Waze updated its privacy policy on March 23, 2026 to expand what personal data it collects, notably adding new sections about connecting social network accounts, a 'find friends' feature that periodically collects phone numbers from your contacts book, and your own phone number for account verification. Previously, the policy did not explicitly mention collecting contact list phone numbers or social network data in this way. This matters because Waze may now collect more data about you and your contacts — including people who have never used Waze — than before.
Waze is now periodically collecting phone numbers from your device's contacts — including numbers belonging to people who never agreed to share their data with Waze. This is one of the more privacy-invasive data practices a navigation app can implement and has attracted regulatory enforcement in similar contexts.
Waze now explicitly states it will periodically collect all phone numbers stored in your device's contacts book as part of a 'find friends' feature, and may also collect your own phone number and data from connected social network accounts. This affects not just Waze users but also people in their contacts who have never consented to having their phone number shared with Waze. You can disable the 'find friends' feature and revoke social network integrations in your Waze account settings to limit this data collection.
Waze has materially expanded its data collection scope to include periodic harvesting of device contact-book phone numbers (described as anonymized hashes), user phone numbers, and social network profile data. This touches GDPR Art. 5 (purpose limitation, data minimisation), Art. 6 (lawful basis for processing third-party contact data), Art. 13/14 (transparency obligations toward data subjects who are contacts of Waze users), and CCPA Cal. Civ. Code §1798.100 et seq. The collection of contact-book data from non-users is particularly sensitive and has drawn regulatory scrutiny in multiple jurisdictions. Immediate DPO review is warranted.
1. GDPR: Art. 5(1)(b) (purpose limitation), Art. 5(1)(c) (data minimisation), Art. 6(1) (lawful basis — particularly for processing phone numbers of non-users who have not consented), Art. 13/14 (transparency obligations to both users and third-party data subjects whose numbers are harvested), Art. 9 (if social network data reveals special category attributes), Art. 25 (data protection by design and by default). The collection of third-party contact data has been directly addressed in EDPB guidelines and national DPA enforcement actions (e.g., Irish DPC investigations into similar contact-upload features, WhatsApp/Facebook enforcement).
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000076.
ConductAtlas Policy Archive Entity: Waze | Document: Waze Privacy Policy | Record: CA-C-000076 Captured: 2026-03-23 06:16:18 UTC URL: https://conductatlas.com/change/2026-03-23-waze-waze-privacy-policy-76/ Accessed: April 4, 2026
On March 23, 2026, Waze removed a large portion of its Terms of Use, including key introductory language that explained …
Create a free account and add Waze to your watchlist. We'll email you the moment something changes.