Check out the full Terms & Conditions archive.
Welcome to the first edition of Terms & Conditions, a weekly column where we break down the tangled mess of online sites’ and services’ terms of service, privacy policies, and other lawyerly mumbojumbo, into language anyone can understand. This week, we’re tackling a doosey: Facebook’s privacy policy, also known as the “Data Use Policy.”
Given its history of brushing aside users’ privacy concerns, Facebook has broken its Data Use Policy into multiple parts, in an apparent attempt to make it easier to understand. It has also excluded many of the enigmatic legal phrases often used in privacy policies. Still, at about 8,700 words, the document remains nearly impenetrable. Let’s simplify things a bit, shall we?
Part 1. Your privacy, information, and (vaguely) how it is used
This one is simple: Facebook can record and access all information you share on Facebook — all of it. (Though it cannot always share that information with advertisers or other third-parties — more on this later.) It can also access information other Facebook users share about you on Facebook. Lastly, it can access a variety of information from the websites you visit through its “Like” button — even if you’re not logged into Facebook at the time. In fact, you don’t even have to have a Facebook account at all for the social network to scoop up certain bits of data.
Assuming you do have a Facebook account, here is a quick-as-possible list of the information Facebook is probably collecting on you:
- Name
- Age
- Gender
- Email address
- Networks
- Photos and videos
- Tags and facial data (for Tag Suggestions) Update: Read more about Facebook’s disturbing facial recognition capabilities here. (Thanks, anon e mouse!)
- Which profiles you look at
- Who you chat with through Facebook Messenger
- Relationship status
- “Likes” (anytime you click the “Like” button on Facebook or a third-party website)
- Lists of favorite things (movies, music, books, etc)
- Political affiliation
- Which websites you visit and when
- Anything you purchase with Facebook Credits
- Browser type
- Operating system type
- IP address
- GPS location
- User ID number
- Username
Public vs. private
Your public data: Facebook allows you to make certain information private, or to make all of your information public. However, even if you adjust your privacy settings to make everything private, some information is public, no matter what you do. All public information can be seen by anyone, even if they do not have a Facebook account. And “anyone” includes other websites, games, and various Web applications. Always-public information – what Facebook refers to as your “basic info” — includes:
- Name
- Profile pictures
- Cover photos
- Gender
- Username
- User ID
- Comments made on public websites that use Facebook’s commenting plug-in
- Comments made on public websites through Facebook’s commenting plug-in about you by other people
Aside from those details, the rest of the information you choose to share with Facebook can be made private to a greater or lesser degree. Facebook also does a fairly good job of explaining how information you share publicly may be used. From the Data Use Policy:
Choosing to make your information public also means that this information:
- can be associated with you (i.e., your name, profile pictures, cover photos, timeline, User ID, username, etc.) even off Facebook;
- can show up when someone does a search on Facebook or on a public search engine;
- will be accessible to the Facebook-integrated games, applications, and websites you and your friends use; and
- will be accessible to anyone who uses our APIs such as our Graph API.
Your private data: Facebook allows you to make most of the information you share private. What “private” means is up to you. You can either share with all your friends, or use the “customize” sharing option accessible on each status update box, which lets you share the status update or photo with certain people, but not others. To learn how to check or update your privacy settings, click here, or read on.
“How Facebook uses your data” (or something like that)
This section is easily one of the most important parts of Facebook’s Data Use Policy — it has “data use” right in the name! It is also easily the most confusing, worthless part of the whole bloody document.
Facebook is, by all measures, an advertising company — that is how it makes money. The way it sells advertising is by collecting all of the aforementioned information about its users, then using that data to sell “targeted ads” — ads that you are more likely to click on than ads made for just anyone.
As part of its Data Use Policy, Facebook outlines the situations for which it reserves the right to use your information, and some examples of how that information may be used. Notice I said “outlines” — not “explains,” “details,” or any other word that means Facebook actually tells you anything worthwhile here. Also, notice that I said “some examples” — Facebook does not tell us all of the ways it may use your data, just some cute examples.
So, what does Facebook use your information for? This: “We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use.”
What “in connection with” means here remains disturbingly vague. Facebook rattles off a few examples, but does not enumerate each and every way it may use your information, as I believe it should.
It does, however, say that all of the information you provide to Facebook — i.e. everything you do on Facebook, or anything one of your friends do on Facebook that links with your data — is available to the company. Facebook also reserves the right to use your data, as long as it has either:
- received your permission
- told you it would do so (through the Data Use Policy)
- or removed any personally identifiable information, such as your name
In other words, Facebook reserves the right to use your information however it sees fit, as long as it is “in connection with the services and features” it provides. What “services” or “features” mean, well, take a guess.
