Conversations about online privacy have existed as long as the internet itself. As the internet’s capabilities expanded and technology became more pervasive (and invasive), these conversations became more and more important—as well as harder to act upon. Social media and the commodification of user data only made privacy harder to protect. And unfortunately, it’s doubtful things will improve much without decisive action. Just a brief look at social media’s abysmal track record of data privacy shows that the vast majority of online platforms seem to care more about generating profits than respecting users’ social media privacy.

Facebook’s Data Breaches & Other Ongoing Debacles by Meta

Literal books have been written on Facebook’s repeated disregard for user privacy. For the sake of keeping this article at a reasonable length, let’s just look at a highlight reel of some of Facebook’s most recent (and most egregious) data mishaps.

• 2011: Facebook assured users that third-party apps connected to Facebook collected only the data necessary to function. It quickly came to light that not only was this not true, but also that the apps in question could access nearly all of any given user’s private information. It even affected users who didn’t download the apps. If their friends used one or more, their private posts could be shared with people who never intended to see them. Facebook was issued significant fines for this violation.
• 2015: around 270,000 Facebook users were paid to take a personality test. However, the test didn’t stop with recording the individual’s results. Their friends’ profiles were also targeted, collecting data while the users were none the wiser. This resulted in Facebook selling the private information of over 87 million users (or 2/3 of all Americans) to Cambridge Analytica, a political data analytics firm. The full extent of the data breach only came to light in 2018 following whistleblower testimony and public pressure.
• 2021: Apple’s iOS 15.2 update included the App Privacy Report, a user-friendly explanation of which apps used which permissions and whether or not they were tracking you. This gave iPhone users a clear picture of what Facebook was doing on their phones, and they didn’t like what they saw. The fact that Facebook kept this as quiet as possible until Apple forced their hand certainly wasn’t promising either.
• 2022: as the US and EU governments worked to negotiate regulations to protect citizens’ data during international transfers, Facebook’s parent company Meta stated that they might not be able to continue supporting European users if data transfers were restricted too heavily. This is already a bit of a red flag, highlighting just how much data they transfer. Amusingly enough, two prominent European politicians dismissed Meta’s threat and said they would be very happy without Facebook.
• Also in 2022: Facebook’s targeted ad strategies were revealed to segment audiences based on protected characteristics, such as race and religion, which are considered private information and not to be sold or used for marketing purposes. The company was fined the maximum allowable penalty of $115,054 and ordered to completely revamp its segmentation strategy by December 2023.
• 2023: Meta IE, the Irish branch of Meta, was fined a staggering €1.2 billion (approximately $1.4 billion USD) for ongoing data transfer violations. As of January 2024, this fine is the highest ever levied under the GDPR, displacing Amazon’s previous record. The European Data Protection Board called Facebook’s poor handling of private data during transfers “systematic, repetitive and continuous”.

For a more detailed timeline of Facebook’s blunders prior to 2018, check out this compilation from NBC.

The fact that Facebook’s parent company Meta owns multiple other prominent social media platforms, including Instagram and WhatsApp, certainly does not inspire confidence.

Instagram’s track record shows Meta’s continued lack of privacy concerns. Highlights include:

• 2015: InstaAgent, a third-party app that promised additional features for Instagram users, was discovered to be stealing users’ passwords and reposting their photos. The stolen data was sent to unknown servers with no encryption, leaving them even more vulnerable. Google and Apple promptly removed the app from their stores.
• 2017: 6 million Instagram users, primarily celebrities, found their phone numbers and emails posted to a searchable database run by hackers. These hackers charged for each search and presumably made a significant amount of money from their theft.
• 2019: a significant data breach exposed more than 49 million users’ private data. That’s 1 out of every 20 users! While the majority of targeted accounts belonged to influencers or celebrities, leaving most no-name accounts alone, this still represented a huge breach of trust and exposed a massive amount of data never meant to be shared.
• 2022: Irish privacy authorities fined Instagram €405 million (approximately $396.2 million ) after alleged mishandling of children’s data in the app.

