Social Media Privacy Ranking 2025

The social media landscape has been a dynamic and unpredictable one since its inception, and 2025 has been no exception. With so much changing so quickly, Incogni’s researchers have revisited their 2024 social media privacy ranking, taking a more nuanced approach in ranking this year’s most popular social media platforms in terms of user privacy.

This year’s ranking has been compiled on the basis of data that could be considered available to an average user. For example, if a platform technically provides all the right information but in a way that’s impractically difficult for the average user to parse, then that information is still effectively inaccessible to the user. Likewise, if information can be accessed only by reaching out to the platform’s owner, then that platform shouldn’t be considered particularly privacy-friendly.

To these ends, Incogni’s research team determined the top 15 social media platforms by monthly user count and ranked them according to 14 criteria across 6 categories: “AI” integration and training, privacy-related regulatory transgressions, data collection, user control and consent, transparency, and user-friendliness. Predictably, Meta’s offerings and ByteDance’s TikTok round out the bottom of the ranking. Surprisingly, though, less popular platforms like Discord, Pinterest, and Quora fared particularly well.

Table of Contents
Key insights
Social Media Privacy Ranking 2025–overview
Category 1: AI training and personal data
Category 2: Privacy-related regulatory transgressions
Category 3: Data collection and retention practices
Category 4: Transparency
Category 5: User control and consent
Category 6: User friendliness and accessibility
Methodology

Key insights

  • Discord was found to be the least privacy-invasive platform, followed by Pinterest and Quora.
  • Meta’s products (Facebook, WhatsApp, Instagram, and Facebook Messenger) and TikTok were found to be the most privacy-invasive platforms, receiving penalties across all categories used to derive this ranking.
  • Telegram, Twitch, and Discord indicate that user data won’t reach AI models. 
  • Meta’s platforms, YouTube, Snapchat, Pinterest, X, and LinkedIn, indicate that they may use user data to train AI models.
  • Facebook was the most-fined platform for violating privacy regulations: 4 times under the GDPR (General Data Protection Regulation) in the EU, once in the US, and 5 times in other jurisdictions. 
  • LinkedIn, through its app, indicates that it may collect users’ race or ethnicity data, while Meta’s products (except WhatsApp) and LinkedIn may collect users’ sexual orientation data and health information.

Social Media Privacy Ranking 2025–overview

The overall ranking below was derived by taking into consideration 17 privacy criteria spread across 6 categories. The results for each category are then discussed separately, each one being broken down into its constituent criteria.

In this year’s privacy ranking of social media platforms, Discord is the least privacy-invasive platform, followed by Pinterest and Quora. At the other end of the ranking, Meta’s products (Facebook, WhatsApp, Instagram, and Facebook Messenger) and TikTok were found to be the most privacy-invasive, receiving penalties across all the categories Incogni’s researchers investigated when deriving this ranking. 

Despite a strong showing in the data collection and user friendliness categories, Discord was far from perfect—it doesn’t give users adequate control over how much of their data is visible to others and doesn’t have the best privacy defaults for new users. Nonetheless, it was the least privacy-invasive platform on this list.

Pinterest came in second. Despite its greater data collection, it gives its users many options to ensure their (partial) privacy and has accrued a relatively low number of regulatory transgressions.

Quora came in third with very limited data collection and a relatively low number of transgressions. It fell behind due, first and foremost, to a lack of transparency.

In general, those platforms that don’t require a lot of data at sign-up, and especially those that don’t require ID confirmation, scored better overall.

This year’s result is quite a shift from the previous ranking, where Reddit had the lowest privacy risk, followed by Snapchat and Pinterest. All of these platforms fell in the ranking this year, primarily due to AI considerations, which were absent last year. Discord, having been fourth last year, is now first due to not using or allowing others to use user data for generative AI training. 

Category 1: AI training and personal data

This category pertains to how so-called artificial intelligence (AI) and generative models are integrated into the social media platforms, and how this impacts users’ privacy.

