WhatsApp, privacy policies and plain language

By Maryke Sher-Lun on 21 October 2021

Recently, a complaint was laid against WhatsApp by the European Consumer Organisation ("BEUC"). (1) Although the Irish Data Protection Commissioner has already fined WhatsApp a whopping €225 million for a range of GDPR-related complaints, (2) what's interesting about the current complaint is that it is being laid apart from GDPR, in terms of consumer laws.

The complaint related firstly to what the BEUC called "persistent, recurrent and intrusive notifications pushing users to accept WhatsApp’s policy updates", which it argued "put an undue pressure on users and impair their freedom of choice."   

The second complaint related to a failure to explain what the policy updates mean in plain language.  The BEUC said that "It is basically impossible for consumers to get a clear understanding of what consequences WhatsApp's changes entail for their privacy, particularly in relation to the transfer of their personal data to Facebook and other third parties.  This ambiguity amounts to a breach of EU consumer law which obliges companies to use clear and transparent contract terms and commercial communications."  

As in the EU, WhatsApp has drawn scrutiny in South Africa from the Information Regulator, which has stated (3) that it is contemplating litigation to force WhatsApp to apply the same privacy standards in South Africa as it has already agreed to provide in the EU. But the question arises: could a similar complaint be laid against WhatsApp in terms of SA consumer law?

The Consumer Protection Act and POPIA 

A "consumer", for purposes of the Consumer Protection Act 68 of 2008 ("CPA"), is defined very broadly to include not only people who purchase goods or services in a transaction, but also people who are "users" of goods or services, and those to whom those goods or services are marketed in the ordinary course of a supplier's business.  As with the Protection of Personal Information Act 4 of 2013 ("POPIA"), a "person" is not limited to a natural person, although the CPA exempts certain transaction types and entity sizes.  There is, therefore, substantial overlap between consumers and data subjects, at least for responsible parties who supply goods or services.   

How does the CPA affect compliance with POPIA?  In a variety of ways, but for starters, section 22(1) of the CPA provides that: 

"The producer of a notice, document or visual representation that is required, in terms of this Act or any other law, to be produced, provided or displayed to a consumer must produce, provide or display that notice, document or visual representation— … (b) in plain language, if no form has been prescribed for that notice, document or visual representation."

The implication of this section is that if any law (including POPIA) requires a notice to consumers and does not prescribe a form for that notice, the notice should be in plain language.  This is done for a variety of reasons, not least of which is that plain language has, both nationally and internationally, long been linked to both transparency and procedural fairness. (4) 

POPIA requires data subjects to be notified of the way in which their personal information is being used (see section 18).  This is typically done in the form of a privacy policy.  Many of the privacy policies that flooded all our inboxes on 1 July featured a large amount of legalese.  However, in terms of the CPA, these notices are in fact required to be in plain language, at least when they're addressed to consumers.   

What does plain language look like? 

In language which is far from plain, the CPA provides some guidance on what plain language might look like. Section 22(2) provides that a notice is in plain language if: "it is reasonable to conclude that an ordinary consumer of the class of persons for whom the notice, document or visual representation is intended, with average literacy skills and minimal experience as a consumer of the relevant goods or services, could be expected to understand the content, significance and import of the notice, document or visual representation without undue effort, having regard to— (a) the context, comprehensiveness and consistency of the notice, document or visual representation; (b) the organisation, form and style of the notice, document or visual representation; (c) the vocabulary, usage and sentence structure of the notice, document or visual representation; and (d) the use of any illustrations, examples, headings or other aids to reading and understanding."

Section 22(3) further provides for the consumer commission to provide guidelines on plain language, which it has not done to date.  Some guidance may, however, be drawn from the interpretation of a very similar provision in section 64 of the National Credit Act 34 of 2005 (the "NCA").  In the case of Standard Bank of South Africa Ltd v Dlamini 2013 (1) SA 219 (KZD) the court dealt with a consumer who was functionally illiterate (that is, well below the "average literacy" contemplated by both the CPA and the NCA).  The court stated that while a strict interpretation of section 64 of the NCA would not assist an illiterate consumer, "purposively interpreted, the credit provider bears the onus to prove that it took reasonable measures to inform the consumer of the material terms of the agreement."  The court went on to state that what counts as reasonable measures, and material terms, would vary depending on considerations such as industry, regional or geographic circumstances, price, nature of the goods or services, and the class of consumers likely to contract for them.   

Plain language in privacy statements and notices  

While South African law has yet to provide specific guidance on plain language in relation to privacy notices, the EU has engaged with this issue in some depth, and some of the biggest GDPR-related fines to date have related to inadequate privacy notices. (5)  In 2018, the EU's Article 29 Data Protection Working Party adopted binding guidelines on transparency (the equivalent of 'openness' in terms of GDPR), which include some very practical guidelines on privacy notices.  The guidelines warn against "complex sentence and language structures", as well as abstract and ambivalent terms which leave room for different interpretations.  "In particular," the guidelines state, "the purposes of, and legal basis for, processing the personal data should be clear."   

The following paragraph of the guidelines should give pause to companies which make use of generic, "catch-all"-style privacy policies:  

Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing. … Writing should be in the active instead of the passive form and excess nouns should be avoided. The information provided to a data subject should not contain overly legalistic, technical or specialist language or terminology. (6) 

Does that sound like some privacy notices that have landed in your inbox recently? 

The guidelines go on to give some practical examples of good and bad practice. (6) An example of poor practice is "We may use your personal data to develop new services," as it is unclear what the services are. Better practice would be "We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in," as it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used to enable this.

Another example of poor practice given is: "We may use your personal data for research purposes," as it is unclear what kind of research this refers to.  It would be better to state "We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive," as it is now clear what type of data will be processed and the type of analysis which the controller is going to undertake. 

Certainly, being that specific can be more difficult if a company is attempting to address all its uses of personal information in a single privacy policy.  Some of our clients have found that it makes sense to create more than one privacy policy, for instance an internal one to inform employees, and an external one to inform suppliers, customers and others.  The Working Party 29 guidelines also acknowledge what they describe as a “tension between completeness and understanding”, (6) and for particularly complex uses of personal information they recommend the use of layering and the provision of hard copies and/or hyperlinks to help consumers engage properly with the disclosures.  

It remains to be seen whether the Information Regulator will require companies to be as clear and precise in their privacy policies as is required by similar regulators in the EU.  However, companies preparing privacy policies would be wise to keep in mind that they will also be accountable to the National Consumer Tribunal and could in effect be liable for separate fines in terms of both POPIA and the CPA if the language of their privacy policies is found not to be sufficiently clear. 

Endnotes 

(1) See https://www.beuc.eu/publications/consumer-groups-file-complaint-against-whatsapp-unfairly-pressuring-users-accept-its/html and the updated complaint following the September ruling: https://www.beuc.eu/publications/beuc-x-2021-077_letter_cpc_-_whatsapp_september.pdf.
(2) https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry  
(3) https://www.justice.gov.za/inforeg/docs/ms/ms-20210513-WhatsAppPrivacyPolicy.pdf. 
(4) See for instance PN Stoop and C Chürr PER / PELJ 2013(16)5 "Unpacking the Right to Plain and Understandable Language in the Consumer Protection Act 68 of 2008" at page 531. 
(5) In 2019, for instance, Google was fined €50 million relating to its inadequate privacy notice.  The details of the fine are available on the French regulator's website here: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc. 
(6) Article 29 Working Party Guidelines on transparency under Regulation 2016/679 (adopted on 29 November 2017; as last revised and adopted on 11 April 2018), at pages 9-10, 19. 

Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.