After three years of investigation, the Federal Competition and Consumer Protection Commission (FCCPC) fined Meta $220 million for its conduct and operations between May 2021 and December 2023.
The Commission found that the tech giant violated the FCCPC Act 2018, Nigeria Data Protection Regulation 2019 (NDPR), and other relevant laws.
However, Meta has disputed the FCCPC’s claim, disagreed with the judgment and the fine, and plans to appeal.
Interestingly, the 116-page document that details FCCPC's investigation into WhatsApp shows that the instant messaging platform might have been exploiting Nigerian users.
Here are four reasons why the FCCPC is suing Meta for $220 million.
From shady methods of collecting data to allegations about discrimination, the FCCPC dug deep into WhatsApp's operations in Nigeria and uncovered that the instant messaging app was abusing its market dominance by enforcing exploitative and non-compliant privacy.
Although Meta denies that its company — WhatsApp — has done anything wrong, the FCCPC’s detailed investigative report says otherwise.
1 Fingerprinting devices by collecting excessive data
The FCCPC found out that WhatsApp was collecting more data than necessary from Nigerian users to use the app. Compared to similar apps like Signal and Telegram, which collect four metadata points, WhatsApp collects 44. This excessive data can be used to fingerprint people’s devices.
Device fingerprinting is a technique used to identify and track devices (like smartphones, tablets, or computers) based on the unique characteristics and settings of the device.
This fingerprint can be used to recognise your device even if you clear your cookies or use private browsing mode.
Give it a try, you can unsubscribe anytime. Privacy Policy.
While device fingerprinting can help apps remember your preferences, provide personalised content, and improve security by detecting suspicious activities, it can also track you across different websites and apps without your consent or knowledge.
Unlike cookies, which users can delete or block, device fingerprints are much harder to avoid.
When the FCCPC asked WhatsApp for a log of all the data it collects, it could not provide it. Per the Commission, it “failed to provide the said information and rather responded in a generalized statement that consent was not a mandatory requirement.”
Interestingly, WhatsApp is an instant messaging app, which means there’s very little need for the app to fingerprint Nigerian devices. Banking apps or eCommerce websites, on the other hand, could use it for increased security or better product recommendations for users.
2 Coercing users to accept privacy policy
According to the FCCPC, WhatsApp forced users to accept its updated privacy policy by reducing the app’s user experience. They also used “persistent, recurrent, and intrusive notifications pressuring users to accept the Updated Privacy Policy.”
These updated policies forced users to share necessary and unnecessary data required to use the messaging platform.
The platform did not also give users a choice to opt-out or give consent to providing these data points.
“Users had no choice but to accept a Privacy Policy that essentially compelled them to waive their right to self-determination and control processing and use of their personal data, and object to the sharing of such data with third parties, including Facebook companies.”
3 Discrimination against Nigerians
While WhatsApp forced Nigerian users to accept its new privacy policy, it gave Europeans a different option.
The FCCPC said European users were offered more protection and information on the kind of data collected and why it was being collected, and even gave them the option to withdraw consent without losing functionality.
Faced with the allegations of discrimination against Nigerians, WhatsApp said that “WhatsApp Ireland Limited provides the service in Europe, whereas WhatsApp LLC provides the service to users elsewhere.”
It added that there’s a difference between the privacy policies of Europe and Nigeria because both regions have different legal and regulatory environments.
The FCCPC’s counter to this, however, is that the Nigerian Data Protection Regulation (NDPR) and General Data Protection Regulation (GDPR), used by Europeans, are similar. This means there is no need for the privacy policy to be different.
4 Updating privacy policy to reduce data protection right
The FCCPC highlighted that in recovered web pages from 2016 to 2020, WhatsApp's privacy policy offered some protection to users.
“Third-Party Providers: We work with third-party providers to help us operate, provide, improve, understand, customize, support, and market our Services. When we share information with third-party providers, we require them to use your information in accordance with our instructions and terms or with express permission from you.”
In the 2021 updated privacy policy, the final phrase which gave users some power over their data was left out.
In WhatsApp’s defence, it updated the policy because third-party recipients of user data can only use this information to support WhatsApp, not for their own purposes.
It also argued that mentioning "consent" was unnecessary since all third-party data use is already regulated by WhatsApp’s terms.
However, this is quite different from the updated privacy policy sent to Europeans.
“Under applicable data protection law, you have the right to access, rectify, port and erase your information, as well as the right to restrict and object to certain processing of your information…This includes the right to object to our processing of your information for direct marketing and the right to object to our processing of your information where we are performing a task in the public interest, or pursuing our legitimate interests or those of a third party.”
This privacy policy gives Europeans more power over their data than the one sent to Nigerians.
The FCCPC concluded that WhatsApp’s actions were a result of its dominance in Nigeria. According to the Commission's data, WhatsApp has a market dominance of 65% while Facebook and Telegram have a market share of 28% and 1%, respectively.
This means that despite the exploitative privacy policy, switching to other messaging platforms would be difficult as users would need to convince their friends and family to switch too.
While Meta — WhatsApp’s parent company — has been instructed to pay a $220 million fine, the company has demonstrated its willingness to appeal the judgment. It appears which means the fight between the FCCPC and WhatsApp is far from over.
Read: 3 reasons why WhatsApp will not leave Nigeria