In this category, Incogni’s researchers examined whether user data can be used to train the platforms’ own “AI” models, whether user data is available for other companies to train their models on, and if users can opt out of having their posts, media, and interactions being part of the training data sets.

Each of these criteria was assigned a weight of 2 out of a possible 3, as Incogni’s researchers deemed the integration of so-called AI in a privacy-respecting manner to be very important.

Having reviewed the privacy policy and other legal and privacy resources provided by the platforms, Incogni’s researchers found that Telegram, Twitch, and Discord seem to neither create a legal basis for training nor declare an intent to train their own models on user data or provide user data for other entities to train their models. 

Notably, a third of the studied platforms allow users to opt out of such training, scoring relatively well in Incogni’s ranking. 

Training the platform’s own or other companies’ models

TikTok does not directly mention “AI” in its privacy policy, nor do the other resources it provides address whether or not user data is used to train generative models. However, the privacy policy does mention that user data can be used to improve machine learning models and develop products. Given that TikTok does appear to have an AI-based product, for the purposes of this ranking, it’s inferred that user data could be used to develop generative AI models. 

Reddit itself does not train generative models, but has given access to user-generated content to several AI developers. Similarly, Quora claims it doesn’t train its large language models (LLMs) on user data, but allows users to opt out of having their data used by other companies in the development of LLMs. 

Other platforms that indicate the possibility of appropriating user data to train generative models include:

  • Meta’s offerings
  • YouTube
  • Snapchat
  • Pinterest
  • X
  • LinkedIn.

Only three platforms either directly state that user data won’t reach generative models or at least have privacy policies that don’t seem to allow them to appropriate user content for such ends:

  • Telegram
  • Twitch
  • Discord.

The ability to opt out

Even if user data is being diverted to train generative models, having the ability to opt out is an important indicator of a privacy-respecting platform.

The lack of transparency regarding how TikTok’s model is trained is compounded by the fact that the privacy policy does not seem to include a description of a mechanism through which users can opt out of having their data used to improve the platform’s machine learning algorithms. 

Reddit does not seem to offer its users the ability to opt out of its data-sharing agreements with Google and OpenAI. 

YouTube allows video creators to send an opt-out signal that expresses their desire to have their content excluded from third parties’ generative-model training processes. However, no equivalent option could be found for regular users across the legal and policy resources provided by Google. 

Meta’s platforms used to include an opt-out option, but all that remains now is a form that users can fill out if they find their personal information in a model’s output. The usefulness of this option regarding opting out of future data misuse is unclear. WhatsApp stands out here: its policies indicate that if a user doesn’t interact with Meta AI, their data won’t be used in its development or improvement. 

However, several platforms train generative models that either do so on an opt-in basis or at least give their users an option to opt out:

  • Snapchat
  • Pinterest
  • X
  • Quora
  • LinkedIn.

Category 2: Privacy-related regulatory transgressions

Incogni’s researchers also looked at instances of the companies behind the examined platforms failing to respect and protect user data. In this category, Incogni’s researchers looked at the fines these social media platforms received from the EU, the US, and other jurisdictions’ data protection authorities. In addition, they looked at the data breaches experienced by the platforms. All of the criteria in this category were deemed highly important and were given the maximum weight of 3.

While Telegram has been fined in the past, for the purposes of this ranking, the lack of fines or legal action due to privacy violations helped it secure the top place in this category. Discord came in second, having experienced a single enforcement action. Reddit and Quora share third place, having experienced a data breach each.

Fines

The majority of the investigated platforms received fines related to privacy matters. Lawsuits have been filed against the platforms that are relevant to privacy concerns, but these are outside the scope of this research.

Notably, Meta’s products all received privacy risk points due to fines issued to the parent company, Meta. However, there are also numerous instances where Meta’s products, namely Instagram, WhatsApp, and Facebook, were named specifically when a fine was issued. For example, Facebook was named 4 times in fines issued under the GDPR in the EU, once in the US, and 5 times in other jurisdictions. 

