Consumer Privacy

Social Media Privacy

Background

Too many social media platforms are built on excessive collection, algorithmic processing, and commercial exploitation of users’ personal data. That must change.

Over the past three decades, social media platforms have become vast and powerful tools for connecting, communicating, sharing content, conducting business, and disseminating information. Major networks, such as Meta (formerly Facebook), X (formerly Twitter), Instagram, TikTok, Snapchat, YouTube, LinkedIn, and dating apps like Grindr and Tinder, now host millions or even billions of users.

This extraordinary growth has granted platforms unprecedented access to and influence over users’ lives. Social media companies harvest sensitive data about individuals’ activities, interests, personal characteristics, political views, purchasing habits, and online behaviors. This data is often used to keep users on platforms for as long as possible, sell behavioral advertising, and train AI models, which frequently produce distortive and discriminatory outcomes. 

The privacy risks posed by social networks are compounded by platform consolidation. Mergers and acquisitions have allowed dominant companies to stifle competition, exercise monopolistic control, and block the emergence of privacy-focused alternatives. Additionally, personal data collected by these platforms is vulnerable to access and misuse by third parties, including law enforcement.

As EPIC has long urged, Congress must enact comprehensive data protection legislation to place strict limits on the collection, use, retention, and sale of personal data by social networks and other entities. The FTC should use its authority to curb abusive data practices. Both Congress and federal agencies must act swiftly to prevent monopolistic behavior and promote competition in the social media market. State Attorneys General must protect their constituents from the privacy harms associated with unregulated social media platforms, and state Legislatures must step up and pass strong data privacy laws protecting their constituents’ privacy to fill the gap left by Congress’s failure to protect the privacy and autonomy of all Americans. Unelected leaders of these massive conglomerates must be removed from decision-making positions in our government.

Social Media & Surveillance Advertising

Social media companies, particularly Meta, Instagram, and TikTok, collect vast quantities of personal data to “microtarget” advertisements. Known as surveillance or behavioral advertising, this practice harms privacy, disrupts the flow of information, and damages users’ psychological well-being.

Former CFPB Director and FTC Commissioner Rohit Chopra described the dangers of behavioral advertising in his dissent from the FTC’s 2019 Facebook order: “Behavioral advertising generates profits by turning users into products, their activity into assets, their communities into targets, and social media platforms into weapons of mass manipulation.” Chopra explains how surveillance advertising operates in Facebook’s case:

“To maximize the probability of inducing profitable user engagement, Facebook has a strong incentive to (a) increase the total time a user engages with the platform and (b) curate an environment that goads users into monetizable actions.
“To accomplish both of these objectives, Facebook and other companies with a similar business model have developed an unquenchable thirst for more and more data. This data goes far beyond information that users believe they are providing, such as their alma mater, their friends, and entertainers they like. Facebook can develop a detailed, intimate portrait of each user that is constantly being updated in real time, including our viewing behavior, our reactions to certain types of content, and our activities across the digital sphere where Facebook’s technology is embedded. The company can make more profit if it can manipulate us into constant engagement and specific actions aligned with its monetization goals.”

This data-driven model creates a feedback loop. Advertisers willing to pay premiums for user engagement incentivize companies like Meta to curate content designed to influence users’ psychological states and real-time preferences. As a result, platforms concentrate advertising profits—tech giants like Google, Meta, and Amazon capture more than 65% of all digital ad revenue—while businesses must compete fiercely for limited consumer attention. This dynamic drives up advertising costs without yielding proportional benefits to companies buying ads.

The harms of tracking and behavioral advertising extend beyond the platforms themselves. Companies like TikTok and Meta employ hard-to-detect tracking technologies to monitor individuals across apps, websites, and devices. Even those who avoid social media platforms are subject to these pervasive data collection practices. Social media companies collect information about non-users, and major social media companies have so much power in the marketplace that their practices can influence consumers’ behavior even when those consumers are not on the app. Social media companies can collect information across many platforms and apps and share that information with third parties. Even if a person doesn’t use one of the social media platforms, the data collection and sharing practices continue to add information to dossiers about that person.

The emergence and proliferation of AI further exacerbates these concerns. Social media companies increasingly rely on algorithms to boost user engagement, curate content, and deliver targeted ads. These systems depend on sweeping data collection practices, heightening privacy and fairness concerns.

In the absence of comprehensive federal data privacy legislation, 19 states have enacted comprehensive privacy laws, and numerous states have enacted or proposed other types of tech legislation that directly affects social media companies, including Age-Appropriate Design Code bills or bills that would mandate warning labels on social media platforms. These state laws take a range of approaches, including restricting excessive data collection, requiring clear opt-out tools for targeted advertising, mandating data minimization practices, and requiring privacy-protective settings to be turned on by default. Although their scope and enforcement vary, these laws signal a growing consensus that social media companies must adopt more responsible data-handling practices.

Social Media & Competition

Data collection is at the core of many social media platforms’ business models. For this reason, mergers and acquisitions involving social networks pose acute risks to consumer privacy. In recent years, platforms that initially prioritized user privacy have been repeatedly taken over by companies that fail to protect user privacy.

