UPDATE (9/12/16): We have clarified that users have 30 days after they first see WhatsApp's privacy policy update to agree or not agree to its terms. We have also clarified that accounts created after August 25 join WhatsApp under the new privacy policy with no option to refuse the data sharing it entails.

WhatsApp is establishing data-sharing practices that signal a significant shift in its attitude toward privacy—though you wouldn’t know it from the privacy policy update that popped up on users’ screens last week. The new policy lays the groundwork for alarming data sharing between WhatsApp and its parent company Facebook. The update screen that users see, however, mentions only benign new features like WhatsApp calling, and requires a user to click a “Read more” link to see any mention of how the data sharing arrangement will work for users. Where WhatsApp could have offered users up-front information and choices, the UI as it stands buries critical details and options. If WhatsApp wants to merge user data with Facebook, it should give users opportunities to make choices about their privacy—starting with a clearer, more informative UI.

Broader data sharing

While WhatsApp previously passed no user information to its parent company Facebook or vice versa, the new privacy policy allows WhatsApp to directly integrate some user data with the social network. WhatsApp’s update describes this as “improving your Facebook ads and products experiences.” The impact on users and their privacy, however, goes much further.

If you use both WhatsApp and Facebook, this change allows Facebook access to several pieces of your WhatsApp information, including your WhatsApp phone number, contact list, and usage data (e.g. when you last used WhatsApp, what device you used it on, and what OS you ran it on). With confusing wording, the update correctly points out that your phone number and messages will not be shared onto Facebook. This means that your data will not be shared publicly on your Facebook page or anywhere else on Facebook’s platform. Instead, it will be shared with Facebook—that is, Facebook systems and the “Facebook family of companies.” While WhatsApp’s privacy-friendly end-to-end encryption remains, and the company assures users it will not share their data directly with advertisers, this nevertheless presents a clear threat to users’ control of how their WhatsApp data is shared and used.

In its first privacy policy change since 2012, WhatsApp offers some motivations behind the shift, including detecting fraud and spam, getting a better count of unique users between the two platforms, and enabling “business-to-consumer” communication in the form of appointment reminders, flight updates, receipts, and other commercial notifications typically sent via SMS or email.

Most critically for user privacy, however, sharing this kind of metadata also gives Facebook an enhanced view of users’ online communication activities, affiliations, and habits, and runs the risk of making private WhatsApp contacts into more public Facebook connections. The new privacy policy, for example, permits Facebook to suggest WhatsApp contacts as Facebook friends. Facebook can also use the data to show “more relevant” ads. In an announcement accompanying the privacy policy update, WhatsApp offers the example of “an ad from a company you already work with, rather than one from someone you’ve never heard of”—a frightening prospect considering the data coordination and sharing required for Facebook to know the companies with whom you do business.

Law enforcement policy lags behind

Despite these expanded uses for WhatsApp data, WhatsApp’s law enforcement policies have not changed along with its privacy policy. In particular, WhatsApp has still not committed to providing advance notice to users about law enforcement and government requests for user data. Providing notice is an industry-wide best practice, and we have noted WhatsApp’s failure to meet it in the past.

With tech companies often acting as the sole gatekeepers between user data and law enforcement, transparency from tech companies regarding data requests is often the only way to give users a chance to get a lawyer, fight overly broad subpoenas, and understand when and why their data is being accessed. Knowing that a certain company is committed to giving users notice could even make law enforcement stop and think twice about unnecessarily broad requests. If WhatsApp is going to move forward with more direct data sharing with private companies, it also needs to make this long overdue commitment regarding public authorities.

Permanent changes and bigger questions

From the first time they see the update screen on WhatsApp, existing users have 30 days to click through the privacy policy update, opt out of data sharing, and prevent Facebook from suggesting friends or serving ads based on WhatsApp data. After that, they have an additional 30 days to change their settings further. We offer a step-by-step guide here.

As of the announcement of the new policy on August 25, however, new WhatsApp accounts do not have the option to refuse these expanded uses of their data. Instead, the only option available to new users will be whether to join WhatsApp at all under the new privacy policy and all of the data sharing it entails.