When you grant WhatsApp access to your contacts, the phone numbers of everyone in your address book, including people who do not use WhatsApp, are uploaded to WhatsApp's servers.
This analysis describes what WhatsApp's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the operational mechanism by which WhatsApp obtains contact list data and allocates responsibility to users for ensuring they have authorization to share third-party phone numbers. This supports the service's core functionality of identifying contacts and enabling user connections.
Interpretive note: The legal basis under GDPR for processing non-users' phone numbers is not clearly stated in the policy, and the scope of data retained about non-users and available remedies for those individuals are ambiguous.
The updated policy removes an unconditional statement of intent and replaces it with conditional language: 'We have no intention to introduce them, but if we ever do, we will update this Privacy Policy.' This revision reserves WhatsApp's right to introduce ad formats in Status and Channels in the future, subject only to updating the privacy policy at that time. The prior language established a stronger commitment; the updated language is more permissive. No specific consumer action is required; the change is informational regarding WhatsApp's future flexibility on advertising formats.
View change record →The updated terms no longer state that WhatsApp has no intention to introduce ads in Status and Channels. Instead, the revised language indicates that if ads are introduced in these features, WhatsApp will update its privacy policy to reflect the change. This means the company has reserved the option to add ads to Status and Channels in the future, subject to policy update notification.
View change record →The updated policy now explicitly discloses that users 'may see other types of ads in Status and Channels,' whereas the prior language stated WhatsApp had 'no intention to introduce' new ad types. This represents a shift from a stated commitment not to expand advertising toward an explicit acknowledgment that new ad categories may appear on WhatsApp's social features. The policy also updated its regional privacy guidance by removing a reference to Thai Personal Data Protection Act rights and adding a new section directing US residents to WhatsApp's United States Regional Privacy Notice for information about their consumer privacy rights under US law.
View change record →If someone in your contacts uploads their address book to WhatsApp, your phone number is collected and processed by WhatsApp and Meta even if you do not have a WhatsApp account and have never agreed to its terms.
Cross-platform context
See how other platforms handle Contact List Upload and Processing of Non-Users and similar clauses.
Compare across platforms →Monitoring
WhatsApp has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You provide us the phone numbers of WhatsApp users and your other contacts in your mobile phone address book on a regular basis, including those of both the users of our Services and your other contacts. You confirm you are authorized to provide us such numbers to allow us to provide our Services.— Excerpt from WhatsApp's WhatsApp Privacy Policy
REGULATORY LANDSCAPE: Processing personal data of individuals who have not consented to that processing, specifically the phone numbers of non-WhatsApp users drawn from a user's contacts, raises significant questions under GDPR Article 6 regarding the lawful basis for processing data belonging to third parties who are not party to the WhatsApp user agreement. The policy asserts that the uploading user confirms they are authorized to provide such numbers, but this contractual assertion does not substitute for a valid GDPR legal basis for processing the third party's data. The Irish Data Protection Commission and other EU supervisory authorities have examined analogous contact harvesting practices. GOVERNANCE EXPOSURE: High for EU/EEA deployments. The practice of processing non-user contact data based on a contractual representation by the uploading user, rather than on a documented legal basis applicable to the data subject, is a recognized area of regulatory concern under GDPR. The policy does not describe what data about non-users is retained, for how long, or whether non-users have any mechanism to object. JURISDICTION FLAGS: EU/EEA and UK jurisdictions create the highest exposure given the GDPR requirement for a lawful basis for each data subject's data. Illinois BIPA may be relevant if contact data includes biometric-adjacent identifiers. California residents who are non-WhatsApp users but whose numbers are uploaded by contacts may have limited CCPA rights as they are not WhatsApp account holders. CONTRACT AND VENDOR IMPLICATIONS: Enterprise deployments of WhatsApp should consider whether employee use of the personal version of WhatsApp results in business contacts, including customers or partners, having their data uploaded to WhatsApp's infrastructure without organizational consent or awareness. This may trigger data mapping and third-party disclosure obligations under internal privacy programs. COMPLIANCE CONSIDERATIONS: Organizations should advise employees about the contact upload implications of personal WhatsApp use where business contacts may be involved. Privacy teams should assess whether the policy's reliance on the uploading user's self-certified authorization is sufficient under applicable law, and whether any notification or opt-out mechanism exists for individuals whose data is collected in this way.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the operational mechanism by which WhatsApp obtains contact list data and allocates responsibility to users for ensuring they have authorization to share third-party phone numbers. This supports the service's core functionality of identifying contacts and enabling user connections.
If someone in your contacts uploads their address book to WhatsApp, your phone number is collected and processed by WhatsApp and Meta even if you do not have a WhatsApp account and have never agreed to its terms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by WhatsApp.