One prominent example is Facebook’s 2014 purchase of WhatsApp, a messaging service that attracted users precisely because of strong commitments to privacy. In 2012, WhatsApp’s founder assured users: “[w]e have not, we do not and we will not ever sell your personal information to anyone.” Despite efforts by EPIC and the Center for Digital Democracy to block the merger, the FTC approved it after Facebook and WhatsApp promised not to change WhatsApp’s privacy policies. However, in 2016, Facebook announced it would begin collecting the personal information of WhatsApp users, directly violating their earlier commitments.

The European Union fined Facebook $122 million in 2017 for intentionally misrepresenting its ability to integrate WhatsApp user data, yet the FTC took no further action. It was not until the FTC’s 2020 antitrust lawsuit against Facebook—six years after the merger—that the agency identified Facebook’s acquisition of WhatsApp as part of a broader pattern of anticompetitive behavior.

Historically, the United States has largely ignored privacy as a key dimension of competition in the digital economy. But this approach may be shifting. The 2020 wave of federal and state antitrust lawsuits against Facebook and Google, as well as the DOJ’s 2024 antitrust action targeting Google’s dominance in search and advertising, signal growing recognition of privacy’s role in competitive markets. Moving forward, antitrust enforcers must integrate data protection and privacy into their enforcement actions and competition assessments. If dominant platforms continue acquiring emerging competitors and consolidating user data, firms with superior privacy and security practices will have no meaningful chance to compete.

Social Media & Data Breaches

The massive stores of personal data that social media platforms collect and retain are vulnerable to hacking, scraping, and data breaches, particularly if platforms fail to implement robust security measures and access controls. Depending on the network, the data at risk can be quite sensitive, including location information, health information, religious identity, sexual orientation, facial recognition imagery, private messages, personal photos, and more. The consequences of exposing this information can be severe: from stalking to the forcible outing of LGBTQ individuals to the disclosure of one’s religious practices and movements. 

Without federal comprehensive privacy legislation, users must rely on state data breach laws to mitigate harm after their data has been breached. Although social media companies typically publish privacy policies, these policies are wholly inadequate to protect users’ sensitive information. Privacy policies are disclaimers published by platforms and websites that purport to operate as waivers once users “consent” to them. But these policies are often vague, hard to interpret, full of loopholes, subject to unilateral changes by the platforms, and difficult or impossible for injured users to enforce. 

EPIC’s Work on Social Media Privacy

For more than a decade, EPIC has advocated before Congress, the courts, and federal agencies, including the Federal Trade Commission and the Federal Communications Commission, to protect the privacy of social media users.

Beginning in 2008, EPIC warned of the exact problem that would later lead to the Facebook Cambridge Analytica scandal. In Senate testimony in 2008, then-EPIC President Marc Rotenberg stated that, “on Facebook … third party applications do not only access the information about a given user that has added the application. Applications by default get access to much of the information about that user’s friends.” 

In 2009, EPIC and nine other public interest organizations filed a complaint with the FTC detailing how Facebook changed its privacy settings to begin disclosing information that users had sought to keep private to third-party applications and the public. Facebook implemented these changes without obtaining affirmative consent from its users or even giving them the ability to opt out. In 2011, the FTC announced that Facebook had settled charges that it deceived users by failing to keep its privacy promises and credited EPIC with providing the factual basis for its complaint against Facebook.

In 2014, EPIC filed a complaint with the FTC alleging that Facebook “altered the News Feeds of Facebook users to elicit positive and negative emotional responses.” Facebook had teamed up with researchers to conduct a psychological experiment by exposing one group of users to positive emotional content and another group of users to negative emotional content to determine whether users would alter their own posting behavior. The study found that “emotional states can be transferred to others via emotional contagion, leading people to experience the same emotions without their awareness.” EPIC alleged that the researchers who conducted the study “failed to follow standard ethical protocols for human subject research.” EPIC further alleged that Facebook engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by not informing users that they were potentially subject to behavioral testing. Finally, EPIC alleged that Facebook’s psychological study violated the 2011 FTC Consent Order by misrepresenting its data collection practices.

Also in 2014, when Facebook entered a deal to acquire the text-messaging application WhatsApp, EPIC and the Center for Digital Democracy filed a complaint with the FTC urging the Commission to block the acquisition unless adequate privacy safeguards were established. Although the FTC approved the merger, the Commission sent a letter to Facebook and WhatsApp notifying the companies of their obligations to honor their privacy promises. In 2016, WhatsApp announced its plans to transfer users’ personal information to Facebook for use in targeted advertising. 

In March 2018, news broke that Facebook had allowed Cambridge Analytica, a political data mining firm associated with the Trump campaign, to access personal information on 87 million Facebook users. EPIC and a coalition of consumer organizations immediately wrote a letter to the FTC urging it to investigate this unprecedented disclosure of personal data. The groups made clear that by exposing users’ personal data without their knowledge or consent, Facebook had violated the 2011 Consent Order with the FTC, which made it unlawful for Facebook to disclose user data without affirmative consent. The groups wrote that, “The FTC’s failure to enforce its order has resulted in the unlawful transfer of [87] million user records … [i]t is unconscionable that the FTC allowed this unprecedented disclosure of Americans’ personal data to occur. The FTC’s failure to act imperils not only privacy but democracy as well.”

