Social Media Privacy Ranking 2024

Incogni’s latest research highlights some of the stark differences in how leading social media platforms handle user data. Our researchers have created a comprehensive privacy ranking that reveals significant variations in the data-protection practices of these platforms. They evaluated the top 15 social media platforms by monthly user count to assess each platform’s relative privacy risk, presented in our Social Media Privacy Ranking.

Key insights

  • Our researchers found that Reddit, with a score of 8.9, represented the lowest privacy risk, followed by Snapchat (9.99) and Pinterest (10.49).
  • Facebook, with a score of 18.98, Facebook Messenger (16.51), and Instagram (15.84), were found to present the greatest risk to users’ privacy.
  • Instagram and Facebook were found to have the most problematic data collection and retention practices.
  • Instagram, Facebook, Facebook Messenger, YouTube, and Discord keep users’ data the longest after a successful account deletion request.
  • LinkedIn and X (Twitter) publicly display the most user data with the strictest “visibility” settings selected.
  • Facebook had the highest number of GDPR, CCPA, and similar regulatory violations, while LinkedIn suffered the greatest number of data breaches and mass data scrapes.

The most and least privacy-invasive platforms overall

Our researchers ranked the 15 biggest social media platforms (by monthly user count) based on 14 criteria across five key categories: transgressions, data collection and retention, user control and consent, transparency, and user-friendliness. Each criterion was quantified to facilitate a direct comparison of diverse features and practices. Incogni’s researchers then evaluated these criteria according to their potential impact on the privacy of the platforms’ users, assigning a severity coefficient to each criterion (see Methodology for more details).

The research reveals that Reddit is the least privacy-invasive platform of those studied, scoring 8.9, followed closely by Snapchat (9.99) and Pinterest (10.49). In contrast, Facebook (18.98), Facebook Messenger (16.51), and Instagram (15.84) were identified as having the most privacy-invasive practices.

These scores and the Social Media Privacy Ranking they facilitate are based on five basic categories of analysis, otherwise referred to here as pillars:

Data collection and retention varies considerably across platforms and contributes significantly to our ranking. This category played a big role in the poor scores of Meta’s products (with the exception of WhatsApp), and saw Telegram come out on top. 

User control and consent was also inconsistent in how much effect it had on the investigated platforms’ overall scores. This category contains criteria concerning things like what privacy settings are available and what the default settings are, what can be opted out of, and the public display of users’ personal information with the strictest visibility options set. Facebook Messenger and WhatsApp (both Meta platforms) performed the worst in this category, while Pinterest, Reddit, and Twitch did the best.

Transgressions, a category concerned with fines and data breaches, saw 4 platforms with the best possible score of 0: Telegram, Reddit, Quora, and Discord. At the other end of the ranking, X (Twitter) saw over a quarter of its total score come from this category, and Facebook over 30%. 

Transparency, a category concerned with how much user data reaches governments and how accessible certain features and information are to users, had varying levels of impact across platforms. Quora and Telegram had the worst ratings for transparency, while Discord, Snapchat, and LinkedIn performed better in the category. 

User-friendliness, a category comprising two criteria, is concerned with how easy it is to understand the privacy policy and how many steps it takes for a user to delete their account. This category has relatively little impact on the total scores and results were fairly consistent across the platforms in our sample. However, Facebook, Facebook Messenger, and YouTube still turned out to be the least user-friendly in terms of privacy policy clarity and the effort required to delete an account.

What follows is a closer look at the categories and criteria our researchers used to evaluate these platforms.

The data collection and retention pillar

The data collected and stored by social media platforms is a critical aspect of their users’ privacy. This has implications for the consequences of data breaches, how invasive advertising can be, and other aspects of users’ digital lives. The severity coefficients for the criteria in this category were 3 for data collection and handling by the platforms’ apps and 1 for how long data is kept after account deletion. 

In this category, Meta’s products once again stand out for all the worst reasons, followed closely by Alphabet’s YouTube platform.

