Privacy policy check: Facebook

As part of this blog, we will regularly review privacy policies of companies and services with a GDPR-inspired lens. Different companies cover privacy in slightly different ways: for most, privacy policies can be found under Terms and Conditions, while some companies cover privacy in more detail through a specific policy. Today, we look at none other than Facebook, a company whose privacy policies and practices have come under intense scrutiny over the years.

How is consent obtained?

Facebook’s Statement of Rights and Responsibilities makes it clear that you, the consumer, own all of the content that you post. However, Facebook also stresses that you “grant [Facebook] a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.” So basically, you own your stuff, but give Facebook the right to use it as it sees fit, all for free. This, essentially, is the “price” you pay for using Facebook free of charge.

If you happen to be the one collecting data from other users (say, through a Facebook app), you need to “obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.” It’s similar to the standard Facebook holds itself to, although the whole “non-exclusive, transferable, sub-licensable, royalty-free” portion of data ownership, not surprisingly, appears to be missing ;)

GDPR insists on clear, opt-in consent when it comes to personally-identifiable information (PII). Given that all users need to agree to Facebook’s Statement of Rights and Responsibilities, we feel it’s safe to say that Facebook is obtaining consent that is sufficiently explicit for GDPR.

What information does Facebook collect?

  • Activities and information shared: This covers the sexy stuff, including content that you or others share about you (messages, tags, photos, profile details, etc.), and how you engage on the platform (say, for example, the fact that you didn’t like your mother’s Facebook post about how proud she is that you’ve finally hit puberty).
  • Networks: who you’re connected to, how (frequently) you communicate, and what you like to share with each other
  • Payment details: payment information (credit card details), billing and shipping details
  • Hardware information: what device(s) you use to access Facebook, and associated details related to location, software versions, etc.
  • Information from websites, apps, third-party partners, and Facebook-owned companies: this includes your activities on other platforms and websites that are somehow affiliated with Facebook (think cookies ++)

Although this is a bit creepy, you have in fact explicitly consented to Facebook’s Statement of Rights and Responsibilities, making it GDPR-compliant. But a few concerns arise: What if I do not consent to Facebook collecting all this information? Do I have an option to say no, without being banned from using Facebook? GDPR seems to encourage companies to provide users with alternatives other than either fully consenting or completely rejecting. What would a Facebook “partial consent” look like?

Another issue is related to how the data is actually used and processed. Facebook provides a high-level description of how it uses data, but the description is far too generic for what GDPR expects: that companies provide users with full clarity on how their data is being used.

How is this information shared?

Facebook shares a lot of information about you with lots of different partners. When it comes to other users and the general public, you have control over what you want to share with whom, through the audience settings. If you select the public setting, then practically anyone on the web can access that content. The customizable nature of these settings appears to be GDPR-friendly, in that it empowers users, to a certain extent, with the ability to manage who their data is being shared with.

Erasure of data

Facebook grants users the ability to delete their account at any time, which also deletes things that users have posted. Seems fair enough, but there are two GDPR-related concerns here:

  1. Facebook states that “information that others have shared about you is not part of your account and will not be deleted when you delete your account.” Basically, if other users share PII related to you, you will not be able to delete that, which conflicts with GDPR’s requirement that users be able to request that companies delete all PII-related data at their disposal.
  2. Facebook also states that “When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).” So even if you permanently delete your account, your PII is still stored somewhere, for what Facebook calls a “reasonable period of time”. The EU surely won’t like the sound of that.

Cookie policy

Facebook’s cookie policy mainly describes the benefits of cookies for Facebook users, ranging from authentication, security, and performance improvement to research purposes. It also describes how cookies used for online interest-based advertising capture browsing activity on websites and apps both within and beyond the Facebook ecosystem of companies and third parties. This is nothing out of the ordinary, as most websites utilize cookies. Facebook does allow you to control the extent to which you see ads based on online interest-based advertising cookies, but it does not directly offer you a way of actually limiting the use of such cookies. GDPR will require companies to obtain explicit consent for cookie usage, to store that consent, and to not store cookies when asked not to. Our initial analyses of Facebook’s website suggest that the company does not comply with any of these stipulations.

Policy changes

Like all enterprises, Facebook reserves the right to amend its terms and policies. It promises to notify you when changes occur, but notes that “Your continued use of the Facebook Services, following notice of the changes to our terms, policies or guidelines, constitutes your acceptance of our amended terms, policies or guidelines.” This raises GDPR-compliance doubts, given GDPR’s insistence that consent must be opt-in, and never implied.