As I mentioned in an earlier post, the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) announced the results of their coordinated investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet.
In addition to the issue of the use of address book information, the OPC raised concerns regarding status update broadcasts.
The app requires a user to enter a status update. The OPC reported that standard messages include “available”, “busy”, “at school”, “at work”, “sleeping”, “in a meeting” and “urgent calls only”. Users may also personalize status updates using 139 characters. The status field must be populated. However, the user could use emoticons or meaningless combinations of characters.
The status update is visible to every other user with the user’s phone number in his or her address book. There is no method to limit broadcasts. As the OPC put it:
. In contrast to some social networking platforms which allow an individual to limit or control the broadcast of status submissions to only certain people, status messages shared using the WhatsApp messenger service are, by design, broadcast to all WhatsApp users who have the broadcasting user’s telephone number in their contact list. As such, a sender may not have knowledge of the identity of all those application users who may be receiving or monitoring the sender’s status messages. Any individual, whether for friendly or nefarious purposes, may track a user’s status, so long as that individual has the message sender’s telephone number.
It should be noted, however, that the app did permit users to block other users. A status would not be seen by a blocked user.
The OPC concluded that the status information was personal information because the information might be used alone or in combination with other data to render an individual identifiable.
The OPC distinguished the app from micro-blogging platforms because unlike a micro-blogging platform, the the app was primarily marked as a SMS replacement. As the OPC put it, the app conveyed “the general impression that such messages are being shared only with those people the user knows”.
Given the lack of granular user controls to limit the sharing of the status update, the OPC recommended real-time notification. However, the OPC conceded that users should be given control over notification prompts.
This decision provides an illustration of the OPC’s concern that meaningful consent in the mobile environment may require notice and consent contemporaneous with collection and disclosure as well as in stand-alone privacy policies.