Meta has been ordered to stop using Brazilian data for training AI, with the company facing daily fines for non-compliance.

Recent years have seen sizeable fines imposed for data breaches, indicating a growing determination among regulators to crack down on organisations that fail to adequately protect consumer data.

For instance, Meta, was fined a record $1.3 billion in 2023 for violating European Union data protection regulations.

With this in mind, Kiteworks, which unifies, tracks, controls, and secures sensitive content communications with a Private Content Network, investigated leading social media platforms to understand how they harvest personal data.

The Data Collected Across Platforms

As stated in their privacy policies, Meta, X, and TikTok all collect personally identifiable information (PII), including username, password, email, phone number, date of birth, language, location, and address book uploads.

All three social platforms also collect payment information and usage data, which details how users interact and engage with the platforms. Meta, X, and TikTok also collect content data, including posts, messages, photos, videos, and audio data.

How is the Data Used?

While each privacy policy outlines slightly different uses for the information they gather, the most common use case is to personalise and enhance user experience by providing customised content and ads. Additionally, all three emphasise the importance of data collection to ensure safety and security and support research.

Meta, for example, claims to use personal data to support the research and improvement of their products, including “personalising features, content and recommendations”. Similarly, TikTok states that collected information can be used for “research, statistical, and survey purposes.”

As of February 9, 2024, X revoked free access to its API, which previously allowed public posts on the platform to be used freely for research purposes. This change underscores the platform’s shift towards stricter control over user data. X has, however, stated that their API can be used to “programmatically retrieve and analyse X data,” ensuring that public information remains accessible for research.

Sharing Information

Meta, X, and TikTok indicate that public posts and content are viewable by anyone, depending on users’ profile privacy settings. For users with public accounts, their information is shared with partners and third parties for services, authentication, and advertising, as well as with legal entities for compliance with laws and user protection.

Key Differences in Data Collection

Meta collects and integrates data across multiple platforms, including Facebook, Instagram, and WhatsApp, leading to a broader range of data collection compared to X and TikTok.

Although X and TikTok collect extensive data, their focus is more on their individual platforms, resulting in Meta having not only more data but more detailed and comprehensive data from across its platforms and user interactions.

All platforms collect payment information, but the context for collection varies: X collects this data for ads, Meta for marketplace transactions, and TikTok for in-app purchases.

Recommended reading

Ultimately, with the extensive amount of personal data being collected by social media platforms, it’s crucial for users to be aware of what data is being collected and how it’s being used.

Data Collection Also Poses Risks for Businesses

Businesses must also be acutely aware of social media platforms. In many instances, social media users are corporate employees who frequently post at work or about work. Posts about company events, partners, or customers, and images containing desks, computer screens, facilities or other proprietary assets put companies at potential risk of exposing sensitive information like customer data and intellectual property.

To help navigate these challenges, Patrick Spencer, spokesperson at Kiteworks has shared the best practices for employees posting on social media:

“While individual consumer behaviour is important, the harvesting of social media data can also significantly impact businesses. Unauthorised or inadvertent sharing of sensitive business information on platforms known for extensive data harvesting can lead to security breaches, intellectual property theft, and reputational damage.

Additionally, the exposure or unauthorised access of personally identifiable information (PII) through these platforms can expose both employees and their employers to various cyber threats. To mitigate these risks, we strongly encourage organisations to follow these recommendations:”

1. Thoroughly check privacy policies
   The most important thing you can do to protect sensitive data is to adopt a proactive approach to safeguarding digital assets and personal information. It’s pivotal to thoroughly read privacy policies before using any online service, paying attention to key sections such as data collection, usage and sharing. You need to understand what data is collected, how it is used, and who it is shared with.

2. Avoid sharing sensitive information
   When posting on social media, do not include photos of workspaces where customer, financial, or other sensitive content may be visible on desks or computer screens. Refrain from posting images or descriptions of proprietary equipment or research without explicit permission from your employer.

3.  Use strong security practices
   Organisations should take a ‘zero-trust’ approach to protecting their business, which includes their content. In a zero-trust security approach, no user has unfettered access to all systems. A ‘content-defined zero-trust’ approach takes this model a step further, to the content layer. Organisations can protect their sensitive content when they can see where it sits in the organisation, who has access to it, and what’s being done with it.

   Similarly, employees should be cautious with the permissions they grant to apps and third-party integrations.

   Implement strong, unique passwords for your social media accounts and enable multi-factor authentication where possible. Regularly review and revoke access for any apps that are no longer needed to minimise potential security risks.

4.  Stay informed and educated
   Provide employee training on cybersecurity and best practices for social media use. Stay updated on the latest threats and techniques used in social engineering attacks. Regularly audit and review social media activity across the company to ensure that no sensitive information has been inadvertently shared.

   By taking these steps and educating employees about the privacy policies of the platforms they use, businesses can mitigate risk and maintain better control over their digital footprint. Protecting personal and business data is not just an individual responsibility but a collective effort that requires vigilance and continuous education.”