Vietnam’s National Competition Commission (NCC) has taken a decisive stance against Zalo, the leading messaging app operated by VNG Corporation, in light of rising user privacy concerns. In a formal notice issued on December 31, the NCC mandated that VNG promptly revise its updated service terms, which have sparked significant user complaints.
The NCC’s directive emphasizes the necessity for VNG to ensure that users are not coerced into consenting to the collection, storage, and use of their personal data as a prerequisite for continued access to the app. The commission highlighted that consent mechanisms should be “voluntary, clear, and substantive,” rather than merely formal. Additionally, it called for a temporary halt to any third-party data transfers involving users who have already accepted the new terms.
This directive follows Zalo’s recent rollout of a revised service agreement, which was introduced just days prior to the enforcement of Vietnam’s Personal Data Protection Law on January 1, 2026. Under the new terms, users are faced with an ultimatum: accept all provisions regarding data management or risk account deletion after 45 days. This all-or-nothing approach has drawn criticism, as it does not allow users to selectively opt out of specific clauses.
Moreover, the updated terms reduce corporate accountability concerning data-related risks, stating that VNG does not guarantee service stability, information security, or the accuracy of information provided on the platform. Users are also required to indemnify VNG against any losses incurred from their use of the service.
On the same day, Zalo communicated to its users via the app that the updated terms do not alter the app’s functionality but are designed to comply with regulatory requirements. The company clarified that it collects certain user data to enhance service operations and ensure account security, asserting that identification information is collected solely for account verification or fraud prevention purposes. Zalo further stated that it does not store or utilize the content of private messages or calls for any purpose and shares user data with third parties only with user consent and in accordance with legal standards.
User backlash
The policy update has incited a notable backlash among users. On Apple’s App Store, Zalo’s average rating has plummeted to around two out of five stars, heavily influenced by a surge of one-star reviews citing privacy and security issues. A similar trend is evident on Google’s CH Play store, where recent reviews have skewed predominantly negative.
These shifts in app rankings suggest that users may be seeking alternatives. As of December 31, international messaging apps such as WhatsApp and Viber have ascended to the top of the free-download charts on Apple’s App Store in Vietnam, while Zalo has slipped to 59th place. With approximately 78 million active users, Zalo holds a significant presence in Vietnam, commanding about 85 percent of the local messaging market, according to research from Decision Lab.
Zalo’s influence extends beyond personal communication, with over 17,000 official accounts operated by government entities and businesses, collectively serving more than 40 million followers across the nation. These accounts facilitate administrative services, disseminate public information, and engage in commercial activities.
Truong Duc Luong, co-founder and chairman of Vietnam Security Network, remarked, “The data collected for the core services of messaging apps is a natural requirement from a technical and product development standpoint to serve user needs.” He emphasized the importance of ensuring proper security measures are in place to mitigate risks in the event of information leaks. In its latest statement, Zalo asserted that its systems comply with the ISO/IEC 27001:2022 international standard for information security and is pursuing regulatory approval for end-to-end encryption to enhance the security of private conversations.
Luong noted that, theoretically, platforms could design consent mechanisms allowing users to accept some terms while rejecting others. However, he cautioned that refusing to provide certain data might hinder a developer’s ability to deliver services at the expected quality, potentially justifying service withdrawal. “It’s important to look squarely at product quality,” he stated, highlighting Zalo’s effective service to Vietnamese users as a key factor in its widespread adoption.
Regulatory scrutiny
The NCC had intended to meet with VNG on December 31 to discuss the updated policy, but the company requested a postponement to gather documentation from various business units. Nonetheless, the NCC underscored the urgency of implementing corrective measures to safeguard consumers’ rights and interests.
This scrutiny of VNG aligns with a broader international trend of regulatory pushback against “pay or consent” and “take-it-or-leave-it” data policies employed by major digital firms. In the European Union, the European Data Protection Board cautioned in April 2024 that models compelling users to either pay or consent to behavioral data tracking often fail to meet the General Data Protection Regulation’s standards for “freely given” consent, particularly in the context of significant power imbalances.
In a separate case, the European Commission levied a €200 million fine against Meta under the Digital Markets Act for not providing Facebook and Instagram users with a genuine option to decline personalized data processing while maintaining access to equivalent services. Similarly, India’s Competition Commission imposed a fine of approximately .3 million on Meta for WhatsApp’s 2021 privacy policy update, concluding that its “accept or leave” approach constituted an abuse of market power and mandated the introduction of meaningful opt-out mechanisms for non-service-related data usage.
