the original threshold of 50,000 was raised by the CPRA amendments that took effect in 2023)
  • derives at least 50% of annual revenue from selling or sharing personal information

While the CCPA technically is limited to California, it can affect foreign companies that do business in the state. It’s also worth noting that other US states, such as Colorado, have started adopting similar privacy laws.

The CCPA includes the following privacy rights:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt-out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

Even though data privacy laws differ by country or region, they all limit the way businesses are allowed to use WhatsApp for their customer communication.


Why is your company’s WhatsApp communication affected by data protection laws?

When you communicate with your customers via WhatsApp, you inevitably deal with personal data, such as the name, the phone number, the delivery address, or the client number. If the customer reaches out to your business first, handling that data is comparatively straightforward as far as data protection laws are concerned: you have a clear purpose and a lawful basis (answering the request, performing the contract), although the other obligations, such as informing the customer and not keeping more data than needed, still apply.

As soon as you initiate a conversation with a customer, though, for instance by sending a WhatsApp newsletter or marketing message, it becomes tricky. In these cases, the customer data that ends up with WhatsApp is being handled on behalf of your company, and not at the customer’s request.

That’s when your company becomes the responsible party (the data controller) that has to ensure compliance with data privacy laws.

Depending on the location of your customers and your company, the exact requirements for handling personal user data vary. Transfers between the European Union and the US, for example, used to be covered by the EU-US Privacy Shield. In July 2020, however, the Court of Justice of the European Union invalidated the Privacy Shield (the “Schrems II” ruling) because it did not provide the level of protection the GDPR requires.

After a period of uncertainty, the European Commission adopted new Standard Contractual Clauses for international transfers in June 2021, which set clearer conditions for such transfers. At the same time, WhatsApp reworked its data policies for the European Union to meet the new standards.

However, even these new agreements don’t guarantee that your company can ensure 100% data protection when using WhatsApp in your customer communication.


WhatsApp communication: What’s safe, and what’s risky for businesses?

Safe: end-to-end encryption

It’s important to distinguish between the security protocol within the WhatsApp messenger app and data protection.

Like Signal, WhatsApp uses end-to-end encryption for its chats by default. This means: only sender and receiver can read the content of your messages; no outside party, not even WhatsApp itself, can decrypt them in transit. (The exception is chat backups: a backup stored in iCloud or Google Drive is only as safe as that cloud account unless you turn on WhatsApp’s optional end-to-end encrypted backups.)

What many might not know: WhatsApp has end-to-end encryption switched on as a standard setting. In other messenger apps, such as Telegram, users have to activate the end-to-end encryption themselves (in Telegram only “secret chats” are end-to-end encrypted).

In other words, the content of the WhatsApp chats is secure, and WhatsApp’s encryption protocol itself doesn’t raise data privacy concerns. Those concerns arise elsewhere: in the metadata that every message generates, and in the app’s contact sync feature.

Not safe: accessing user data on the phone

Like any messenger, WhatsApp relays messages through its operator’s servers. That produces metadata that end-to-end encryption does not cover: the phone numbers of both parties, timestamps, IP addresses (and therefore an approximate location), and device information.

According to data protection laws in India, Europe, and some parts of the US, this information falls under the definition of “personal data” that requires special care. However, as this data is processed on Meta’s servers in the US, it may not meet the requirements of some of the stricter data privacy regulations.

And the problem is: as a company, you become liable!

Not safe: contact synching between phones

Aside from personal data being stored in the US, and not being processed according to data privacy regulations, there is also a technical issue with using WhatsApp for your customer communication. When you use WhatsApp on your smartphone (as you typically do with the WhatsApp Business App) and grant it access to your address book, the app uploads the phone numbers in your contacts to WhatsApp’s servers.

This contact syncing is an integrated WhatsApp feature that checks which of your contacts already have WhatsApp installed, which means the numbers of people who never agreed to this, including those who don’t use WhatsApp at all, leave your phone. There is a way to make sure this process is data-privacy-compliant, but it’s not easy.

Altogether, this makes using WhatsApp and ensuring data protection difficult, albeit not impossible for companies. It all starts with using the right platform.


What WhatsApp platform guarantees data protection for companies?

As a company, you have two options for using WhatsApp in your customer communication: the WhatsApp Business App and the WhatsApp Business Platform (former: API). The private app is off-limits for commercial use.

WhatsApp Business App: free, but no data protection

WhatsApp Business is WhatsApp’s commercial solution for small businesses for up to five employees. Similar to the private app, you also download the business version on your smartphone, connect it to a phone number, and create a business profile.

The app is free of charge, and therefore, for many businesses their first choice. However, it doesn’t guarantee data protection. What’s the issue?

1. The app works through a smartphone

Just like the private app, WhatsApp Business App is a mobile application. Even if you can use it on a desktop, all the processes are synced with your business’ smartphone. This includes the syncing of your phone contacts, which already violates data privacy unless you obtain explicit permission from all of your contacts before installing WhatsApp. You would also have to get prior permission from any new contact that you add to your phone.

Even if you use a dedicated business phone, this can be quite the chore.

You could alternatively block WhatsApp from scanning your contacts. However, then you would only see phone numbers in your WhatsApp contacts, and wouldn’t know what customers they belong to.

Finally, if you use WhatsApp Business, you also have to always run all the updates immediately, deactivate the cloud back-up, and not send or save any attachments, such as images or PDF files.

Of course, this makes using WhatsApp for your customer communication completely impractical.

2. You use Meta’s cloud and server in the US

Even if you somehow managed to keep your WhatsApp Business App on your smartphone above board, all your customers’ information would still run through Meta’s cloud and be saved on their servers in the US. This doesn’t guarantee data protection.

If you want to use WhatsApp and ensure 100% data protection, you’ll have to use the WhatsApp Business Platform. 

The WhatsApp Business Platform (API): the only way to ensure 100% data protection

The WhatsApp Business Platform (API) is the official WhatsApp interface for companies. You don’t access it through a mobile app, but through a Business Solution Provider. A Business Solution Provider is an official Meta partner company that sets up the infrastructure that grants you access to the API. This infrastructure is typically already set up for you to start using WhatsApp in your customer communication right away, and ensure data protection.

Meta’s partner directory shows you if a company is an official Business Solution Provider.

MessengerPeople by Sinch is an official Business Solution Provider for Meta. (Source: Meta)

This option is not free, but it gives you data protection you can actually demonstrate, provided you make sure that your Business Solution Provider runs its servers in a region where data protection is guaranteed. With MessengerPeople by Sinch, for example, the WhatsApp API client and your conversation data are hosted on servers in the European Union. This addresses the issue of your customer data being stored on Meta’s servers in the US: what still passes through WhatsApp’s infrastructure is the end-to-end encrypted message traffic and its delivery metadata, not your stored conversation history or customer records.

In addition, the MessengerPeople software solution for your WhatsApp communication is only available as a desktop application. This means: there will never be any sync with your smartphone contacts. The customer data you work with is stored and processed by MessengerPeople by Sinch, not by Meta.

When using the MessengerPeople solution, you also sign a data processing agreement with us, under which MessengerPeople by Sinch acts as your data processor. This means that all personal customer information is stored securely with MessengerPeople by Sinch, and we ensure that all data is processed in compliance with data privacy laws.



How to ensure 100% data protection in your WhatsApp communication

The first and most important step to use WhatsApp and protect your customers’ data is to use the WhatsApp Business Platform through a Business Solution Provider.

In addition, you also have to get the users’ explicit opt-in in advance (legitimization), and explain in detail what will happen to their data.

1. Get user consent

There are two easy ways to get your users’ consent to process their data on WhatsApp:

  • Opt-in widget: If you set up a widget on your website, users can click on it, and end up directly in a WhatsApp chat with your company — but not before they agree to the data policies, and have sent an initial message to you. (Note: the widgets provided by MessengerPeople by Sinch already fulfill data protection requirements.)

With a professional messaging solution, you can easily integrate WhatsApp widgets on your website. (Source: Altitude Adventure Holidays)

  • Chatbot: A user follows a WhatsApp link or QR code on your website or on one of your flyers, and lands via click-to-chat in a WhatsApp conversation with your business. Here, a chatbot takes over to not only get the user’s consent to your data policies, but also to collect some information from the user before handing the person over to a human agent.


2. Explain legitimacy of data processing

Aside from a user’s agreement to your data policies, you also have to inform them about what data you will process in what way. If you are processing health data, there might be additional requirements, so make sure to consult a legal expert first.
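To make the two rules above concrete, here is an added example (not code from MessengerPeople by Sinch or Meta) of a small consent ledger in Python that a messaging backend could consult before every outbound WhatsApp message. It implements the page’s own distinction: replies inside a conversation the customer opened need no separate opt-in, while anything business-initiated (a newsletter, a promotion, a message sent long after the customer last wrote) is blocked unless an active opt-in with its source and the privacy-notice version is on record. A “STOP” reply withdraws marketing consent (the opt-out the SPDI rules and the CCPA require), the stored proof can be shown to the customer or a regulator, and a deletion request wipes the record. The 24-hour service window, the opt-out keywords, the purposes, the phone number and the timeline are assumptions made for the illustration.

```python
"""Consent ledger that gates outbound WhatsApp messages on a recorded opt-in.

Added example, not code from MessengerPeople by Sinch or Meta. The 24-hour
service window, the purposes, the opt-out keywords and the phone number used
in walkthrough() are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Purpose(Enum):
    SERVICE = "service"      # replies in a conversation the customer opened
    MARKETING = "marketing"  # newsletters, promotions: always business-initiated


# Assumption: free-form service replies are only allowed within 24 hours of the
# customer's last inbound message; anything later counts as business-initiated.
SERVICE_WINDOW = timedelta(hours=24)
OPT_OUT_KEYWORDS = {"stop", "unsubscribe"}  # assumed keywords for this example


@dataclass
class Consent:
    purpose: Purpose
    granted_at: datetime
    source: str            # where the opt-in came from: "website-widget", "chatbot", ...
    policy_version: str    # which privacy notice the customer agreed to
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Contact:
    """Data minimization: only the phone number, consent proofs and last inbound time."""
    phone_e164: str
    consents: list = field(default_factory=list)
    last_inbound_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def _contact(self, phone: str) -> Contact:
        return self._contacts.setdefault(phone, Contact(phone))

    def record_inbound(self, phone: str, at: datetime) -> None:
        self._contact(phone).last_inbound_at = at

    def record_opt_in(self, phone: str, purpose: Purpose, source: str,
                      policy_version: str, at: datetime) -> None:
        self._contact(phone).consents.append(Consent(purpose, at, source, policy_version))

    def record_opt_out(self, phone: str, purpose: Purpose, at: datetime) -> None:
        for c in self._contact(phone).consents:
            if c.purpose is purpose and c.active(at):
                c.withdrawn_at = at

    def handle_inbound_text(self, phone: str, text: str, at: datetime) -> None:
        """Any inbound message opens the service window; an opt-out keyword withdraws marketing consent."""
        self.record_inbound(phone, at)
        if text.strip().lower() in OPT_OUT_KEYWORDS:
            self.record_opt_out(phone, Purpose.MARKETING, at)

    def has_consent(self, phone: str, purpose: Purpose, at: datetime) -> bool:
        contact = self._contacts.get(phone)
        return contact is not None and any(c.purpose is purpose and c.active(at) for c in contact.consents)

    def may_send(self, phone: str, purpose: Purpose, at: datetime) -> tuple[bool, str]:
        """Decide whether an outbound message is allowed right now, and why."""
        contact = self._contacts.get(phone)
        if contact is None:
            return False, "no record for this contact"
        if (purpose is Purpose.SERVICE and contact.last_inbound_at is not None
                and at - contact.last_inbound_at <= SERVICE_WINDOW):
            return True, "reply inside a customer-initiated conversation"
        if self.has_consent(phone, purpose, at):
            return True, f"active {purpose.value} opt-in on record"
        return False, f"business-initiated {purpose.value} message without opt-in"

    def consent_proof(self, phone: str) -> list:
        """Right to be informed / right to access: everything we hold on this number."""
        contact = self._contacts.get(phone)
        if contact is None:
            return []
        return [{"purpose": c.purpose.value, "granted_at": c.granted_at.isoformat(),
                 "source": c.source, "policy_version": c.policy_version,
                 "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                for c in contact.consents]

    def erase(self, phone: str) -> bool:
        """Deletion request: drop the whole record; True if something was deleted."""
        return self._contacts.pop(phone, None) is not None


def walkthrough() -> dict:
    """Runs the flow on a constructed timeline and returns the gate decisions."""
    phone = "+4915112345678"  # constructed number
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    ledger, out = ConsentLedger(), {}
    out["unknown_marketing"] = ledger.may_send(phone, Purpose.MARKETING, t0)[0]
    ledger.handle_inbound_text(phone, "Hi, has my order shipped?", t0)
    out["reply_in_window"] = ledger.may_send(phone, Purpose.SERVICE, t0 + timedelta(hours=2))[0]
    out["reply_after_window"] = ledger.may_send(phone, Purpose.SERVICE, t0 + timedelta(hours=30))[0]
    out["marketing_without_optin"] = ledger.may_send(phone, Purpose.MARKETING, t0 + timedelta(hours=2))[0]
    ledger.record_opt_in(phone, Purpose.MARKETING, "website-widget", "privacy-notice-v3", t0 + timedelta(hours=2))
    out["marketing_with_optin"] = ledger.may_send(phone, Purpose.MARKETING, t0 + timedelta(days=3))[0]
    ledger.handle_inbound_text(phone, "STOP", t0 + timedelta(days=4))
    out["marketing_after_stop"] = ledger.may_send(phone, Purpose.MARKETING, t0 + timedelta(days=5))[0]
    out["proof_records_withdrawal"] = ledger.consent_proof(phone)[0]["withdrawn_at"] is not None
    out["erased"] = ledger.erase(phone) and ledger.consent_proof(phone) == []
    return out


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name}: {decision}")
```

The point of keeping `source` and `policy_version` next to every opt-in is accountability: when a customer or a regulator asks why they received a newsletter, the answer is a timestamped record of which widget or chatbot collected the consent and which version of the privacy notice they saw, not a guess. Note that `may_send` only answers “may we send this?”; it does not store message content, so the ledger itself holds the minimum the legal justification needs.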

From my point of view, it’s possible to legitimize the informed consent of any process.

Data lawyer Dr. Carsten Ulbricht

Summing up: yes, it’s possible to ensure data protection and use WhatsApp in your customer communication if you use the right solution.


