What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages the EU General Data Protection Regulation (GDPR), with WhatsApp Ireland Limited identified as the data controller for EU and UK users and the Irish Data Protection Commission (DPC) designated as lead supervisory authority. The policy also engages the California Consumer Privacy Act (CCPA) and its amendments under CPRA for California residents, the UK Data Protection Act 2018, and various national implementations of data protection law across WhatsApp's …

How does WhatsApp's WhatsApp Privacy Policy affect users?

Under this policy, users' phone numbers, device identifiers, usage patterns, and uploaded contact list data are designated for collection and cross-company sharing within Meta's corporate group for ad targeting purposes on Facebook and Instagram. The policy establishes that contact list uploads include phone numbers and identifiers of non-WhatsApp users whose data is processed by WhatsApp's systems. Users in covered jurisdictions have access to in-app settings to review data practices, download…

How often is WhatsApp's WhatsApp Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when WhatsApp updates this document?

Yes. Watcher subscribers ($9.99/month) can add WhatsApp to their watchlist and receive same-day email alerts whenever this document or any other WhatsApp document changes.

CA-D-000176

WhatsApp Privacy Policy

Last change detected April 21, 2026 Privacy policy

SHA-256: 0f56bba4c520822a1fe… 5 versions captured 5 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at WhatsApp ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

8 Medium severity

1 Low severity

Summary

This document establishes WhatsApp's data collection, use, and sharing practices, including the categories of personal information processed and the mechanisms through which data flows to Meta Companies. The policy authorizes WhatsApp to collect phone numbers, device identifiers, usage data, and contact lists, and to share these categories with Meta Companies for use in ad personalization on Facebook and Instagram. The policy specifies data subject rights procedures differentiated by jurisdiction: EU and UK users may exercise access, correction, deletion, and data portability rights through in-app settings or direct request; California users may submit data access requests through designated channels.

Technical / Legal Breakdown

This document is WhatsApp's global Privacy Policy, governing the collection, use, storage, and sharing of personal data by WhatsApp LLC (and WhatsApp Ireland Limited for EU/UK users), with stated legal bases including contract performance, legitimate interests, legal obligations, and user consent depending on jurisdiction. The policy states that WhatsApp collects account registration information (phone number, profile name, picture), device identifiers, IP addresses, battery level, signal strength, browser type, mobile network, connection information, location-related data, usage and log information, cookies and tracking technologies, payment and financial transaction data, contacts from user address books, status information, and the content of messages to the extent necessary to deliver services (noting end-to-end encryption for personal messages). The policy authorizes sharing of user information with the broader Meta Companies family of products for infrastructure, safety, research, and product improvement purposes, as well as with third-party service providers, business partners, and in response to legal requests; this cross-company data sharing with Meta platforms (including Facebook and Instagram) is operationally distinct from messaging-only service expectations and has been subject to regulatory scrutiny in multiple jurisdictions. The policy engages GDPR (for EU and UK users, with WhatsApp Ireland Limited as data controller), CCPA (for California residents), and various national data protection frameworks; EU users retain specific rights including access, rectification, erasure, portability, and objection, while the policy designates the Irish Data Protection Commission as lead supervisory authority for EU matters. Material compliance considerations include the scope of Meta-group data sharing, the adequacy of consent mechanisms for cross-platform data integration, the treatment of contacts data uploaded by users (implicating third-party data subject rights), and WhatsApp's use of data to inform advertising shown on Meta platforms even where WhatsApp itself does not display third-party ads.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

5 important changes detected

5 versions captured · Last updated: April 2026

April 21, 2026

low

What changed WhatsApp modified its language about potential future ad formats in Status and Channels. Previously, the policy stated it had no intention to introduce other types of ads but acknowledged users might see them anyway. The updated language now states that if WhatsApp ever does introduce other ad types, it will update the Privacy Policy to disclose this. Additionally, WhatsApp removed a sentence that directed United States residents to a separate Regional Privacy Notice for information about consumer privacy rights.

Why this matters The updated policy establishes a commitment that if WhatsApp introduces additional ad formats in Status and Channels beyond current offerings, the company will update the Privacy Policy to disclose this change. Previously, the policy included language stating WhatsApp had no intention to introduce other ad types but acknowledged users might see them anyway. The revised language clarifies that policy updates will accompany any introduction of new ad formats. Separately, the policy no longer includes a direct reference to United States Regional Privacy Notice for consumer privacy rights information.

