Status Updates – Real Time Notice Recommended By Privacy Commissioner


As I mentioned in an earlier post, the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) announced the results of their coordinated investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet.

In addition to the issue of the use of address book information, the OPC raised concerns regarding status update broadcasts.

The app requires a user to enter a status update. The OPC reported that standard messages include “available”, “busy”, “at school”, “at work”, “sleeping”, “in a meeting” and “urgent calls only”. Users may also personalize status updates using 139 characters. The status field must be populated. However, the user could use emoticons or meaningless combinations of characters.

The status update is visible to every other user with the user’s phone number in his or her address book. There is no method to limit broadcasts. As the OPC put it:

[51]. In contrast to some social networking platforms which allow an individual to limit or control the broadcast of status submissions to only certain people, status messages shared using the WhatsApp messenger service are, by design, broadcast to all WhatsApp users who have the broadcasting user’s telephone number in their contact list. As such, a sender may not have knowledge of the identity of all those application users who may be receiving or monitoring the sender’s status messages. Any individual, whether for friendly or nefarious purposes, may track a user’s status, so long as that individual has the message sender’s telephone number.

It should be noted, however, that the app did permit users to block other users. A status would not be seen by a blocked user.

The OPC concluded that the status information was personal information because the information might be used alone or in combination with other data to render an individual identifiable.

Notwithstanding that the status information was being broadcast within the app to other users of the app, as disclosed in the privacy policy, the OPC concluded that the app provider needed to obtain more meaningful consent to the collection, use and disclosure of that status information.

The OPC distinguished the app from micro-blogging platforms because unlike a micro-blogging platform, the the app was primarily marked as a SMS replacement. As the OPC put it, the app conveyed “the general impression that such messages are being shared only with those people the user knows”.

Given the lack of granular user controls to limit the sharing of the status update, the OPC recommended real-time notification. However, the OPC conceded that users should be given control over notification prompts.

This decision provides an illustration of the OPC’s concern that meaningful consent in the mobile environment may require notice and consent contemporaneous with collection and disclosure as well as in stand-alone privacy policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.