How do social media companies collect and use your personal data?

Social media companies have developed an increasingly bad reputation for how they handle the personal data of their users. With scandals like Cambridge Analytica being subject to international media coverage and documentaries like Netflix's The Social Dilemma making data accessible, more and more people are concerned about their privacy. Plus, privacy policies are notoriously hard and labour-intensive to read, making it difficult to quickly find out yourself.

So, what do some of the world’s biggest social media companies do with your data? We've gone through each of their privacy policies to find out.

Facebook’s privacy policy

What data do they collect about you?

Facebook collects various kinds of information about you. Some examples include:

  • Personal information used to create an account
  • Information in content you upload like location or photo information
  • Information in content other people upload about you
  • How you use the site, what you engage with, and who you talk to
  • Transactions through Facebook, such as in games or through Marketplace
  • Device information like IP address, operating system, and network data
  • Information from third-parties who use Facebook features such as the like button or Facebook pixel

Do they share your data with third-parties for advertising purposes?

Yes. While Facebook makes it clear that they “don't sell any of your information to anyone and [...] never will”, they do share information with partners in various ways. Facebook doesn’t share data that personally identifies you without permission, but it does share demographic info with advertisers to let them know how their ads are performing.

Who with?

Facebook lists some of the kinds of people they share your information with, including:

  • Advertisers
  • Data measurement companies
  • Vendors and service providers
  • Researchers and academics
  • Law enforcement

Any headlines?

You’ll have probably heard of the Cambridge Analytica scandal in 2018, when millions of Facebook users’ personal information was gathered and sold without consent. An app created by a Cambridge academic was used to collect data such as public profile, page likes, birthday, and location, which was then used to create individualised profiles. Suggestions for political advertisements were attached to each profile, and then the information was sold to political campaigns. The 2016 campaign teams of Ted Cruz and Donald Trump both purchased data, and speculation surrounds whether the UK’s Leave campaign also bought in.

Instagram’s privacy policy

Acquired by Facebook in 2012, Instagram shares a lot of its parent company’s privacy policies.

What data do they collect about you?

Instagram collects various kinds of information about you. Not all data is shared with third parties. Some examples include:

  • Personal information used to create an account
  • Information in content you upload like location or photo information
  • Information in content other people upload about you
  • How you use the site, what you engage with, and who you talk to
  • Transactions through Instagram
  • Device information like IP address, operating system, and network data
  • Information from third-parties who use Facebook features such as the share to Instagram button or Facebook pixel

Do they share your data with third-parties for advertising purposes?

Yes. Like its parent company, Instagram makes it clear that they “don't sell any of your information to anyone and [...] never will”, but they do share information with partners in various ways. Facebook doesn’t share data that personally identifies you without permission, but it does share demographic info with advertisers to let them know how their ads are performing.

Who with?

Instagram lists some of the kinds of people they share your information with, but they specify that this info is rarely personally identifying. These companies include:

  • Advertisers
  • Data measurement companies
  • Vendors and service providers
  • Researchers and academics
  • Law enforcement

Any headlines?

A significant data breach in August 2020 affected a number of social media companies and their users. The security research team at Comparitech disclosed how an unsecured database left almost 235 million Instagram, TikTok and YouTube user profiles exposed online in what can only be described as a massive data leak.

Twitter’s privacy policy

What data do they collect about you?

Twitter collects various kinds of information about you. Not all data is shared with third parties. Some examples include:

  • Personal info used to create an account
  • Payment information if paid services are used
  • Location information from tags, check-ins, and IP
  • Device information like IP address, operating system, and network data

Do they share your data with third-parties for advertising purposes?

Yes. Twitter shares user information with third-parties, but usually only shares non-personal, aggregated information to let advertisers know how their ads are performing. This kind of information includes demographics, engagement such as clicks or votes on polls, inferred interests, or location. However, Twitter’s ad policy prohibits companies from “targeting ads based on categories that [they] consider sensitive or are prohibited by law, such as race, religion, politics, sex life, or health.”

Who with?

Twitter shares info with third-parties from a number of areas:

  • Advertisers
  • “Service providers” such as Google Analytics or payment companies
  • Law enforcement

Any headlines?