WhatsApp has a shorter but no less serious rap sheet. Highlights include:

• 2021: Irish privacy authorities fined WhatsApp €225 million ( approximately $267 million) for GDPR violations. Allegations centered around WhatsApp’s failure to maintain the level of transparency that EU privacy laws require.
• Also in 2021: WhatsApp users who wanted to avoid using Facebook were alarmed when an in-app notification told them that their data was being shared with Meta. This represented a huge breach of trust—especially since they were only just now learning about a practice that had allegedly been going on since 2016.

X’s (Formerly Twitter) Data Losses: Pursuit of Profits

• 2022: asked users to submit additional personal information, claiming it would be used to secure their accounts. However, according to the FTC, X passed on the collected data to advertisers. X was fined $150 million.
• Also in 2022: X later suffered a security breach in July where 5.4 million user profiles had their associated email addresses and phone numbers leaked.
• Also in 2022: In September, former X Security Chief Peiter Zatko delivered damning testimony before the US Senate. He alleged that when he alerted X leadership to serious security risks, such as unauthorized employees having access to personal data and nearly a third of employee devices lacking security software, he was brushed off. Zatko claims that X executives preferred to pursue the money to be made from this data access rather than protect private information. Worse, Zatko painted a picture that implied that even more stringent security measures may not be enough. He stated, “[X executives] don’t know what data they have, where it lives, or where it came from. And so, unsurprisingly, they can’t protect it .”
• 2023: Security experts alleged that more than 200 million email addresses belonging to X users were being shared in hacker forums. X claimed there was no evidence that a fault in their security system was responsible.

Following Elon Musk’s takeover of Twitter, one significant change was touted as a way to verify users and discourage bot accounts: paying for premium features. This was eventually followed by the proposal to every X user $1/year to verify their account. Of course, both of these changes assume that users trust X’s data management system enough to keep their payment information private. The full impact of these changes remains to be seen.

YouTube: Accounts Exposed to Hackers

YouTube isn’t safe either. In 2020, CompariTech discovered that just under 4 million YouTube user profiles were exposed and farmed for private data. TikTok and (unsurprisingly by now) Instagram were also affected, resulting in a total of 235 million accounts exposed across the three platforms.

TikTok: Compromising Privacy for Minor Users

Finally, in addition to the account exposure discussed above, TikTok has faced legal trouble for allegedly collecting and mishandling minor users’ private data. A 2021 claim accused TikTok of violating European data protection laws by collecting private data, including that of minors, and misleading parents about what they were doing and why. This is understandably quite serious as children’s data is one of the most stringently protected categories in privacy laws.

Why Don’t They Care About Privacy?

All of this makes one thing painfully clear: social media platforms continue to put profits before privacy. But why?

The answer can be found in Zatko’s X testimony. In a nutshell, social media giants care more about making money than about protecting private information, even if their violations earn them massive fines and blow to their reputations. Consumer data sells for a high price. Repeated violations of the same nature have demonstrated that this behavior shows no signs of stopping without significant intervention. And what intervention will have the most impact?

Why We Need a Federal US Privacy Law

Comprehensive laws like the GDPR in Europe have raised consumers’ awareness of their own privacy rights, given actual consequences for violations, and held companies accountable for how they use and sell collected data. A similar law in America is long overdue. Individual states have passed their own laws, but a comprehensive federal regulation has far more potential to achieve long-term national change.

That’s why the American Data Privacy & Protection Act (ADPPA) is so critical. It may not be perfect, but it’s the first proposed federal privacy law to come as far as it has. As of January 2024, the bill has not passed Congress. If it does, America will be well on its way to establishing higher privacy standards and protecting consumer data on a national scale.

With new privacy regulations on the horizon, businesses should be ready for significant changes. With a privacy compliance software like 4Comply, you can easily keep up to date with every new privacy law and how it affects your company. Learn how you can embrace privacy and build trust with your customers. Get in touch with us today to schedule a free demo of 4Comply