What is Facebook Allowed To Do with Your Data?

By Ryan M Norchi

January 25, 2021

How often do people agree to the terms and conditions of any company without reading them, and then proceed to use their online services without any knowledge of what they have agreed to? According to multiple studies and surveys conducted since 2010, more often than not, upwards of 90% of users of any given social media platform will agree to the “terms and conditions” without reading them. It is highly probable that the vast majority of readers of this article find this number to be extremely believable even without cited studies. It would also be a safe bet that if you are here right now, you most likely care about the data policy section of the terms of service. Complete understanding of which types of data are being farmed, how it is being done, and what can be done with that data requires a full dive into the Facebook data policy, as well as any data protection laws passed by the government. If this is what you are looking for, you have come to the right place.

There are almost 3 billion active Facebook users worldwide. Many of these users prefer using Facebook’s Single Sign-On, (SSO), because it allows for more convenience when accessing other websites. Many of us are aware of the potential risks, such as phishing, hacking, and invasion of our privacy, and will still use Facebook to login to various online accounts. Obviously this is not free. Facebook is able to support this service, and their entire infrastructure, by bringing in funding primarily through data monetization. Data monetization means that Facebook is able to use the data you have agreed to give them to predict your future actions and current interests. This is then used to maximize the advertising efficiency of companies that would like to use Facebook for marketing purposes, as well as any other third party services involved with Facebook.


Without going through the Facebook terms and conditions, it might not be super obvious exactly what data is being used by Facebook, or what it is being used for. First, and most obviously, Facebook collects any information posted to your public profile. This includes life events, religious and political views, relationships and family, and potentially even race and ethnic origin. They will also collect data from any content you create in the form of posts, and messages on Facebook messenger. “Content you create” means that if you post a photo, the time and place of that post will be recorded, as well as the date of creation of any files you submit. This also includes data from their provided features, such as anything seen through their camera with facial recognition technology. Other companies that use Facebook products, such as their login service may also have the rights to collect and share your data across platforms. While Facebook does have a vetting process to ensure responsible collection and use of your data in compliance with their standards, it is highly likely that your data is collected even when you are not logged into Facebook. Something that may come as a surprise is anytime you complete a financial transaction, such as purchasing a game or making a donation, on the app, the financial information you provide will also be recorded by Facebook. This includes credit card information, as well as billing and shipping information.

How you use the product is also tracked very closely. Information is collected on your use of all Facebook products. The types of posts and advertisements you interact with, how long you spend interacting with particular content, and the frequency with which you engage with certain types of media. The last time you were on Facebook, how long you were on Facebook, all of the videos you watched, all of the pictures you looked at, how long you looked at them, and how you used certain features on the app are all recorded to the most accurate of available measurements.

The last major piece of data that Facebook takes is from your actual device, (see, “device information”). That is, the computers, phones, and televisions on which you use Facebook’s login service. Facebook is then able to use this information to differentiate your usage and activity on one device as opposed to another. They are able to pull the operating system, battery level, all cookie data, wifi strength, storage space, whether or not the Facebook product being used is spending more or less time in the foreground vs the background, and even mouse movements. All of this data, plus all previously mentioned data, is collected on every individual device that uses or integrates a Facebook product. They even go a step further, Facebook is able to trace nearby cell towers, bluetooth signals, and uses your GPS location whenever possible.

There are three primary uses for this collected data: to customize a user’s experience with advertisements, to customize a user’s experience with the products, and to provide measurements and numbers for analytic and other business services. More time spent on a particular type of post will cause Facebook to start emphasizing similar posts in the feed, while not showing other types of posts. If your activity paints a picture of someone with a particular political leaning, most of what you see will reflect that. This could be an underlying cause of the increased political polarization in America.

It is well documented, and usually fairly obvious, that our data is used to tailor our advertisement experiences. The more time a user spends looking up the cost of new windows, the more advertisements for window installation companies will appear. However the next step is even more surprising. Beyond helping companies advertise more efficiently, Facebook data is used for mass analytics. Facebook affiliates will use Facebook’s data to learn about the users and people interested in their own products. It works like cheap, mass market research. If a toy company discovers a correlation between people with children and people with an interest in going to movie theaters, they may start using movie theaters as an advertising platform more. Facebook collects data on who has children, and can use either location data, or items people click on to infer how often somebody goes to movie theaters, and which types of people go more than others.

The question that most people want the answer to, is whether or not Facebook can sell their data. The answer as of right now, is no. In their data policy, they state explicitly that, “We don’t sell any of your information to anyone, and we never will. We also impose strict restrictions on how our partners can use and disclose the data we provide.” This is generally comforting news for most people. The primary reason Facebook would never sell your data, is that your data is their competitive edge. The reason these companies can make money off of your data is that they have access to information nobody else has. This is why companies will pay to have Facebook advertise their products; it gives the company access to valuable market research that they would not otherwise be able to access. Facebook makes money because they have an incredible amount of unique data on billions of people worldwide. The company that has the most information about the largest number of people can charge the most for advertising. If they start selling off this information, they miss out on future potential revenue streams, and could scare away potential new customers that do not like the idea of their data being sold. The same is true for Google. Any time you use reCAPTCHA, they are collecting your data as well, albeit, in a slightly different way than Facebook does.

If a company goes bankrupt, however, they may decide to sell off assets and salvage some cash to pay off debts. While Facebook and Google are likely here to stay for the long term, it might be pertinent to understand the laws and regulations that prevent them from changing their terms of service, and selling off any assets they may have, (this would be your data). While the U.S. Privacy act of 1974, and HIPPA, passed in 1996, provide some basic rights for privacy, the primary purpose of these acts is transparency as it relates to data collected by the government, and healthcare agencies. GLBA and COPPA provide some protection for children and financial information, but the data specific laws end there. Some states are starting to pass state-level laws protecting citizens in that state, though there is no legislation preventing the sale of information to overseas entities. The majority of legal action taken on behalf of consumers against companies using their data is actually an extension of the powers of the Federal Trade Commission. The FTC, created in 1914, has the power to go after companies for, “unfair and deceptive acts or practices”. The primary target of the FTC was originally false advertising and misleading marketing campaigns. If Facebook sells your data without telling you, changes their terms and conditions without giving you a chance to agree, or makes it difficult to note the change in the policy that might allow them to sell your data, the FTC can go after Facebook for misleading business practices. This is the extent to which legislation can go in protecting consumers and their data. There are, however, recent attempts being made to rectify this hole in the judicial system. While it is very possible for large data farming companies such as Facebook and Google to one day sell users’ data, it is highly unlikely to happen anytime soon. If legislation is passed, and new companies, such as humanID, continue to fight these issues, then there is no reason to believe that mass selling of data will ever become an issue.

The amount of data being collected on any particular person can be daunting. Google, Facebook, and Apple likely have almost complete profiles on many people around the world. Most of these people probably are not totally aware of the full extent these online profiles can go. This was a semi-deep dive into one company’s data policy section of their terms and conditions. If you read this article and feel uneasy, you aren’t alone. This is why humanID has remained non-profit. There is no monetary incentive to collect, store, use, or sell any personal data.

Securing funds primarily through donations and grants, humanID is a completely secure login service that is able to provide maximum transparency through open-source code. humanID, and hopefully more companies like us, in conjunction with the passing of better legislation should be enough to keep people safe going forward.