Bottom line: This section is extremely vague, and should make you wary about having a Facebook account at all.
Deactivate vs. Delete
Facebook allows for two levels of cutting ties with the social network: deactivation, which simply puts your account on pause; and deletion, which completely removes all of your data from Facebook and its servers.
Deactivate: If you simply deactivate your account, you will still appear in your friends’ “friends list,” which means that information can still be accessed by Facebook or any third-party website, game, or application that gain access to your friends’ contact lists. You can also easily reactivate your account at any time.
To deactivate your account, click here.
Delete: Deleting your account is permanent, and cannot be undone once you do so. Most of you data will be deleted from Facebook’s servers — but the process takes up to 90 days to complete. (Why it takes so long, Facebook doesn’t say.) But beware: Even if you delete your account, certain information — like all of you conversations with other Facebook users, or group posts — will remain on the site, as they are not exclusively associated with your account. So keep that in mind.
To permanently delete your account, click here.
Part 2. Sharing
This is one area where things get tricky. As mentioned above, you have the ability to choose how (most of) your information is shared. Problem is, your friends also have that ability — and some of the information they share includes data about you.
For example, even if you have your privacy settings marked to the tightest possible option, others can still see comments you leave on status updates, photos, links, or videos that they share; the person who posted it controls who sees the update and all related comments.
Also, even if you hide your friends list, you will appear on your friends’ friends lists, which may be publicly available or shared with third-party websites or apps.
In short, any content that is about you, but controlled by someone else, is out of your hands.
Facebook allows you to control the privacy setting for each status update. Here are the instructions Facebook gives, which explain how this works:
Whenever you post content (like a status update, photo or check-in), you can select a specific audience, or even customize your audience. To do this,
- simply click on the sharing icon and choose who can see it. Choose this icon if you want to make something Public. Choosing to make something public is exactly what it sounds like. It means that anyone, including people off of Facebook, will be able to see or access it.
- Choose this icon if you want to share with your Facebook Friends.
- Choose this icon if you want to Customize your audience. You can also use this to hide your story from specific people.
If you tag someone, that person and their friends can see your story no matter what audience you selected. The same is true when you approve a tag someone else adds to your story.
Facebook also notes here that you should “always think before you post, especially because “information you share on Facebook can be copied or re-shared by anyone who can see it.” Sage advice indeed.
Contact info: Facebook lets you find people by searching an email address or phone number that has been associated with that user’s Facebook account. However, you can change your privacy settings so that only your current friends can find you this way (or friends of friends, or anyone who has that information). To change this, click “edit settings” under “How you connect,” and choose your setting on the first option in the pop-up window.
Facebook also allows people to find you through their contact importer, which imports people you have connected with through, say, Gmail.
Mobile access: Not surprisingly, information you reveal to Facebook may be accessible through your friends’ mobile devices (either in an app, or through Facebook’s mobile website). This information can — as you should know by now — be re-shared by your friends through their mobile devices.
Friends sharing with you
Links and tags: Surprise! Your Facebook friends can share links with you. One way this is done is by “tagging” the link they share with your name. You can either choose to review each link a friend tags you in, automatically approve every link, or set it up so that certain people can tag you automatically, while other’s have to have your approval first. To set this, choose the “Timeline and tagging” option in your privacy settings, and select your preference.
Tagging in either a message or a comment thread only allows those with permission to view that information can see the tag.
Groups: You have the choice whether or not to join a Facebook Group. Once you have, however, anyone in that group can invite you to subgroups. Your name will appear as “invited” to the subgroup until you opt in or out.
Pages: Just assume that everything you do that’s associated with a Facebook Page — which are public, and are often used by business and publications — is public. “Liking” a Page is a public endorsement of it, and your Facebook friends may see that you’ve “Liked” a particular page in their News Feed. Comments on Pages are also public — so be careful what you say on a Page.
Activity log: Facebook lets you see some of the activity associated with your Facebook account, such as websites or products you have “Liked,” or links you’ve shared. To view this, click on your “Activity Log,” which appears just below your cover image on your Timeline. From that page, you can “unlike” or delete each action.
Part 3. Websites and third-party apps
Facebook Platform: This is a service offered by Facebook that allows websites, games, and other third-party applications to access your Facebook information.
Apps and your info: A big way your personal Facebook information is spread around the Web is through apps — both those that you personally use, as well as those that your friends use.
