WhatsApp, cookies & the GDPR. WhatsApp purports to follow the letter of the law, but what about the spirit of the law?
This is a personal piece, and I’d welcome your thoughts.
I’m fairly old school when it comes to tech. Truth be told, I’d sometimes feel I’d be happier in an age of pen and paper, and horse-drawn carts; except with modern medicine and Netflix. I prefer SMS messaging, but I do enjoy the functionality and fun which iMessage brings to my phone. This post isn’t to push one brand or technology over another, but rather to kick around ideas about how we easily we allow access to our personal information.
There’s a new old saying that “If you are not paying for the product, then you are the product.”.
There’s no such thing as free lunch. So, if a messaging service, and its underlying platform is free for us to access, then where does the money come from for the platform to run? For WhatsApp, and the parent company, Meta, their income comes from things like business services, or in-app advertising and purchases.
From time to time, when I visit a website, I get the now familiar cookie permission window. Our of habit I would reject the cookies, but since the GDPR came into force, we also see the phrase “Legitimate Interest”.
For a long time I’ve wondered what is the difference between a request to set “normal cookies”, and those for “Legitimate interest”? Is this just a “pretty please?” meaning, “we really do want to track you…”. So, what does WhatsApp, cookies & the GDPR actually mean for us on a daily basis?
Pretty please?
This a screen-grab of the information provided by WhatsApp after I clicked on the in-app notification. I’m actually glad I did, because once clicked, or dismissed, the link doesn’t come back. So, I am unable to then consciously consent to how my data is being processed.
For me, action without consent is abuse.
If I want to opt-out of WhatsApp gathering my information, I need to click a link, fill in a form, reply to an email, and then wait for however long for the decision to be made.
Protecting uses from abuse should, in my mind, be baked into the product deeply. Invoking the “Legitimate interest” clause in the GDRP framework for this feels to me … wrong.
Compare this the BBC’s model below.
WhatsApp doesn’t actually let me control what data is collected, rather they give links to the various user guides for each browser. They place responsibility on the user to dig into their browser settings are remove cookies and the like.
The thing is, because tracking cookies flood in from all over the place, the user would need to empty their cookie store on a regular basis This can remove saved logins and site preferences, which makes using the internet feel cumbersome.
So, yes, cookies do have their place, but the right not to be tracked should be respected by the site we are visiting.
By removing simple buttons for the user to revoke consent, and make them jump through hoops reminds me of this text from “The Hitchhiker’s Guide to the Galaxy”
Vogon: “But the plans were on display…”
Arthur: “On display? I eventually had to go down to the cellar to find them.”
Vogon: “That’s the display department.”
Arthur: “With a flashlight.”
Vogon: “Ah, well, the lights had probably gone.”
Arthur: “So had the stairs.”
Vogon: “But look, you found the notice, didn’t you?”
Arthur: “Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”
Douglas Adams, The Hitchhiker’s Guide to the Galaxy
I made a GDPR request a couple of days ago. I received an automated reply, which basically asked me to justify why I didn’t want to be tracked. Is it not enough that I simply don’t want to be tracked?
Imagine being followed day in, day out, by a stranger who simply follows your every move because you haven’t filed a restraining order …
This, is the BBC.
Compare the way that WhatsApp approaches the idea of giving the user both informed consent, and control, with the way the BBC does it.
The BBC website presents a very clear pop-up window with clear text and easy to use control. We clearly see what can be done with the data collected by the website (Features), and we can see who will be getting hold of our data (Partners). It’s a massive list, and something I found really quite intimidating. And this is “just” a news website. I can’t even imaging what Meta will be doing my data.
You test this yourself at https://www.bbc.com/usingthebbc/cookies/how-can-i-change-my-bbc-cookie-settings/. Scroll down to the bottom of the page and click on “Change your settings for personalised advertising”.
The BBC’s open approach leaves me feeling respected and safe. When I think about the combination of WhatsApp, cookies & the GDPR framework, WhatsApp’s approach doesn’t give me this safe feeling at all. This is one reason why I use Meta products as little as possible. An excellent alternative for WhatsApp is Signal.
In summary …
It’s not just the cookies on our computers which can be used to track us as we travel the internet, it’s the server side data which is held about us. We can’t remove that as easily as we remove cookies. Once that data has been gathered, it can hard to remove. Particularly if we don’t actually know which organisation or server is holding that data. That’s why opting out of collecting the data is so important.
Using WhatsApp and the BBC as examples , we can see the difference between an organisation which gives clear and comprehensive controls over what data is gathered, and another which gives very little control.
As I say, this is personal piece, with my own thoughts and opinions, and this blog is offered as food for thought and a basis for discussion. If there is something you think I have missed, or have misunderstood, do let me know in the comments!
References
This is the link to the WhatsApp notice I am quoting: https://faq.whatsapp.com/781249240131848
Deeper reading on the GDPR and Legitimate Interest is here: https://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-and-when-does-it-apply
Cover image reference: link