The Competition Commission of India’s (“CCI”) penalty on Meta for abusing its dominant position through WhatsApp’s 2021 Privacy Policy (“Privacy Policy”) update is a significant step in regulating anti-competitive practices in digital markets. The order identifies two crucial markets where Meta holds dominance: Over-the-Top (“OTT”) messaging apps and online display advertising. The Privacy Policy, which made data sharing with Meta mandatory, was deemed an unfair, “take-it-or-leave-it” imposition on users. This unilateral change, without an opt-out option, was inferred as a way to leverage its dominance in the messaging app market to bolster its position in the digital advertising space, which potentially stifles competition and harms consumer autonomy. The CCI’s decision rightly highlights the detrimental impact on market access for rivals, using data sharing as a means to lock in users and limit their ability to choose alternative platforms.

From a data protection and privacy perspective, the CCI’s order resonates with evolving regulatory frameworks like the Data Protection and Data Privacy Act, 2023 (“DPDP Act”), which aims to protect user rights and ensure transparency in data practices. The order mandates WhatsApp to revise its Privacy Policy, particularly by offering users the ability to opt-out of sharing their data with Meta for advertising purposes, which aligns with growing global standpoint on data privacy rights. The CCI has pushed for more transparency and control for users over their personal data, reinforcing that user consent should not be coerced, but freely given. Moreover, the CCI’s directive to restrict Meta from sharing WhatsApp user data for advertising purposes for the next 5 (Five) years is an explicit effort to curtail the cross-leveraging of data across Meta’s platforms, potentially preventing monopolistic/ despotic practices in the online display of advertising sphere.

As the DPDP Act, and its accompanying DPDP Rules (which are yet to be officially issued) are set to shape the future of data governance, thereby meaning that companies like Meta shall be required to re- evaluate their respective privacy policies not only from a data protection standpoint but also from a competition law perspective. Compliance Teams prevalent in such Companies would be required to ensure that data collection, processing, and sharing practices do not inadvertently breach competition laws by imposing unfair conditions or creating barriers to entry in related markets. The CCI’s ruling highlights the need for firms to adopt privacy frameworks that prioritize both user consent and fair market competition. This dual approach of integrating Competition Law and Data Privacy Law shall prove to be crucial as businesses are bound to grow in this fast-paced dynamic environment, while also ensuring their practices navigate through the regulatory landscape, ensuring that they operate within legal boundaries, thus safeguarding user rights.

Although, it is reported that the tech-giant is considering to appeal against the said imposition of ₹213-crore (about USD 25.3 million) penalty, claiming that the policy was fair and preserved user choice, the said decision of CCI is being welcomed among all which aims to protect consumer interests, foster competition, and set a precedent for responsible data-sharing practices.