A useful way of understanding what data reaches the social media platforms’ servers (potentially staying there) is to look at what each platform claims to collect. To this end, our researchers looked at what data is collected by the platforms using the CCPA (California Consumer Privacy Act) framework which lists 12 types of personal information. 

Since the categories listed in the CCPA’s legal text can be rather vague, our researchers also took a more detailed and standardized look at what personal details are collected and shared using the privacy disclosures of each platform’s native app. This allowed us to get a more fine-grained look at what data users are (potentially) offering up when engaging with these platforms.

Whilst not universal, some government and supranational bodies require that their citizens have the ability to delete their accounts and data from the records of businesses that possess it. However, the fact that people are able to remove their accounts doesn’t mean that these deletion requests are treated the same across platforms. For this measure, we looked at how long it takes for a person’s data to be deleted once they submit such a request.

We can see here a familiar pattern with Meta and Alphabet’s platforms taking the longest to delete data. Discord joins them at the bottom of the pile, while Telegram takes the clear lead, owing to the platform’s distributed nature.

The user control and consent pillar

The ability to choose what data is collected and shared is crucial if a platform is going to respect its users’ privacy. This category, user control and consent, consists of three measures and is intended to capture how much user data is displayed to other users on a given platform. Incogni’s researchers deemed the criteria in this category important, with all being weighted at 3/3, except for data visibility with strictest settings enabled, which was weighted at 2/3. 

Here’s a more detailed description of each of the three criteria that make up this pillar:

The first criterion in this category is concerned with what privacy settings are available to the user and what the defaults are. This combines the importance of giving users options while making sure that less privacy-savvy users are presented with privacy-respecting settings by default. Since users don’t always know or remember to change these default settings to decrease their exposure, the defaults are important. For those who do know to manually check their settings, having adequate options there is essential. 

Pinterest performed the best in this category, collecting relatively little data during account creation and giving users a lot of options to mitigate their data exposure, although its default settings were on the more problematic side. Similarly, the other platforms that allow for relatively private usage, such as Snapchat, Quora, Reddit, and Twitch, present the user with a variety of impactful options such as those to disable ad personalization based on on-platform and off-platform activity.

TikTok stood out as the worst platform for options and default settings, mainly due to its “privacy settings” primarily concerning how much other users can see about the user instead of what the platform can do with the user’s data. 

Platforms like Facebook and YouTube performed relatively well in this category, since despite collecting a lot of data, the privacy settings on Meta and Google products are quite extensive. Other Meta products fared more poorly compared to Facebook since their “on-platform” settings were quite limited.

The second criterion in this category has to do with the extent to which the user can control how much of their data leaves the platform. Even in cases where a lot of data is collected, if the company has a solid security track record and is not abusive with how it uses user data, some users might decide that, as long as the data stays with the platform’s parent company, giving up some privacy is worth it. This measure captures how much data sharing can be opted out of (and how much data is there to begin with). 

Similarly to the criterion regarding what privacy options are available to users, Pinterest, Reddit, and Twitch performed the best here, with Snapchat and Quora not far behind. These platforms allow users to opt out of personalized advertising based on on-platform and off-platform actions, with some, such as Pinterest, going so far as to allow the user to simply opt out of off-site-action-derived inferences. 

Facebook Messenger and WhatsApp were penalized the most under this criterion due to the platforms themselves having limited-to-no options related to data sharing. Data generated by these platforms can end up with other Meta platforms. TikTok was penalized due to limited settings while Telegram suffered due to an obscure privacy policy and no on-platform settings (the reason for which is unknown).

The third criterion is particularly relevant to users wishing to leave the smallest possible digital footprint while staying on their platform of choice. The ability to restrict how much of a user’s information is visible to other users and the general public is key here. This measure is concerned with how much data is visible to other users (with whom the data subject has no on-platform connection) and even non-users (e.g., through profiles being indexed with web search engines) when so-called “visibility” options are set to be as restrictive as each platform allows.

Our researchers found that LinkedIn and X (Twitter) have the most-exposed accounts, even if the user tries to limit which information is available to others on the platform and beyond. For example, X allows users to opt out of using their phone or email contacts as a means of connecting with others, but offers no other meaningful means of limiting connections. 

