Sizable fines imposed for data breaches in recent years indicate that regulators are increasingly determined to crack down on organizations that fail to adequately protect consumer data. Meta, for example, was fined a record $1.3 billion in 2023 for violating European Union data protection regulations.
This regulatory pressure is also influencing consumer behavior, with nearly two in five Americans (38%) using social media less frequently due to concerns about data privacy. With this in mind, experts at Kiteworks, which unifies, tracks, controls, and secures sensitive content communications with a Private Content Network, investigated leading social media platforms to understand how they harvest personal data.
What Types of Data Does Each Social Media App Collect?
The Data Collected Across Platforms
As stated in their privacy policies, Meta, X, and TikTok all collect personally identifiable information (PII), including username, password, email, phone number, date of birth, language, location, and address book uploads.
All three social platforms also collect payment information and usage data, which details how users interact and engage with the platforms. Meta, X, and TikTok also collect content data, including posts, messages, photos, videos, and audio data.
How is the Data Used?
While each privacy policy outlines slightly different uses for the information they gather, the most common use case is to personalize and enhance user experience by providing customized content and ads. Additionally, all three emphasize the importance of data collection to ensure safety and security and support research.
Meta, for example, claims to use personal data to support the research and improvement of their products, including “personalizing features, content and recommendations.” Similarly, TikTok states that collected information can be used for “research, statistical, and survey purposes.”
As of February 9, 2024, X revoked free access to its API, which previously allowed public posts on the platform to be used freely for research purposes. This change underscores the platform’s shift towards stricter control over user data. X has, however, stated that their API can be used to “programmatically retrieve and analyze X data,” ensuring that public information remains accessible for research.
Sharing Information
Meta, X, and TikTok indicate that public posts and content are viewable by anyone, depending on users’ profile privacy settings. For users with public accounts, their information is shared with partners and third parties for services, authentication, and advertising, as well as with legal entities for compliance with laws and user protection.
Key Differences in Data Collection
Meta collects and integrates data across multiple platforms, including Facebook, Instagram, and WhatsApp, leading to a broader range of data collection compared to X and TikTok.
Although X and TikTok collect extensive data, their focus is more on their individual platforms, resulting in Meta having not only more data but more detailed and comprehensive data from across its platforms and user interactions.
All platforms collect payment information, but the context for collection varies: X collects this data for ads, Meta for marketplace transactions, and TikTok for in-app purchases.
Ultimately, with the extensive amount of personal data being collected by social media platforms, it’s crucial for users to be aware of what data is being collected and how it’s being used.
Data Collection Also Poses Risks for Businesses
Businesses must also be acutely aware of social media platforms. In many instances, social media users are corporate employees who frequently post at work or about work. Posts about company events, partners, or customers, and images containing desks, computer screens, facilities or other proprietary assets put companies at potential risk of exposing sensitive information like customer data and intellectual property.
To help navigate these challenges, Patrick Spencer, spokesperson at Kiteworks, has shared the best practices for employees posting on social media:
“While individual consumer behavior is important, the harvesting of social media data can also significantly impact businesses. Unauthorized or inadvertent sharing of sensitive business information on platforms known for extensive data harvesting can lead to security breaches, intellectual property theft, and reputational damage.
Additionally, the exposure or unauthorized access of personally identifiable information (PII) through these platforms can expose both employees and their employers to various cyber threats. To mitigate these risks, we strongly encourage organizations to follow these recommendations:”
1. Thoroughly check privacy policies
“The most important thing you can do to protect sensitive data is to adopt a proactive approach to safeguarding digital assets and personal information. It’s pivotal to thoroughly read privacy policies before using any online service, paying attention to key sections such as data collection, usage and sharing. You need to understand what data is collected, how it is used, and who it is shared with.”
2. Avoid sharing sensitive information
“When posting on social media, do not include photos of workspaces where customer, financial, or other sensitive content may be visible on desks or computer screens. Refrain from posting images or descriptions of proprietary equipment or research without explicit permission from your employer.”
3. Use strong security practices
“Organizations should take a ‘zero-trust’ approach to protecting their business, which includes their content. In a zero-trust security approach, no user has unfettered access to all systems. A ‘content-defined zero-trust’ approach takes this model a step further, to the content layer. Organizations can protect their sensitive content when they can see where it sits in the organization, who has access to it, and what’s being done with it.
Similarly, employees should be cautious with the permissions they grant to apps and third-party integrations. Implement strong, unique passwords for your social media accounts and enable multi-factor authentication where possible. Regularly review and revoke access for any apps that are no longer needed to minimize potential security risks.”
4. Stay informed and educated
“Provide employee training on cybersecurity and best practices for social media use. Stay updated on the latest threats and techniques used in social engineering attacks. Regularly audit and review social media activity across the company to ensure that no sensitive information has been inadvertently shared.”
“By taking these steps and educating employees about the privacy policies of the platforms they use, businesses can mitigate risk and maintain better control over their digital footprint. Protecting personal and business data is not just an individual responsibility but a collective effort that requires vigilance and continuous education.”