European data protection bodies have been frequent issuers of fines to the investigated platforms. For violating the GDPR, these bodies issued fines to:

  • TikTok, 4 times
  • Facebook, 4 times
  • WhatsApp, Instagram, and YouTube, twice each
  • Discord and LinkedIn, once each. 

The US, specifically the Federal Trade Commission (FTC), has charged 5 of the investigated companies for privacy-related transgressions:

  • Facebook
  • YouTube
  • TikTok
  • Snapchat
  • X (Twitter).

Outside of the US and the EU, Incogni’s researchers found a variety of fines and penalties for privacy-related offenses, including those concerning platforms not fined in the aforementioned markets:

  • Twitch TV was fined in Turkey for a data breach and in Russia for alleged data storage violations
  • Facebook Messenger was named as the Meta product that resulted in fines in Turkey and Canada
  • Pinterest was fined in Russia for alleged data storage violations. 

Facebook, WhatsApp, Instagram, and X (Twitter) were also the recipients of international fines, with Facebook receiving fines in Argentina, Brazil, Australia, and Canada. 

More details are linked in the public data set for those wishing to peruse the reasons behind these fines.

Data breaches

Out of the 15 investigated platforms, 10 had experienced at least one data breach each, with a total of 15 breaches uncovered by Incogni’s research team overall.

Some notable examples of such breaches include the 2017 breach of Instagram that led to celebrities’ phone numbers and emails being leaked and misused. The breach is said to have resulted from a bug in one of the platform’s APIs.

A nefarious party gained access to Quora’s systems in 2019, potentially gaining access to approximately 100 million users’ information, including:

  • “Account information, e.g., name, email address, encrypted password (hashed using bcrypt with a salt that varies for each user), data imported from linked networks when authorized by users.”
  • “Public content and actions, e.g., questions, answers, comments, upvotes”
  • “Non-public content and actions, e.g., answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)”.

In late 2021, Twitch was breached by an anonymous hacker, who managed to exfiltrate Twitch users’ personally identifiable information (PII) as well as all the source code for every version of the platform since its launch, including developers’ comments.


Finally, Snapchat was compromised in 2016, leading to personal data being exfiltrated. The hack relied on a phishing attack that compelled Snapchat to inadvertently share the personal data of current and former employees with a hacker.

Category 3: Data collection and retention practices

For this category, Incogni’s researchers determined how much data the platforms collect from their users and how long that data is retained after a user requests its deletion. 

The first data collection criterion—how much data is collected—was scored through checking the platforms’ Android and iOS application data-handling sections on the respective app distribution platforms. This criterion was given a weight of 2.

The second data collection criterion—how long data is retained after deletion is requested—was scored through analyzing the platforms’ privacy policies and determining whether or not they share or sell data as defined by the CCPA. This criterion was given a weight of 3. 

Lastly, Incogni’s researchers sought out, through the privacy policies and other resources on the companies’ websites, how long user data is kept once a user initiates the deletion of their account. This criterion was given a weight of 1.

In this category, many platforms performed similarly in terms of how much data their apps collect and share, but where some stood out was through their privacy policies, specifically whether user data is shared (as defined by the CCPA). Telegram, Discord, and WhatsApp came out on top overall in this category.

What data is collected and is it shared or sold? 

In terms of data collected, there were several recurring CCPA-defined data types that were commonly collected by the platforms:

  • Identifiers
  • Commercial info
  • Internet or electronic activity
  • Geolocation
  • Audio and visual information.

Some things that stood out to Incogni’s researchers include:

  • All platforms except WhatsApp, Telegram, and Quora could draw inferences from the other types of data they collect to profile users.
  • Professional or employment data could be collected by Meta’s products (except for WhatsApp), Pinterest, X (Twitter), Reddit, Quora, LinkedIn, and Twitch.
  • Sensitive personal information could be collected and processed by Discord, Twitch, LinkedIn, Snapchat, TikTok, YouTube, and Meta’s products (except for WhatsApp).