On the other hand, WhatsApp, Pinterest, and Telegram performed well by comparison, with Pinterest going so far as to enable hiding user profiles from others unless the user specifically invites other users to follow them. WhatsApp and Telegram make some profile information accessible to those who have the given user’s phone number.

In the majority of cases, the strictest available settings result in at least the profile picture and username being visible to other users of the platform until some sort of connection is made.

The transgressions pillar

The category deemed to have the greatest impact on user privacy concerns the transgressions of these platforms. We looked at whether these platforms experienced data breaches and whether they were found to be breaking privacy-related laws in the US, EU, and elsewhere. Our researchers scored each transgression on a scale of 0 – 1 and then multiplied that value by an importance coefficient.

With the exception of Twitch and Snapchat, all the platforms that experienced a data breach were the least privacy-respecting overall. X (Twitter), LinkedIn, and Facebook performed the worst, thanks in large part to the data breaches and mass data scrapes they’d experienced, but Facebook’s position was also determined by the fines it (and Meta) had received. With four platforms receiving 0 points in this category, it’s clear that some platforms have a better track record than others. 

Data breaches are one of the worst-case scenarios for social media platforms and, more importantly, their users. Given how much data these companies hold about their users, that data getting into the wrong hands can have serious consequences.

Incogni’s researchers found that Twitch, X (Twitter), LinkedIn, and Facebook have all experienced data breaches or leaks. With 4 data breaches and leaks that resulted in the exposure of user data, LinkedIn received 10 penalty points after adjustment for relative weight. X (Twitter) and Facebook are tied for second place in terms of data breaches, with two breaches each, receiving 5 penalty points each in our ranking. Lastly, Twitch, which saw one data breach, received 2.5 points. Other platforms were seemingly able to avoid these incidents. 

Fines are a reflection of past failures to meet legal requirements. Our researchers investigated which platforms received how many privacy-related fines from governments (non-governmental legal action was not considered). Given that laws vary from country to country, we did not consider the amount fined, just the number of fines. 

These measures are slightly less straightforward due to Meta having received four fines without a specific product being mentioned (although other fines levied against Meta were ascribed to specific products) and Google having received two in a similar fashion. To take this into account, we penalized all Meta platforms unless specific ones were mentioned in the verdicts against Meta; we also added penalty points to YouTube where fines were levied against Google.

With this taken into account, Facebook received the highest penalty in our rankings, having received 8 fines (three from EU bodies and five from other jurisdictions) due to privacy violations. WhatsApp was fined five times, twice in the EU and once each in Turkey, Nigeria, and Argentina. Following these, TikTok and X (Twitter) received four fines each. Only 5 out of the 15 social media platforms received no fines for privacy-related violations (see: Sources).

One such fine was levied against Meta specifically for the Facebook and Instagram platforms, which were accused of employing non-transparent means to get user consent for the processing of certain user data after the GDPR (General Data Protection Regulation) was introduced in the EU.

The transparency pillar

In this category, our researchers looked at the numbers of governmental requests for user data to which each social media platform had responded as well as how many difficulties we had finding the other measures outlined above. Even if the company collects or shares a lot of data, it is important that users have options and know what those options are. The criterion of data disclosures to governments was given a severity of 2 out of a maximum 3, and the inaccessibility of information was rated at a 3/3. 

Governmental requests for user data are a relatively common occurrence in which law enforcement and other judicial agencies reach out to companies to ask for details about a specific account or group of accounts. The company reviews the request and can choose to comply with or reject it. Recently, more and more companies have started making statistics regarding this practice available to the public.

While gathering data to rank the platforms, Incogni’s researchers ran into some issues. Sometimes, information important to those who care about their privacy was difficult or even impossible to find. Our researchers realized that this is an important factor in deciding to which platforms to entrust personal information.

There are two main reasons that social media platforms received penalties under this criterion: hiding information about how long the platform holds onto user data after a deletion request is accepted, and the availability of information regarding how frequently it shares user data with governmental agencies and organizations.

