By 
The EU Commission announced this month that social media platform “X” (formerly “Twitter”) breached EU guidelines under the Digital Services Act (DSA). This follows an investigation launched into X’s advertising transparency, availability of data, and risk management.1
RELATED: EU countries hit with over €30m in GDPR fines in Q1 2021
With this in mind, experts at Kiteworks, which unifies, tracks, controls, and secures sensitive content communications with a Private Content Network, investigated the privacy policies of leading social media platforms to understand how they harvest personal data.
Key findings:
- Meta collects the most personal data, collecting 91% of the 35 data points identified
- Despite being found to breach EU guidelines, “X” collects fewer personal data points than TikTok and Meta
- TikTok collects “Body data” which includes hand and head movements, but is the only platform analysed found to not collect your precise location
- Patrick Spencer, spokesperson at Kiteworks, shares the best practices for employees posting on social media to protect personal data
The Data Collected Across Platforms
As stated in their privacy policies, Meta, X, and TikTok all collect personally identifiable information (PII), including username, password, email, phone number, date of birth, language, location, and address book uploads. As well as payment information, usage data and content data, including posts, messages, photos, videos and audio data.
What Types of Data Does Each Social Media App Collect?
|
Data category |
Type of data ADVERTISEMENT
 |
Meta |
X |
TikTok |
|
Contact info |
Name |
✓ |
✓ |
✓ |
|
Email address |
✓ |
✓ |
✓ |
|
|
Phone Number |
✓ |
✓ |
✓ |
|
|
Physical address |
✓ |
✓ |
✓ |
|
|
Other user contact info |
✓ |
✓ |
||
|
Health and fitness |
Health |
✓ |
||
|
Fitness |
✓ |
|||
|
Financial info |
Payment info |
✓ |
✓ |
✓ |
|
Credit info |
✓ |
|||
|
Other financial info |
✓ |
✓ |
✓ |
|
|
Location |
Precise location |
✓ |
✓ |
|
|
Coarse location |
✓ |
✓ |
✓ |
|
|
Sensitive info |
Sensitive info |
✓ |
||
|
Contacts |
Contacts |
✓ |
✓ |
✓ |
|
User content |
Emails or messages |
✓ |
✓ |
✓ |
|
Photos or videos |
✓ |
✓ |
✓ |
|
|
Audio data |
✓ |
✓ |
✓ |
|
|
Gameplay content |
✓ |
|||
|
Customer support |
✓ |
✓ |
||
|
Other user content |
✓ |
✓ |
✓ |
|
|
Browsing history |
Browsing history |
✓ |
✓ |
✓ |
|
Search history |
Search history |
✓ |
✓ |
✓ |
|
Identifiers |
User ID |
✓ |
✓ |
✓ |
|
Device ID |
✓ |
✓ |
✓ |
|
|
Purchase history |
Purchase history |
✓ |
✓ |
✓ |
|
Usage data |
Product interaction |
✓ |
✓ |
✓ |
|
Advertising data |
✓ |
✓ |
✓ |
|
|
Other usage data |
✓ |
✓ |
||
|
Diagnostics |
Crash data |
✓ |
✓ |
✓ |
|
Performance data |
✓ |
✓ |
✓ |
|
|
Other diagnostic data |
✓ |
✓ |
✓ |
|
|
Surroundings |
Environment scanning |
|||
|
Body |
Hand movements |
✓ |
||
|
Head movement |
✓ |
|||
|
Other types of data |
Other data types |
✓ |
How is the Data Used?
While each privacy policy outlines slightly different uses for the information they gather, the most common use case is to personalise and enhance user experience by providing customised content and ads. Additionally, all three emphasise the importance of data collection to ensure safety and security and support research.
Key Differences in Data Collection
Meta collects and integrates data across multiple platforms, including Facebook, Instagram, and WhatsApp, leading to a broader range of data collection compared to X and TikTok.
Although X and TikTok collect extensive data, their focus is more on their individual platforms, resulting in Meta having not only more data but more detailed and comprehensive data from across its platforms and user interactions.
All platforms collect payment information, but the context for collection varies: X collects this data for ads, Meta for marketplace transactions, and TikTok for in-app purchases.
Ultimately, with the extensive amount of personal data being collected by social media platforms, it’s crucial for users to be aware of what data is being collected and how it’s being used.
Data Collection Also Poses Risks for Businesses
Businesses must also be aware of social media platforms. In many instances, social media users are corporate employees who frequently post at work or about work. Posts about company events, partners, or customers, and images containing desks, computer screens, facilities or other proprietary assets put companies at potential risk of exposing sensitive information like customer data and intellectual property.
To help navigate these challenges, Patrick Spencer, spokesperson at Kiteworks, has shared the best practices for employees posting on social media:
“While individual consumer behaviour is important, the harvesting of social media data can also significantly impact businesses. Unauthorized or inadvertent sharing of sensitive business information or personally identifiable information (PII) on platforms known for extensive data harvesting can lead to security breaches, cyber threats, intellectual property theft, and reputational damage. To mitigate these risks, we strongly encourage organisations to follow these recommendations.”
-
Thoroughly check privacy policies
“The most important thing you can do to protect sensitive data is to adopt a proactive approach to safeguarding digital assets and personal information. It’s pivotal to thoroughly read privacy policies before using any online service, paying attention to key sections such as data collection, usage and sharing. You need to understand what data is collected, how it is used, and who it is shared with.”
-
Avoid sharing sensitive information
“When posting on social media, do not include photos of workspaces where customer, financial, or other sensitive content may be visible on desks or computer screens. Refrain from posting images or descriptions of proprietary equipment or research without explicit permission from your employer.”
-
Use strong security practices
“Organisations should take a ‘zero-trust’ approach to protecting their business, which includes their content. In a zero-trust security approach, no user has unfettered access to all systems. A ‘content-defined zero-trust’ approach takes this model a step further, to the content layer. Organisations can protect their sensitive content when they can see where it sits in the organisation, who has access to it, and what’s being done with it.
Similarly, employees should be cautious with the permissions they grant to apps and third-party integrations. Implement strong, unique passwords for your social media accounts and enable multi-factor authentication where possible. Regularly review and revoke access for any apps that are no longer needed to minimise potential security risks.”
-
Stay informed and educated
“Provide employee training on cybersecurity and best practices for social media use. Stay updated on the latest threats and techniques used in social engineering attacks. Regularly audit and review social media activity across the company to ensure that no sensitive information has been inadvertently shared.”
“By taking these steps and educating employees about the privacy policies of the platforms they use, businesses can mitigate risk and maintain better control over their digital footprint. Protecting personal and business data is not just an individual responsibility but a collective effort that requires vigilance and continuous education.”
–
Credit : https://kiteworks.com/