Notably, Telegram didn’t have any privacy policies (or addendums) that indicated what types of data (as defined by the CCPA) the platform interacts with.

Usefully, if a California-specific version (or addendum) of a privacy policy exists, a user can clearly see whether the company shares or sells user data. Under the CCPA, selling is defined as disclosing personal information in exchange for monetary or valuable consideration, while sharing is defined as the transfer of personal information to a third party (like a service provider) for a specific business purpose.

The following platforms can be interpreted as sharing user information:

  • YouTube
  • Pinterest
  • X (Twitter)
  • Quora
  • LinkedIn
  • Twitch.

When it comes to selling user data, the list is much shorter: only Pinterest has indicated that its handling of user information could be interpreted as the sale of user data under the CCPA.

Mobile app data collection and sharing

Having looked at application data handling practices in the past, Incogni’s researchers noted the large number of data points these social media apps interacted with. The Android apps interacted with an average of 24 out of the possible 38 data types. Facebook and Instagram lead the pack, interacting with 37 data types each. They’re followed by LinkedIn, with 31, and Pinterest and YouTube, with 27 each.

At the other end of the spectrum, Telegram interacted with 9 types of user data while WhatsApp interacted with 15.

Some things that stood out to the researchers when it comes to data collection:

  • LinkedIn is the only social media platform that indicates that it could collect users’ race or ethnicity data.
  • Meta’s products (except for WhatsApp) and LinkedIn could collect users’ sexual orientation data and health information.
  • Pinterest, Reddit, and Quora share users’ in-app search histories with third parties.

Data retention after account deletion

Incogni’s researchers looked at this criterion as a means of understanding how quickly companies honor users’ requests to have previously collected data removed. Notably, several companies don’t make this information readily available:

  • Reddit, in an earlier version of its privacy policy, had indicated a time frame, but has since removed it.
  • Telegram has several privacy-friendlyprivacy friendly methods of deleting users’ data, but it doesn’t make it clear how long it actually takes once the deletion mechanism is activated.
  • TikTok does not have an answer to this question readily available. 

It’s important to note, though, that as is common, most platforms indicate that they can’t delete all the data they have about a user, as they’re required by law to retain certain types of information for set periods of time. Given the fact that this is a response to legal requirements, Incogni’s researchers disregarded these exceptions.

Category 4: Transparency

In this ranking category, Incogni’s researchers looked at how transparent the platforms are with the government and their users.

The first criterion here refers to the (partial) disclosure of user information to government agencies that request this data. This criterion was assigned a weight of 2. The second criterion is used to penalize companies for information that is inaccessible, or not readily available, to the user, —specifically whether information is available to rate the platforms across other criteria used in this research. This second criterion was assigned the maximum weight of 3.

In this category, platforms with extensive privacy policies, and specifically those with well-constructed help or privacy centers, performed well, as Incogni’s researchers were able to find all the information needed to evaluate other criteria. 

Response rates to government requests for user information

For this criterion, our researchers identified three platforms—Telegram, Quora, and Twitch—for which data on responses to government requests was unavailable. These platforms were assigned a score based on the average of all other platforms and penalized in a subsequent criterion for not having this information available.

From the platforms that did have this data available, for the most recent available data for each company, Incogni’s researchers identified X (Twitter) as disclosing information least often: 51% of requests resulted in some data being disclosed. X was closely followed by LinkedIn (at 53%) and Pinterest (at 54%). 

The highest disclosure rates were found to have come from Snapchat: 82%. Snapchat was followed by Meta’s products (78%) and Discord (77.4%). 

The clumping together of Meta’s offerings was an issue here, but statistics for individual Meta platforms were unavailable. Overall, Meta disclosed some data in response to 78% of the requests it received from governmental agencies. However, since the details are unavailable on a per-platform basis, Meta’s products have been penalized in a subsequent criterion (to a lesser extent than the platforms without any statistics available at all).

Inaccessible criteria

This criterion was added to the ranking to ensure that platforms that fail to adequately disclose privacy-related information are penalized.