When it comes to government disclosures, our researchers penalized Pinterest, X (Twitter), Quora, and Twitch for withholding this information. We also gave smaller penalties to Meta’s products for not providing product-specific disclosure rates, Reddit for not having a recent (H2 of 2023) report and, lastly, Telegram, which claims not to disclose user information, but has some news outlets making claims to the contrary [2].

When it came to account deletion, Incogni’s researchers had to reach out to several of the platforms, Quora, Twitch, Snapchat, and TikTok, to find out how long a user’s data is kept by the platform once account deletion has been requested. This information was not discoverable through reasonable efforts, in the privacy policy or elsewhere. 

Telegram’s poor privacy policy also attracted some penalty points, as it lacked information about what data was collected and for what purposes. 

The user-friendliness pillar

User friendliness, in our Social Media Privacy Ranking, refers to how much control a user has over their data and how easy it is for them to exercise that control. This category looks at criteria such as how difficult it is to read the privacy policy, how quickly and easily the user can delete their account, and what privacy settings are available to them. The severity of both criteria in this category was rated at 1/3, meaning that the calculated values were multiplied by 1 before they were added to the total scores. 

It’s important that users understand the documents that detail how the platform handles their data. To measure this in a standardized way, we used wordcounter.net [3], which employs the Dale-Chall readability formula to evaluate the reading level required to understand a given text. In this case, the texts were the privacy policies of the various platforms.

Account deletion ought to be a relatively easy process. Social media users can protect their security and privacy in case of a data breach or other unwanted data disclosure by deleting their account and any associated user data from the platform’s servers before a breach occurs. This criterion assigns scores based on how many clicks or taps the user needs to perform to get from their “home page” or “feed” to an account-deletion page.

Yet again, we see Meta’s and Alphabet’s platforms leading the pack when it comes to privacy-invasive practices—in this case, setting obstacles to account deletion. 

Conclusion

Mainstream social media platforms are not only not private, their various profit-generating strategies often depend on collecting and making use of as much and as detailed personal information as possible. That’s why our ranking is ordered from the least to the most privacy-invasive platforms: there are no privacy-respecting options among the top 15 platforms by monthly user count.

Privacy-respecting alternatives do exist, though. Platforms like Mastodon, Nostr, and Matrix avoid most of the pitfalls of their mainstream counterparts and often offer more and better features (like federation and an ad-free experience). The one thing they haven’t been able to offer thus far is a large, diverse user base.

It’s this network effect that keeps many users “locked in” to mainstream services. Users of such platforms often mistakenly think of themselves as customers, but these platforms are more likely to consider the advertisers they work with as their customers. Through research like this, Incogni hopes to help people make informed decisions when exchanging privacy for convenience, connection, or entertainment.

Methodology

Incogni’s researchers determined the top 15 social media platforms by monthly user count and then ranked them according to how privacy-invasive they are. Platforms accessed primarily by users from a single country or very few countries were excluded, bringing the focus onto those with broad, international userbases. The ranking is based on 14 criteria across 5 categories: transgressions, data collection, user control and consent, transparency, and user-friendliness.

These criteria were standardized to the extent that it was feasible to do so, to allow for numeric representations that would facilitate direct comparisons between the platforms. Each of the 14 criteria was assigned a severity score depending on its potential impact on users’ privacy. 

The severity score indicates how impactful a criterion is or could be (e.g., in case of a breach, leak, or other incident) to a person’s privacy. The severity score acts as a coefficient, multiplying the numeric value for a given criterion by: 1 for low severity, 2 for medium severity, and 3 for high severity. 

Some criteria required Incogni’s researchers to create accounts on the platforms. To ensure that these criteria were measurable and comparable between platforms, the accounts used were created as if the user was an EU citizen. This provides several benefits, like a legal guarantee that the data collected by a given platform can be accessed by the data subject and that a mechanism to request that the account is deleted exists. 

