When you use WhatsApp, the app uploads your phone's contact list to WhatsApp's servers, including the phone numbers of people who may not use WhatsApp, and the policy requires you to confirm you have permission to share those contacts' data.
This analysis describes what WhatsApp's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision involves the processing of personal data belonging to third parties (your contacts) who have not agreed to WhatsApp's terms and may be unaware their phone number and name have been uploaded to WhatsApp's servers.
The updated policy removes an unconditional statement of intent and replaces it with conditional language: 'We have no intention to introduce them, but if we ever do, we will update this Privacy Policy.' This revision reserves WhatsApp's right to introduce ad formats in Status and Channels in the future, subject only to updating the privacy policy at that time. The prior language established a stronger commitment; the updated language is more permissive. No specific consumer action is required; the change is informational regarding WhatsApp's future flexibility on advertising formats.
View change record →The updated terms no longer state that WhatsApp has no intention to introduce ads in Status and Channels. Instead, the revised language indicates that if ads are introduced in these features, WhatsApp will update its privacy policy to reflect the change. This means the company has reserved the option to add ads to Status and Channels in the future, subject to policy update notification.
View change record →The updated policy now explicitly discloses that users 'may see other types of ads in Status and Channels,' whereas the prior language stated WhatsApp had 'no intention to introduce' new ad types. This represents a shift from a stated commitment not to expand advertising toward an explicit acknowledgment that new ad categories may appear on WhatsApp's social features. The policy also updated its regional privacy guidance by removing a reference to Thai Personal Data Protection Act rights and adding a new section directing US residents to WhatsApp's United States Regional Privacy Notice for information about their consumer privacy rights under US law.
View change record →Your entire phone contacts list, including people who do not have WhatsApp accounts, is uploaded to and processed by WhatsApp; the policy places the responsibility on you to confirm you have authorization to share those third-party individuals' personal data.
How other platforms handle this
If you are in the European Economic Area (EEA), we only process your personal data when we have a valid legal basis to do so, including when: (a) you have consented to the processing; (b) the processing is necessary to perform a contract with you; (c) we have a legitimate interest in processing your...
We process the information you share with us when you create your profile or send messages. This includes photos, videos, messages, and other content you share on the platform. We may use this content to improve our services, ensure safety, and comply with legal obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
WhatsApp has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You provide us the phone numbers of WhatsApp users and your other contacts in your mobile phone address book on a regular basis, including those of both the users of our Services and your other contacts. You confirm you are authorized to provide us such numbers to allow us to provide our Services.— Excerpt from WhatsApp's WhatsApp Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 6 (lawful basis for processing third-party data), Article 13/14 (transparency obligations toward data subjects who are not party to the contract), and the data minimization principle under Article 5(1)(c). The Irish DPC and other EU supervisory authorities have examined contact upload features across messaging platforms in the context of transparency and third-party rights. CCPA may also apply to the extent California residents' contact data is uploaded by WhatsApp users. GOVERNANCE EXPOSURE: High. The upload of contacts data implicates the rights of individuals who are not WhatsApp users and who have not been informed that their personal data is being processed. The policy's statement that users confirm they are 'authorized' to provide these numbers places a legal obligation on users that may not be practically meaningful or enforceable, and does not resolve WhatsApp's own obligations as a data controller toward those third-party data subjects. JURISDICTION FLAGS: EU and UK users face the highest exposure given GDPR requirements for lawful basis and transparency toward all data subjects, including non-users whose data is uploaded. Illinois BIPA may be implicated if contact data includes biometric-adjacent identifiers in future feature contexts. Brazil's LGPD imposes similar third-party data subject rights. CONTRACT AND VENDOR IMPLICATIONS: Enterprise deployments of WhatsApp Business must assess whether employee or customer contacts uploaded through business accounts create data processing obligations or liability exposure under applicable law. Vendor contracts should address whether WhatsApp's contact upload mechanism is compatible with the enterprise's own privacy notices and consent frameworks. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether user-facing consent flows adequately inform users of the contact upload requirement and the implied representation that they have authorization for all uploaded contacts. Privacy teams should assess whether this provision is compatible with applicable data minimization requirements and whether a narrower alternative (such as hashed contact matching without bulk upload) is technically available.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision involves the processing of personal data belonging to third parties (your contacts) who have not agreed to WhatsApp's terms and may be unaware their phone number and name have been uploaded to WhatsApp's servers.
Your entire phone contacts list, including people who do not have WhatsApp accounts, is uploaded to and processed by WhatsApp; the policy places the responsibility on you to confirm you have authorization to share those third-party individuals' personal data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by WhatsApp.