The Whatsapp messaging app has been criticised after a joint investigation by Dutch and Canadian regulators.
Investigators said that when smartphone owners installed the app it asked to access their address books.
They said the problem was that it then transmitted all the contained phone numbers to its servers, and failed to delete those belonging to people who had not signed up to the service.
Whatsapp has not commented on the report at this time.
The Dutch Data Protection Authority has said that it could take punitive action if the Silicon Valley firm behind the product does not change it.
The Office of the Privacy Commissioner of Canada added that it would also continue to monitor the company, but said it did not have the power to issue sanctions despite its belief that the firm was breaking local laws.
Scan and store
WhatsApp was launched in 2009 and allows users to send each other text, image, video and audio messages.
It works across Android, iPhone, Blackberry, Windows Phone and Symbian platforms and does not charge a fee per message.
Instead some users pay its developer an annual $0.99 (63p) subscription, while others face a one-off cost to download the app. This has helped make it a popular alternative to SMS and MMS message services.
On installation users are asked permission to share their contacts so that the software can identify which of their friends are also on the service.
The regulators noted that only iPhone users running the latest version of Apple's iOS operating system were given the option of manually adding contacts rather than allowing their address book to be scanned.
They noted that although it was not illegal for the firm to have copied over data belonging to non-users, the problem was that it did not delete the information after running the friend-identification check.
Instead, the investigators said, the data was kept in a hashed form - in other words the telephone numbers were transformed into a short code and stored.
"This practice contravenes Canadian and Dutch privacy law, which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose," said the regulators,
The agencies added that the app's developer had taken steps to address some of their other concerns.
These included the introduction of encryption to prevent third-parties eavesdropping on messages sent via unprotected wi-fi networks, and the adoption of a stronger authentication process to make it harder for scammers to hack accounts in order to send messages from them.