Despite the EU accounts, the privacy policies were analyzed from a CCPA (California Consumer Privacy Act) angle, as if the user were a California resident. This is due to the common use of a specific data-policy layout across platforms, which makes automated data collection more robust. 

For this research, we penalized mass data scrapes (publicly accessible information from a great number of users collected and shared in nefarious forums and websites) as if they were data breaches. Such publicly available datasets enable hostile actors to target the platforms’ user base, which can theoretically be prevented with anti-scraping measures. Such instances are also presented in the same manner as a typical data breach by our source, HaveIBeenPwned, which helps consistency. This impacts LinkedIn and X (Twitter).

A detailed explanation of how each criterion is evaluated is available in the public dataset (shared below). 

The data used in this research and further information regarding the methodology for its collection are available here: Public dataset.

References:

  1. Data Protection Commission. “Data Protection Commission announces conclusion of two inquiries into Meta Ireland.” Last modified January 4, 2023. https://dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland
  2. Ahmed, Deeba. “Telegram Shared Personal User Data With German Authorities.” HackRead, June 8, 2022. https://hackread.com/telegram-shared-personal-user-data-german-authorities/
  3. WordCounter. “Home.” Accessed September 4, 2024. https://wordcounter.net/.
  4. Sidley CCPA Monitor. “California Consumer Privacy Act (CCPA).” Accessed September 18, 2024. https://www.sidley.com/en/us/sidley-pages/ccpa-text/.

Sources:

  1. https://www.enforcementtracker.com/ETid-1094
  2. https://www.enforcementtracker.com/ETid-1502
  3. https://www.reuters.com/technology/norway-data-regulator-fine-meta-over-privacy-breaches-2023-08-07/
  4. https://www.accc.gov.au/media-release/20m-penalty-for-meta-companies-for-conduct-liable-to-mislead-consumers-about-use-of-their-data
  5. https://apnews.com/article/technology-south-korea-252a9cc71f0875575340ade7265af951
  6. https://www.enforcementtracker.com/ETid-485
  7. https://www.enforcementtracker.com/ETid-980
  8. https://www.enforcementtracker.com/ETid-1543
  9. https://www.enforcementtracker.com/ETid-1176
  10. https://www.enforcementtracker.com/ETid-1373
  11. https://www.enforcementtracker.com/ETid-2032
  12. https://www.enforcementtracker.com/ETid-1496
  13. https://www.enforcementtracker.com/ETid-1578
  14. https://www.enforcementtracker.com/ETid-820
  15. https://www.enforcementtracker.com/ETid-979
  16. https://www.enforcementtracker.com/ETid-1543
  17. https://www.enforcementtracker.com/ETid-1730
  18. https://www.enforcementtracker.com/ETid-203
  19. https://www.enforcementtracker.com/ETid-770
  20. https://www.ilnipinsider.com/2020/03/facebook-and-twitter-fined-for-violation-of-requirements-for-the-personal-data-localization/
  21. https://economictimes.indiatimes.com/tech/technology/russia-fines-foreign-firms-for-alleged-data-storage-violations/articleshow/92520168.cms?from=mdr
  22. https://www.agbi.com/media/2024/05/turkey-fines-facebook-owner-meta-over-customer-data-sharing/
  23. https://www.canada.ca/en/competition-bureau/news/2020/05/facebook-to-pay-9-million-penalty-to-settle-competition-bureau-concerns-about-misleading-privacy-claims.html
  24. https://www.agbi.com/media/2024/05/turkey-fines-facebook-owner-meta-over-customer-data-sharing/
  25. https://apnews.com/article/nigeria-meta-fine-facebook-whatsapp-9c79447e348dcaaa1b8c59898e60c7fa
  26. https://www.batimes.com.ar/news/argentina/argentina-fines-facebook-for-abusive-privacy-terms-in-whatsapp.phtml
  27. https://apnews.com/article/nigeria-meta-fine-facebook-whatsapp-9c79447e348dcaaa1b8c59898e60c7fa
  28. https://www.agbi.com/media/2024/05/turkey-fines-fac