EPIC also submitted an urgent FOIA request to the FTC following the Cambridge Analytica revelations. The request sought all the privacy assessments required by the FTC’s 2011 Order and all communications between the FTC and Facebook regarding those privacy assessments. Following the FTC’s release of heavily redacted versions of the assessments, EPIC filed a Freedom of Information Act lawsuit to obtain the full, unredacted reports from the FTC.

In 2019, following a proposed settlement between the FTC and Facebook in connection with the Cambridge Analytica breach, EPIC moved to intervene in United States v. Facebook to protect the interests of Facebook users. EPIC argued in the case that the settlement was “not adequate, reasonable, or appropriate.” 

In 2020, following President Trump’s threat to effectively ban social network TikTok from the United States, Oracle reached a tentative agreement to serve as TikTok’s U.S. partner and to “independently process TikTok’s U.S. data.” In response, EPIC sent demand letters to Oracle and TikTok warning both of their legal obligation to protect the privacy of TikTok users if the companies entered a partnership. The deal would have paired one of the largest brokers of personal data with a network of 800 million users, creating grave privacy and legal risks. “Absent strict privacy safeguards, which to our knowledge Oracle has not established, [the] collection, processing, use, and dissemination of TikTok user data would constitute an unlawful trade practice,” EPIC wrote. In 2021, the Oracle-TikTok deal was effectively scuttled.

Also in 2020, EPIC and a coalition of child advocacy, consumer, and privacy groups filed a complaint urging the Federal Trade Commission to investigate and penalize TikTok for violating the Children’s Online Privacy Protection Act. TikTok paid a $5.7 million fine for violating the children’s privacy law in 2019. Nevertheless, TikTok failed to delete personal information previously collected from children and was still collecting kids’ personal information without notice to and consent of parents.

In 2023, EPIC filed comments with the Colorado Department of Law recommending the use of Universal Opt-Out Mechanisms (UOOMs) as a way for users to automatically opt out of data collection and targeted advertising across multiple platforms. In its comments, EPIC emphasized that privacy-protective technical standards like the Global Privacy Control (GPC) can help users exercise their privacy rights efficiently without having to navigate each platform’s complex privacy settings individually. Such mechanisms are particularly important as social media companies continue to track users across different websites, apps, and devices for advertising purposes.

In 2023, EPIC filed an amicus brief in the Supreme Court cases concerning Florida and Texas social media laws (NetChoice v. Moody and NetChoice v. Paxton). EPIC argued to the Court that while some content-based regulations of social media companies may trigger heightened First Amendment scrutiny, many important privacy and consumer protection regulations should not. EPIC warned that treating all social media company activities as protected speech would create a dangerous precedent, making it nearly impossible to regulate harmful business practices online, including privacy violations, addictive design features, and exploitative data collection. The brief urged the Court to adopt a context-sensitive approach that preserves legislatures’ ability to protect consumer privacy while respecting genuine First Amendment rights.

Also in 2023, EPIC, along with Public Knowledge and other consumer advocacy groups, filed comments urging the Federal Communications Commission to use its Title II authority to establish strong privacy protections for broadband users. EPIC emphasized that Title II classification would enable the FCC to implement comprehensive data minimization requirements, enhance oversight of Internet Service Providers’ data collection practices, and immediately initiate privacy and data security rulemaking.

In 2024, EPIC filed an amicus brief in Doe v. Grindr before the Ninth Circuit, urging the court to resist overly expansive interpretations of Section 230 that would shield tech companies from accountability when they harm users. While Section 230 plays an important role in protecting online speech, EPIC argued that tech companies often push for interpretations that go far beyond Congress’s original intent, incorrectly claiming that any limitation on their immunity would destroy free speech and innovation online. EPIC’s brief demonstrated how the Ninth Circuit’s previous decisions limiting Section 230’s scope had not resulted in the catastrophic outcomes predicted by tech companies and warned that the real danger lies in granting powerful tech companies complete immunity from responsibility for harmful conduct simply because they operate on the internet.

In 2025, EPIC joined a coalition led by the Consumer Federation of America to demand an investigation into Grok, Elon Musk’s AI tool on X (formerly Twitter), for facilitating non-consensual intimate imagery.

Also in 2025, EPIC Counsel Suzanne Bernstein testified before the Massachusetts Joint Committee on Advanced Information Technology, the Internet and Cybersecurity in support of S.30/H.4229, An Act Protecting Children from Addictive Social Media Feeds. EPIC’s testimony explains why S.30/H.4229 would provide significant privacy and online safety protections for minors by regulating harmful data management and design practices that deprive minors of their autonomy and lead to social media over-use. Many companies employ design features that structure feed content based on information gathered through passive surveillance of users. Like techniques in the casino industry, companies use this behavioral data to predict and design what arrangement of media is likely to keep a user on the platform longer, invading minors’ privacy and contributing to compulsive use.