Three main issues resulted in such penalties being applied to the investigated platforms:

  • A lack of (global) statistics regarding disclosures to governments; the following platforms were penalized:
    • Telegram
    • Quora
    • Twitch.
  • A lack of information regarding the time to deletion following an account-deletion request; the following platforms were penalized:
    • TikTok
    • Telegram
    • Reddit.
  • A lack of CCPA-friendly privacy policies or policy addendums; the following platforms were penalized:
    • YouTube
    • TikTok
    • Telegram
    • X (Twitter).

As already mentioned, Meta’s apps were also penalized for not having independent statistics regarding their rates of user-data disclosure in response to governmental agency requests. 

Lastly, Telegram was penalized for not allowing the user to delete their account from the app, instead requiring the user to navigate to a specific URL using a browser. 

Category 5: User control and consent

This category is concerned with on-platform privacy settings and how much control a user is given therein.

Specifically, the criteria consist of: what options are made available to the users (weight of 3), what the default options are (weight of 3), and, for those seeking to minimize their digital footprint, what the most-private or least-visible account exposure is (weight of 1).

Pinterest leads this category with the smallest data footprint under the strictest privacy settings and the most comprehensive opt-out options for users. Telegram ranks second, followed by four platforms (Snapchat, Quora, Reddit, and Twitch) that scored lower, due to either larger minimum-data footprints or less privacy-focused default settings.

Privacy defaults and available options

When it comes to privacy options set for users by default, the platforms that already collected a smaller amount of data—Pinterest, Telegram, and Snapchat—did the best. Pinterest and Snapchat performed well by giving users a lot of options and collecting relatively limited information when creating their accounts. Telegram’s high score is based on strong defaults and minimal data collection at the account creation stage. 

TikTok, as well as Facebook Messenger and WhatsApp (both Meta platforms), performed the worst in this category. Meta’s products were penalized for extensive data collection during account creation and having mediocre default and available options. TikTok suffered from relatively poor privacy defaults and lacked extensive options to manage user privacy. 

The smallest digital footprint

The ability to use a given platform, browse content, and interact with others on the user’s own terms is another criterion in this category. To measure this, we looked at how a user’s profile looks to others when they have the strictest visibility settings enabled.

Several platforms, especially those focused on chat, allowed users to limit the visibility of their profile details to only those they’ve added to friends or contacts lists. Platforms with such options scored well and included: WhatsApp, Telegram, Messenger, and Pinterest.

Platforms with a slightly less private minimal exposure, usually displaying a profile picture and username at minimum, included: Facebook, YouTube, Instagram, TikTok, Quora, and Snapchat.

The remaining platforms, even on the most private settings, will display more information than just a profile picture and username, such as account creation date, previously posted content or other details.

Category 6: User friendliness and accessibility

This ranking category is focused on how easy it is to understand and act on privacy-related matters.

The first criterion, based on the Dale-Chall readability formula, concerns how difficult the privacy policies are to read; this criterion carries a weight of 1. The second criterion measures how many steps a user needs to take to delete their account (weighted at 2).

In this category, 3 platforms tied for first: Snapchat, X, and Discord. They all have relatively legible privacy policies and make account deletion relatively quick and easy for their users.

Readability of privacy policies

An important aspect of users having control over their privacy is understanding what they’re signing up for. To this end, Incogni’s researchers looked at how difficult the platforms’ privacy policies are to read and understand. In order to do this in a standardized and measurable way, they used the Dale-Chall formula, which looks at the vocabulary used in a given text and assigns a difficulty rating, often expressed as a requisite education level. 

The privacy policies Incogni’s research team analyzed fell into one of two difficulty levels:

  • College graduate, which was the difficulty level for:
    • Facebook
    • YouTube
    • Instagram
    • TikTok
    • Messenger
    • Pinterest
    • Reddit
    • Quora
    • Twitch.
  • College student, which was the difficulty level for:
    • WhatsApp
    • Snapchat
    • Telegram
    • LinkedIn
    • Discord.

