Meta has improved transparency and user control regarding data collection and targeted advertising practices—however reputational, financial, and legal risks persist as regulators and investors scrutinize Meta’s practices, urging for more robust measures to protect user privacy and comprehensive disclosure of data collection/retention. A recent study analyzing privacy policies of over 5,000 apps determined “Meta’s apps take the lion’s share of data privacy intrusion.”1 Instagram and Facebook tied for first place as “most invasive” (with Meta Business Suite and Messenger tying for third place) due to the apps’ collection of 32 types of user data, including sensitive information with a significant portion of the data being tracked and linked to individual users (surprisingly, TikTok ranked much lower at 76th).2
Meta incurs substantial harm due to privacy violations, impacting financial performance and signaling potential future liabilities. Meta was fined by US and UK regulators and recently agreed to a $31.85 million settlement with Australian regulators over the Cambridge Analytica scandal;3 investors sued Meta for SEC filings treating the risk of unauthorized use of user data as a hypothetical when Meta already knew Cambridge Analytica accessed information on 30 million users, causing stock price and market capitalization to plunge by $100 billion4 (a multibillion-dollar lawsuit currently alleges Meta misled shareholders about the data-harvesting scandal);5 Meta was fined €1.2 billion for breaching the General Data Protection Regulation by illegally transferring EU users’ data;6 and Meta Pixel has opened avenues for privacy and healthcare litigation.7
Meta’s Privacy Policy does not fully detail the extent/specifics concerning the exact nature/granularity of data collected across all platforms, particularly concerning user interactions, device information, geolocation, biometric data, identified and deidentified data (including photos, videos, audio), offline conversions, and off-platform activities. Meta states: “we process information about you, including Personal Information, whether or not you have an account or are logged in,”8 and collects “[s]ome location-related information, even if Location Services is turned off.”9 Meta retains data to “provide services,” without specific timeframes/criteria for data retention/deletion, and policies regarding data anonymization/deidentification are not clearly outlined. Though Meta states it obtains user consent for data collection and processing, specific methods by which consent is obtained, how users are informed about data practices, options for users to manage/withdraw consent, cross-platform data integration, and how artificial intelligence/algorithms process user data to create targeted advertisements (including criteria/data used) are not thoroughly detailed—raising concerns about the adequacy of informed consent and the ability to opt-out of specific data collection practices.