South Africa’s Information Regulator has issued a formal enforcement notice against WhatsApp for failing to comply with the Protection of Personal Information Act (POPIA). This marks a significant step in enforcing South Africa’s data protection laws and signals that the Regulator expects all organisations, local and global, to meet POPIA’s requirements.
Background to the WhatsApp enforcement notice
The Information Regulator began engaging with WhatsApp in 2021 after it identified concerns with the platform’s privacy practices. WhatsApp offered users in the European Union stronger privacy protections under the GDPR but did not apply the same standard to South African users. This unequal treatment prompted the Regulator to assess WhatsApp’s compliance with POPIA.
The Regulator asked WhatsApp to update its privacy policy to align with POPIA. When WhatsApp failed to respond within the prescribed timelines, the Regulator issued an enforcement notice in September 2024 and made it public in April 2025.
What the Regulator Found
The WhatsApp enforcement notice identifies several breaches of POPIA, including:
- Section 8: Lawfulness of Processing: WhatsApp failed to demonstrate that it processes personal information lawfully and fairly.
- Section 9: Processing Limitation: WhatsApp did not justify the necessity or relevance of the personal information it collects.
- Section 11: Consent: WhatsApp did not obtain consent in a manner that was voluntary, specific, and informed.
- Section 13: Purpose Specification: WhatsApp failed to clearly state why it collects personal information and how it will use it.
- Section 15: Further Processing: WhatsApp processed personal information for new purposes without providing a legal basis.
- Section 17: Openness: WhatsApp did not provide users with adequate information about its data practices.
- Section 19: Security Safeguards: WhatsApp failed to show that it had put appropriate measures in place to protect personal information.
The Regulator also found that WhatsApp did not comply with the Promotion of Access to Information Act (PAIA), particularly in relation to making its PAIA manual publicly accessible.
What the Enforcement Notice Requires WhatsApp to Do
The Regulator has directed WhatsApp to take the following actions:
- Amend its privacy policy to comply with POPIA’s transparency and consent requirements.
- Complete and submit a detailed Personal Information Impact Assessment (PIIA) to the Regulator.
- Update its PAIA manual and ensure it is accessible to the public.
- Implement enhancements to its:
  - Data Subject Rights FAQ
  - Service Providers FAQ
  - Legal Bases FAQ
  - Retention FAQ
  - How to Delete Your Account FAQ
The Regulator gave WhatsApp 60 days to comply. If WhatsApp fails to do so, it may face a fine of up to R10 million, imprisonment for up to 10 years, or both.
Actions to take
Organisations that process personal information in South Africa should take proactive steps to comply with POPIA. This includes:
- Reviewing and updating privacy policies and notices to reflect local requirements.
- Auditing consent mechanisms to ensure they are valid under POPIA.
- Completing Personal Information Impact Assessments for high-risk activities.
- Updating and publishing PAIA Manuals as required by law.