Brazil: National Data Protection Authority ordered an audit and transparency plan following a review of WhatsApp and Meta's data sharing practices

On 11 November 2025, the National Data Protection Authority (ANPD) concluded its assessment of personal data sharing between WhatsApp and Meta, initiated after the 2021 update to WhatsApp’s Privacy Policy. The ANPD found that data is shared under two frameworks, one where Meta acts as a processor for WhatsApp’s messaging operations and another where it acts as a controller for services linking WhatsApp to other Meta platforms. Although WhatsApp demonstrated mechanisms to ensure Meta’s role remains that of a processor under the General Personal Data Protection Law (LGPD), the ANPD identified high risks to data subjects due to the large volume of shared data, the companies’ belonging to the same economic group, and Meta’s business model based on extensive personal data use. As a result, the ANPD ordered WhatsApp to conduct an independent external audit to verify Meta’s compliance with processor obligations and to submit a Compliance Plan improving transparency towards users. The plan must clarify when Meta acts as a processor or controller, explain possible secondary uses of data for advertising when users choose to connect with Meta services, and update WhatsApp’s Brazilian Privacy Notice accordingly. Additional determinations require WhatsApp to clearly distinguish between legal bases for processing, specify the categories and purposes of shared data, introduce transparency screens for optional features, and explicitly state when data sharing enables advertising use by Meta. The company must also clarify that certain types of data processing, such as for user recommendations or content personalisation, are not performed in Brazil. Recommendations include listing the legal bases for all processing activities and specifying that marketing communications occur outside the platform.