Vietnam’s dominant messaging app faces regulatory scrutiny over data policy update

[HO CHI MINH CITY] Vietnam’s National Competition Committee (NCC) has issued a stern directive to Zalo, the country’s leading messaging app operated by local tech giant VNG, demanding immediate changes to its rollout of updated service terms following a surge in user complaints.

In a formal notice issued on Wednesday (Dec 31), the NCC instructed VNG to “review and adjust the implementation of Zalo’s service agreement in a way that does not place consumers in a position where they must consent to the collection, storage and use of their personal information as a condition for continuing to use the service.”

The committee stressed that consent mechanisms must be “voluntary, clear and substantive, not merely formal”, and called for measures to temporarily suspend third-party data transfers involving users who have already accepted the new terms.

The directive came after Zalo rolled out a revised service agreement with tens of millions of users just days before Vietnam’s Personal Data Protection Law takes effect on Jan 1, 2026.

Under Zalo’s latest update, users must either accept all provisions governing data collection, storage and sharing, or face account deletion after 45 days. The app does not allow users to selectively opt out of individual clauses, effectively imposing an all-or-nothing choice.

Newly introduced provisions also limit corporate responsibility for data-related risks. They state that VNG offers no guarantees regarding service stability, information security or the accuracy of information users receive on the platform. Users are also required to indemnify VNG against losses arising from their use of – or inability to use – the service.

On the afternoon of Dec 31, Zalo notified users via its smartphone app that the updated terms of service do not alter the app’s functionality, but are intended to meet regulatory requirements.

The company said it collects certain user data to support service operations and account security, adding that citizen identification information is gathered only when account verification is required or for fraud prevention.

Zalo also said it does not store or use the content of private messages or calls for any purpose, and that user data is shared with third parties only with user consent and in line with legal requirements.

SEE ALSO

Vietnam’s nationwide cash payout: Police-run ID app at core of digital push, financial inclusion

Crypto players find safe haven in Vietnam’s dual-city IFC

Vietnam ramps up blockchain as local players chase early lead

User backlash

The policy update has triggered a strong backlash among domestic users. On Apple’s App Store, Zalo’s average rating has fallen to about two out of five stars, weighed down by a flood of one-star reviews citing privacy and security concerns. Google’s CH Play store shows a similar trend, with most recent app reviews skewing sharply negative.

Shifts in app rankings suggest users may be exploring alternatives. On Dec 30, international messaging apps WhatsApp and Viber surged to the top of the free-download charts on both iOS and Android in Vietnam. Meta Platforms’ Messenger ranked 35th, while Zalo slid to 43rd.

With roughly 78 million active users, Zalo has become deeply embedded in everyday life in Vietnam, accounting for about 85 per cent of the local messaging market, according to a report by Ho Chi Minh City-based market research firm Decision Lab.

Its influence extends beyond private communication. More than 17,000 Zalo official accounts operated by government agencies and businesses serve over 40 million followers nationwide, supporting administrative services, public information dissemination and commercial engagement.

“The data collected for the core services of messaging apps is a natural requirement from a technical and product development standpoint to serve user needs,” said Truong Duc Luong, co-founder and chairman of Hanoi-based cybersecurity firm Vietnam Security Network.

“Once data collection occurs, the next priority is ensuring proper security handling and mitigation in case information leaks,” he added.

In its latest statement, Zalo said its systems meet the ISO/IEC 27001:2022 international standard for information security.

The company added that it is seeking regulatory approval to roll out end-to-end encryption, which would further strengthen the security of private conversations on the platform.

Luong said platforms could, in theory and under the law, design consent mechanisms that allow users to accept some terms while rejecting others. In practice, however, refusing to provide certain data could limit a developer’s ability to deliver services at the expected quality, potentially giving companies grounds to withdraw service.

“It’s important to look squarely at product quality,” he said. “Zalo has been serving Vietnamese users’ needs effectively, which helps explain its widespread adoption.”

Regulatory scrutiny

The NCC had planned to meet VNG on Dec 31 to discuss the updated policy, but the company requested a postponement, citing the need to compile documentation spanning multiple business units.

Even so, the committee said immediate corrective measures were necessary to prevent potential harm to consumers’ legitimate rights and interests.

The scrutiny of VNG echoes international regulatory pushback against so-called “pay or consent” and “take-it-or-leave-it” data policies of digital powerhouses.

In the European Union, the European Data Protection Board warned in April 2024 that models forcing users to either pay or consent to behavioural data tracking often fail to meet the General Data Protection Regulation’s standard for “freely given” consent, particularly where significant power imbalances exist.

Separately, the European Commission fined Meta 200 million euros (S$302 million) under the Digital Markets Act for failing to offer Facebook and Instagram users a genuine option to refuse personalised data processing while retaining access to an equivalent service.

India has taken a similarly tough stance. In November 2024, the Competition Commission of India fined parent company Meta about US$25.3 million over WhatsApp’s 2021 privacy policy update, concluding that its “accept or leave” approach amounted to an abuse of market power. Regulators also ordered the company to introduce meaningful opt-out mechanisms for non-service-related data use.