Notably, there is a complication with WhatsApp, as certain features (such as interacting with MetaAI) do end up leading the user to Meta’s privacy policy, which is of a more difficult reading level. For the purposes of this ranking, only the base WhatsApp policy is considered. 

Number of steps required to delete an account

This criterion tests how easy it is to exercise an important aspect of a user’s privacy—account deletion—across the investigated social media platforms. While all platforms allow for it, Telegram does not have a direct way of deleting accounts through the app, only the website. However, a user can set an inactivity deadline according to which, if they don’t use the platform for a certain period of time, their account is deleted automatically. 

From the settings menu (whether in an app or browser), all of the remaining platforms only require a couple of steps to affect account deletion, although there is some variation. Between one and three steps are required until the user has the opportunity to press the ‘delete’ button. 

Conclusion

Although on the one hand limited by its somewhat subjective point of view (tackling the issues as though from the point of view of an average yet privacy-conscious user), this year’s social media privacy ranking adds nuance and texture to data that might otherwise lack both. Questions like what information is provided by a platform are supplemented with ones asking how readily available (easy-to-find) that information is and, once in hand, how difficult it is for the average reader to parse.

There’s still an overall ranking, an overall winner, and some platforms to avoid overall. But the additional insights provided by this research allow different users to make different decisions regarding their choice of platform based on their preferences, use cases, and threat profiles. A user, for example, who intends to provide only false personal information when setting up a profile mightn’t care about where that information goes, but they might worry instead about who can view their posts or acquire their location data.

As the privacy landscape becomes more complex, the granularity of information required to make informed decisions increases. One of the core principles motivating Incogni’s research here is the idea that consent to have personal information gathered and processed has to be properly informed to be valid and meaningful. It’s research like this that arms users with not only the facts but also the tools to inform their choices.

Methodology

Incogni’s researchers determined the top 15 social media platforms by monthly user count and ranked them according to how privacy- invasive they are. Platforms accessed primarily by users from a single country or very few countries were excluded, bringing the focus onto those with broad, international user bases. The ranking is based on 14 criteria across 6 categories: AI, transgressions, data collection, user control and consent, transparency, and user-friendliness.

These criteria were standardized to the extent that it was feasible to do so, to allow for numeric representations that would facilitate direct comparisons between the platforms. Each of the 14 criteria was assigned a severity score depending on its potential impact on users’ privacy. 

The severity score indicates how impactful a criterion is or could be (e.g., in case of a breach, leak, or other incident) to a person’s privacy. The severity score acts as a coefficient, multiplying the numeric value for a given criterion by: 1 for low severity, 2 for moderate severity, and 3 for high severity. 

Data, namely the applications’ privacy and data-handling policies and other privacy and/or legal resources, were collected (downloaded or screencaptured) between the 15th and 29th of August, 2025. Any webpages from which information was taken were archived using the Internet Archive between September 8th and 14th, 2025. 

Some criteria required Incogni’s researchers to create accounts on the platforms under investigation. To ensure that these criteria were measurable and comparable between platforms, the accounts used were created as if the user were an EU citizen. This provides several benefits, like a legal guarantee that the data collected by a given platform can be accessed by the data subject and that a mechanism for requesting that the account be deleted exists. 

Despite the EU accounts, the privacy policies were analyzed from a CCPA (California Consumer Privacy Act) angle, as if the user were a California resident. This is due to the common use of a specific data-policy layout across platforms, which makes automated data collection more robust. 

A detailed explanation of how each criterion is evaluated is available in the public dataset (shared below). 

The data used in this research and further information regarding the methodology for its collection are available here: data.

Use of visuals

Notwithstanding the terms of the CC BY-NC-SA 3.0 licenses of the visuals above, we grant news organizations and other media entities permission to use the specified asset(s) in their news coverage or commentary, including on pages that display advertising.

The visuals can be downloaded or embedded using the menu at the top right of the visual. Embedded visuals preserve their interactivity.

Is this article helpful?
YesNo
Scroll to Top