In June 2020 Twitter contacted business clients who used Twitter’s advertising and analytics platforms to inform them that personal information might have been compromised. The scale of the breach wasn’t clear. In 2018, 330 million users were similarly contacted and urged to change their passwords after some were exposed.

LinkedIn’s privacy policy

What data do they collect about you?

LinkedIn collects a number of different types of data, such as:

  • Name, email, mobile number, and sometimes payment info
  • Email header information if email accounts are synced
  • Personal profile information such as education or work
  • Synced contacts or calendar events
  • Information collected through third-parties who use LinkedIn’s services

Do they share your data with third-parties for advertising purposes?

Yes. LinkedIn serve tailored ads on their site and elsewhere on the web, and share some data with third parties in connection with those services. The company shares certain information with advertising providers, such as how an ad is performing, device identifiers, and profile data. While LinkedIn states that they “do not share your personal data with any third-party” (excluding the kinds listed above), they do note that if you view an ad through their platform, advertisers can “determine it is you” through cookie identifiers and other technologies. In these cases, LinkedIn “contractually require such advertising partners to obtain your explicit, opt-in consent before doing so.”

Who with?

LinkedIn shares this kind of personal information with areas such as:

  • Advertisers
  • “Affiliated entities”, including all other Microsoft platforms
  • Law enforcement agencies

Any headlines?

In 2016 LinkedIn discovered a 2012 hack of the company which exposed up to 165 million user passwords. More recently in January 2020 LinkedIn’s parent company Microsoft was shown to have been hacked, exposing 250 million customer records online. Whether this included specific LinkedIn-related information is unclear, but it doesn’t bode well for the social platform’s security.

YouTube’s privacy policy

What data do they collect about you?

YouTube’s data collection practices fall under its parent company Google. Google collects a variety of personal information, including:

  • Name, email, and sometimes phone number and payment information
  • Search history
  • Purchases
  • Interaction with ads and content
  • Location through device information

Do they share your data with third-parties for advertising purposes?

Yes. Google (and YouTube) uses personal information to customise advertising services. Personalised ads are based on interests, and some information is shared with advertisers. Google doesn’t show personalised ads based on sensitive categories “such as race, religion, sexual orientation, or health”, and doesn’t share personally identifying information such as name or email. However, as with LinkedIn, if you engage with an advertisement the advertiser can use cookies to personally identify you later.

Who with?

Google shares personal data with a number of categories, such as:

  • Google “affiliates”, meaning their entire suite of companies
  • “Over 2 million non-Google websites” who run ads through Google
  • Law enforcement

Any headlines?

In 2018 Google discovered a leak in their social platform Google+ which compromised over 5 million users’ data. An additional bug in the service subsequently led to the exposure of user data from a further 52.5 million accounts. The leaks went unreported until the Wall Street Journal broke the story, prompting Google to eventually shut down Google+ in 2019.

TikTok’s privacy policy

What data do they collect about you?

TikTok collects a really significant amount of personal data, including:

  • Age, username and password
  • Phone number and email
  • Content uploaded by or about you on their platform
  • Interactions on their platform
  • Payment information
  • Synced phone and social network contacts
  • Information from third-parties like other social media platforms
  • Device information and location data

Do they share your data with third-parties for advertising purposes?

Yes, TikTok shares some data with third parties. The platform only shares aggregated user information with third-party ad companies, meaning you can’t be personally identified by advertisers.

Who with?

Partners that TikTok shares data with include:

  • Business partners like other social networks (Facebook, Twitter etc.)
  • Payment providers
  • Service providers and analytics companies
  • Advertisers
  • TikTok’s “Corporate Group” (under its parent company ByteDance)
  • Law enforcement

Any headlines?

TikTok has been a turbulent new contender in the social media industry, and has had its fair share of controversy, particularly due to its popularity with kids. In February 2019 the US Federal Trade Commission fined TikTok a record £4.2m for illegally collecting personal information from children under 13. Both the UK and the US launched investigations into TikTok’s handling of children’s data and their compliance with GDPR.

Final thoughts

Privacy policies are often unnecessarily confusing and time-consuming to read. At Rightly, we believe it shouldn't have to be that way. Companies should provide a clear, transparent and easily scannable document that tells their users exactly what happens to their personal data. Until that happens with social media companies, hopefully we've made it a little easier for you!

As always, let us know what you think @rightlydata