View full change record →

April 19, 2026

medium

What changed WhatsApp modified two sections of its Privacy Policy on April 19, 2026. First, the policy changed language about advertising on the platform, removing a statement that WhatsApp had 'no intention' to introduce new ad types and replacing it with an explicit statement that users 'may see other types of ads in Status and Channels.' Second, the policy replaced its section addressing Thai residents' privacy rights under Thai law with a new section on privacy rights for United States residents, including a reference to WhatsApp's United States Regional Privacy Notice.

Why this matters The updated policy now explicitly discloses that users 'may see other types of ads in Status and Channels,' whereas the prior language stated WhatsApp had 'no intention to introduce' new ad types. This represents a shift from a stated commitment not to expand advertising toward an explicit acknowledgment that new ad categories may appear on WhatsApp's social features. The policy also updated its regional privacy guidance by removing a reference to Thai Personal Data Protection Act rights and adding a new section directing US residents to WhatsApp's United States Regional Privacy Notice for information about their consumer privacy rights under US law.

View full change record →

March 23, 2026 low

WhatsApp added a single sentence to its Privacy Policy on March 23, 2026, providing Thai residents with a direct reference to learn about their rights under Thailand's Personal Data Protection …

View change record →

March 20, 2026 low

WhatsApp modified language describing potential future advertising on its Status and Channels features. The previous version stated the company had no intention to introduce other ad types but said users …

View change record →

March 19, 2026 low

WhatsApp's privacy policy was updated on March 19, 2026 to reflect changes in how ads function on the platform. Previously, the policy stated WhatsApp had no intention to introduce certain …

View change record →

High — 1 provision

Meta Companies Data Sharing Compare →

WhatsApp shares your data (including your phone number, device info, and usage data) with Facebook, Instagram, and other Meta-owned services, and those companies can use that information to improve their own products and to personalize ads you see on their platforms.

Added May 12, 2026 Standard Seen across 246 platforms

Medium — 8 provisions

Contacts List Upload and Processing

When you use WhatsApp, the app uploads your phone's contact list to WhatsApp's servers, including the phone numbers of people who may not use WhatsApp, and the policy requires you to confirm you have permission to share those contacts' data.

Added May 12, 2026 Rare
End-to-End Encryption Scope and Limitations Compare →

Messages sent between WhatsApp users are end-to-end encrypted, meaning WhatsApp itself cannot read the content of your personal messages or listen to your calls in transit.

Added May 12, 2026 Standard Seen across 262 platforms
GDPR Rights for EU and UK Users Compare →

If you are in the EU or UK, you have the legal right to see the data WhatsApp holds about you, correct it, delete it, move it to another service, or object to certain uses, including any use of your data based on WhatsApp's claimed legitimate interests.

Added May 12, 2026 Standard Seen across 262 platforms
California Resident Rights (CCPA)

California residents can ask WhatsApp to disclose what personal data it holds about them, request deletion of that data, and are protected from being penalized for exercising these rights.

Added May 12, 2026 Rare
Data Retention and Account Deletion Compare →

WhatsApp keeps your data for as long as it needs to run the service or until you delete your account, but the exact retention period is determined case by case rather than fixed, and some data may be retained longer for legal or operational reasons.

Added May 12, 2026 Standard Seen across 223 platforms
Location and Device Data Collection Compare →

WhatsApp automatically collects extensive technical information from your device including your IP address, mobile network, battery level, unique device identifiers, and identifiers linked to other Facebook/Meta products on the same device.

Added May 12, 2026 Standard Seen across 251 platforms
Legal Requests and Law Enforcement Disclosure Compare →

WhatsApp can share your information with law enforcement, government agencies, or others if it believes this is required by law, necessary to enforce its terms, or needed to address fraud, safety risks, or legal requests.

Added May 12, 2026 Standard Seen across 246 platforms
Minors and Age Requirements Compare →

WhatsApp requires users to be at least 13 years old globally, or older in countries with higher age requirements, and requires parental or guardian consent for users who are old enough to use the service but not old enough to legally agree to terms on their own.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 1 provision

Policy Change Notification Compare →

WhatsApp commits to notifying users before changes to the privacy policy take effect and giving them a chance to review the new terms before deciding whether to continue using the service.

Added May 12, 2026 Standard Seen across 178 platforms

Monitoring

WhatsApp has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Children's Privacy and Age Restrictions and similar clauses.

Compare across platforms →