“I’m an administrator for a number of social WhatsApp groups that share information about neighbourhood safety and security, school lift clubs for our children, sporting activities, etc. I also belong to a number of other WhatsApp groups and have noticed that some of the group administrators have sent lengthy POPIA consent notices. Is this really necessary under POPIA and will I also have to do this for the WhatsApp groups that I administer?”
WhatsApp is a popular communication platform between people and the ability to form groups on WhatsApp has become a common occurrence across the world. Even businesses have started to use WhatsApp for business communication, marketing activities and customer engagement.
However, since the Protection of Personal Information Act (“POPIA”) came into full effect, there has been a lot of uncertainty regarding whether POPIA finds application to WhatsApp groups. It appears that many people have been told that members may only be part of a group if they have expressly consented thereto (opted-in). Others have said that if they are already part of the group, they can remain as members, provided they are given the right to opt-out and only new users will have to purposefully consent and opt-in to the group.
With all of these opinions floating about, what is the correct position in respect of POPIA and WhatsApp groups?
Firstly, POPIA is only applicable where personal information is ‘processed.’ Processing is however widely defined and can include most acts of in some way dealing with personal information, including, sharing personal information in a WhatsApp group or possibly even just having access to someone’s name and contact details as a result of their group membership. Chances are therefore likely that personal information may be processed within the parameters of a WhatsApp group and accordingly come within the ambit of POPIA, unless an exception applies.
Secondly, when it comes to processing, consent is generally required for such processing, unless such processing is otherwise justified in terms of POPIA, leading to many of the current consent processes floating around on WhatsApp groups. In terms of POPIA consent is defined as “…any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
Added to this, POPIA also requires that the obtaining of personal information, and by implication any consent given, must be for a purpose that is specific, defined and lawful. So, it begs the question that if information is taken from a group and used for other purposes than the primary intent of the group, whether any consent given would cover this. As can be seen from this, things can get complicated very quickly, and in part is also why there are so many differing views floating about.
What must be appreciated is that in general POPIA does not provide hard and fast rules for these matters. POPIA provides principles which need to be applied, and in time rules and guidelines may develop. But for now, we have to work with the principles and try to apply them as best as possible until there is more clarity.
That said, POPIA does clearly state that any processing of personal information conducted in the course of purely personal and household activities would not amount to processing under POPIA and is essentially also excluded from the requirement of obtaining consent. This means that groups dealing with personal, friendship, family or even social activities would generally fall outside POPIA and would not require consent to be obtained. This should therefore be a huge relief for most administrators that probably manage WhatsApp groups of this nature. On the other hand, with a business that creates an official work WhatsApp group for communication and information sharing purposes, the position might be different.
As always, there are the groups that could be borderline or clearly fall under POPIA, and here consent again becomes important. Does this mean that consent must be in the form of a form filled in and completed and sent back? It could, but it could also be sufficient for a clearly worded message to members advising of the purpose of the group and why and how their information will be processed as well as their right to opt-out at any time. The nature, scope and purpose of the processing will definitely have an impact on the most appropriate mechanism chosen for obtaining consent.
With regards to managing or creating new groups or inviting new members to join groups, it is useful to consider WhatsApp’s own practice guidelines on how to do this and which largely aligns with many of the requirements of POPIA. Have a look at these at https://faq.whatsapp.com/general/security-and-privacy/how-to-use-whatsapp-responsibly/
In conclusion, it appears that most of your WhatsApp groups fall within the exclusion of being personal or household related and would therefore not require you to obtain the consent of your members or issue a privacy notice as is required under POPIA for more business-related groups.
It is however advisable to make sure that you do not form WhatsApp groups which breach this common divide and venture into a scenario where you may require consent from or notification to your members. Consider having a look at how you can bring the WhatsApp best practices into your group administration as suggested above. If consents are required, maybe consider discussing the scope of processing with your attorney to develop an appropriate strategy for obtaining the consent of existing and new members of your WhatsApp group.