Before you install an app, you must approve it. Each app requests to access (and store on its own servers) parts of your Facebook data. Some apps want little access; some want a lot. But remember: Apps can often access your information simply because a friend of yours approved the app. Facebook gives you the ability to restrict the types of data your friends’ apps may access — but you have to un-check each category of info individually under the “Apps, Games and Websites” part of your privacy settings. To do so, edit your settings under the “How people bring your info to apps they use” subsection.
Logging in with Facebook: When you choose to log in to a third-party website with your Facebook credentials, Facebook provides that website with your Facebook User ID, but does not give that site your email address. Some sites may automatically connect you with your Facebook account if you use the same email address to log in to both.
Social plug-ins: Facebook describes social plug-ins as a “little piece of Facebook” embedded on other websites. The most prevalent social plug-in is the “Like” button and the “Share” button. Anytime you visit a website with any Facebook social plug-in (i.e. most websites) while still logged into Facebook, Facebook receives information about your visit to that site (your name, browser, IP address, date and time of your visit, etc.) Some of this information is shared with Facebook even if you are not logged in, or don’t have a Facebook account.
Facebook gets this info by installing cookies on your computer (more on this below). These cookies are used to show you ads on and off of Facebook. Facebook says it does not use the information to make a “profile” on you or your browsing habits — but it may be used without your personally identifying details, or as part of a group of data “to improve ads generally and information we receive to study, develop or test new and existing products or services.” That data is kept for 90 days.
Instant personalization: Facebook has partnered with a number of websites, like Rotten Tomatoes, to provide “instant personalization.” This means that, if you’re logged into Facebook, one of these partner websites can access your “public information,” as well as your User ID and friends list. This gives you the ability to comment on the site, and see how your Facebook friends have used the site.
The sites Facebook have partnered with are:
- Bing – Social Search
- Pandora – Personalized Music
- TripAdvisor – Social Travel
- Yelp – Friends’ Local Reviews
- Rotten Tomatoes – Friends’ Movie Reviews
- Clicker – Personalized TV Recommendations
- Scribd – Social Reading
- Docs – Document Collaboration
- Zynga – Social Games (The Ville, Zynga Slingo and 7 other games)
- Kixeye – Social Games (War Commander and Battle Pirates)
- EA – Social Games (SimCity Social)
To turn off instant personalization, click “edit settings” under the “Instant personalization” subsection in the Apps, Games and Websites portion of the privacy settings. (You may have to close a video about instant personalization before you can actually access the privacy setting.) Once you’ve closed the obnoxious pop-up video, uncheck the box at the bottom of the screen.
Note: If you have already visited an instant personalization-enabled site with the feature allowed, then that site (and Facebook) may still have your data from those visits stored.
Search engines: You can choose whether to have your Facebook profile show up in search engines, like Google. This option is enabled automatically. To turn it off, click here, and un-check the “enable public search” box at the bottom,
>> Next page: Advertising, Facebook tracking, and odds & ends
Part 4. Advertising
Your “basic info” and any other information you’ve shared publicly, or otherwise given Facebook access to, can be used to by the social network to deliver ads.
Advertisers: When someone advertises on Facebook, the social network allows them to choose the exact demographic they want to target. (You can try making your own ad here.) This information comes from your Facebook profile and activity on the site.
“Social context”: Facebook will often pair ads with other content from around the Web that is related — just as Google and many other online advertisers do.
Sponsored Stories: Sponsored Stories are like ads from your friends. They are created from your actions on Facebook (Likes, RSVPs to invitations, etc), and appear in the same place as ads to on your Facebook News Feed dashboard.
Facebook content: Facebook sometimes promotes its own features based on services you or your friends use. So if you use a Facebook contact import tool, Facebook might tell your friends you did so, or vice versa.
Part 5. Facebook’s tracking technology
Facebook uses opt-in cookies, pixels (invisible blocks of code embedded in a website), and other similar technologies to track what you do around the Web. Facebook likes to talk about how this collected data helps make Facebook better — but remember: this is the primary way your data is collected. In other words, when people complain about Facebook “spying on you,” these are the technologies they are talking about.
You can block these cookies and pixels using a browser plug-in, like Do Not Track Plus or Ghostery.
Part 6. Odds & ends
At the end of Facebook’s Data Use Policy, it tosses in a variety of other information, like how to contact the company, what to do if a Facebook user dies, and details about how it abides by the laws of certain countries. None of it is likely vitally important for most users, but it’s worth a look.