WHATSAPP FOR BUSINESS: What A Business Needs to Know

 

By: The Arrka Privacy Team

 

With the current discussion around WhatsApp’s Updated Terms of Use & Privacy Policy, many people reached out to us to understand the impact on WhatsApp for Business. So we decided to compile our understanding into a small note.

 

• All content transmitted on WhatsApp for Business can be used by WhatsApp and further shared with Facebook
• Hence it is advisable to NOT exchange any sensitive/secret data e.g. financial or health data via WhatsApp for Business. WhatsApp takes no responsibility for that and all content can be shared and used further for any purpose.
• As a subscriber to WhatsApp for Business, you will have access to a whole lot of ‘aggregate data’ about the user. Which you can further process as you deem fit, like profiling & tracking the user. Please understand that a lot of this data is considered Personal Data and aggregate data. Which means this will come under the ambit of India Personal Data Bill and the anticipated India Non Personal Data Bill. This your user needs to be in the know.
• It is YOUR responsibility (as the business) to get the necessary consent from the user for this availability of data with WhatsApp & Facebook.
  • If it is not acceptable to a user, then you cannot use WhatsApp for Business to deal with that user. There is no choice being given here.
• In some cases, your WhatsApp for Business account may likely be linked with your business Facebook account (most likely if you are using the WhatsApp for Business API). The requirements of data protection and concerns still remain the same as a regular WhatsApp for Business.

 

So what do you need to do about this?

 

• Firstly, understand what data you typically collect while interacting with a user via WhatsApp for Business. Assume all data coming to you through WhatsApp for Business is personal data OR Business Confidential data – both are critical to protect. Classify it under the following heads:
  • Identity, demographic, contact and related data
  • Financial Data
  • Health Data
  • Any other
  • Business sensitive/ critical data (Note that some of the data mentioned earlier can be Personal data as well as Business sensitive/ critical data and so it is important to classify as both)
• See if you can avoid collecting Financial & Health data as far as possible through your WhatsApp for Business account. 
  • If you need to, do it via a form on your website or via some other channels where you know the data will not be automatically shared with another entity but would come directly to you.
• Put up a Privacy Notice (policy) on your website/app. In that Notice, specifically call out:
  • The fact that you use WhatsApp for Business
  • That anyone interacting with you over WhatsApp for Business understands and accepts the terms laid out by WhatsApp for Business
• Make sure you get a firm ‘opt-in’ /consent when a user starts interacting with you on Whatapp for business to the terms laid out in the Privacy Notice
  • Your first communication to a new user interacting with you should be for them to accept your privacy notice and provide consent via an Opt-In mechanism
  • Your first communication to existing users after your policy, consent mechanism etc is set up should be for them to accept your privacy notice and provide consent via an Opt-In mechanism
  • Keep a record of this – as an evidentiary audit trail – should there be a dispute at any later point in time with the user
  • Best to also re-confirm whenever WhatsApp for Business/ your business changes the notice
• Set up a process to enable users to opt-out of this anytime
  • And a downstream process to stop interacting with the user over WhatsApp for Business and/or let the user know that if she continues to interact over WhatsApp for Business, she is still subject to the policies of WhatsApp for Business. 

 

If you have any further queries, do connect with us at privacy@arrka.com